PREFACE


MODAL LOGIC 


This Handbook documents the current state of modal logic, a lively area of logical research which 
was born in philosophy, but which has since made its way into mathematics, linguistics, computer 
science, AI, and even economic game theory. As with other thriving scientific endeavours, it 
is not easy, and perhaps not even fruitful, to give an official definition of the subject. From 
the earliest days of modern modal logic, about a century ago now, there were many different 
interpretations, formalisms, and applications, and new developments have only added to this 
diversity. On the other hand, modal logic is also a remarkably coherent field in many ways, and 
its practitioners have no difficulty recognising research — and colleagues! — as being ‘modal’ 
in spirit. As editors, we see two broad perspectives that help give rise to this coherence. Writing 
with very broad strokes of the pen, we might say that the following two conceptions of the field 
have been particularly influential among modal logicians: 


• Modal logics as formalisations of modalities. Many natural notions in language and science
have a ‘modal’ character, in that they talk about possibility and necessity in some
space of relevant situations. This was true for the original philosophical study of metaphysical
modality, but it is equally true of modal logics of time, space, obligation, conditionality,
knowledge, computation, and action, which have permeated other fields. Under
this view, modal logics model natural reasoning concerning ubiquitous notions, and in doing
so, they expand the descriptive scope of ‘standard’ logic. Technically, then, modal
logics are obtained from standard logical systems (like classical propositional or predicate
logic, intuitionistic logic, and so on) by adding new, non-truth-functional operators (that
is, modalities). The non-truth-functional nature of the operators, reflecting the larger space
of relevant situations, typically leads to systems richer than the underlying logic.


• Modal logics as fragments of standard logics. But surprisingly, another viewpoint on
modal logic has become equally prominent among its practitioners. Under this view, modal
logics inherit their semantics from the standard semantics of classical first or even higher-order
predicate logic, but they restrict expressive power by using operators instead of
explicit quantification. The term “fragment” carries no negative connotation of poverty 
here: curbing expressive power leads to systems with logical properties rather different 
from those of standard logic; the decidability of many modal logics is a striking example. 
The mathematical study of modal logics in this vein has brought to light a delicate balance 
between the expressive power and computational complexity of logical systems in general. 
That is, from this perspective modal logic is better viewed as a methodology for tapping 
into a core theme in standard logic. It is this second, more technical perspective, which 
provides much of the mathematical coherence of the field today. 




The first perspective emphasises the descriptive range of modal logic as the study of key concepts
and the reasoning patterns they give rise to. The second perspective emphasises the methodological
aspect of fine-structure: modal languages bring to light the inner structure of classical
systems. But these views are not in conflict. As the Handbook makes abundantly clear, most 
active research directions in modal logic take something from both. Indeed, the most widespread 
semantics of modal logic in terms of relational models (used in virtually every chapter of the 
Handbook) provides a setting in which these perspectives coexist fruitfully. Moreover, the two 
views help us better understand historical contributions made in the field. For example, the modal 
system S4 was introduced in the 1920s as an analysis of the concept of necessary implication. 
But the limited expressive power of the formalism as an account of implicative structure turned 
out to be the key to S4’s wide range of other applications, and its attractive mathematical behaviour.
In short, both perspectives on modal logic are widely applicable, and both have proved
historically robust. Let’s take a closer look at them, and see how they are related. 


Modal logic as the study of old and new modalities. Modal logic, conceived of as the formal
study of modalities, was invented in philosophy almost a century ago — though the informal
study of modalities can be traced back much earlier: through the work of the medieval logicians,
and back to the ancient Greeks. The first modal operators were introduced in order to solve the
paradoxes of material implication and to obtain logics of necessity and possibility; the key figure
here is C. I. Lewis, who published his pioneering work in 1918. Putting his idea in modern
notation, we take some logical formula φ, and by prefixing it with a □ or a ◇ symbol we obtain
the expressions □φ (“the proposition φ is necessary”) and ◇φ (“the proposition φ is possible”).
That is, the box and diamond notation enables us to assert fundamentally new modes of truth
concerning the information expressed by φ, namely that it is necessary or possible.

In 1933, Kurt Gödel, driven by concerns in the foundations of mathematics, used modal operators
to formalise the notion of mathematical provability. In particular, his work enabled intuitionistic
logic to be reduced to classical logic extended with a provability operator, and the
resulting logic turned out to be Lewis’s system S4. A striking result indeed, but the general point
is this: once again, modalities are being used to express fundamentally new modes of truth concerning
a piece of information. In particular, now □φ means that φ is provable, and ◇φ means
that it is consistent.

These early examples of applying modalities to logical formulas to make assertions concerning
a novel mode of truth are only the tip of the iceberg. In the decades following the work of
Lewis and Gödel, many modal operators were introduced and investigated, all dealing with truth
in some space of possible situations. Tense logic (or temporal logic) arises with the addition
of modalities like “eventually” or “earlier”. Deontic logic adds modalities “it is permitted, or
obligatory, that”. In epistemic logic we make use of modalities like “it is known that”, either for
single agents or for groups. And conditional logics analyse further species of conditional reasoning
far beyond Lewis’s original account. This way of thinking about modal logic and modalities
underlies the work of some of the field’s most prominent pioneers, including G. H. von Wright,
Arthur Prior, Jaakko Hintikka, Hans Kamp, and David Lewis.

Then the torch passed to other disciplines. In particular, temporal, dynamic and epistemic
logics found their way into computer science, AI, and economic game theory. Temporal logics,
of both branching and linear time, are now used in industry for automated verification
of hardware and software. Epistemic, temporal and conditional operators are the main ingredient
of knowledge-based programming. And modal logics of active agents with knowledge,
beliefs, and desires form a theoretical backbone of modern accounts of intelligent distributed
computing. Pioneers of modal methods in computer science include Edmund Clarke,
Joe Halpern, Zohar Manna, Robin Milner, Rohit Parikh, Amir Pnueli, Vaughan Pratt, and many 
others — including quite a few of the authors and commentators in this Handbook. But again, 
diversity reigns, and creation of new modal formalisms for novel reasoning purposes continues 
unabated. 

Summing up: it is entirely reasonable to say that modal logics are formalisms used to represent 
and reason about the plethora of modal notions that underlie, among other things, distributed 
computations and intelligent actions, and their corresponding modes of truth. They achieve this 
by making use of new operators, called modalities, whose truth-conditions involve access to 
some larger space of relevant situations, such as worlds, times, theories, or computational states. 
If you view modal logic in this descriptive way, you will be in excellent company. 


Modal logic and the fine-structure of classical logics. The invention of graph-based relational
semantics (by Jaakko Hintikka, Stig Kanger, and Saul Kripke) in the late 1950s and early 1960s
showed that standard modal logics could be regarded as fragments of first or second-order predicate
logics. The underlying idea is straightforward. Suppose we read □φ as “necessarily φ” and
◇φ as “possibly φ”. Drawing on an idea that dates back to the work of Leibniz, we could view
“necessarily φ” as a claim that φ is true in all possible worlds, and “possibly φ” as a claim that
φ is true in some possible world. Thus, modal operators perform quantification without making
use of explicit variables and binding.

This idea, when expressed mathematically, has turned out to be the most significant milestone
in the history of modal logic. For present purposes, the crucial idea in the above is just this.
Because necessity means truth at all worlds, □ becomes linked to the universal quantifier ∀, and
because possibility means truth at some world, ◇ becomes linked to the existential quantifier ∃.
That is, necessity and possibility have been analysed in terms of classical quantification. The idea
that modal operators are essentially concealed forms of classical quantification is fully general:
for example, we can think of “eventually φ” as meaning “there is some future time at which φ
holds”, and we can think of “after performing a certain action, φ” as meaning “at every state
which is accessible by performing a certain kind of action, φ holds”.

But this is not all there is to the analogy. Viewed in this way, modal logics might just be 
different notation for classical ones! The creative difference is that the quantification in modal 
languages tends to be bounded in some way to ‘relevant’ or ‘accessible’ situations lying beyond 
the current one. In other words, we are working on structured universes of worlds, computational 
states, or what have you — and access is mediated. Together with the quantifier analogy, this 
bounded access explains two things. First, a number of properties of modal logics follow at once 
from those of their classical quantificational counterparts. Second, as the fragments of classical 
logic that modal operators correspond to typically have less expressive power than full first-order 
predicate logic, this results in many new properties. For example, the semantic invariances between
models appropriate for modal expressive power are not those of classical logic, but rather
turn out to be various forms of bisimulation, which preserve local properties of worlds and their 
transition patterns. Moreover, the study of fragments of classical systems and translations from 
modal to predicate logic (and sometimes back) has yielded satisfying explanations of why so 
many modal logics are decidable (unlike classical predicate logic), and why their computational 
complexity is often relatively low — and in a more activist way, modal analysis has led to the 
discovery of many new decidable fragments of classical logics. Indeed, the systematic design of 
modal languages stronger than the formalisms bequeathed to us by the founding fathers has been 
a major theme in recent research. 
First-order languages have been the most traditional companions of modal ones, but the same
points apply to modal fragments of higher-order languages, and — a significant development in 
recent years — to modal fragments of classical languages with fixed-point operators expressing 
iterative or recursive structures in action, computation, and knowledge representation. 

Summing up: it is also entirely reasonable to say that modal logics are fragments of classical 
logics, which somehow strike an optimal balance between expressive power and computational 
simplicity. And if you view modal logic in this way (that is, as a laboratory for fine-structure) 
you will also be in excellent company. 

Nowadays, few modal logicians would feel compelled to choose between the two perspectives 
just outlined. Their respective virtues are clear, and most researchers have assimilated both. 
Given the current explosion of practical applications and fundamental ideas in the field (amply 
documented in this Handbook), dogmatism concerning the nature of modal logic is becoming 
increasingly unsustainable. Let us emphasise this point a bit more. 


Contemporary modal logic. Modal logic today is a vast family of studies of modal notions,
with the original philosophical and mathematical motivations still alive, but with an increasing
symbiosis with other fields, and in particular, with computer science. Indeed, its interface with
computer science (and more generally, informatics) is extremely broad, ranging from hardware
and software verification, to ontologies in medical and bio-informatics, and the analysis of query
languages for XML documents. Moreover, it also takes in commonsense reasoning in AI, covering
issues ranging from representing and reasoning about space and time to modelling complex
interactive multi-agent information systems. Nowadays, modal structures seem to occur everywhere,
just as they did in the creative explosion of modality in the philosophical logic of the
1950s and 1960s. This independent (re-)discovery of modal operators in different settings is one 
of the strongest arguments for the stability and naturalness of the modal stance. Here are three 
striking illustrations of contemporary rediscoveries. 

The first example is description logic, a branch of knowledge representation and reasoning 
in AI; nowadays it supplies many of the formalisms used to fix terminologies in medical and 
bio-informatics, and has been proposed as the language for annotating web pages to develop a 
semantic web. Since the late 1970s, the description logic community has articulated its fundamental
research goal with great clarity: to obtain fragments of predicate logics which are computationally
well-behaved but still have the expressive power required in knowledge representation
applications. Intriguingly, around 1990 it became apparent that many of the logics obtained by
pursuing this goal were in fact modal logics in a different notational guise. Bounded quantification
turns out to be as fundamental for description logics as it is for standard modal logics. In
this case, of course, the accessible objects are not worlds or situations but individual objects from 
some application domain (for example, the biological function of a DNA sequence). But many 
of the underlying ideas are the same, and this observation has opened the doors to joint work 
with the modal logic community, with benefits to both fields. 

Another area where modal structure is currently surfacing is in the abstract study of processes 
in the emerging field of coalgebra. Though modally inspired process theories like dynamic logic, 
temporal logic, and process algebra have a long history in computer science, coalgebra adds a 
new twist. Starting from the work by Peter Aczel, Jon Barwise, and others on generalised set 
theory, coalgebra has now become a theory of finite and infinite processes, with deep connections 
with universal algebra and other parts of mathematics and theoretical computer science. The 
crucial feature here is that processes need not be bottom-up inductive, but can instead be top-down
co-inductive streams of events. One gets to know a process through observation of events,
chewing off the head of the event stream. The surprising discovery has been that such processes
and their observational analysis again show clear modal patterns, leading to rapidly developing
interfaces between coalgebra, modal logic, and universal algebra. 


Finally, a third independent rediscovery of modal notions occurred in economic game theory. 
In the 1970s, Robert Aumann and others introduced formal models of interactive knowledge of 
agents in order to account for the reasoning underpinning the Nash equilibrium solutions that 
would be found by rational players of a game. Disregarding some differences in notation and 
style, the resulting formalisms turned out to be epistemic logics from the philosophical tradition,
with operators for various forms of collective knowledge of groups. Over the past three
decades, logical analysis of games has become another flourishing interface, with studies of beliefs
and preferences in modal languages, and the development of dynamic logics of actions
that can change modal attitudes as a game proceeds. Moreover, this modal study of games 
has now largely merged with that of computational processes, as games are naturally viewed as 
goal-driven multi-agent forms of computation. Traditional game theory was the mathematics of 
equilibrium, using methods from analysis and dynamical systems. The modal stance that is now 
emerging provides a natural level of fine-structure to go with this. 


Despite this diversity of modal structures, there are also strong unifying tendencies, especially 
in the mathematical metatheory of the field, which got into its stride in the 1970s with work 
by Wim Blok, Kit Fine, Dov Gabbay, Rob Goldblatt, Larisa Maksimova, Steve Thomason, and 
others. Model theory of bisimulation and related frame constructions is one important strand 
here; among other things, it yielded broad definability techniques for matching modal languages 
with classical ones, and enabled the interpolation properties of modal languages to be charted. 
A second major strand is algebraic semantics and the duality between modal algebras and relational
structures, which built on seminal work by Bjarni Jónsson and Alfred Tarski from the
1950s; since the rediscovery of their work in the 1970s, as universal algebra has grown in sophistication,
so have its ties with modal logic. Another unifying force was the development of
genuinely ‘modal’ techniques with wide applicability for proving completeness, axiomatizability
and decidability results. And since the 1980s, further unifying mathematical themes have
emerged: these include the study of the computational complexity of reasoning and its relation
to succinctness; the exploration of the relation between various forms of tree automata, logical
games, and the expressivity of modal languages; and the study of logic combinations and related
model constructions, which has led to a theory, still under active development, of various types
of products of modal logics.


Another unifying tendency is the undeniable fact that the members of this growing modal 
family keep influencing each other. The word “applications” has a uni-directional ring to it, but 
it is a fact of life that every road can be walked both ways. For example, the action-oriented modal 
perspectives that are so prominent at the computer science interface have now crossed back into 
philosophy, giving rise to theories of information update and belief revision, which describe how 
agents come to acquire knowledge or change problematic beliefs. Moreover, setting up such 
systems also brings in conditional logics from the philosophical tradition; these are now seen as 
underlying belief revision and non-monotonic reasoning in deep and surprising ways. 

This interdisciplinary and interactive setting is the stage where the drama of contemporary 
modal logic is played out. Modal structures are being studied in a growing number of areas, 
and often they seem to arise almost like naturally occurring phenomena; no premeditation by the 
modal logician is required. And at the same time, in response to this dramatic expansion, modal 
logicians have had to adopt a far wider range of technical ideas and tools than ever before, tools 
that lie beyond the placid waters of traditional textbook introductions to the field. It was against 
this exciting and challenging background that this Handbook was conceived. 


THE HANDBOOK OF MODAL LOGIC


This Handbook presents a detailed overview of the main lines of research in contemporary modal 
logic. The editors have tried to present a fair picture of the modern scene, and one that (to 
the extent possible in a one-volume handbook) reflects the scene in its entirety. Moreover, the 
selection of authors has been made with a view toward representing the most active and creative 
research communities worldwide.

The tricky question is: what is the best compromise between “detailed” and “overview”? We 
felt the field would be best served by a single volume handbook; that is, we opted for judicious 
selection and bounded access. Not that it would have been difficult to design a multi-volume 
handbook. On the contrary, the most frequent request we had from our authors was for more 
generous page limits; the pull towards detail is strongly felt in a field such as modal logic, and
quite rightly so. Many of the most treasured results and insights of the field are the results of 
years of painstaking work. In a sense, every student of the subject has to retrace these intellectual 
journeys; short cuts aren’t possible. 

But the evident need for an accessible overview of the whole, leaving deeper access to valleys 
and caves to a second stage, suggests that the one volume choice was correct. One of the points 
that emerged most strongly during the Handbook’s preparation was just how unified modal logic 
still is. To be sure, some of its branches are now highly technical, whereas other branches are 
better thought of as conceptual investigations which use the language of modal logic as an aid 
to precision. Furthermore, some work emphasises generality and takes mathematical criteria as 
its primary guide, whereas other areas may be highly specific in their focus and take their cue 
from applications. But in spite of such differences, the field remains stubbornly coherent, and 
surprisingly comprehensible. It is not an exaggeration to claim that most researchers in modal 
logic have at least a nodding acquaintance with the majority of the topics discussed in this Handbook,
feel that this sort of extensive knowledge is useful, and would like their students to have a
map of the terrain at least as wide. This Handbook is an attempt to provide such a map. To put 
it another way, it tries to gather together the background assumptions, the working knowledge, 
the mathematical techniques, and the general world view that add up to that somewhat elusive 
entity “contemporary modal logic”, and to bring it together in a digestible form. We hope it will 
provide exactly the sort of snapshot of the field that will serve as intellectual nourishment for the 
next generation of researchers in, and users of, modal logic. 

We made no serious effort to impose notational or other kinds of uniformity on the authors. 
This was partly for pragmatic reasons: it was always evident that the attempt to impose a standard 
notation would please nobody — and who is to say that linguistic diversity is worse than linguistic,
or even cultural, uniformity? But there are deeper reasons for our hands-off stance. Research
in contemporary modal logic takes place in a shifting environment that jostles the borders of 
many fields. One modal logician’s interests may lead to the frontiers of linguistics or automated 
reasoning, another to the foundations of computation and games, and another towards purely 
mathematical issues concerning topological spaces. Moreover, these interests keep converging, 
and diverging, in new and often unpredictable ways; we have given some telling examples already.
Had this Handbook appeared five years earlier, the borders between various fields would
have been drawn somewhat differently, and it is entirely possible that in another five years many 
will have to be drawn yet again. In the face of such flux, imposing uniformity would be an artificial
exercise. Modal logic is a sea, and the point of this Handbook is to help the reader learn to
swim in it; pretending it is a swimming pool distorts the truth, and what’s worse, is unhelpful. 


USING THE HANDBOOK


We suspect that most of our readers will be accustomed to navigating their way through weighty 
research tomes, and will require little in the way of advice. In particular, readers who already 
know something about modal logic should simply consult the Table of Contents and start where 
it looks most interesting; while there are cross-references between the chapters, each is, to a 
great extent, self-contained, so this is a viable strategy. Moreover, the Handbook can be used as
a reference to the field. In particular, the index gives detailed entries for most common logics, 
notions, and results. 

But we have also attempted to make the Handbook accessible to less experienced readers. 
Now, we should say right away that by “less experienced” we mean less experienced in modal 
logic. This is a technical volume, and readers without technical background are going to find it 
difficult. Thus our less experienced reader is someone who already has some understanding of 
what modern logic is about, and why and where it is useful, and who wants to find out something 
about what modern modal logic has to offer. 

The Handbook is structured to provide an answer to such readers. The book has 21 chapters, 
and is divided into four parts: Basic Theory, Advanced Theory, Variations and Extensions, and 
Applications. Although independent, together they tell a story, the story of contemporary modal 
logic. This story starts with the basic tools and techniques, takes the reader to the outer reaches of 
the underlying mathematical theory, surveys the key points where the modal approach is being 
adapted and extended, and finishes by examining the various applications which modal logic 
serves and from which it draws inspiration. Let’s take a closer look at how all this unfolds over 
the course of the Handbook. 


Part 1. Basic Theory. The chapters in Part 1 lay the foundation for later ones. Together they
present an overview of the most fundamental themes, techniques and results in contemporary 
modal logic. The growing impact of computer science is clearly reflected in the choice of topics: 
two chapters are wholly devoted to complexity, decision methods, and implementation. 


Chapter 1. Modal Logic: A Semantic Perspective. Patrick Blackburn and Johan van Benthem. 
This chapter discusses the semantic ideas underlying modern modal logic, and in particular, 
Kripke semantics — or relational semantics, as it now (more informatively and fairly) tends 
to be called. It introduces the basic model theoretic constructions in a modern way, explores 
links between modal logic and classical (predicate) logic, both on models and on frames, and 
examines the extent to which the key semantic ideas transfer to richer modal logics and languages 
while maintaining a relatively low computational complexity. It also introduces some alternative 
viewpoints: algebraic semantics, neighbourhood semantics, and topological semantics. 


Chapter 2. Modal Proof Theory. Melvin Fitting. 

Modal proof theory is the study of syntactic calculi, defined in terms of symbol manipulation, 
for performing modal logical reasoning. How can such systems be designed? Is there an interesting
range of design choices? And how can the syntactic ideas underlying proof calculi be linked
with the semantic ideas introduced in Chapter 1? This chapter answers these questions by introducing
a wide range of proof styles, and discussing modal completeness theory, the fundamental
bridge between proof-theoretical and semantic investigations. 


Chapter 3. Complexity of Modal Logic. Maarten Marx.

The basic modal language, when interpreted over relational models, can be regarded as a 
decidable fragment of classical logic. But this observation immediately leads to a host of further
questions. Given that it is decidable, how difficult is it to compute with? That is, what is
the computational complexity of determining validity, or of performing more modest tasks like 
model checking? And what are the parameters that affect modal complexity results, and what 
happens when we play with their settings? This chapter, an introduction to the computational 
complexity of modal logic, provides some fundamental answers. 


Chapter 4. Computational Modal Logic. Ian Horrocks, Ullrich Hustadt, Ulrike Sattler, and 
Renate Schmidt. 

Although Chapter 2 introduced modal proof theory, and Chapter 3 studied the computational 
complexity of modal logic, only with this chapter do we reach the heartland of computational 
modal logic: how to build modal inference systems that are efficient in practice. Although it 
surveys a number of topics, this chapter concentrates on two fundamental issues: how resolution 
and tableaux methods can be adapted to modal logic, and how these methods are related. 


Part 2. Advanced Theory. The chapters in Part 2 provide a deep and wide-ranging theoretical
analysis of modal logic that is broad enough to apply to many application areas. In some cases
they provide deeper perspectives on topics already introduced in Part 1, but often they introduce
ideas barely hinted at in earlier chapters. Taken together, they present the central core of
contemporary insight into the mathematical structure of modal logic. 


Chapter 5. Model Theory of Modal Logic. Valentin Goranko and Martin Otto. 

At the heart of relational semantics is the idea of interpreting modal languages over relational 
structures by viewing them as fragments of first-order predicate logic or some stronger formalism.
This perspective is not only intuitively attractive, it also makes available to modal logic the
results and tools developed in such areas as classical model theory and finite model theory. This 
chapter shows, in great detail, how such tools can be put to work to gain a deep mathematical 
understanding of modal model theory, and what makes it sui generis. 


Chapter 6. Algebras and Coalgebras. Yde Venema. 

This chapter develops in detail the algebraic semantics of modal logic and introduces an alternative
coalgebraic approach. Algebraic semantics, which has thrived as a research area since the
early 1970s, is important because it makes it possible to apply general techniques from universal 
algebra to the study of modal logic. The approach has given rise to some of the most penetrating 
analyses of the mathematics of modality. The more recent coalgebraic approach, which also links 
up with category theory, is valuable because it offers a uniform mathematical setting in which to 
analyse dynamic systems in terms of modal logic. 


Chapter 7. Modal Decision Problems. Frank Wolter and Michael Zakharyaschev. 

Modal logic is decidable — or at least it is when interpreted on the class of all models. But 
change the interpreting class of models, and you change the logical validities, and decidability 
is typically lost when the structural conditions come too close to ‘danger zones’ such as tiling 
patterns, arithmetic, or other structures allowing for Turing machine computation. This chapter 
is a detailed examination of how such properties as decidability, the finite model property, and 
finite axiomatisability are distributed across the lattice of normal modal logics. The emphasis is 
on providing general results, and drawing attention to important open questions. 


Chapter 8. Modal Consequence Relations. Marcus Kracht.

The notion of consequence, which tells us when a conclusion follows from given premises, is 
a fundamental logical concept, and in the setting of modal logic it can be defined in a number 
of different ways. This chapter surveys some of the most important ideas, covering in detail 
such topics as local versus global consequence, reducing multimodal consequence to monomodal 
consequence, interpolation theorems, and the admissibility of rules. As with Chapter 7, the 
emphasis is on providing general results which apply across a wide range of logics. 


Part 3. Variations and Extensions The main focus of the chapters in Parts 1 and 2 was on 
relatively simple propositional modal systems based on (collections of) $\Diamond$ and $\Box$ modalities.
Such systems are historically central but they don’t exhaust the kinds of logic that now go under 
the name “modal logic”. The chapters in Part 3 introduce some of the extensions and variations 
of the basic modal technology that the reader is likely to encounter. 


Chapter 9. First-order Modal Logic. Torben Braüner and Silvio Ghilardi.

First-order modal logics are modal logics in which the underlying propositional logic has been 
replaced by a first-order predicate logic. These are one of the oldest forms of modal logic, and 
arguably the most philosophically important. They also pose some of the most difficult mathe- 
matical challenges. This chapter first surveys basic first-order modal logics, and then examines 
recent attempts to find a general mathematical setting in which to analyse them. 


Chapter 10. Higher-order Modal Logic. Reinhard Muskens. 

The basic ideas of modal logic have also been extended to higher-order settings, and indeed, 
extended in a number of different ways. This chapter motivates such extensions, some of them 
from linguistic semantics in the tradition of Richard Montague, examines some of the more 
historically influential ones, indicates some of the difficulties that can arise in the transition to 
higher-order logic, and finally shows how these difficulties can be overcome. 


Chapter 11. Temporal Logic. Ian Hodkinson and Mark Reynolds. 

Temporal logic is one of the classic branches of modal logic and is currently one of the most 
active. It has been remarkably fruitful in the issues it has raised (what kinds of temporal structure 
should we work with?), the results it has given rise to (it is the source of some of the most 
interesting expressivity results in modal logic), and as an applied tool (contemporary model 
checking technology is based on temporal logic). This chapter will introduce the reader to the 
key issues of this important and diverse area. 


Chapter 12. Modal μ-Calculi. Julian Bradfield and Colin Stirling.

In the late 1960s, pioneers in reasoning about programs adopted some key ideas of modal 
logic. They repaid the debt handsomely. Among other things, they developed dynamic logic 
(used in several chapters of this Handbook), and the modal μ-calculus, one of the most
interesting modal formalisms to have emerged in the last two decades. This provides second-order
expressive power sufficient to generalise the most common temporal logics, but is still decidable 
and has the finite model property. It raises many intriguing issues about the interface between 
modal logic, complexity theory, and automata theory. 


Chapter 13. Description Logic. Franz Baader and Carsten Lutz. 

Modal logic is sometimes thought of as an intrinsically intensional logic, suitable only for 
applications such as reasoning about necessity, possibility, and knowledge. But description logics 
(which developed from pioneering work in the AI community) are undeniably modal logics and, 
as the description logic community has shown in impressive detail, are extremely well suited for 
reasoning about ordinary individuals and the relations between them. This chapter is a detailed
introduction to one of modal logic’s closest neighbours. 


Chapter 14. Hybrid Logics. Carlos Areces and Balder ten Cate. 

Standard modal logics use modalities for talking about the relations in relational structures, 
but don’t contain mechanisms for talking about particular worlds. Hybrid logic arises when 
mechanisms for naming and asserting identity of worlds are added; to give an analogy, they are to 
standard modal systems what first-order languages with equality are to equality-free languages. 
This chapter surveys the proof theory, expressivity, and complexity of a number of the better 
known hybrid logics, thereby giving a snapshot of the logical territory lying between the basic 
modal languages and their classical companions. 


Chapter 15. Combining Modal Logics. Agi Kurucz. 

The idea of combining modal logics (for example, a modal logic of time with a modal logic of 
knowledge) is natural for many applications. But how can modal logics be combined, and what 
happens when you combine them? This chapter surveys two key combination methods (fusions 
and products) in detail, shows how various properties do (or do not) transfer from the individual 
logics to the combination, and briefly examines a number of other combination methods. The 
properties of combined logics turn out to depend in subtle ways on those of their components 
plus the particular method of combination. 


Part 4. Applications Historically, modal logic has been profoundly influenced by its appli- 
cations, which have been extremely diverse in nature. The chapters in Part 4 survey the key 
application domains, thereby showing where modal logic comes from, where it has visited along 
the way, and also indicating areas to which it is likely to return. 


Chapter 16. Modal Logic in Mathematics. Sergei Artemov. 

Mathematics is one of modal logic’s oldest application areas. In particular, the pioneering 
work of Gödel in the 1930s showed that modal logic offered an important perspective on the
notion of mathematical provability, and (more recently) modal logics of proof have been developed.
But modal logic also gives rise to natural logics of space and dynamic systems, and even turns 
out to be a tool with applications in set theory. This chapter surveys these themes. In doing so, it 
emphasises an intriguing duality in interpreting the modal box: either as the universal quantifier 
“in all worlds”, or as the existential “there exists a proof”. Just when and how such accounts 
converge is a deep metamathematical issue. 


Chapter 17. Automata-Theoretic Techniques for Temporal Reasoning. Moshe Y. Vardi. 

Many modal and temporal logics can be viewed as fragments of monadic second-order logic 
over trees in a suitable signature, so there is a clear theoretical link (via Rabin’s celebrated decid- 
ability theorem) between modal logic and automata theory. But this link turns out to have prac- 
tical repercussions for computational applications. In particular, by viewing temporal formulas 
as giving rise to what are known as “alternating automata”, we gain a theoretically transparent
but also practical perspective on both validity and model checking, one of the most significant 
applications of contemporary modal logic. 


Chapter 18. Intelligent Agents and Common-Sense Reasoning. John-Jules Meyer and Frank 
Veltman. 

Modal logics have been used in AI in a number of different ways. This chapter discusses two 
of its more important roles there. The first is as a logic of agents, and here the chapter takes 
the reader from basic epistemic and deontic logic to multi-agent logics of beliefs, desires, and 
intentions. The second is as a model of common sense reasoning, and here the chapter covers
modal treatments of counterfactual conditionals and non-monotonic reasoning in a variety of 
guises, including default reasoning. 


Chapter 19. Applications of Modal Logic in Linguistics. Lawrence S. Moss and Hans Jörg 
Tiede. 

Modal logic is best known in linguistics for the light it throws on semantics; indeed Richard 
Montague’s use of higher-order modal logic for this purpose is widely considered to be the
starting point of modern natural language semantics. Recently, however, modal logic has also 
been used to analyse syntactic structure, and interesting links with formal language theory have 
thereby emerged. This chapter discusses both topics, providing a sophisticated view of modern 
interfaces between logic and natural language. 


Chapter 20. Modal Logic for Games and Information. Wiebe van der Hoek and Marc Pauly. 

Game-theoretic ideas have long played an influential role in analysing various branches of
logic, but the focus of this chapter is on using modal logics to describe and reason about games. 
After introducing the basic ideas of game theory, it systematically investigates how modal logic 
can be used to do this. Three main topics are discussed: modeling imperfect information and 
multi-agent information update via dynamic epistemic logics; reasoning about game structure 
through operations for combining games; and logics of collective action and the power of coali- 
tions of agents over time. 


Chapter 21. Modal Logic and Philosophy. Sten Lindström and Krister Segerberg. 

Modal logic was born in philosophy, and though it has since travelled widely, it still retains 
important links with the discipline. This chapter first discusses the historical heartland of philo- 
sophical modal logic: namely, the scope and limitations of modal logic as an account of neces- 
sity and possibility. It then examines two more recent topics: modal logic and the logic of belief 
change, and modal logic as a logic of action. 


Together, these chapters present a broad picture of modal logic today. Of course, some choices 
had to be made, and some bias may remain. In particular, the emphasis throughout has been 
on relational graph-style models. The editors fully acknowledge that there are other important 
traditions, such as modal logics based on non-classical logics, proof-theoretic semantics, as well 
as the more general neighbourhood semantics. Some of these have a historical pedigree reaching 
back to the 1930s, and they are still very much alive. These approaches do occur at various places 
in the book, but we have not made them fundamental to the Handbook’s architecture. We think 
this is a fair reflection of the bulk of current research, but times may change. 

Some readers may also think that this Handbook has a bias toward propositional modal
systems, leaving predicate-logical versions underrepresented. This may be true to some extent —
however, the chapters on modal predicate logic, modal logic in philosophy, and also temporal 
logic give a clear account not only of the basic theory of modal predicate logic, but also of recent 
developments of its mathematics and its relevance to computer science. But there is also a more 
defiant stance. Predicate logic itself can be profitably viewed as a modal logic of variable as- 
signment and assignment change. And in that light, modal predicate logic is not some privileged 
enrichment of modal logic. It is really about combining a propositional modal logic of worlds 
and one of variable assignment. And the reader can learn a lot about both, and about combination 
methods, from the pages of this Handbook! 

Once these chapters are seen together, many questions may at once be formulated concerning 
further relationships between them. The editors considered adding some remarks on this topic, 
as diversity tempered by the resulting need for system comparison are a major driving force for
innovation in the field. But in the end, we have decided to let the chapters, and their juxtaposition, 
speak for themselves. 

Finally, we would like to remark that modal logic is as much a community of living people 
as a family of systems. The results and insights in this Handbook exist only because of a long 
line of distinguished researchers who have shaped modal logic and its interfaces with computer 
science and other fields. The Hall of Fame of our field certainly extends beyond the grand old 
names of the classical period; just read this Handbook, and you will come to know the grand new 
names by their fruits. 


COMMENTATORS 


Following an idea of Dov Gabbay’s used in many publications, we made use of the designated 
commentator system in this Handbook. That is, in addition to editorial feedback, we attempted 
to find, for each chapter, a reader who could provide the kind of feedback that would inspire the 
authors during the writing process. In some cases we chose commentators with special expertise 
in the topic of the chapter. In other cases, we felt that the comments offered by someone work- 
ing in a somewhat different area might be more appropriate and helpful. Moreover, whenever 
possible, we chose authors of other chapters as commentators, as we felt this would improve the 
Handbook’s coherence. 

We are extremely grateful to everyone who agreed to undertake this task; in many cases the 
input of a commentator acted as precisely the catalyst needed to help the full potential of a chapter 
to emerge. Our commentators were (Chapter 19 had no commentator): 


Chapter 1: Aleksander Chagrov.     Chapter 2: Heinrich Wansing.
Chapter 3: Martin Otto.            Chapter 4: Carlos Areces.
Chapter 5: Maarten de Rijke.       Chapter 6: Aleksander Kurz.
Chapter 7: Rosalie Iemhoff.        Chapter 8: Ian Hodkinson.
Chapter 9: Melvin Fitting.         Chapter 10: Grigori Mints.
Chapter 11: Valentin Goranko.      Chapter 12: Yde Venema.
Chapter 13: Silvio Ghilardi.       Chapter 14: Ulrike Sattler.
Chapter 15: Carsten Lutz.          Chapter 16: Rineke Verbrugge.
Chapter 17: Julian Bradfield.      Chapter 18: Reinhard Muskens.
Chapter 20: Giacomo Bonanno.       Chapter 21: Vincent Hendricks.


FURTHER INFORMATION 


We have set up a home page for the Handbook at: 
http://www.csc.liv.ac.uk/~frank/MLHandbook 


We will make available there any corrections that may need to be made, and news concerning 
future Handbook-related developments. We welcome feedback from our readers. 

It would not be useful to attempt to list all the workshops, conferences, and journals where 
work on modal logic is published; given what we have said about its wide range of applications 
and techniques, it will come as no surprise that such work may be made public in a wide variety of 
forums. However it is worthwhile taking this opportunity to mention two workshops specifically 
devoted to modal logic. The first is Advances in Modal Logic (AiML), modal logic’s main event,
which is held every two years. You can find out more about this event, and the associated book 
series at: 


http://www.aiml.net 


Here we’ll simply say that AiML attempts to bring together scholars working in all areas of 
modal logic and its applications. The second workshop is Methods for Modalities (M4M), see 


http://m4m.loria.fr 


M4M is also held every two years. It is more practically oriented than AiML, focusing on the 
development of computational tools and results for modal logic. 


1 INTRODUCTION


This chapter introduces modal logic from a semantic perspective. That is, it presents modal logic 
as a tool for talking about structures or models. But what kind of structures can modal logic talk 
about? 

There is no single answer. For example, modal logic can be given an algebraic semantics, 
and under this interpretation modal logic is a tool for talking about what are known as boolean 
algebras with operators. And modal logic can be given a topological semantics, so it can also 
be viewed as a tool for talking about topologies. But although we briefly discuss algebraic and 
topological semantics, for the most part this chapter focuses on modal logic as a tool for talking 
about graphs. To put it another way, this chapter is devoted to what is known as the relational 
or Kripke semantics for modal logic. This is the best known and (with the possible exception of 
algebraic semantics) the best explored style of modal semantics. It is also, arguably, the most 
intuitive. Over the years modal logic has been applied in many different ways. It has been used 
as a tool for reasoning about time, beliefs, computational systems, necessity and possibility, and 
much else besides. These applications, though diverse, have something important in common: 
the key ideas they employ (flows of time, relations between epistemic alternatives, transitions 
between computational states, networks of possible worlds) can all be represented as simple 
graph-like structures. And as we shall see, modal logic is an interesting tool for talking about 
such structures: it provides an internal perspective on the information they contain. 

But modal logic is not the only tool for talking about graphs, and this brings us to one of the 
major themes of the chapter: the relationship between modal logic and other forms of logic. As 
we shall see, under the graph-based perspective discussed here, modal logic is closely linked 
to both first- and second-order classical logic. This immediately raises interesting questions. 
How does modal logic compare with these logics as a tool for talking about graphs? Can modal 
expressivity over graphs be characterised in terms of classical logic? We shall ask (and answer) 
such questions in the course of the chapter. 

Games (in various guises) are another recurring motif. The simple way that modal formulas 
are interpreted on graphs naturally gives rise to games and game-like concepts. The most impor- 
tant of these is the notion of bisimulation. This is a relation between two models, weaker than 
isomorphism, which can be thought of as giving rise to a transition-matching game between two 
players. As we shall see, this concept holds the key to modal model theory and characterises the 
link with first-order logic. 

This chapter has two pedagogical goals. The first is to provide a bread-and-butter introduction 
to relational semantics for modal logic that can be used as a basis for tackling the more advanced 
chapters in this handbook. Thus the reader will find here definitions and discussions of all the 
basic tools needed in modal model theory (such as the standard translation, generated submodels, 
bounded morphisms, and so on). Basic results about these concepts are stated and some simple 
proofs are given. But we have a second, more ambitious, goal: to help the reader start thinking 
semantically. We want to give the reader a sense of how modal logicians view structure, and 
what they look for when exploring new logics. To this end we have tried to isolate the intuitions 
that guide working modal logicians, and to present them vividly. We also make numerous asides, 
some of which touch on advanced logical topics. Their purpose is to situate the key ideas in a 
wider context, and even beginners should try to follow them. 

Here is our plan. In Section 2, we introduce basic modal languages and the graphs over which 
they are interpreted. We give the satisfaction definition (which tells us how to interpret modal 
formulas in graphs) and the standard translation (which links modal logic with classical logic). 
With these preliminaries out of the way, we are ready to go deeper. What can (and cannot)
modal languages say about graphs? In Section 3 we introduce the notion of bisimulation and 
use it to develop some answers; among other things, we characterise modal logic as a fragment 
of first-order logic. In Section 4 we examine the computability and computational complexity 
of modal logic. A shift of topic? Not at all. In essence, this section examines modal logic 
as a tool for talking about finite graphs. In Section 5 we move to the level of frames and re- 
examine the link between modal and classical logic. As we shall see, at this level the fundamental 
correspondence is between modal logic and (monadic) second-order logic. In Section 6 we 
move beyond the basic modal language and discuss a number of richer languages that offer more 
expressivity. But what makes them all modal? As we shall see, many of the themes explored 
in earlier sections re-emerge, and point towards an idea that seems to lie at the heart of modal 
logic: guarding. Moreover, in some cases it is possible to prove Lindström-style characterisation
results. In Section 7 we discuss three alternatives to relational semantics, namely algebraic, 
neighbourhood, and topological semantics. We conclude in Section 8. 

Two final remarks. First, although we introduce modal logic from scratch, we assume that 
the reader has at least a basic understanding of classical first-order logic (especially its model- 
theoretic semantics) and some grasp of the notion of computability. Any standard introduction to 
mathematical logic (Enderton [37] is a good choice) supplies more than enough material to follow 
the main line of the chapter. Second, we don’t discuss modal proof-theory or related notions such 
as completeness in any detail (these topics are the focus of Chapter 2 of this handbook). Although 
we haven’t banished all mention of normal modal logics and completeness from the chapter, in 
our view traditional introductions to modal logic tend to overemphasise these topics. We want 
this chapter to act as a counterbalance. As we hope to convince the reader, simply asking the 
question “But what can I say with these languages?” swiftly leads to interesting territory. 


2 BASIC MODAL LOGIC 


In this section we introduce the basic modal language and its relational semantics. We define 
basic modal syntax, introduce models and frames, and give the satisfaction definition. We then 
draw the reader’s attention to the internal perspective that modal languages offer on relational 
structure, and explain why models and frames should be thought of as graphs. Following this 
we give the standard translation. This enables us to convert any basic modal formula into a first- 
order formula with one free variable. The standard translation is a bridge between the modal and 
classical worlds, a bridge that underlies much of the work of this chapter. 


2.1 First steps in relational semantics 


Suppose we have a set of proposition symbols (whose elements we typically write as p, q, r and 
so on) and a set of modality symbols (whose elements we typically write as m, m’, m”, and so 
on). The choice of PROP and MOD is called the signature (or similarity type) of the language; in
what follows we’ll tacitly assume that PROP is denumerably infinite, and we’ll often work with 
signatures in which MOD contains only a single element. Given a signature, we define the basic 
modal language (over the signature) as follows: 


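$$\varphi ::= p \mid \top \mid \bot \mid \neg\varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \varphi \leftrightarrow \psi \mid \langle m \rangle \varphi \mid [m]\varphi.$$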


That is, a basic modal formula is either a proposition symbol, a boolean constant, a boolean 
combination of basic modal formulas, or (most interesting of all) a formula prefixed by a diamond 
or a box. There is redundancy in the way we have defined basic modal languages: we don’t need
all these boolean connectives as primitives, and it will follow from the satisfaction definition
given below that, for all $m \in \mathrm{MOD}$, $[m]\varphi$ is equivalent to
$\neg\langle m\rangle\neg\varphi$ and $\langle m\rangle\varphi$ is equivalent to
$\neg[m]\neg\varphi$ (so boxes and diamonds are what are known as dual connectives, just as
$\exists$ and $\forall$ are in first-order logic). But we won’t bother picking out a preferred
set of primitives, as this is not relevant to our discussion. If there is only one modality in
our language (that is, if MOD has only one element) we simply write $\Diamond$ and $\Box$ for its
diamond and box forms. We often tacitly assume that some signature has been fixed, and say things
like “the basic modal language”, or “the basic modal language with one diamond”. We won’t need
many syntactic concepts in this chapter, but the following ones will be useful. First, the
subformulas of a basic modal formula $\varphi$ are $\varphi$ itself together with all the formulas
used to build $\varphi$. Second, we say that a subformula $\psi$ of $\varphi$ occurs positively if
it is under the scope of an even number of negations, otherwise we say it occurs negatively (when
this definition is applied, subformulas of the form $\psi \to \theta$ should be read as
$\neg\psi \vee \theta$, and subformulas of the form $\bot$ should be read as $\neg\top$). Finally,
the modal operator depth of a basic modal formula $\varphi$ is the maximum level of nesting of
modalities in $\varphi$, and we write $\mathrm{md}(\varphi)$ to denote this number.

A model (or Kripke model) $\mathfrak{M}$ for the basic modal language (over some fixed signature)
is a triple $\mathfrak{M} = (W, \{R^m\}_{m \in \mathrm{MOD}}, V)$. Here $W$, the domain, is a
non-empty set, whose elements we usually call points, but which, for reasons which will soon be
clear, are sometimes called states, times, situations, worlds and other things besides. Each
$R^m$ in a model is a binary relation on $W$, and $V$ is a function (the valuation) that assigns
to each proposition symbol $p$ in PROP a subset $V(p)$ of $W$; think of $V(p)$ as the set of
points in $\mathfrak{M}$ where $p$ is true. The first two components
$(W, \{R^m\}_{m \in \mathrm{MOD}})$ of $\mathfrak{M}$ are called the frame underlying the model.
If there is only one relation in the model, we typically write $(W, R)$ for its frame, and
$(W, R, V)$ for the model itself. We encourage the reader to think of Kripke models as graphs (or
to be slightly more precise, directed graphs, that is, graphs whose points are linked by directed
arrows) and will shortly give some examples which show why this is helpful.

Suppose $w$ is a point in a model $\mathfrak{M} = (W, \{R^m\}_{m \in \mathrm{MOD}}, V)$. Then we
inductively define the notion of a formula $\varphi$ being satisfied (or true) in $\mathfrak{M}$
at point $w$ as follows (we omit some of the clauses for the booleans):


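$$
\begin{array}{lll}
\mathfrak{M}, w \models p & \text{iff} & w \in V(p), \\
\mathfrak{M}, w \models \top & & \text{always}, \\
\mathfrak{M}, w \models \bot & & \text{never}, \\
\mathfrak{M}, w \models \neg\varphi & \text{iff} & \text{not } \mathfrak{M}, w \models \varphi \text{ (notation: } \mathfrak{M}, w \not\models \varphi\text{)}, \\
\mathfrak{M}, w \models \varphi \wedge \psi & \text{iff} & \mathfrak{M}, w \models \varphi \text{ and } \mathfrak{M}, w \models \psi, \\
\mathfrak{M}, w \models \varphi \to \psi & \text{iff} & \mathfrak{M}, w \not\models \varphi \text{ or } \mathfrak{M}, w \models \psi, \\
\mathfrak{M}, w \models \langle m \rangle\varphi & \text{iff} & \text{for some } v \in W \text{ such that } R^m wv \text{ we have } \mathfrak{M}, v \models \varphi, \\
\mathfrak{M}, w \models [m]\varphi & \text{iff} & \text{for all } v \in W \text{ such that } R^m wv \text{ we have } \mathfrak{M}, v \models \varphi.
\end{array}
$$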


A formula $\varphi$ is globally satisfied (globally true) in a model $\mathfrak{M}$ if it is
satisfied at all points in $\mathfrak{M}$, and if this is the case we write
$\mathfrak{M} \models \varphi$. A formula $\varphi$ is valid if it is globally satisfied in all
models, and if this is the case we write $\models \varphi$. A formula $\varphi$ is satisfiable in
a model $\mathfrak{M}$ if there is some point in $\mathfrak{M}$ at which $\varphi$ is satisfied,
and $\varphi$ is satisfiable if there is some point in some model at which it is satisfied. These
definitions are lifted to sets of formulas in the obvious way. For example, a set of basic modal
formulas $\Sigma$ is satisfiable if there is some point in some model at which all the formulas
it contains are satisfied. A formula $\varphi$ is a semantic consequence of a set of formulas
$\Sigma$ if for all models $\mathfrak{M}$ and all points $w$ in $\mathfrak{M}$, if
$\mathfrak{M}, w \models \Sigma$ then $\mathfrak{M}, w \models \varphi$, and in such a case we
write $\Sigma \models \varphi$. Instead of writing $\{\varphi\} \models \psi$ we write
$\varphi \models \psi$.


We now have all the concepts needed to begin exploring modal logic. But instead of moving
on, let us reflect upon the ideas just introduced. First, note the internal character of the modal
satisfaction definition: modal formulas talk about Kripke models from the inside. In first-order
classical logic, when we talk about a model, we do so from the outside. A sentence of first-order
logic does not depend on the contextual information contained in assignments of values to
variables: sentences take a bird’s-eye-view of structure, and, irrespective of the variable
assignment we use, are simply true or false of a given model. Modal logic works differently: we
evaluate formulas inside models at some particular point. A modal formula is like an automaton
placed inside a structure at some point w, and forced to explore by making transitions to
accessible points. This may seem a fanciful way of thinking about the satisfaction definition,
but it turns out to be crucial. When we isolate the mathematical content of this intuition, we are
led, fairly directly, to the notion of bisimulation, the key to modal model theory, which we will
introduce in Section 3.

Second, note that basic modal languages are syntactically extremely simple: we are working
with languages of propositional logic augmented with additional unary operators. And yet these
languages clearly pack quantificational punch. Diamonds and boxes can be thought of as macros
that encode quantification over $R^m$-accessible states in a perspicuous variable-free notation.
We will shortly define the standard translation, which makes this macro analogy precise.

Third, note that Kripke models can (and in our opinion should) be thought of as (directed) 
graphs. As we have already mentioned, modal logic has been applied in many different areas. 
What these areas have in common is that they deal with applications in which the important ideas 
can be represented by relatively simple graph-like structures. Let’s consider some examples.

A classic interpretation of Kripke models of the form $(W, R, V)$ is to regard the elements of
$W$ as times, and the relation $R$ as the relation of temporal precedence (that is, $Rww'$ means
that time $w$ is earlier than time $w'$). Consider the (directed) graph in Figure 1.

Figure 1. A simple temporal model.

This shows a simple flow of time consisting of five points. Here we will take the precedence
relation to be the transitive closure of the next-time relation indicated by the arrows (after
all, we think of the flow of time as transitive) thus every point $t_i$ precedes all points to
its right. Note that (as we would expect from the internal perspective provided by modal
languages) whether or not a formula is satisfied depends on where (or in this example, when) it is
evaluated. For example, the formula $\Diamond(p \wedge q)$ is satisfied at points $t_1$, $t_2$ and
$t_3$ (because all these points are to the left of $t_4$ where both $p$ and $q$ are true together)
but not at $t_4$ and $t_5$. On the other hand, because $q$ is true at $t_5$, we have that
$\Diamond q$ is true at $t_1$, $t_2$, $t_3$ and $t_4$. One special case is worth remarking on:
note that for any basic formula $\varphi$ whatsoever, $\Box\varphi$ is satisfied at $t_5$. Why?
Because the clause in the satisfaction definition for boxes says that $\Box\varphi$ is satisfied
if and only if $\varphi$ is satisfied at all $R$-accessible points. As no points are
$R$-accessible from $t_5$ (it has no points to its right) this condition is trivially met.
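
The satisfaction definition can be executed directly on a finite model. The following Python code is an added example, not code from the chapter: it implements the satisfaction clauses as a recursive evaluator and checks the claims made above about Figure 1. The tuple encoding of formulas, the modality name "m", and the placement of the lone p at the third point are assumptions (the figure's labels are only partly legible here); none of the checked claims depends on that placement.

```python
# Added example: the satisfaction definition as a recursive evaluator over a
# finite Kripke model, run on the five-point flow of time of Figure 1.
#
# Formulas are nested tuples (a constructed encoding, not the chapter's syntax):
#   ("prop", "p")  ("top",)  ("bot",)  ("not", f)  ("and", f, g)
#   ("or", f, g)   ("imp", f, g)       ("dia", m, f)  ("box", m, f)


class Model:
    """A Kripke model (W, {R^m}, V) with finitely many points."""

    def __init__(self, points, relations, valuation):
        self.W = set(points)
        self.R = relations      # modality symbol -> set of (w, v) pairs
        self.V = valuation      # proposition symbol -> set of points

    def successors(self, m, w):
        """All v with R^m w v."""
        return {v for (u, v) in self.R[m] if u == w}

    def sat(self, w, f):
        """True iff formula f is satisfied at point w."""
        op = f[0]
        if op == "prop":
            return w in self.V.get(f[1], set())
        if op == "top":
            return True
        if op == "bot":
            return False
        if op == "not":
            return not self.sat(w, f[1])
        if op == "and":
            return self.sat(w, f[1]) and self.sat(w, f[2])
        if op == "or":
            return self.sat(w, f[1]) or self.sat(w, f[2])
        if op == "imp":
            return (not self.sat(w, f[1])) or self.sat(w, f[2])
        if op == "dia":   # some accessible point satisfies the argument
            return any(self.sat(v, f[2]) for v in self.successors(f[1], w))
        if op == "box":   # all accessible points do; vacuously true if none
            return all(self.sat(v, f[2]) for v in self.successors(f[1], w))
        raise ValueError(f"unknown connective: {op!r}")

    def extension(self, f):
        """The set of points at which f is satisfied."""
        return {w for w in self.W if self.sat(w, f)}

    def globally_satisfied(self, f):
        return self.extension(f) == self.W


def transitive_closure(pairs):
    """Smallest transitive relation containing the given pairs."""
    closure = set(pairs)
    while True:
        step = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if step <= closure:
            return closure
        closure |= step


def modal_depth(f):
    """md(f): maximum nesting of diamonds and boxes in f."""
    op = f[0]
    if op in ("prop", "top", "bot"):
        return 0
    if op in ("dia", "box"):
        return 1 + modal_depth(f[2])
    return max(modal_depth(g) for g in f[1:])


def duality_holds(model, m, f):
    """Check box/diamond duality for f at every point of the model."""
    box_dual = ("not", ("dia", m, ("not", f)))
    dia_dual = ("not", ("box", m, ("not", f)))
    return all(
        model.sat(w, ("box", m, f)) == model.sat(w, box_dual)
        and model.sat(w, ("dia", m, f)) == model.sat(w, dia_dual)
        for w in model.W
    )


def figure1_model():
    """Points 1..5 stand for t1..t5; precedence is the closure of next-time."""
    next_time = {(i, i + 1) for i in range(1, 5)}
    relations = {"m": transitive_closure(next_time)}
    # p and q together at t4 and q at t5 come from the text;
    # p at t3 is an assumption.
    valuation = {"p": {3, 4}, "q": {4, 5}}
    return Model(range(1, 6), relations, valuation)


if __name__ == "__main__":
    M = figure1_model()
    p_and_q = ("and", ("prop", "p"), ("prop", "q"))
    print("dia(p and q):", sorted(M.extension(("dia", "m", p_and_q))))
    print("dia q:       ", sorted(M.extension(("dia", "m", ("prop", "q")))))
    print("box bot:     ", sorted(M.extension(("box", "m", ("bot",)))))
```

The last line shows the vacuous case: a box formula with a false argument holds only at the point with no successors.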

The idea of using modal logic as a tool for temporal reasoning is due to Arthur Prior [104,
105]. His work offers what is probably the clearest example of modal logic being appreciated 
for its internal perspective. In languages such as English and Dutch, the default way of locating 
information temporally is to use tenses, and 
‘speech. For example, if at some time t I say “Clarence will fly”, then this will be true if at some 
future time t’ Clarence does in fact fly. Prior viewed tensed talk as fundamental: we exist in 
time, and have to deal with temporal information from the inside. He believed that the internal 
perspective offered by modal languages made it an ideal tool for capturing the situated nature 
of our experience and the context-dependent way we talk about it. Prior called his system tense
logic. He wrote F for the forward looking (or future) diamond, and had a second diamond,
written P, for looking back into the past (so in Figure 1, $P(p \wedge q)$ is true at $t_5$, for this point
is to the right of $t_4$, where p and q are true together). Prior needed backward looking operators
to mimic the effect of natural language past tense constructions; for further discussion of Prior’s 
work in this area, see Chapter 19 of this handbook. 

Our next example brings us to one of the most influential ways of thinking about Kripke 
models: to give them a process interpretation, which means that we view models as collections 
of computational states, and the binary relations as computational actions that transform one state 
into another. This interpretation dates back to the classic work of Hoare [67] and Dijkstra [32]. 
Let’s look at a simple example. Consider the graph shown in Figure 2. This shows a finite state 




Figure 2. Finite state automaton for $a^n b^m$ ($n, m > 0$).


automaton for the formal language $a^n b^m$ ($n, m > 0$), that is, for the set of all strings consisting
of a non-empty block of as followed by a non-empty block of bs. But this is precisely the type
of graph we can use to interpret a modal language. In this case it would be natural to work
with a language with two diamonds $\langle a \rangle$ and $\langle b \rangle$. The $\langle a \rangle$ diamond will be used to explore the
a-transitions in the automaton, while the $\langle b \rangle$ diamond explores the b-transitions. It follows that
all formulas of the form


$$\langle a \rangle \cdots \langle a \rangle \langle b \rangle \cdots \langle b \rangle t$$


(that is, an unbroken block of $\langle a \rangle$ diamonds preceding an unbroken block of $\langle b \rangle$ diamonds in
front of a proposition symbol t which is only true at the terminal node t) are satisfied at the start 
node s, for all modality sequences of this form correspond to the strings accepted by the automa- 
ton. Although simple, this example shows the key feature of many computational interpretations 
of modal logic: the relations are thought of as processes (here our processes are “read the sym- 
bol a” and “read the symbol b”). Note that in this case we are thinking in terms of deterministic 
processes (each relation is a partial function) but we could just as well work with arbitrary re- 
The process 
interpretation, in various forms, underlies much of the discussion of this chapter, and it underlies 
Chapters 12 and 17 of this handbook. 
Another important application of modal languages is to model the logic of knowledge and 
belief; this line of work was pioneered by Jaakko Hintikka [66], and as the more recent treatise
by Fagin, Halpern, Moses, and Vardi [39] makes clear, the study of epistemic logic continues to
flourish. Again, simple graph-based intuitions underlie this application. Consider, for example,
the graph shown in Figure 3. Here we see the epistemic state of a very simple agent. One 




Figure 3. Epistemic state of a simple agent. 


of the epistemic situations making up this state is marked e; this represents the agent’s current 
knowledge (the agent knows that q is the case). The other situations represent the way the world 
might be. For example, although neither p nor r is true in the current situation, the agent views
situations in which p and q are true together, and situations in which r and q are true together,
and even situations in which p and q and r are all true together, as epistemically acceptable
alternatives to the current situation e. So $\Diamond(p \land q)$ (“$p \land q$ is consistent with what the agent
knows”), and $\Diamond(r \land q)$, and $\Diamond(p \land q \land r)$ are all satisfied at e. Moreover $\Box q$ (“the agent knows that
q”) is satisfied at e, as at every alternative epistemic situation the information q holds. Hintikka
introduced the symbol K for this usage of box (that is, he wrote Kq for “the agent knows that q”) 
and his notation is still standard in contemporary epistemic logic. Epistemic logic is discussed 
in Chapters 18 and 20 of this handbook. 

The next example is important for another reason. Modal logic is often viewed as an intrinsi- 
cally intensional logic, interpreted using possible world semantics. This view comes from what 
is probably the most historically influential interpretation of modal logic, namely as the logic 
of necessity and possibility. In this interpretation, $\Diamond$ is read as “possibly”, $\Box$ is read as “necessarily”,
and the points of Kripke models are regarded as possible worlds. Unfortunately, this
interpretation has tended to overshadow the others, at least in certain research communities (some 
philosophers view modal logic, intensionality, and possible worlds as inextricably intermingled). 
To ensure that this illusion is dispelled, our last example will be completely extensional. Consider 
the graph in Figure 4. 


Figure 4. Ordinary individuals. [Graph of individuals, including johnny and frank, linked by arrows labelled loves and detests.]


This is the sort of extensional information that classical logics (such as first-order logic) are 
often used for. But modal logic is at home here too. We can say lots of interesting things about
such situations. For example


$$\langle \text{LOVES} \rangle \top \land \langle \text{DETESTS} \rangle \langle \text{LOVES} \rangle \top$$


is true when evaluated at Terry: he loves someone and he detests someone who loves someone. 
Nowadays, modal logic is widely used for reasoning about such extensional situations. In par- 
ticular, the concept languages which lie at the heart of the description logics used in knowledge 
representation are often notational variants of (various kinds of) modal languages. Description 
logics are used in a wide range of applications for representing and reasoning about extensional 
information. They are treated in depth in Chapter 13 of this handbook. 

We’re almost ready to define the standard translation, but before doing so let’s deal with three 
other matters. First, in most branches of logic and mathematics, there is a notion of two structures 
being isomorphic, which can be glossed as “mathematically indistinguishable”. Let’s take this 
opportunity to be precise about what isomorphism means in basic modal logic (we give the 
definition for models and frames with one relation; it generalises straightforwardly to structures 
with multiple relations). 


DEFINITION 1 (Isomorphism). Let M = (W, R, V) and M’ = (W’, R’, V’) be models, and
$f : W \to W'$ a bijection. If for all $w, v \in W$ we have that Rwv if and only if R’f(w)f(v) then
we say that f is an isomorphism between the frames (W, R) and (W’, R’) and that these frames
are isomorphic. If in addition we have, for all proposition symbols p, that $w \in V(p)$ if and only
if $f(w) \in V'(p)$ then we say that f is an isomorphism between the models M and M’ and that
these models are isomorphic.


As this definition makes clear, if models M and M’ are isomorphic, each replicates perfectly
the information in the other. Hence the following result is unsurprising:


PROPOSITION 2. Let f be an isomorphism between models M and M’. Then for all basic
modal formulas $\varphi$, and all points w in M, we have that $M, w \models \varphi$ if and only if $M', f(w) \models \varphi$.


Proof. Immediate by induction on the construction of $\varphi$ (see Lemma 9 for an example of such
a proof.) ∎


Second, we want to point out that it is possible to take a more dynamic perspective on the 
satisfaction definition. In particular, we can think of it as a game. Let’s start with a concrete 
example. Consider the model in Figure 5. 




Figure 5. The formula OO©Ọp is true at 1 and 4, but false at 2 and 3. 


As the reader should check, ©OO©p is true at points 1 and 4, but false at points 2 and 3. Now 
suppose we play the following evaluation game. This game has two players, a Verifier (V) and a 
Falsifier (F), who disagree about the satisfiability of a formula in some model. The two players
react differently to the connectives in the formula: for example, occurrences of disjunction allow 
V to make a choice as to which disjunct to verify, and play continues with the formula chosen; 
negation switches the roles of the two players; and diamonds make V pick a successor of the 
current point, while boxes do the same for F. Moreover, for any proposition symbol p, V wins 
the p-game if p is true at the current state, otherwise F wins. A player also wins the game if the 
other player must make a move for a modality but cannot. 




Figure 6. Initial segment of a game tree. 


So let’s play the game for OO p at 1. Figure 6 shows (an initial segment of) the resulting 
game tree. Note that V can always win. Her most obvious option is to play 3 in response to 
the outermost diamond; this leaves F with no possible response when faced with the task of 
falsifying Op. But V can also safely play 4 on her first move. As the tree shows, irrespective of 
F’s response, V can always reach a winning position. What this example suggests is completely 
general: for any model M, point w, and basic formula $\varphi$, we have that $M, w \models \varphi$ if and only if
V has a winning strategy when the $\varphi$-game is played in M starting at w. Moreover, as we see in
this example, different strategies correspond to different ways of showing that the given formula 
is true. 
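
On finite models the evaluation game can be solved by backward induction over positions. The following Python code is an added example, not taken from the handbook; the tuple encoding of formulas, the function names and the four-point model are constructed here for illustration (the model is not the one drawn in Figure 5).

```python
# Formulas as nested tuples:
#   ("p", name) ("not", f) ("or", f, g) ("and", f, g) ("dia", f) ("box", f)

def other(player):
    return "F" if player == "V" else "V"

def options(model, w, phi):
    """Positions open to the player who must move, plus the role that moves.

    Disjunctions and diamonds are moved by whoever holds the verifying role,
    conjunctions and boxes by whoever holds the falsifying role.
    """
    W, R, V = model
    op = phi[0]
    if op in ("or", "and"):
        nxt = [(w, phi[1]), (w, phi[2])]
    elif op in ("dia", "box"):
        nxt = [(v, phi[1]) for v in sorted(W) if (w, v) in R]
    else:
        raise ValueError(f"no move is made at {op!r}")
    return nxt, ("verifier" if op in ("or", "dia") else "falsifier")

def winner(model, w, phi, verifier="V"):
    """Return the player ("V" or "F") who has a winning strategy.

    `verifier` names the player currently in the verifying role; it starts
    as V and is swapped every time play passes through a negation.
    """
    W, R, V = model
    op = phi[0]
    if op == "p":
        return verifier if w in V.get(phi[1], set()) else other(verifier)
    if op == "not":
        return winner(model, w, phi[1], other(verifier))
    nxt, role = options(model, w, phi)
    mover = verifier if role == "verifier" else other(verifier)
    # The mover wins if some choice leads to a position she wins; a player
    # who must move for a modality but has no successor to pick loses.
    can_win = any(winner(model, v, sub, verifier) == mover for v, sub in nxt)
    return mover if can_win else other(mover)

def winning_moves(model, w, phi, verifier="V"):
    """Successors the player to move at a diamond or box can pick and still win."""
    nxt, role = options(model, w, phi)
    mover = verifier if role == "verifier" else other(verifier)
    return [v for v, sub in nxt if winner(model, v, sub, verifier) == mover]

# Constructed model (W, R, V): point 3 has no successors.
MODEL = ({1, 2, 3, 4},
         {(1, 3), (1, 4), (2, 1), (4, 1), (4, 2)},
         {"p": {1, 2, 4}})
P = ("p", "p")
PHI = ("dia", ("box", ("dia", P)))   # diamond, box, diamond, then p

if __name__ == "__main__":
    for w in sorted(MODEL[0]):
        print(w, "winner:", winner(MODEL, w, PHI))
    print("V's winning first moves at 1:", winning_moves(MODEL, 1, PHI))
```

In this model V has two different winning first moves at point 1: one leaves F stuck at a box with no successor, the other wins whatever F replies.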


Finally, some historical remarks. Where does the relational interpretation of modal logic 
come from? The three authors usually cited as pioneers are Saul Kripke, Jaakko Hintikka, and 
Stig Kanger. Kripke’s contributions are the best known (indeed relational semantics is often 
called Kripke semantics) and Kripke [83, 84] are regarded as landmarks in the development 
of modal semantics. But Hintikka independently developed the idea in his work on logics of 
knowledge and belief (see, for example, his classic monograph “Knowledge and Belief” [66]). 
Furthermore, although his work was not well known at the time, Kanger, in a series of papers 
and monographs published in 1957, introduced relational semantics for modal logic (see, for 
example, Kanger [77, 78]). Indeed, the idea of relational semantics seems to have been in the 
air at around this time, and a number of other logicians (for example Arthur Prior and Richard 
Montague) discussed similar ideas. For a detailed discussion of who did what and when, the 
reader should consult Goldblatt [59]. 


2.2 The standard translation


We now understand what modal languages are, how they can be interpreted in graphs, and why 
this can be an interesting thing to do. What next? Well, if we were following a traditional path, 
we would probably remark that as modal languages are to be used for reasoning, some sort of 
proof system is called for. For example, if we were working in a language with one modality 
(and in which we had chosen to define $\Diamond$ in terms of $\Box$) we might point out that the set of all
modal validities (that is, the minimal modal logic) in the language could be axiomatised by a
Hilbert-style proof system called K. This proof system can be defined in a number of ways; we
might, for example, stipulate that the axioms of K consist of all formulas in the language which
have the form of a propositional tautology (by which we mean not merely tautologies such as
$p \to p$ which contain no modalities, but also formulas such as $\Box p \to \Box p$, which contain
modalities but are truth-functionally tautologous too) and all instances of the following axiom
schema:


$$\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi).$$


There are two rules of proof: modus ponens (if $\vdash \varphi$ and $\vdash \varphi \to \psi$ then $\vdash \psi$) and modal
generalisation (if $\vdash \varphi$ then $\vdash \Box\varphi$); in the definitions of these rules, $\vdash \varphi$ is standard notation that
means “the formula $\varphi$ is provable”. Now, this looks like a standard axiomatisation of first-order
logic with $\Box$ behaving like $\forall$. But K has no analogs of the first-order axioms with tricky side
conditions on freedom and bondage of variables, such as $\forall x \varphi \to [\tau/x]\varphi$, where $\tau$ is a first-order
term. This is no coincidence. As the standard translation given below will make clear, modal
logic is essentially a perspicuous variable-free notation for a fragment of first-order logic.


But proof systems are not our goal. This chapter is concerned with semantic issues, so quite 
different aspects of modal logic call for our attention. To get the ball rolling, let’s return to our 
basic semantic entities (Kripke models) and ask what they actually are. This will provide a point 
of entry to one of the main themes of the chapter: the relationship between modal and classical 
logic. 

So, what is a Kripke model? No mystery here. A Kripke model $(W, \{R^m\}_{m \in \mathrm{MOD}}, V)$ is what
model theorists call a relational structure. That is, we have a domain of quantification W, a
collection of binary relations over this domain, and a collection of unary relations as well (after
all, V(p) is a unary relation for each $p \in \mathrm{PROP}$). But this means that we are not forced to talk
about Kripke models using modal languages: they provide us with everything needed to interpret
classical languages too. For example, to talk about a model $(W, \{R^m\}_{m \in \mathrm{MOD}}, V)$ using first-
order logic we would simply make use of a first-order language with a binary relation symbol
$R^m$ for every $m \in \mathrm{MOD}$, and a unary relation symbol P for every $p \in \mathrm{PROP}$. Modal logicians
have a name for this language: they call it the first-order correspondence language (for the basic 
modal language over PROP and MOD). 

Why “correspondence language”? Because every basic modal formula (in the language over 
PROP and MOD) corresponds to a first-order formula from this language via the standard trans- 
lation: 


$$\begin{aligned}
ST_x(p) &= Px \\
ST_x(\bot) &= \bot \\
ST_x(\neg\varphi) &= \neg ST_x(\varphi) \\
ST_x(\varphi \land \psi) &= ST_x(\varphi) \land ST_x(\psi) \\
ST_x(\langle m \rangle\varphi) &= \exists y (R^m xy \land ST_y(\varphi)) \\
ST_x([m]\varphi) &= \forall y (R^m xy \to ST_y(\varphi)).
\end{aligned}$$

That is, the standard translation maps proposition symbols to unary predicates, commutes
with booleans, and handles boxes and diamonds by explicit first-order quantification over $R^m$-
accessible points. The variable y used in the clauses for diamonds and boxes is chosen to be
any new variable (that is, one that has not been used so far in the translation). We remarked
earlier that diamonds and boxes were essentially a simple macro notation encoding quantification
over accessible states; the standard translation expands these macros. Note that $ST_x(\varphi)$ always
contains exactly one free variable (namely x). This free variable is what allows the internal
perspective, typical of modal logic, to be mirrored in a classical language: assigning a value to 
this variable is analogous to evaluating a modal formula inside a model at a certain point. 

Here’s an example of the translation at work: 


$$\begin{aligned}
ST_x(p \to \Diamond p) &= ST_x(p) \to ST_x(\Diamond p) \\
&= Px \to ST_x(\Diamond p) \\
&= Px \to \exists y (Rxy \land ST_y(p)) \\
&= Px \to \exists y (Rxy \land Py).
\end{aligned}$$


As the reader can easily check, $p \to \Diamond p$ and its standard translation $Px \to \exists y(Rxy \land Py)$ are
equisatisfiable in the following sense: for any model M, and any point w in M, we have that
$M, w \models p \to \Diamond p$ if and only if $M \models Px \to \exists y(Rxy \land Py)[x \leftarrow w]$, where the notation
$[x \leftarrow w]$ means assign w to the free variable x. Unsurprisingly, this relationship is completely
general:


PROPOSITION 3. For any basic modal formula $\varphi$, any model M, and any point w in M, we
have that $M, w \models \varphi$ iff $M \models ST_x(\varphi)[x \leftarrow w]$.


Proof. There is practically nothing to prove. The clauses of the standard translation mirror the 
clauses of the satisfaction definition. Hence the result is immediate by induction on the structure 
of modal formulas. ∎
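
The translation clauses and Proposition 3 can be exercised mechanically on a finite model. The following Python code is an added example, not part of the handbook: it implements modal satisfaction, the standard translation for a single relation R, and first-order evaluation, then compares the two sides point by point. The tuple encoding, the function names and the five-point model (which follows the temporal example only as far as the text describes it: p and q at t4, q at t5, everything else assumed false) are constructed for illustration.

```python
from itertools import count

# Modal formulas over one relation R, as nested tuples:
#   ("p", name) ("bot",) ("not", f) ("and", f, g) ("imp", f, g) ("dia", f) ("box", f)
# Formulas of the first-order correspondence language:
#   ("P", name, var) ("R", var, var) ("bot",) ("not", f) ("and", f, g) ("imp", f, g)
#   ("ex", var, f) ("all", var, f)

def sat(model, w, phi):
    """Modal satisfaction: is phi satisfied at point w of model (W, R, V)?"""
    W, R, V = model
    op = phi[0]
    if op == "p":
        return w in V.get(phi[1], set())
    if op == "bot":
        return False
    if op == "not":
        return not sat(model, w, phi[1])
    if op == "and":
        return sat(model, w, phi[1]) and sat(model, w, phi[2])
    if op == "imp":
        return (not sat(model, w, phi[1])) or sat(model, w, phi[2])
    successors = [v for v in W if (w, v) in R]
    if op == "dia":
        return any(sat(model, v, phi[1]) for v in successors)
    if op == "box":  # vacuously true where there are no successors
        return all(sat(model, v, phi[1]) for v in successors)
    raise ValueError(f"unknown modal operator: {op!r}")

def st(phi, x="x", fresh=None):
    """Standard translation ST_x(phi); every modality introduces a new variable."""
    fresh = count(1) if fresh is None else fresh
    op = phi[0]
    if op == "p":
        return ("P", phi[1], x)
    if op == "bot":
        return ("bot",)
    if op == "not":
        return ("not", st(phi[1], x, fresh))
    if op in ("and", "imp"):
        return (op, st(phi[1], x, fresh), st(phi[2], x, fresh))
    if op not in ("dia", "box"):
        raise ValueError(f"unknown modal operator: {op!r}")
    y = f"y{next(fresh)}"
    body = st(phi[1], y, fresh)
    if op == "dia":
        return ("ex", y, ("and", ("R", x, y), body))
    return ("all", y, ("imp", ("R", x, y), body))

def fo_eval(model, f, g):
    """First-order truth of f in the model under the variable assignment g."""
    W, R, V = model
    op = f[0]
    if op == "P":
        return g[f[2]] in V.get(f[1], set())
    if op == "R":
        return (g[f[1]], g[f[2]]) in R
    if op == "bot":
        return False
    if op == "not":
        return not fo_eval(model, f[1], g)
    if op == "and":
        return fo_eval(model, f[1], g) and fo_eval(model, f[2], g)
    if op == "imp":
        return (not fo_eval(model, f[1], g)) or fo_eval(model, f[2], g)
    if op in ("ex", "all"):
        values = [fo_eval(model, f[2], {**g, f[1]: d}) for d in W]
        return any(values) if op == "ex" else all(values)
    raise ValueError(f"unknown first-order operator: {op!r}")

def show(f):
    """Render a first-order formula in ASCII."""
    op = f[0]
    if op == "P":
        return f"{f[1].upper()}{f[2]}"
    if op == "R":
        return f"R{f[1]}{f[2]}"
    if op == "bot":
        return "false"
    if op == "not":
        return f"~{show(f[1])}"
    if op in ("and", "imp"):
        return f"({show(f[1])} {'&' if op == 'and' else '->'} {show(f[2])})"
    return f"{'exists' if op == 'ex' else 'forall'} {f[1]} {show(f[2])}"

# Constructed model: five points ordered by "earlier than" (a transitive relation).
POINTS = ["t1", "t2", "t3", "t4", "t5"]
MODEL = (POINTS,
         {(a, b) for i, a in enumerate(POINTS) for b in POINTS[i + 1:]},
         {"p": {"t4"}, "q": {"t4", "t5"}})

def agrees(model, phi):
    """Proposition 3 for one formula: both sides coincide at every point."""
    return all(sat(model, w, phi) == fo_eval(model, st(phi), {"x": w})
               for w in model[0])
```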


Thus the standard translation gives us a bridge between modal logic and classical logic. And
we can immediately use this bridge to transfer meta-theoretic results for first-order logic to modal
logic.


PROPOSITION 4. Basic modal logic has the compactness property. That is, if $\Sigma$ is a set of
basic modal formulas, and every finite subset of $\Sigma$ is satisfiable, then $\Sigma$ itself is satisfiable.
Moreover, basic modal logic has the Löwenheim-Skolem property. That is, if a set of basic modal
formulas $\Sigma$ is satisfiable in at least one infinite model, then it is satisfiable in models of every
infinite cardinality.


Proof. We show that basic modal logic has the Löwenheim-Skolem property. Suppose that $\Sigma$
is a set of basic modal formulas that has at least one infinite model. Let $ST_x(\Sigma)$ be the set of
(first-order) formulas obtained by standardly translating all the formulas in $\Sigma$. Now, as $\Sigma$ has
an infinite model, by Proposition 3 so does $ST_x(\Sigma)$. But first-order logic has the Löwenheim-
Skolem property, hence $ST_x(\Sigma)$ has a model of every infinite cardinality. But, again by appeal to
Proposition 3, each of these models satisfies $\Sigma$, so basic modal logic has the Löwenheim-Skolem
property too. The argument showing it has the compactness property is similar. ∎


Another easy consequence of the standard translation is that the set of validities (in basic 
modal languages) is recursively enumerable. For a basic modal formula $\varphi$ is valid iff $ST_x(\varphi)$ is
a first-order validity, and the set of first-order validities is recursively enumerable.

Let’s sum up what we have learned so far. Propositional modal languages are syntactically
simple languages that offer a neat (variable-free) notation for talking about relational structures. 
They talk about relational structures from the inside, using the modal operators to look for infor- 
mation at accessible states. This internal perspective on models, coupled with the simplicity of 
modal syntax, means that propositional modal logic is an attractive tool for certain applications. 
Moreover, viewed as a tool for talking about models, any basic modal language can be regarded 
as a fragment of its corresponding first-order language: the standard translation systematically 
maps modal formulas to first-order formulas (in one free variable) and makes the quantification 
over accessible states explicit. This allows us to quickly establish some basic modal meta-theory 
by appeal to known results for first-order logic. 


3  BISIMULATION AND DEFINABILITY 


With the basics behind us it is time to look deeper. In particular, it is time to start mapping the 
expressive strengths and weaknesses of the basic modal language. Now, the expressive power of 
a language is usually measured in terms of the distinctions it can draw. A language with just the 
two expressions “like” and “dislike” would provide only the roughest possible classification of 
the world, whereas a richer language of assent and dissent would make it possible to draw finer 
distinctions inside the accepted and rejected situations. So what distinctions can modal languages 
draw? In this section we discuss this question at the level of models, and in Section 5 we shall 
reconsider it at the level of frames. In what follows it will often be useful to think in terms of 
pointed models. That is, we shall often present models together with an explicit distinguished 
point to indicate where we are trying to find a difference. 


3.1 Drawing distinctions 


A modal language (and indeed any logical language whose formulas form a set) can distinguish 
between some models (M, s) and (N, t), but not between all such pairs. For example, our basic 
modal language can distinguish the pair of models shown in Figure 7. 




Figure 7. (M, s) and (N, t) are modally distinguishable. 


Here $\Box(\Box\bot \lor \Diamond\Box\bot)$ is a modal formula that distinguishes these models: it is true in M at
s, but false in N at t. But now consider the pair of models shown in Figure 8. Is it possible to
modally distinguish (M, s) from (K, u)? That is, is it possible to find a (basic) modal formula
that is true in M at s, but false in K at u? Note that it is easy to distinguish them if we are


Figure 8. (M, s) and (K, u) are not modally distinguishable.


allowed to use first-order logic: all points in M (including s) are irreflexive, while point u in K
is reflexive, hence the first-order formula Rxx is not satisfiable (under any variable assignment)
in model M, but it is satisfied in K when u is assigned to x. But no matter how ingenious you
are, you will not find any formula in the basic modal language that distinguishes these models at
their designated points. Why is this?


3.2 Bisimulation 


A natural approach to this question is to consider its dual: when should two models be viewed 
as modally identical? For example, given a process interpretation, when would we view two 
transition diagrams as representations of the same process? The models M and K of Figure 8
provide an intuitive example: they seem to stand for the same process when we look at possible
actions and deadlocks (note that at each state the process can enter a deadlock situation; that is,
it can enter a state from which it cannot exit). By contrast, M and N in Figure 7 are different, as
the right hand state in N is not threatened with immediate deadlock. Or consider the epistemic
interpretation: when would we want to say that two graphs represent the same epistemic state? 
For example, we would probably want to identify the two epistemic models shown in Figure 9 at 
their distinguished points s and t. 


Figure 9. Two epistemically equivalent models. 


After all, in essence both models present us with a two way choice: either we are in an epistemic 
situation where p holds and there is an accessible epistemic situation where q holds, or we are 
in an epistemic situation where q holds and there is an accessible epistemic situation where p 
holds. The intuition that both these graphs code the same epistemic state is captured by our 


14 Patrick Blackburn and Johan van Benthem 


modal language: the reader will not find any modal formula that distinguishes them. 

The modal logician’s idea of asking when two distinct structures are modally identical (that is, 
make the same modal formulas true) lies within an older (and broader) tradition of looking for the 
structure preserving morphisms in a given mathematical domain, and letting the corresponding 
theory describe those notions that are invariant for such morphisms. This is the spirit of Klein’s 
Program in geometry, proposed around 1870, and still influential in many fields. Of course, there 
is no unique answer to the question of when two structures are the same. This insight was stated 
forcefully in recent years by President Clinton during the Lewinsky hearings: It all depends on 
what you mean by “is”. Clinton’s Principle for modal logic means that we should first try to stip- 
ulate some notion of structural equivalence for models that is appropriate for modal languages. 
This is the purpose of the following definition (first formulated in van Benthem [128, 131]). We 
state it here for models with one relation R, but the definition generalises straightforwardly to 
models with any number of relations. 


DEFINITION 5 (Bisimulation). A bisimulation between models M = (W, R, V) and M’ =
(W’, R’, V’) is a non-empty binary relation E between their domains (that is, $E \subseteq W \times W'$)
such that whenever wEw’ we have that:


Atomic harmony: w and w’ satisfy the same proposition symbols,

Zig: if Rwv, then there exists a point v’ (in M’) such that vEv’ and R’w’v’, and

Zag: if R’w’v’, then there exists a point v (in M) such that vEv’ and Rwv.


If there is a bisimulation between two models M and N, then we say that M and N are bisimilar.
Moreover, we say that two states are bisimilar if they are related by some bisimulation.


Putting this in words: two states are bisimilar if they make the same atomic information true 
and if, in addition, their transition possibilities match. That is, if a transition to a related state is 
possible in one model, then the bisimulation must deliver a matching transition possibility in the 
other. Atomic harmony, coupled with the matching transitions concept embodied in the zigzag 
clauses, makes bisimulation a natural notion of process equivalence, and indeed bisimulations
were independently discovered in computer science (see Park [100]). 

Returning to the models M, K, and N considered above (and disregarding proposition sym-
bols) it is easy to see that M and K are bisimilar: the dotted lines in Figure 10 indicate the
required bisimulation (note that the indicated bisimulation links the two designated points). Fur-
thermore, it is easy to see that there is no bisimulation that links the designated points of N and
K. Why not? Because a move from t to the right-hand world in N has no matching move in K:
moving downwards from u is no option (end-points never bisimulate with points having succes-
sors) but neither is moving reflexively from u to itself (as one can move from u to a successor
which is an endpoint, but this can’t be done from the right-hand world in N).

Given any modal model M, bisimulations can be used in a number of ways. The so-called
bisimulation contraction makes M as small as possible. To define this, note that it follows from
Definition 5 that any union of bisimulations between two models is itself a bisimulation. There-
fore the union of all bisimulations between two models is a maximal bisimulation between them.
Now form the maximal bisimulation of model M with itself (incidentally, a bisimulation of a
model with itself is called an autobisimulation). Define a quotient of M whose points are the
equivalence classes, and relate the equivalence class |w| to the equivalence class |v| iff |w| and
|v| contain points w’ and v’ such that Rw’v’. The map from points to their equivalence classes is
a bisimulation. For example, the bisimulation shown in Figure 10 between M and K is a bisim-
ulation contraction. Bisimulation contractions are the most compact representation of processes,


Figure 10. (M, s) and (K, u) are bisimilar, (K, u) and (N, t) are not.


at least from a modal standpoint. They remove all the redundancies in the representation — but 
also all aesthetic symmetries. (A butterfly is a redundant object, as one wing contains enough 
information under this perspective.) 
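
For finite models the maximal bisimulation of Definition 5 can be computed as a greatest fixpoint: start from all pairs in atomic harmony and discard pairs that violate zig or zag until nothing changes. The following Python code is an added example, not from the handbook; it also builds the bisimulation contraction as the quotient described above. K is the two-point model as the text describes it (u reflexive, v an endpoint); the finite models M and N are constructed stand-ins with the properties the text attributes to its figures, and all function names are illustrative.

```python
def successors(model, w):
    W, R, V = model
    return [v for v in W if (w, v) in R]

def atoms(model, w):
    """The proposition symbols true at w."""
    return frozenset(p for p, ext in model[2].items() if w in ext)

def maximal_bisimulation(M, N):
    """Union of all bisimulations between finite models M and N.

    The result may be empty, in which case there is no bisimulation at all
    (Definition 5 requires a bisimulation to be non-empty).
    """
    E = {(w, x) for w in M[0] for x in N[0] if atoms(M, w) == atoms(N, x)}
    changed = True
    while changed:
        changed = False
        for (w, x) in list(E):
            zig = all(any((v, y) in E for y in successors(N, x))
                      for v in successors(M, w))
            zag = all(any((v, y) in E for v in successors(M, w))
                      for y in successors(N, x))
            if not (zig and zag):
                E.discard((w, x))
                changed = True
    return E

def bisimilar(M, s, N, t):
    """Are the pointed models (M, s) and (N, t) linked by some bisimulation?"""
    return (s, t) in maximal_bisimulation(M, N)

def contraction(M):
    """Quotient of M under its maximal autobisimulation."""
    W, R, V = M
    E = maximal_bisimulation(M, M)   # an equivalence relation on W
    cls = {w: frozenset(v for v in W if (w, v) in E) for w in W}
    Wq = set(cls.values())
    # |w| is related to |v| iff the classes contain points w', v' with Rw'v'.
    Rq = {(cls[w], cls[v]) for (w, v) in R}
    Vq = {p: {cls[w] for w in ext} for p, ext in V.items()}
    return (Wq, Rq, Vq)

# K as described in the text: u is reflexive and sees the endpoint v.
K = ({"u", "v"}, {("u", "u"), ("u", "v")}, {})
# Constructed irreflexive model: a two-cycle whose points each see an endpoint.
M = ({"s0", "s1", "d0", "d1"},
     {("s0", "s1"), ("s1", "s0"), ("s0", "d0"), ("s1", "d1")}, {})
# Constructed model in which r is not an endpoint and sees no endpoint.
N = ({"t", "l", "r", "m", "e"},
     {("t", "l"), ("t", "r"), ("r", "m"), ("m", "e")}, {})

if __name__ == "__main__":
    print("(M, s0) ~ (K, u):", bisimilar(M, "s0", K, "u"))
    print("(N, t)  ~ (K, u):", bisimilar(N, "t", K, "u"))
    print("contraction of M has", len(contraction(M)[0]), "points")
```

The contraction of the constructed M has two points and two arrows, the same shape as K, even though M itself has no reflexive point.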

Bisimulations can also be used to make bigger models: one important construction which 
does this is called tree unraveling (for a very early paper using this construction, see Dummett 
and Lemmon [34]; for an influential paper that made heavy use of it, see Sahlqvist [111]). 

To unravel a model, take all finite R-sequences of points in M that start at some point w.
These sequences form a tree with one-step extensions of sequences as the tree-successor relation.
Projection from a sequence to its last element is a bisimulation onto the original model M. As
an example, consider the unraveling of the two element model K around its distinguished point
u to the infinite comb-like structure shown in Figure 11 (we use v as the name of the other point
in this model). Reasoning about trees is often easier than reasoning about arbitrary graphs, and


<u> ————— <u,v>

<u,u> ————— <u,u,v>

<u,u,u> ————— <u,u,u,v>


Figure 11. Unraveling K around u.


so this method is of considerable theoretical utility. Moreover, as we shall see in the following
section, tree unraveling is relevant to the decidability of modal logic.

Three other model constructions used in modal logic, namely disjoint unions, generated sub- 
models, and bounded morphisms (or p-morphisms) are also bisimulations. Historically, all three 
constructions were widely used in modal logic more than a decade before the unifying concept of 
bisimulation was introduced (the classic source for these constructions is Segerberg [113], where 
they are heavily used, often in combination, to prove completeness theorems). All three con- 
structions are fundamental tools in many areas of modal logic (for example, when reformulated 
at the level of frames, they are key ingredients in the Goldblatt-Thomason Theorem which we 
discuss in Section 5) so we take this opportunity to define them for models with one accessibility 
relation. These definitions generalise straightforwardly to models of arbitrary signature. 

The simplest construction is forming disjoint unions. If we have a pair of disjoint models
(that is, a pair of models (W, R, V) and (W’, R’, V’) such that W and W’ are disjoint) then their
disjoint union is the model $(W \cup W', R \cup R', V + V')$, where $V + V'$ is the valuation defined
by $(V + V')(p) = V(p) \cup V'(p)$, for all proposition symbols p. That is, forming a disjoint union
of two models means lumping together all the information in the two graphs. What if the graphs
are not disjoint? Then we simply take disjoint isomorphic copies of the two models, and form
the disjoint union of the copies. This lumping together process can be generalised to arbitrarily
many models, which prompts the following definition.


DEFINITION 6 (Disjoint Unions). Given mutually disjoint models $M_i = (W_i, R_i, V_i)$, where
i ranges over the elements of some index set I, we define the disjoint union of these models
to be M = (W, R, V), where $W = \bigcup_{i \in I} W_i$, $R = \bigcup_{i \in I} R_i$, and $V(p) = \bigcup_{i \in I} V_i(p)$ for all
proposition symbols p. To form the disjoint union of a collection of models that are not mutually
disjoint, we first take mutually disjoint isomorphic copies, and then form the disjoint union of
the copies.


It is immediate from this definition that any component model $M_i$ of a disjoint union M is
bisimilar with M: for the bisimulation relation E we simply take the identity relation. Identity
clearly satisfies the atomic harmony and zigzag conditions required of bisimulations.

Disjoint unions build bigger models from (collections of) smaller ones. Generated submodels 
do the reverse. They arise by restricting attention to subgraphs of a given graph that are closed 
under relational transitions. For example, consider the two graphs in Figure 12. It is clear that 




Figure 12. Generating a submodel from s. 


the graph on the right arises by restricting attention to a certain transition-closed subgraph of the 
graph on the left, namely the set of points reachable by taking sequences of transitions from s.
This motivates the following definition. 


DEFINITION 7 (Generated Submodels). Let M = (W, R, V) be a model and let $W' \subseteq W$.
We say that a model M’ = (W’, R’, V’) is the restriction of M to W’ if $R' = R \cap (W' \times W')$
and for all proposition symbols p we have that $V'(p) = V(p) \cap W'$. We say that W’ is R-closed
if for all $u \in W'$, if Ruv then $v \in W'$. Finally, we say that M’ is a generated submodel of M iff
M’ is the restriction of M to an R-closed subset of W.

If M’ = (W’, R’, V’) is a generated submodel of M = (W, R, V), and $S \subseteq W'$ has the
property that every $w' \in W'$ is reachable via a finite sequence of R-transitions from some $s \in S$,
then we say that M’ is the submodel of M generated by S. If S is a singleton set {s}, then we
say that M’ is the submodel of M generated by the point s.


A generated submodel is bisimilar to the model that gave rise to it: as with disjoint unions, 
the identity relation relates the two models in the appropriate way. Incidentally, note that every 
component model of a disjoint union is a generated submodel of the disjoint union. 

Finally we turn to bounded morphisms (or p-morphisms as they are often called). 


DEFINITION 8 (Bounded Morphisms). A bounded morphism between models M = (W, R, V)
and M’ = (W’, R’, V’) is a function f with domain W and range W’ such that:


Atomic harmony: Points in W and their f-images satisfy the same proposition symbols (that
is, $w \in V(p)$ iff $f(w) \in V'(p)$, for all proposition symbols p).

Morphism: if Rwv, then R’f(w)f(v).

Zag: if R’f(w)v’, then there exists a v (in M) such that f(v) = v’ and Rwv.


If f is a bounded morphism from M to M’ and f is surjective, then we say that M’ is a bounded
morphic image of M.


Bounded morphisms are bisimulations: a bounded morphism is simply a bisimulation in 
which the bisimulation relation E is an R-preserving morphism f (note that the only essen- 
tial difference between the two definitions is that the morphism clause replaces the zig clause, 
and clearly morphism implies zig). Historically, it was the definition of bounded morphisms that 
inspired the definition of bisimulations. 

As an example of a bounded morphism between models, consider Figure 13 (again we ignore 
proposition symbols). 


Figure 13. Bounded morphism collapsing the natural numbers to a reflexive point. 


Here we have collapsed the natural numbers in their usual order to a single reflexive point. It 
is clear that this map satisfies both the morphism and zig clauses, so it is indeed a bounded 
morphism. 


3.3 Invariance and definability in first-order logic


Structural invariances preserve certain patterns definable in appropriate languages. Before pur- 
suing the match between bisimulation and modal logic, let us examine the situation in first-order 
logic. The archetypal structural invariance is isomorphism between models. As we saw ear- 
lier (recall Proposition 2) modal formulas are invariant for isomorphism. More generally, it is 
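well known that if $f$ is an isomorphism between $\mathfrak{M}$ and $\mathfrak{N}$, then for each first-order formula
$\varphi(x_1, \ldots, x_k)$, and each matching tuple of objects $(d_1, \ldots, d_k)$ in $\mathfrak{M}$, the following equivalence
holds:


$$\mathfrak{M} \models \varphi[d_1, \ldots, d_k] \quad\text{iff}\quad \mathfrak{N} \models \varphi[f(d_1), \ldots, f(d_k)],$$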


or stated in words: first-order formulas are invariant for isomorphism. 

On special models, the converse also holds. For example, it is a well-known fact that any 
two finite models with the same first-order theory are isomorphic. But no general converse 
holds, as there are many more isomorphism classes of models than complete first-order theories. 
Invariance for isomorphism is even a defining condition for any logic in abstract model theory. 
But no matter how strong the logic, the converse still fails whenever the formulas of a logic form 
a set, as opposed to the proper class of isomorphism types. 

Thus it makes sense to look at invariance conditions for weaker notions of structural equivalence.
For example, a potential isomorphism between two models $\mathfrak{M}$ and $\mathfrak{N}$ is a non-empty set $I$
of finite partial isomorphisms satisfying the back-and-forth extension conditions that, whenever
$f \in I$ and $d \in \mathfrak{M}$, then there is an $e \in \mathfrak{N}$ such that $f \cup \{(d, e)\} \in I$, and vice-versa. Note
that isomorphisms induce potential isomorphisms: simply take $I$ to be the family of all finite
restrictions. The converse is not true. Matching up all finite sequences of rational numbers with
equally long sequences of real numbers (in the same order) is a potential isomorphism between
$\mathbb{Q}$ and $\mathbb{R}$, even though these two structures are not order-isomorphic for cardinality reasons.

It is easy to show that all first-order formulas are invariant for potential isomorphism, but the 
real match is with a stronger language: two models are potentially isomorphic iff they have the 
same complete theory in the infinitary first-order logic $L_{\infty\omega}$. This formalism also gives rise to
much stronger definability results. For example, for each model $\mathfrak{M}$ there is a sentence $\delta_{\mathfrak{M}}$ of
$L_{\infty\omega}$ which holds only in those models $\mathfrak{N}$ which have a potential isomorphism with $\mathfrak{M}$; that is,
models can be defined up to potential isomorphism. Moreover, countable models can even be 
defined (modulo isomorphism) using only countable conjunctions and disjunctions. This is all 
very nice of course, but infinitary logic is a bit outlandish from a practical viewpoint. 

Better matches between structural invariance and first-order definability arise in the more 
fine-grained setting of Ehrenfeucht-Fraïssé comparison games between models $\mathfrak{M}$ and $\mathfrak{N}$ played
between a Spoiler (who looks for differences between the models) and a Duplicator (who looks
for analogies between them). Models $\mathfrak{M}$ and $\mathfrak{N}$ have the same first-order theory up to quantifier
depth $k$ iff the Duplicator has a winning strategy in their comparison game over $k$ rounds. We
won’t give details here, as we will define a modal comparison game of this sort at the end of the 
section. 


3.4 Invariance and definability in modal logic


With these analogies in mind, let us now investigate the modal situation. For a start, modal
formulas are invariant for bisimulation: 


LEMMA 9 (Bisimulation Invariance Lemma). If $E$ is a bisimulation between $\mathfrak{M} = (W, R, V)$
and $\mathfrak{M}' = (W', R', V')$, and $wEw'$, then $w$ and $w'$ satisfy the same basic modal formulas.


Proof. By induction on the construction of modal formulas. The case for proposition symbols
is immediate by atomic harmony. The inductive steps for the boolean connectives are straightforward.
And the inductive step for $\Diamond$ formulas shows exactly what the zigzag clauses were
designed for. For consider the left to right direction. Given $\mathfrak{M}, w \models \Diamond\varphi$ and $wEw'$, we want to
show that $\mathfrak{M}', w' \models \Diamond\varphi$. Now, $\mathfrak{M}, w \models \Diamond\varphi$ means that there is some $v$ in $\mathfrak{M}$ such that $Rwv$
and $\mathfrak{M}, v \models \varphi$. But then (by zig) there must be a point $v'$ in $\mathfrak{M}'$ such that $vEv'$ and $R'w'v'$. By
the induction hypothesis, $\mathfrak{M}', v' \models \varphi$, hence $\mathfrak{M}', w' \models \Diamond\varphi$ as required. The argument for the
right to left direction is essentially the same, using zag in place of zig. □


The result allows us to show failures of bisimulation easily. For example, we have already 
sketched an argument showing that the models $\mathfrak{M}$ and $\mathfrak{N}$ of Figure 10 have no bisimulation
between their designated points, but a quicker proof is now possible: these points cannot be 
bisimilar because there are modal formulas (for example O(0 L V OO L)) which are satisfied 
at one point but not the other. On the other hand, the dotted lines in Figure 10 show that $\mathfrak{M}$ and
$\mathfrak{K}$ are bisimilar; it follows that all points linked by a dotted line in these graphs make exactly the
same modal formulas true. Another typical application of this result is to show the undefinability
of certain structural notions. For example, we can show that irreflexivity is modally undefinable:
no modal formula holds in exactly those points $w$ of models such that $\neg Rww$. To prove this, it
suffices to find two bisimilar points in two models, one of which is reflexive, the other irreflexive.
One such example is the bisimulation between the designated points of $\mathfrak{M}$ and $\mathfrak{K}$ shown in
Figure 10. Another is the bounded morphism of Figure 13 which collapses the natural numbers
to a single reflexive point.
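
The undefinability argument can be replayed mechanically on finite models. The following is an added example, not code from the handbook: it computes the largest bisimulation between two finite models by starting from all pairs in atomic harmony and discarding pairs that violate zig or zag. The triple encoding of models and the sample models (a two-point cycle as a finite irreflexive stand-in, a single reflexive point, a three-point chain) are constructed for illustration.

```python
def successors(R, x):
    """R-successors of x, with R given as a set of (source, target) pairs."""
    return {b for (a, b) in R if a == x}


def largest_bisimulation(M, N):
    """Largest bisimulation between finite models M = (W, R, V) and N = (W', R', V').

    V maps each proposition symbol to the set of points where it is true.
    The result is a set of pairs (w, w'); it is empty if no bisimulation exists.
    """
    (W, R, V), (W2, R2, V2) = M, N
    props = set(V) | set(V2)

    # Atomic harmony: keep only pairs that agree on every proposition symbol.
    E = {
        (w, w2)
        for w in W
        for w2 in W2
        if all((w in V.get(p, ())) == (w2 in V2.get(p, ())) for p in props)
    }

    # Discard pairs violating zig or zag until nothing changes (greatest fixpoint).
    changed = True
    while changed:
        changed = False
        for (w, w2) in list(E):
            zig = all(
                any((v, v2) in E for v2 in successors(R2, w2))
                for v in successors(R, w)
            )
            zag = all(
                any((v, v2) in E for v in successors(R, w))
                for v2 in successors(R2, w2)
            )
            if not (zig and zag):
                E.discard((w, w2))
                changed = True
    return E


def bisimilar(M, w, N, w2):
    """True iff some bisimulation between M and N links w to w2."""
    return (w, w2) in largest_bisimulation(M, N)


# Constructed sample models (no proposition symbols unless stated).
REFLEXIVE_POINT = ({"r"}, {("r", "r")}, {})
TWO_CYCLE = ({"a", "b"}, {("a", "b"), ("b", "a")}, {})   # both points irreflexive
CHAIN = ({0, 1, 2}, {(0, 1), (1, 2)}, {})                # point 2 is a dead end
TWO_CYCLE_P = ({"a", "b"}, {("a", "b"), ("b", "a")}, {"p": {"a"}})
REFLEXIVE_P = ({"r"}, {("r", "r")}, {"p": {"r"}})

if __name__ == "__main__":
    # An irreflexive point bisimilar to a reflexive one: no modal formula
    # can hold at exactly the irreflexive points.
    print(bisimilar(TWO_CYCLE, "a", REFLEXIVE_POINT, "r"))   # True
    # The chain runs into a dead end, so zag eventually fails at every pair.
    print(bisimilar(CHAIN, 0, REFLEXIVE_POINT, "r"))         # False
    # Atomic harmony fails at b, which then breaks zig at a.
    print(bisimilar(TWO_CYCLE_P, "a", REFLEXIVE_P, "r"))     # False
```
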

Another consequence of this result is that the disjoint union, generated submodel, and bounded 
morphism constructions are all satisfaction preserving. More precisely: 


LEMMA 10. Modal satisfaction is invariant under the formation of disjoint unions, generated 
submodels, and bounded morphisms. That is: 


1. If $\mathfrak{M} = (W, R, V)$ is the disjoint union of $\mathfrak{M}_i = (W_i, R_i, V_i)$, for $i$ from some index set $I$,
then for all $w \in W_i$ and all $i \in I$ we have that $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M}_i, w \models \varphi$.


2. If $\mathfrak{M}' = (W', R', V')$ is a generated submodel of $\mathfrak{M} = (W, R, V)$, then for all $w' \in W'$
we have that $\mathfrak{M}, w' \models \varphi$ iff $\mathfrak{M}', w' \models \varphi$.


3. If $\mathfrak{M}' = (W', R', V')$ is a bounded morphic image of $\mathfrak{M} = (W, R, V)$ under the bounded
morphism $f$, then for all $w \in W$ we have that $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M}', f(w) \models \varphi$.


Proof. All three results could be proved by induction on the structure of $\varphi$. But such proofs are
unnecessary: we know that disjoint unions, generated submodels, and bounded morphisms are
all examples of bisimulations, hence these results follow from Lemma 9. □


To sum up the discussion so far, bisimulation implies modal equivalence. But what about the 
converse? For finite models, we have the following. 


PROPOSITION 11. If points $w$ and $w'$ from two finite models $\mathfrak{M}$ and $\mathfrak{M}'$ satisfy the same modal
formulas, then there is a bisimulation $E$ between $\mathfrak{M}$ and $\mathfrak{M}'$ such that $wEw'$.


Proof. Assume we are working with models containing only a single relation $R$. We will
show that the relation of modal equivalence is itself a bisimulation. That is, we will define the
bisimulation relation $E$ by $wEw'$ iff $w$ and $w'$ make the same modal formulas true. We now
verify that $E$ so defined is indeed a bisimulation.

It is immediate that $E$ satisfies atomic harmony. As for zig, assume that $wEw'$ and $Rwv$.
Assume for the sake of contradiction that there is no $v'$ in $\mathfrak{M}'$ such that $R'w'v'$ and $vEv'$. Let
$S' = \{u' \mid R'w'u'\}$. Now, as $w$ has an $R$-successor $v$, we have $\mathfrak{M}, w \models \Diamond\top$. As $wEw'$, we
have $\mathfrak{M}', w' \models \Diamond\top$ too, hence $S'$ is non-empty. Furthermore, as $\mathfrak{M}'$ is finite, $S'$ must be finite
too, so we can write it as $\{u'_1, \ldots, u'_n\}$. By assumption, for every $u'_i \in S'$ there exists a formula
$\psi_i$ such that $\mathfrak{M}, v \models \psi_i$ but $\mathfrak{M}', u'_i \not\models \psi_i$. It follows that


$$\mathfrak{M}, w \models \Diamond(\psi_1 \wedge \cdots \wedge \psi_n) \quad\text{and}\quad \mathfrak{M}', w' \not\models \Diamond(\psi_1 \wedge \cdots \wedge \psi_n),$$


which contradicts our assumption that $wEw'$. Hence $E$ satisfies zig. A symmetric argument
shows that $E$ satisfies zag too, hence it is a bisimulation. □


Thus, on finite models, the expressive power of modal languages matches up exactly with 
bisimulation invariance. This result can be extended to broader model classes, such as models 
with finite branching width for successors (note that the proof just given does not depend on the 
models involved being finite: it would also work for infinite models in which each point has only 
finitely many R-successors) and suitably saturated models in a model-theoretic sense. But no 
general converse can hold, for the set-theoretic reasons mentioned earlier. Indeed, the converse 
does not hold generally even for countable models: not all modally equivalent countable models 
are bisimilar. Consider the two models in Figure 14 (assume that all proposition symbols are true 
at all points in both models). Both models have infinitely many branches leading away from their 
root nodes, but whereas all the branches in the model on the left are of finite length, the model 
on the right has a branch of infinite length. Now, as the reader should check, both models satisfy 
the same modal formulas at their root nodes. However there is no bisimulation that links their 
root nodes; the infinite branch in the model on the right makes it impossible to define one. 




Figure 14. Modally equivalent but not bisimilar. 


This counterexample could be repaired by passing to an infinitary modal language LS „ with 
arbitrary (countable) conjunctions and disjunctions. Infinitary modal equivalence occurs between 
countable models $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ whenever there is a bisimulation linking $s$ to $t$. Furthermore,
every countable model $(\mathfrak{M}, s)$ is defined up to bisimulation by some LS „ formula $\delta_{\mathfrak{M},s}$. Again,
such infinitary languages are somewhat impractical, but there are some useful bisimulation in- 
variant formalisms which lie between the basic modal language and its infinitary extension. Two 
examples are propositional dynamic logic and the modal $\mu$-calculus, which are discussed in
Section 6.

Lemma 9 and its partial converses do not exhaust what needs to be said about the role played 
by bisimulations in modal model theory. But to gain a deeper understanding, we need to bring in 
a third component: the first-order correspondence language that we met in Section 2.2 when we 
introduced the standard translation. 


3.5 Modal logic and first-order logic compared


The basic modal language can be viewed as a sort of miniature version of full first-order logic 
over graph models. The standard translation defined in the previous section shows that each
modal formula $\varphi$ corresponds to a first-order formula $ST_x(\varphi)$ containing a free variable $x$. But
the converse does not hold: some first-order formulas in the correspondence language are not
modally definable. We have already seen an example. As the bisimulation between models $\mathfrak{M}$ and
$\mathfrak{K}$ shows (recall Figure 10) no modal formula defines $\neg Rxx$. Thus, viewed as a tool for talking
about models, modal logic is strictly less expressive than the full first-order correspondence 
language. And this prompts a further question: given that a modal language is essentially a 
fragment of the corresponding first-order language, exactly which fragment is it? This question 
has an elegant answer. First, a preliminary definition. 


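DEFINITION 12. A first-order formula $\varphi(x)$ is invariant for bisimulation if for all models $\mathfrak{M}$
and $\mathfrak{M}'$, and all points $w$ in $\mathfrak{M}$ and $w'$ in $\mathfrak{M}'$, and all bisimulations $E$ between $\mathfrak{M}$ and $\mathfrak{M}'$ such
that $wEw'$, we have that $\mathfrak{M} \models \varphi[x \leftarrow w]$ iff $\mathfrak{M}' \models \varphi[x \leftarrow w']$.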


We can now state the main result: basic modal languages correspond to the fragment of their 
first-order correspondence language that is invariant for bisimulation. More precisely: 


THEOREM 13 (Modal Characterisation Theorem). The following are equivalent for all first-order
formulas $\varphi(x)$ in one free variable $x$:


1. $\varphi(x)$ is invariant for bisimulation.


2. $\varphi(x)$ is equivalent to the standard translation of a basic modal formula.


Proof. That clause 2 implies 1 is a more or less immediate consequence of Lemma 9. The
hard direction is showing that clause 1 implies 2. The original proof can be found in van Benthem
[128, 131]. Two other proofs are given in Chapter 5 of this handbook. One is quite close to
van Benthem’s original approach, the other is based on games. □


Nowadays many different proofs are known for this result, and for various extensions and 
variants. For example, Rosen [109] showed that the result holds over finite models; this is far 
from obvious, as the restriction to finite models means that many standard results of first-order 
model theory (such as the Compactness Theorem) cannot be applied. And Otto [99] showed that 
the modal equivalent guaranteed to exist by the previous theorem can be restricted to a formula 
of modal operator depth $2^k$, where $k$ is the quantifier depth of $\varphi(x)$.

Basic modal logic and first-order logic are analogous in many ways. As we mentioned in 
Section 2, via the standard translation modal logic immediately inherits basic meta-theoretic 
properties of its more powerful neighbour, such as the Compactness and Löwenheim-Skolem
Theorems. But not all such transfer is automatic. Consider, for example, the Craig Interpolation
property:


If $\varphi \models \psi$ then there exists a formula $\theta$ whose vocabulary is included in that of both
$\varphi$ and $\psi$ such that $\varphi \models \theta$ and $\theta \models \psi$.


Does the same result hold for basic modal formulas $\varphi$ and $\psi$ such that $\varphi \models \psi$? Appealing
to the result for first-order logic gives us a first-order formula $\theta$ such that $ST_x(\varphi) \models \theta$ and
$\theta \models ST_x(\psi)$. But what guarantees that this interpolant is modally definable? Interpolation does
in fact hold for the basic modal language (for a detailed account, see Chapter 8 of this handbook),
but additional work is needed to prove this. Nonetheless, interpolation does mesh well with the
above preservation results; here is an improvement on the Modal Characterisation Theorem. We
say that a first-order formula $\varphi$ implies $\psi$ along bisimulation if the following implication holds:
if $E$ is a bisimulation between $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$, and $\mathfrak{M}, s \models \varphi$, then $\mathfrak{N}, t \models \psi$.


THEOREM 14 (Modal Characterisation-Interpolation Theorem). The following are equivalent
for all first-order formulas $\varphi(x)$:


1. $\varphi(x)$ implies $\psi(x)$ along bisimulation.


2. There is a modally definable $\theta$ in the common vocabulary of $\varphi$ and $\psi$ such that $\varphi \models \theta$ and
$\theta \models \psi$.


Proof. The proof can be found in Barwise and van Benthem [11]. Note that the Modal Characterisation
Theorem follows by taking $\psi(x)$ equal to $\varphi(x)$. This result does not imply ordinary
modal interpolation as it stands: additional work is again needed. □


Behind the above observations is the fact that the cheaply transferred properties are universal 
in some sense, whereas the universal-existential property of interpolation requires honest work. 
Even so, there is an intuition (based on decades of positive experience with transferring results) 
that modal logic and first-order logic share all general meta-properties except decidability. No 
proofs of significant formulations of this idea have been found so far, but we can point to some 
broad analogies regarding methods. Generally speaking, bisimulation plays the same role for 
modal logic that potential isomorphism does for first-order logic. This can even be made precise 
in the following sense. To each first-order model $\mathfrak{M}$ we can associate a modal model whose
points are the variable assignments into $\mathfrak{M}$, and whose accessibility relations are changes from
one assignment $g$ to another $g(x := d)$ that resets the value for the variable $x$ to the object $d \in \mathfrak{M}$.
Then two models $\mathfrak{M}$ and $\mathfrak{N}$ have a potential isomorphism between them iff their associated modal
models are bisimilar; see van Benthem [136] for details.

We conclude this discussion with two general results that allow us to switch between modal 
and first-order relations between models. In essence, both results have the form of a commutative 
diagram. 


LEMMA 15 (First Lifting Lemma). The following are equivalent for all models $(\mathfrak{M}, s)$ and
$(\mathfrak{N}, t)$:


1. $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ are modally equivalent.


2. $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ have elementary extensions to models $(\mathfrak{M}^*, s)$ and $(\mathfrak{N}^*, t)$ which are
bisimilar.


LEMMA 16 (Second Lifting Lemma). The following are equivalent for all models $(\mathfrak{M}, s)$ and
$(\mathfrak{N}, t)$:


1. $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ are modally equivalent.


2. $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ are bisimilar to models $(\mathfrak{M}^+, s)$ and $(\mathfrak{N}^+, t)$ which are elementarily
equivalent.


Proof. The first lifting lemma was originally proved in van Benthem [128]. It is the key item in
(some proofs of) the Characterisation Theorem (the $*$-models are suitably saturated elementary
extensions which allow the Characterisation Theorem to be proved rather straightforwardly). The
second lifting lemma (see van Benthem [134] for the original result, and Andréka, van Benthem,
and Németi [5] for full proof details) involves judicious tree unraveling of the two models, duplicating
sub-trees to create uniformity, coupled with an Ehrenfeucht-Fraïssé argument to establish
elementary equivalence. □


3.6 Bisimulation as a game 


Bisimulation can naturally be thought of as a form of process equivalence, but a more dynamic 
perspective is also possible. We have already seen that the modal satisfaction definition can be 
recast in the form of a game (recall Figure 6) but the task of determining whether two models 
are bisimilar can also be viewed in this way. Consider a game between Spoiler (the difference 
player) and Duplicator (the similarity player) comparing successive pairs in two pointed models 
$(\mathfrak{M}, w)$ and $(\mathfrak{N}, w')$:


If w and w' do not agree on atomic information, Spoiler wins the game in zero 
rounds. In subsequent rounds, Spoiler chooses a state in one model which is a suc- 
cessor of the current w or w', and Duplicator responds with a matching successor in 
the other model. If the chosen points differ in their atomic properties, Spoiler wins. 
If one player cannot move, the other wins. Duplicator wins on infinite runs on which 
Spoiler does not win. 


This game captures the zigzag behaviour of bisimulations in an obvious sense. It is also
determined: one of the two players has a winning strategy. (This is because it is an open
Gale-Stewart game in the sense of game theory.) For example, returning yet again to the models $\mathfrak{M}$, $\mathfrak{N}$
and $\mathfrak{K}$ considered at the start of this section, we see that Duplicator has a winning strategy in the
comparison game for the models $\mathfrak{M}$ and $\mathfrak{K}$ starting from their matched designated points, while
Spoiler has one for $\mathfrak{M}$ and $\mathfrak{N}$. The following result clarifies the role of these games precisely:


LEMMA 17 (Adequacy of Modal Comparison Games). 


1. There is an explicit correspondence between Spoiler’s winning strategies in a $k$-round
comparison game between $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ and modal formulas of modal operator depth
$k$ on which $s$ and $t$ disagree.


2. There is an explicit correspondence between Duplicator’s winning strategies over an
infinite-round comparison game between $(\mathfrak{M}, s)$ and $(\mathfrak{N}, t)$ and the set of all bisimulations
between $\mathfrak{M}$ and $\mathfrak{N}$ that link the points $s$ and $t$.


Proof. This result is essentially a fine-grained restatement of Lemma 9 from a game-theoretic
perspective. See Chapter 5 of this handbook for more on game-based approaches to bisimulation. □


For example, in the game between the models $\mathfrak{M}$ and $\mathfrak{K}$ given earlier, Duplicator wins by
choosing responses that stick to the bisimulation links. And in the game between $\mathfrak{M}$ and $\mathfrak{N}$,
Spoiler can win in at most three rounds by using the earlier modal difference formula 0(0 1 
vV © L) of modal operator depth three. In each round he can make sure that some modal 
difference remains at the current match, with the modal operator depth descending each time. 


24 Patrick Blackburn and Johan van Benthem 


4 COMPUTATION AND COMPLEXITY 


We view modal logic as a tool for representing and reasoning about graphs. Our discussion of 
expressivity has given us some insight into the representational capabilities of modal logic (at 
least at the level of models) but what about reasoning? 

In this section we discuss modal reasoning from a computational perspective. We concentrate 
on the model checking task and the satisfiability and validity problems, but also make some 
remarks about the global satisfiability and the model comparison tasks. As we shall see, the 
complexity of the modal version of these tasks is lower than that of their first-order counterparts. 

Before going further, two general remarks. First, although we are about to study reasoning, 
we are not about to embark on the study of modal proof systems (apart from anything else, the 
standard proof systems are only relevant to satisfiability and validity checking, and there is more 
to modal reasoning than this). Secondly, although we are ostensibly moving on from expressivity 
issues to computational issues, the two topics are intertwined. In essence, the positive computa- 
tional results reported here arise from negative expressivity results (for example, the inability of 
the basic modal language to force the existence of infinite models). 


4.1 Model checking 


The model checking task can be formulated locally: 


Given a (finite) model $\mathfrak{M}$, a point $w$ in $\mathfrak{M}$, and a basic modal formula $\varphi$, is $\varphi$
satisfied in $\mathfrak{M}$ at $w$?


Or globally:


Given a (finite) model $\mathfrak{M}$, and a basic modal formula $\varphi$, is $\varphi$ satisfied at all points
in $\mathfrak{M}$?


Or in a form that subsumes both the local and global perspectives:


Given a (finite) model $\mathfrak{M}$, and a basic modal formula $\varphi$, return the set of points in
$\mathfrak{M}$ that satisfy $\varphi$.


In what follows we shall work with the last formulation, which is probably the most common 
way of thinking about model checking in practice. 

Now, model checking is clearly a task with computational content — but is it really a reason- 
ing task? In our view, yes. In essence, a model is a ‘flat’ store of information: it consists of a 
collection of entities, together with a specification of which entities have which properties, and 
which entities are related by which atomic relations. A modal formula, on the other hand, is a 
recursively constructed tree. The embedding of connectives and modalities within one another 
permits relatively short formulas to make interesting assertions, assertions that go way beyond 
the mere listing of atomic facts. If we add to these differences the practical observation that in 
typical applications the formula will be much smaller than the model, we see that model checking 
is about synchronising two very different forms of information: it tells us whether the abstract in- 
formation embodied in the formula is implicitly present in the model, and gives us a set of points 
where this implicit information emerges. Viewed this way, model checking is a quintessential 
reasoning task. 

Moreover, model checking has turned out to be of great practical importance — indeed, one 
of the more salutary lessons computer science has taught logic is just how important this mod- 
est looking form of reasoning actually is. Nowadays the practical importance of modal model 
checking dwarfs that of determining modal satisfiability or validity (the tasks logicians have
traditionally viewed as paramount) as a wide range of practical tasks can be modeled in a
computationally natural manner, and efficiently solved, via model checking. A classic example is
putationally natural manner, and efficiently solved, via model checking. A classic example is 
hardware verification. Even though a computer chip is a concrete object, it gives rise to a nat- 
ural abstract model, namely the set of all states the chip can be in, and the transitions between 
them. If a chip is to work satisfactorily, its computational runs (that is, the sequences of states 
it can follow by making transitions from the initial state) should possess a number of high-level 
‘emergent’ properties: for example, these runs should not enter deadlock situations. If we have a 
modal language that can express the desired properties (for example, absence of deadlock) then 
by checking the formula in the model representing the chip we can determine whether the design 
is satisfactory or not. 

So how should we perform model checking? The standard approach is to use a bottom-up 
labeling algorithm. To model check a formula $\varphi$ we label every point in the model with all the
subformulas of $\varphi$ that are true at that point. We start with the proposition symbols: the valuation
tells us where these are true, so we label all the appropriate points. We then label with more
complex formulas. The booleans are handled in the obvious way: for example, we label $w$ with
$\psi \wedge \theta$ if $w$ is labeled with both $\psi$ and $\theta$. As for the modalities, we label $w$ with $\Diamond\varphi$ if one of
its $R$-successors is labeled with $\varphi$, and we label it with $\Box\varphi$ if all of its $R$-successors are labeled
with $\varphi$. A precise definition of the algorithm for checking diamond formulas is given in the
pseudo-code of Figure 15.


procedure Check(φ)
    T := {v | φ ∈ label(v)} ;
    while T ≠ ∅ do
        choose v ∈ T ;
        T := T \ {v} ;
        for all w such that Rwv do
            if ◇φ ∉ label(w) then
                label(w) := label(w) ∪ {◇φ} ;
            end if ;
        end for all ;
    end while ;
end procedure


Figure 15. Model checking $\Diamond\varphi$.


The beauty of this algorithm is that we never need to duplicate work: once a point is labeled 
as making $\varphi$ true, that’s it. This makes the algorithm run in time polynomial in the size of the
input formula and model: the algorithm takes time of the order of


$$\mathit{con}(\varphi) \times \mathit{nodes}(\mathfrak{M}) \times \mathit{nodes}(\mathfrak{M}),$$


where $\mathit{con}(\varphi)$ is the number of connectives in $\varphi$, and $\mathit{nodes}(\mathfrak{M})$ is the number of nodes in $\mathfrak{M}$.
To see this, note that $\mathit{con}(\varphi)$ tells us how many rounds of labeling we need to perform, one of
the $\mathit{nodes}(\mathfrak{M})$ factors is simply the upper bound on the nodes that need to be labeled, while the
other is the upper bound on the number of successor nodes that need to be checked.

Thus modal model checking is a computationally tractable task, but this is not the case for 
first-order logic. In fact, model checking first-order formulas is a PSPACE-complete task (see 
Chandra and Merlin [22]). That is, although it is possible to write an algorithm that solves the
first-order model checking task using an amount of computer memory that is only polynomial 
in the size of the input model and formula, the algorithm may require running time that is ex- 
ponential in the size of the input. The problem, of course, lies with the quantifiers. Assuming 
that the standard assumptions made in complexity theory are correct, there is no way of adapting 
the labeling algorithm (or indeed, any other algorithm) to perform first-order model checking in 
polynomial time. 

However the labeling algorithm sketched above does adapt to more powerful modal languages,
and this is important. As we said above, when model checking we want to state interesting
high-level properties of the situation we are modeling, and often the ordinary $\Box$ and $\Diamond$ modalities
simply aren’t expressive enough. In model checking applications, it is usual to work with
tree-like models, namely trees of computational runs. On such models $\Diamond$ is interpreted as “at some
immediate successor state”. This is natural, to be sure, but somewhat limited. However, by
adding the binary Until modality, we gain access to entire sequences of successor states:


$\mathfrak{M}, s \models U(\psi, \theta)$ iff there is a $t$ such that $sR^*t$ and $\mathfrak{M}, t \models \psi$,
and for all $u$ such that $sR^*u$ and $uR^+t$ we have $\mathfrak{M}, u \models \theta$.


Here $R^*$ is the reflexive transitive closure of the “immediate successor” transition relation $R$
explored by $\Diamond$, and $R^+$ is its transitive closure. Thus Until gives us a direct handle on the
computational runs that can be followed in the model, and this clearly places interesting expressive
power at our disposal. Nowadays the Until modality is a fundamental component of some of the 
most important model checking formalisms — formalisms such as LTL (Linear Time Temporal 
Logic) and CTL (Computational Tree Logic). For an introduction to these logics, see Chapter 11 
of this handbook, or Clarke, Grumberg and Peled [25]. 

We shall examine the Until operator and the extra expressivity it offers more closely in Sec- 
tion 6.3. Here we simply want to address the following question: how do we extend the labeling 
algorithm to handle formulas of the form $U(\psi, \theta)$? Here’s the basic idea. First, if any point $w$ is
labeled with $\psi$, label $w$ with $U(\psi, \theta)$. Second, if any point $v$ is labeled with $\theta$ and at least one
$R$-successor of $v$ is labeled with $U(\psi, \theta)$, then label $v$ with $U(\psi, \theta)$. It should be clear that these
two steps reflect the semantics for Until just given; the pseudo-code given in Figure 16 shows 
how to make the basic idea precise. 

Now for an important point. Throughout the previous discussion we have tacitly assumed 
that we have some way of representing formulas and finite models that is suitable for compu- 
tational implementation. It is probably not worth sketching details of how this might be done: 
nowadays it seems safe to assume that most readers of a technical book on logic have at least 
a nodding acquaintance with programming (indeed, we suspect that most of our readers would 
find it straightforward to devise a computational syntax for models and modal languages, and to 
implement simple programs for working with them). 

Nonetheless, such issues cannot be taken lightly. A major factor in the spectacular progress of
model checking has been the development of Binary Decision Diagrams (BDDs) and Ordered
Binary Decision Diagrams (OBDDs). BDDs (which are compact representations of boolean
expressions) were introduced by Lee [88] and Akers [3], and OBDDs (a more sophisticated form
of BDD with fewer representational redundancies) were introduced by Bryant [17]. BDDs were
first proposed for model checking by Burch, Clarke, McMillan, Dill, and Hwang [18] and as
the title of this paper indicates (“Symbolic model checking: $10^{20}$ states and beyond”) this led
to a dramatic increase in the size of the models that could be handled. It is important not to
underestimate the gap between the labeling algorithm sketched above, and what it takes to make
a working model checker handle a large model. Crossing this gap requires a combination of
theoretical insight and computational expertise, and an entire research community is devoted to
exploring the issues involved.


procedure CheckU(ψ, θ)
    T := {v | ψ ∈ label(v)} ;
    for all v ∈ T do
        label(v) := label(v) ∪ {U(ψ, θ)} ;
    end for all ;
    while T ≠ ∅ do
        choose v ∈ T ;
        T := T \ {v} ;
        for all w such that Rwv do
            if U(ψ, θ) ∉ label(w) and θ ∈ label(w) then
                label(w) := label(w) ∪ {U(ψ, θ)} ;
                T := T ∪ {w} ;
            end if ;
        end for all ;
    end while ;
end procedure


Figure 16. Model checking $U(\psi, \theta)$.
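
The bottom-up labeling algorithm of Figures 15 and 16 as runnable code, added here as an example and not taken from the handbook. It returns the set of points satisfying a formula; the tuple encoding of formulas, the function names, and the small controller model with a deadlock state are constructed for illustration.

```python
from collections import defaultdict

# Formula encoding (an assumption of this example): nested tuples
#   ("atom", "p")  ("true",)  ("false",)  ("not", f)  ("and", f, g)  ("or", f, g)
#   ("dia", f)  ("box", f)  ("until", psi, theta)   for U(psi, theta)


def subformulas(formula):
    """Subformulas in bottom-up order: every argument precedes the formula using it."""
    ordered = []

    def walk(f):
        for arg in f[1:]:
            if isinstance(arg, tuple):
                walk(arg)
        if f not in ordered:
            ordered.append(f)

    walk(formula)
    return ordered


def check(W, R, V, formula):
    """Return the set of points of the finite model (W, R, V) that satisfy formula."""
    succs, preds = defaultdict(set), defaultdict(set)
    for u, v in R:
        succs[u].add(v)
        preds[v].add(u)

    sat = {}  # subformula -> set of points labeled with it
    for f in subformulas(formula):
        op = f[0]
        if op == "atom":
            sat[f] = set(V.get(f[1], ())) & W
        elif op == "true":
            sat[f] = set(W)
        elif op == "false":
            sat[f] = set()
        elif op == "not":
            sat[f] = W - sat[f[1]]
        elif op == "and":
            sat[f] = sat[f[1]] & sat[f[2]]
        elif op == "or":
            sat[f] = sat[f[1]] | sat[f[2]]
        elif op == "dia":
            # Figure 15: take each point labeled phi, label its R-predecessors.
            todo, labeled = set(sat[f[1]]), set()
            while todo:
                v = todo.pop()
                labeled |= preds[v]
            sat[f] = labeled
        elif op == "box":
            # All R-successors labeled phi (vacuously true at dead ends).
            sat[f] = {w for w in W if succs[w] <= sat[f[1]]}
        elif op == "until":
            # Figure 16: start from psi-points, propagate backwards through
            # theta-points. On tree-like models this matches the Until clause.
            psi, theta = sat[f[1]], sat[f[2]]
            labeled, todo = set(psi), set(psi)
            while todo:
                v = todo.pop()
                for w in preds[v]:
                    if w not in labeled and w in theta:
                        labeled.add(w)
                        todo.add(w)
            sat[f] = labeled
        else:
            raise ValueError(f"unknown operator: {op!r}")
    return sat[formula]


def holds_everywhere(W, R, V, formula):
    """Global model checking: is the formula satisfied at all points?"""
    return check(W, R, V, formula) == W


# Constructed sample model: a request/grant controller with one deadlock state.
STATES = {"idle", "req", "grant", "busy", "stuck", "halt"}
STEP = {("idle", "req"), ("req", "grant"), ("grant", "busy"), ("busy", "idle"),
        ("req", "stuck"), ("busy", "halt"), ("halt", "halt")}
VAL = {"waiting": {"req"}, "granted": {"grant"}}

DEADLOCK = ("box", ("false",))                      # no successor at all
REACH_DEADLOCK = ("until", DEADLOCK, ("true",))     # some run leads to deadlock

if __name__ == "__main__":
    print(sorted(check(STATES, STEP, VAL, DEADLOCK)))
    print(sorted(check(STATES, STEP, VAL, ("dia", DEADLOCK))))
    print(sorted(check(STATES, STEP, VAL, REACH_DEADLOCK)))
    print(holds_everywhere(STATES, STEP, VAL, ("not", REACH_DEADLOCK)))
```
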

For a good textbook level introduction to model checking, see Huth and Ryan [72]. This 
book not only introduces the basic algorithms, it also shows how they can be implemented with 
the aid of OBDDs. Moreover, it discusses model checking for the modal $\mu$-calculus (which we 
introduce in Section 6.7). For a more advanced treatment, see Clarke, Grumberg and Peled [25]. 
Finally, for an account of model checking via automata-theoretic methods, see Chapter 17 of this 
handbook. 


4.2  Satisfiability and validity: decidability 


It is often said that modal logic is decidable. This can be read as shorthand for the following 
claim: the validity problem for the basic modal language (given a basic modal formula $\varphi$, is $\varphi$ 
valid?) is decidable. That is, it is possible (ignoring constraints of time and space) to write a 
computer program which takes a basic modal formula as input, and halts after a finite number of 
steps and correctly tells us whether it is valid or not. 

The decidability of modal logic can also be viewed as a claim that the satisfiability problem 
for the basic modal language (given a basic modal formula $\varphi$, is $\varphi$ satisfiable in some model?) 
is decidable. That is, it is possible (again, ignoring constraints of time and space) to write a 
computer program which takes a basic modal formula as input, and halts after a finite number 
of steps and correctly tells us whether it is satisfiable in some model or not. The validity and 
satisfiability problems are dual problems: a modal formula $\varphi$ is valid iff $\neg\varphi$ is not satisfiable, 
hence if we have a method for solving one problem, we have a method for solving the other. In 
what follows we show that both problems are decidable; we’ll talk in terms of satisfiability. 

A lot is known about the decidability of satisfiability problems for various logics, so it is not 
too difficult to establish modal decidability: we can do so by reducing the problem to known 
results for other logics. Here’s an easy example. The satisfiability problem for the two variable 
fragment of first-order logic (that is, the fragment of first-order logic in which every formula 
contains only two variables) is decidable. Now, every basic modal formula can be translated into 
a formula in the two-variable fragment. To see this we need simply make a small adjustment to 
the standard translation $ST_x$. Whenever we translate a $\Diamond$ or a $\Box$, instead of choosing a completely 
new variable to quantify over accessible points, we use a second fixed variable (say y). If we later 
encounter another $\Diamond$ or $\Box$, we flip back to the original variable x, and so on. More precisely, we 
redefine $ST_x$ so it always uses y to quantify over accessible points, and define a twin translation 
$ST_y$ which always quantifies using x. Here are the key clauses: 


$$\begin{array}{ll}
ST_x(\Diamond\varphi) = \exists y\,(Rxy \wedge ST_y(\varphi)) & ST_y(\Diamond\varphi) = \exists x\,(Ryx \wedge ST_x(\varphi)) \\
ST_x(\Box\varphi) = \forall y\,(Rxy \to ST_y(\varphi)) & ST_y(\Box\varphi) = \forall x\,(Ryx \to ST_x(\varphi)).
\end{array}$$


The interleaving of $ST_x$ and $ST_y$ guarantees that for any basic modal formula $\varphi$, $ST_x(\varphi)$ will 
contain only the two variables x and y, and it should be clear that the modified translation is 
equivalent to the original one. It follows that the satisfiability problem for the basic modal 
language must be decidable: to test a modal formula for satisfiability, simply translate it with this 
new version of the standard translation, and then apply the satisfiability algorithm for the 
two-variable fragment to the output. 

It is pleasant that modal decidability can be established so easily, but the proof isn’t particu- 
larly instructive. The following semantic argument is somewhat more revealing. We shall show 
that the basic modal language has the finite model property, or to put it another way, that it does 
not have the expressive strength required to force the existence of infinite models. Needless to 
say, this is in sharp contrast with first-order logic: even such a simple first-order formula as 


$$\forall x\,\neg Rxx \wedge \forall xyz\,(Rxy \wedge Ryz \to Rxz) \wedge \forall x \exists y\,Rxy$$


has only infinite models. In fact, the basic modal language has a rather strong form of the finite 
model property. We shall show the following: 


THEOREM 18 (Strong Finite Model Property). Let $\varphi$ be a basic modal formula. If $\varphi$ is 
satisfiable, then it is satisfiable on a finite model containing at most $2^{s(\varphi)}$ points, where $s(\varphi)$ is 
the number of subformulas of $\varphi$. 


The decidability of the modal satisfiability problem follows immediately from this result. If a 
modal formula $\varphi$ is satisfiable at all, it is satisfiable on a model containing at most $2^{s(\varphi)}$ points. 
As there are (up to isomorphism) only finitely many such models, exhaustive (and exhausting!) 
search through them all will settle the issue of $\varphi$’s satisfiability. 

Just as important as the result is the method we shall use to prove it: filtrations. These are 
a standard item in the modal logician’s toolkit, and have been used to prove completeness and 
decidability results for many different modal systems. The basic idea underlying the method is 
simplicity itself: given a modal formula $\varphi$ and a model $\mathfrak{M}$ that satisfies it, we make a finite model 
$\mathfrak{M}^f$ by collapsing to a single point all the points within $\mathfrak{M}$ that satisfy the same subformulas of 
$\varphi$. But there is a tricky issue: how should we define the relation on the collapsed points in such 
a way that $\varphi$ remains true in the finite model? Let’s work through the details and see. 

We shall say that a set of basic modal formulas $\Sigma$ is subformula closed if every subformula of 
every formula in $\Sigma$ is a member of $\Sigma$ (that is, if $\varphi \wedge \psi \in \Sigma$ then so are $\varphi$ and $\psi$, and if $\neg\varphi \in \Sigma$ 
then so is $\varphi$; and if $\Diamond\varphi \in \Sigma$, then so is $\varphi$, and so on). We now define: 

DEFINITION 19 (Filtrations). Let $\mathfrak{M} = (W, R, V)$ be a model, let $\Sigma$ be a subformula closed 
set of formulas, and let $\leftrightsquigarrow_\Sigma$ be the equivalence relation on the states of $\mathfrak{M}$ defined as follows: 


$$w \leftrightsquigarrow_\Sigma v \text{ iff for all } \varphi \text{ in } \Sigma: (\mathfrak{M}, w \models \varphi \text{ iff } \mathfrak{M}, v \models \varphi).$$


The official notation for the equivalence class of a point w of $\mathfrak{M}$ with respect to $\leftrightsquigarrow_\Sigma$ is $|w|_\Sigma$, 
but in what follows we’ll usually assume that $\Sigma$ is clear from context and simply write $|w|$. 


Let $W_\Sigma = \{|w|_\Sigma \mid w \in W\}$. Suppose $\mathfrak{M}^f_\Sigma$ is any model $(W^f, R^f, V^f)$ such that: 

1. $W^f = W_\Sigma$. 

2. If Rwv then $R^f|w||v|$. 

3. If $R^f|w||v|$ then for all $\Diamond\varphi \in \Sigma$, if $\mathfrak{M}, v \models \varphi$ then $\mathfrak{M}, w \models \Diamond\varphi$. 

4. $V^f(p) = \{|w| \mid \mathfrak{M}, w \models p\}$, for all proposition symbols p in $\Sigma$. 


Then $\mathfrak{M}^f_\Sigma$ is called a filtration of $\mathfrak{M}$ through $\Sigma$. In what follows we’ll drop the subscripts and 
write $\mathfrak{M}^f$ instead of $\mathfrak{M}^f_\Sigma$. 


Two points should be made about this definition. First, observe that if $\mathfrak{M}^f$ is a filtration of $\mathfrak{M}$ through 
a subformula closed set of formulas $\Sigma$, then $\mathfrak{M}^f$ contains at most $2^{|\Sigma|}$ nodes, where $|\Sigma|$ is the 
cardinality of $\Sigma$. This should be clear: after all, the points of $\mathfrak{M}^f$ simply are the equivalence 
classes in $W_\Sigma$, and there cannot be more than $2^{|\Sigma|}$ of these. Second, the previous definition does 
not specify an accessibility relation on $W_\Sigma$ — it only imposes constraints (namely clauses 2 
and 3) on the properties a suitable accessibility relation $R^f$ should have. That the constraints 
imposed are sensible is shown by the following result: 


THEOREM 20 (Filtration Theorem). Let $\mathfrak{M}^f$ ($= (W_\Sigma, R^f, V^f)$) be a filtration of $\mathfrak{M}$ through 
a subformula closed set of basic modal formulas $\Sigma$. Then for all formulas $\varphi \in \Sigma$, and all nodes 
w in $\mathfrak{M}$, we have $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M}^f, |w| \models \varphi$. 


Proof. By induction on the structure of formulas. The case for proposition symbols is immediate 
from the definition of $V^f$, and because $\Sigma$ is closed under subformulas, the inductive step for the 
boolean connectives is clear. 

So suppose $\Diamond\varphi \in \Sigma$ and $\mathfrak{M}, w \models \Diamond\varphi$. Then there is a v such that Rwv and $\mathfrak{M}, v \models \varphi$. As 
$\mathfrak{M}^f$ is a filtration, by the first constraint on $R^f$ (clause 2 of the previous definition) we have that 
$R^f|w||v|$. As $\Sigma$ is subformula closed, $\varphi \in \Sigma$, hence by the inductive hypothesis $\mathfrak{M}^f, |v| \models \varphi$. 
Hence $\mathfrak{M}^f, |w| \models \Diamond\varphi$. 

Conversely, suppose $\Diamond\varphi \in \Sigma$ and $\mathfrak{M}^f, |w| \models \Diamond\varphi$. Then there is a state $|v|$ in $\mathfrak{M}^f$ such that 
$R^f|w||v|$ and $\mathfrak{M}^f, |v| \models \varphi$. As $\varphi \in \Sigma$, by the inductive hypothesis $\mathfrak{M}, v \models \varphi$. Making use of 
the second constraint on $R^f$ (clause 3 of the previous definition) yields $\mathfrak{M}, w \models \Diamond\varphi$. ∎ 


It only remains to verify that relations satisfying the constraints demanded of $R^f$ actually exist. 
They do. Define: 


1. $R^s|w||v|$ iff $\exists w' \in |w|\ \exists v' \in |v|\ Rw'v'$. 


2. $R^l|w||v|$ iff for all formulas $\Diamond\varphi$ in $\Sigma$: $\mathfrak{M}, v \models \varphi$ implies $\mathfrak{M}, w \models \Diamond\varphi$. 

It is straightforward to show that both relations satisfy the required constraints. Actually, you can 
show a little more: if $R^f$ is any relation satisfying the above constraints then $R^s \subseteq R^f \subseteq R^l$. 
For this reason, $R^s$ and $R^l$ are said to give rise to the smallest and largest filtrations respectively. 
So we have proved Theorem 18: the basic modal language indeed has the strong finite model 
property. As we argued above, this in turn establishes the decidability of the basic modal satis- 
fiability problem. Now, as is well known, the satisfiability problem for full first-order logic is 
undecidable. First-order logic is the classic example of a language where expressivity has been 
purchased at the expense of decidability. The basic modal language reverses this trade-off. 
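The filtration construction above, carried out on a small finite model. This is an added example, not code from the handbook: the tuple encoding of formulas, the function names and the 12-point cycle model are assumptions. It builds both the smallest and the largest filtration and checks the Filtration Theorem point by point.

```python
from itertools import product


def subformulas(f):
    """Subformula closure. Atoms are strings; compounds are ('not', g),
    ('and', g, h) or ('dia', g)."""
    out = {f}
    if not isinstance(f, str):
        for g in f[1:]:
            out |= subformulas(g)
    return out


def holds(model, w, f):
    """Truth of f at point w of model = (W, R, V)."""
    W, R, V = model
    if isinstance(f, str):
        return w in V.get(f, set())
    if f[0] == "not":
        return not holds(model, w, f[1])
    if f[0] == "and":
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if f[0] == "dia":
        return any(holds(model, v, f[1]) for (u, v) in R if u == w)
    raise ValueError(f"unknown connective in {f!r}")


def filtrate(model, sigma, largest=False):
    """Filtration of model through the subformula closed set sigma.

    The class |w| is represented by the frozenset of sigma-formulas true at w.
    Returns ((Wf, Rf, Vf), cls) with cls mapping each w to |w|.
    """
    W, R, V = model
    cls = {w: frozenset(f for f in sigma if holds(model, w, f)) for w in W}
    Wf = set(cls.values())
    if largest:
        # R^l: whenever Dia g is in sigma and g holds at v, Dia g holds at w.
        dias = [f for f in sigma if not isinstance(f, str) and f[0] == "dia"]
        Rf = {(a, b) for a, b in product(Wf, repeat=2)
              if all(d in a for d in dias if d[1] in b)}
    else:
        # R^s: some member of |w| sees some member of |v|.
        Rf = {(cls[w], cls[v]) for (w, v) in R}
    Vf = {p: {a for a in Wf if p in a} for p in sigma if isinstance(p, str)}
    return (Wf, Rf, Vf), cls


def filtration_theorem_holds(model, sigma, largest=False):
    """Check M, w |= f  iff  M^f, |w| |= f for every f in sigma and w in W."""
    mf, cls = filtrate(model, sigma, largest)
    return all(holds(model, w, f) == holds(mf, cls[w], f)
               for w in model[0] for f in sigma)


def cycle_model(n=12):
    """Constructed model: an n-cycle with p true at the even points."""
    W = set(range(n))
    R = {(i, (i + 1) % n) for i in W}
    return W, R, {"p": {i for i in W if i % 2 == 0}}


PHI = ("and", ("dia", "p"), ("not", "p"))   # Dia p and not p

if __name__ == "__main__":
    sigma = subformulas(PHI)
    (Wf, Rs, _), _ = filtrate(cycle_model(), sigma)
    (_, Rl, _), _ = filtrate(cycle_model(), sigma, largest=True)
    print(len(Wf), "classes;", len(Rs), "pairs in R^s;", len(Rl), "pairs in R^l")
    print(filtration_theorem_holds(cycle_model(), sigma),
          filtration_theorem_holds(cycle_model(), sigma, largest=True))
```

On this model the twelve points collapse to two classes, and the largest filtration adds one pair (odd class to itself) that the smallest one lacks.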


4.3 Satisfiability and validity: complexity 


What do the decidability proofs just given tell us about the computational complexity of the 
modal satisfiability problem? Only that it can be solved in NEXPTIME (that is, non-deterministic 
exponential time). This is clear from the filtration proof: to see if $\varphi$ is satisfiable, we can 
non-deterministically choose a model containing at most $2^{s(\varphi)}$ points, and then check whether or not 
it satisfies $\varphi$. As we have seen from our discussion of model checking, the checking takes time 
polynomial in the size of the model; however as the model is exponential in the size of the input 
formula $\varphi$, this is a complex task. The reduction to the satisfiability problem for the two-variable 
fragment yields the same upper bound, as this problem is NEXPTIME-complete. 

But the satisfiability problem for basic modal logic is PSPACE-complete. That is, given a 
modal formula $\varphi$, it is possible to write an algorithm to determine whether or not $\varphi$ is 
satisfiable that uses an amount of computer memory that is only polynomial in the size of $\varphi$. Now, 
most complexity theorists believe that PSPACE-complete problems are harder than the satisfi- 
ability problem for classical propositional logic (the classic NP-complete problem) but easier 
than EXPTIME-complete problems, which in turn are believed to be easier than NEXPTIME- 
complete problems. So, given standard complexity-theoretic assumptions, the modal satisfiabil- 
ity problem is probably easier than our earlier decidability proofs suggest. 

How do we design a PSPACE algorithm for modal satisfiability? We cannot give a detailed 
answer here, but we can point to an expressive weakness of modal logic which should make it 
plausible that PSPACE algorithms for modal satisfiability exist. 


LEMMA 21. Let $\mathfrak{M} = (W, R, V)$ be a model, let $w \in W$, let n be a natural number, let $S_{n,w}$ 
be the subset of W containing w and all points in W reachable from w by making at most n 
R-transitions, and let $\mathfrak{N}$ be the submodel $(S_{n,w}, R|_S, V|_S)$, where $R|_S$ and $V|_S$ are the restrictions 
of R and V respectively to $S_{n,w}$. Then, for all basic modal formulas $\varphi$ such that $md(\varphi) \le n$, we 
have that $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{N}, w \models \varphi$. 


That is, if we take a model $\mathfrak{M}$, and extract a submodel $\mathfrak{N}$ from it by throwing away all points 
that are more than n steps away from w, then no formula with modal operator depth of at most 
n can distinguish the two models at w. Modal formulas have shallow vision. And if we combine 
this lemma with what we have already learned about finite models and bisimulations, we obtain 
the following: 


THEOREM 22. Every formula $\varphi$ in the basic modal language is satisfiable in a model based on 
a finite tree of depth at most $md(\varphi)$. 


Proof. As modal logic has the finite model property, if a modal formula is satisfiable, it is 
satisfiable on a finite model $\mathfrak{M}$ at some point w. As we remarked in the previous section, it is 
always possible to unravel a model into an equivalent tree-based model. Now, if we unravel $\mathfrak{M}$ 
about w, we don’t necessarily obtain a finite model, but (as W is finite) we do obtain a model 
based on a tree with a finite branch factor, and this model satisfies $\varphi$ at its root. If we then 
chop off all points more than $md(\varphi)$ away from the root we obtain a finite model which (by the 
previous lemma) satisfies $\varphi$ at its root. ∎ 


So every modal formula is satisfiable on a shallow tree, and we are now in a position to 
appreciate how PSPACE algorithms for modal satisfiability work. In essence, they construct 
shallow trees branch by branch. If a branch is successfully constructed (something which takes 
only space polynomial in the size of the input formula, as the length of the branch is bounded 
by $md(\varphi)$) the branch is discarded (thus freeing up the memory) and the next branch is then 
constructed. There may be many branches, so it may take exponential time to construct them 
all, but as all branches are discarded once they are constructed, such an algorithm uses only 
polynomial space. This sketch has neglected some important issues (such algorithms require 
space for recording book-keeping details, and we need to ensure that the space used for this is 
not excessive) but it does describe, in broad terms, how many modal satisfiability algorithms 
(notably those based on tableaux or games) work. 
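A tableau-style sketch of the branch-by-branch idea just described, for the basic modal language over all models. This is an added example, not an algorithm given in the handbook; the tuple encoding of formulas and all function names are assumptions. Each diamond opens one branch, the branch is explored recursively, and only its depth is kept before the next one is started.

```python
def nnf(f, neg=False):
    """Negation normal form. Atoms are strings; compounds are ('not', g),
    ('and', g, h), ('or', g, h), ('dia', g) or ('box', g)."""
    if isinstance(f, str):
        return ("not", f) if neg else f
    op = f[0]
    if op == "not":
        return nnf(f[1], not neg)
    if op in ("and", "or"):
        dual = {"and": "or", "or": "and"}[op]
        return (dual if neg else op, nnf(f[1], neg), nnf(f[2], neg))
    if op in ("dia", "box"):
        dual = {"dia": "box", "box": "dia"}[op]
        return (dual if neg else op, nnf(f[1], neg))
    raise ValueError(f"unknown connective in {f!r}")


def is_op(f, op):
    return isinstance(f, tuple) and f[0] == op


def sat_set(gamma):
    """Depth of a tree model satisfying every NNF formula in gamma at its
    root, or None if no model exists."""
    gamma = frozenset(gamma)
    for f in gamma:
        if is_op(f, "and"):
            return sat_set((gamma - {f}) | {f[1], f[2]})
        if is_op(f, "or"):
            rest = gamma - {f}
            left = sat_set(rest | {f[1]})
            return left if left is not None else sat_set(rest | {f[2]})
    # Only literals, diamonds and boxes remain: look for a clash p, not p.
    if any(("not", f) in gamma for f in gamma if isinstance(f, str)):
        return None
    boxed = {f[1] for f in gamma if is_op(f, "box")}
    depth = 0
    for f in gamma:
        if is_op(f, "dia"):
            # Build one branch, keep only its depth, then forget it.
            below = sat_set(boxed | {f[1]})
            if below is None:
                return None
            depth = max(depth, below + 1)
    return depth


def modal_depth(f):
    if isinstance(f, str):
        return 0
    inner = max(modal_depth(g) for g in f[1:])
    return inner + 1 if f[0] in ("dia", "box") else inner


def satisfiable(f):
    return sat_set({nnf(f)}) is not None


def valid(f):
    """Validity via the duality: f is valid iff its negation is unsatisfiable."""
    return not satisfiable(("not", f))


def implies(a, b):
    return ("or", ("not", a), b)


if __name__ == "__main__":
    k_axiom = implies(("box", implies("p", "q")),
                      implies(("box", "p"), ("box", "q")))
    four = implies(("dia", ("dia", "p")), ("dia", "p"))
    print(valid(k_axiom), valid(four))
```

The recursion never goes deeper than the modal depth of the input in modal steps, which is the shallow-tree bound of Theorem 22.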

But we should issue a word of warning: it’s not always so easy. Yes, matters are relatively 
straightforward here, but that is because we have been working with the basic modal language 
over the class of all models. If we impose restrictions on the class of models we are working 
with (as we shall do in Section 5) or work with richer modal languages (as we shall do in Sec- 
tion 6), or both, we can easily find ourselves faced with undecidable, or even highly undecidable, 
satisfiability and validity problems. 


4.4 Other reasoning tasks 


We have discussed the big three (model checking, and satisfiability and validity checking) but 
this by no means exhausts the reasoning tasks of interest. To conclude this section, let’s briefly 
consider two others. 

Although we have stressed the locality of modal logic, some problems demand a global per- 
spective. In particular, if we view a modal formula as a general background constraint, we will 
typically want it to be globally satisfied: that is, we will be interested in models $\mathfrak{M}$ such that 
$\mathfrak{M} \models \varphi$. The importance of the global satisfiability problem has been strongly emphasised by 
the description logic community. Indeed, description logic builds into its architecture the idea 
of a Terminological Box (or TBox), a collection of formulas that encode background knowledge 
about some domain (for example, that all men are mortal, that all Martians own flying saucers, or 
that each employee has a social security number). Description logicians are interested in models 
in which the TBox is globally satisfied, for these are the models that reflect all the background 
assumptions. 

Once the importance of background constraints is realised, it becomes clear that it is not 
the pure global satisfiability task itself that is of primary interest. Rather, it is the local-global 
satisfiability task: given formulas $\varphi$ and $\psi$, is there a model which locally satisfies $\varphi$ and globally 
satisfies $\psi$? That is, is it possible to satisfy $\varphi$ subject to the global constraint $\psi$? 

Here’s an example. Suppose we’re working in a zoological setting, and are interested in the 
interaction of maternal love and professional responsibility on the feeding of our furry ursine 
brethren. To put it another way, suppose we have the following TBox: 


$$\begin{array}{ll}
\mathit{bear} \vee \mathit{human} & \mathit{bear} \to \langle\mathrm{MOTHER}\rangle\,\mathit{bear} \\
\mathit{bear} \to \neg\mathit{human} & \mathit{bear} \to [\mathrm{FEDBY}](\mathit{zoo\text{-}keeper} \vee \mathit{mother})
\end{array}$$

Let’s call this TBox BEAR-CARE. The sort of queries we might be interested in posing are: is 
it possible to globally satisfy BEAR-CARE and, simultaneously, to locally satisfy 


$$\langle\mathrm{MOTHER}\rangle(\mathit{bear} \wedge \mathit{human})?$$


(No, it’s not.) And is it possible to globally satisfy BEAR-CARE and simultaneously to locally 
satisfy 

$$\langle\mathrm{FEDBY}\rangle(\neg\mathit{human} \wedge \neg\mathit{mother})?$$


(Yes, it is: BEAR-CARE doesn’t rule out having bears as zoo-keepers. This may well be a bug in 
the TBox.) 

Local-global satisfiability problems are also natural in the setting of parsing problems. It is 
possible to encode various kinds of grammars (such as regular grammars or context-free gram- 
mars) as modal formulas (see Chapter 19 of this handbook for a discussion of such approaches). 
Then, given a string of symbols, the parsing problem is to decide whether it is possible to find 
a model which embodies all the constraints encoded in the grammar, and which simultaneously 
satisfies the formula encoding the input string. That is, we would like to globally satisfy the 
modal formula GRAMMAR and simultaneously locally satisfy INPUT-STRING. 

Unsurprisingly, both the global, and the local-global satisfiability tasks are tougher than the 
ordinary satisfiability problem: 


THEOREM 23. The global satisfiability and the local-global satisfiability tasks for basic modal 
languages are both EXPTIME-complete. 


Proof. The stated result is an immediate consequence of Hemaspaandra’s [118, 65] complexity 
results for the universal modality (we introduce the universal modality in Section 6.1). But the 
result holds for even stronger languages; see De Giacomo and Lenzerini [28] for related results 
for more expressive description logics. ∎ 


EXPTIME-complete problems are decidable but provably intractable: they contain problem in- 
stances that will require time exponential in the size of the input to solve (which can mean that 
they require more time than the expected lifetime of the universe). This, however, is a worst- 
case scenario. One of the most important recent developments in computational logic has come 
from the description logic community, who have shown it is possible to specify and implement 
tableaux-based algorithms for such problems that are remarkably efficient in practice. Moreover, 
interesting work exists on performing modal theorem proving via (non-standard) translations into 
first-order logic, so that optimised first-order resolution provers can be applied to the task. For a 
detailed discussion and comparison of these methods, see Chapter 4 of this handbook, and for a 
deeper examination of the complexity of modal logic, see Chapter 3. 

We conclude with a remark on the model comparison task. As bisimulation is the modally 
fundamental notion of graph equivalence, it is natural to wonder how difficult it is to determine 
when two models are bisimilar. The corresponding problem for first-order logic (namely, testing 
for graph isomorphism) is thought to be difficult: there is no known polynomial algorithm for 
testing for graph isomorphism, though the problem has not been shown to be NP-complete either. 
In fact, the problem of identifying isomorphic graphs is sometimes regarded as giving rise to a 
special complexity class of its own. 

Testing for bisimulation, however, turns out to be computationally tractable, and there are 
elegant polynomial algorithms which work by discarding pairs of points that cannot make it into 
any bisimulation (see Dovier, Piazza and Policriti [33]). Again an expressivity result lies 
behind this result: the maximal bisimulation between two models $\mathfrak{M}$ and $\mathfrak{N}$ is explicitly definable 
in a first-order fixed-point language over the disjoint union $\mathfrak{M} \uplus \mathfrak{N}$ of the two models. Such 
languages have been studied extensively in computer science, and they are known to have good 
computational behaviour. 
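The pair-discarding idea in its simplest form: start from all pairs that agree on proposition symbols and repeatedly delete pairs that fail the back-and-forth conditions. This is an added example, not the algorithm of Dovier, Piazza and Policriti and not code from the handbook; the function names and the three small models are constructed for illustration.

```python
def max_bisimulation(m1, m2):
    """Largest bisimulation between finite models m1 and m2.

    Each model is (W, R, V): a set of points, a set of (w, v) transitions
    and a dict mapping proposition symbols to sets of points.
    """
    (W1, R1, V1), (W2, R2, V2) = m1, m2
    atoms = set(V1) | set(V2)
    succ1 = {w: {v for (u, v) in R1 if u == w} for w in W1}
    succ2 = {w: {v for (u, v) in R2 if u == w} for w in W2}

    def same_atoms(w, v):
        return all((w in V1.get(p, ())) == (v in V2.get(p, ())) for p in atoms)

    # Start with every pair that agrees on all proposition symbols.
    Z = {(w, v) for w in W1 for v in W2 if same_atoms(w, v)}
    changed = True
    while changed:
        changed = False
        for (w, v) in list(Z):
            # Forth: every move from w is matched by a move from v.
            forth = all(any((w2, v2) in Z for v2 in succ2[v]) for w2 in succ1[w])
            # Back: every move from v is matched by a move from w.
            back = all(any((w2, v2) in Z for w2 in succ1[w]) for v2 in succ2[v])
            if not (forth and back):
                # A pair that fails against the current Z fails against every
                # subset of it, so it cannot belong to any bisimulation.
                Z.discard((w, v))
                changed = True
    return Z


def bisimilar(m1, w, m2, v):
    return (w, v) in max_bisimulation(m1, m2)


# Constructed models: a reflexive point, a 2-cycle and a 2-point chain,
# with p true everywhere.
LOOP = ({"a"}, {("a", "a")}, {"p": {"a"}})
CYCLE = ({"b0", "b1"}, {("b0", "b1"), ("b1", "b0")}, {"p": {"b0", "b1"}})
CHAIN = ({"c0", "c1"}, {("c0", "c1")}, {"p": {"c0", "c1"}})

if __name__ == "__main__":
    print(sorted(max_bisimulation(LOOP, CYCLE)))   # every pair survives
    print(sorted(max_bisimulation(LOOP, CHAIN)))   # nothing survives
```

Each pass over Z is polynomial and each pass removes at least one pair or stops, so the whole computation is polynomial in the sizes of the two models.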

Let us summarise our discussion. For a number of tasks, the basic modal language (interpreted 
over the class of all models) is computationally better behaved than the corresponding first-order 
language (interpreted over the same models). Figure 17 summarises the relevant facts (PTIME is 
short for Polynomial Time). Of course, this better computational behaviour comes about because 
the basic modal language is not nearly as expressive as first-order logic. Thus the pressing 
questions are: what are the trade-offs? And can this better computational behaviour be lifted to 
more expressive modal logics, and (if so) how? We shall revisit these questions in the following 
two sections. 


      | Model Checking   | Satisfiability   | Model Comparison 
FOL   | PSPACE-complete  | Undecidable      | in NP 
ML    | PTIME            | PSPACE-complete  | PTIME 


Figure 17. First-order logic and modal logic: computational properties summarised. 


5 RICHER LOGICS 


Until now, we have deliberately said rather little about modal logics and what they are. Instead we 
have acted as if there was only one modal logic of any interest, namely the set of valid formulas 
(that is, the set of formulas satisfied at all points in all models) or, to put it syntactically, the set of 
formulas generated by the minimal proof system K (which we defined at the start of Section 2.2). 
But traditional presentations of modal logic tend to emphasise the multiplicity of modal logics, 
and devote a great deal of attention to logics richer than K, logics with such names as T, K4, S4, 
S5, GL, and Grz. Where do richer modal logics come from? 

As a first approximation (we’ll shortly see why it’s only an approximation) we might say that 
richer logics emerge at the level of frames, via the concept of frame validity. Let $\varphi(p_1, \ldots, p_n)$ be 
a basic modal formula built out of the proposition symbols $p_1, \ldots, p_n$. We say that $\varphi(p_1, \ldots, p_n)$ 
is valid on a frame $\mathfrak{F} = (W, R)$ at a point w if, for each valuation V for its proposition symbols 
$p_1, \ldots, p_n$, we have that $\varphi$ is satisfied in the resulting model at w; in such a case we write $\mathfrak{F}, w \models \varphi$. 
We say $\varphi$ is valid on $\mathfrak{F}$ if it is valid at each point in $\mathfrak{F}$, and we write this as $\mathfrak{F} \models \varphi$. Moreover, 
we say that a modal formula is valid on a class of frames F if it is valid on each frame $\mathfrak{F}$ in F. 
Note that a valid formula (as defined in Section 2.1) is simply a formula that is valid on the class 
of all frames. 

The starting point for this section is the observation that different applications of modal logic 
typically validate different modal axioms, axioms over and above those to be found in the mini- 
mal system K. For example, if we view our models as flows of time, it is natural to assume that 
the accessibility relation is transitive, and (as the reader should check) any instance of the schema 
$\Diamond\Diamond\varphi \to \Diamond\varphi$ is valid on the class of transitive frames (for example, the formula $\Diamond\Diamond p \to \Diamond p$ is 
valid on such frames, and $\Diamond\Diamond(p \vee q) \to \Diamond(p \vee q)$ is too). However no instance of this schema 
(which for historical reasons is called 4) is provable in K, so if we want a logic for working with 
temporal flows we should add all its instances as extra axioms, and doing so yields the logic 
known as K4. Or suppose we are modeling situations where the frame relation has to be treated 
as a partial function. As the reader should check, all instances of the schema $\Diamond\varphi \to \Box\varphi$ are valid 
on the class of such frames, and none of them can be proved in K, so once again we should add 
them as extra axioms. Doing so yields the logic called $\mathrm{KAlt}_1$. 

We begin this section by briefly discussing such axiomatic extensions of K a little further. But 
our real interest is not the richer logics that arise by adding extra axioms (for an introduction to 
this topic, see Chapter 2 of this handbook) rather it centres on the following semantic questions: 
what can modal formulas say about frames, and how do they say it? As we shall see, there 
is a fundamental expressivity distinction between the level of models and the level of frames: 
whereas modal logic at the level of models is the bisimulation invariant fragment of first-order 
logic, at the level of frames it is a fragment of second-order logic. 


5.1 Axioms and relational frame properties 


One of the most attractive features of modal logic is the illumination provided by the fact that 
modal axioms reflect properties of accessibility relations. A typical modal completeness theorem 
reads like this: 


THEOREM 24. A formula is provable in S4 iff it is true in all models based on frames whose 
accessibility relation is transitive and reflexive. 


Proof. See Chapter 2 of this handbook (or indeed, virtually any introduction to modal logic). ∎ 


That is, the theorems of S4 are true in all graphs with a transitive and reflexive relation, 
while its non-theorems have some transitive and reflexive counter-model; the additional axioms 
reflect simple visualisable geometric conditions in the semantics. There are many techniques 
for proving such completeness results, ranging from simple inspection of the canonical model 
constructed from all complete theories in the logic (this fundamental technique is introduced in 
Chapter 2 of this handbook) to various types of model surgery (such as filtration, unraveling, and 
taking bounded morphic images). Moreover, the motivations for proving modal completeness 
theorems may differ. Sometimes we start with an independently interesting proof system and try 
to find a useful corresponding class of frames. The classic example of this is the proof system 
GL, that is K enriched with all instances of the Löb axiom schema $\Box(\Box\varphi \to \varphi) \to \Box\varphi$, which 
arose via the study of arithmetical provability (see Chapters 2 and 16 of this handbook for further 
discussion of GL) and was later proved complete with respect to the class of finite trees (where 
the binary relation interpreting the modalities is the transitive closure of the one-step daughter- 
of tree relation). Sometimes, however, we might start with a natural model class — say an 
interesting space-time structure — and try to axiomatise its modal validities. The literature is 
replete with both variants. 

Nowadays a lot is known about axiomatic extensions of K. For a start, it turns out that there 
are uncountably many such normal modal logics, as they are often called. It is usual to identify 
a normal modal logic with the set of formulas it generates, and we say that a modal logic is 
consistent if it does not contain all formulas. This identification immediately induces a lattice 
structure on the set of all such logics. The cartography of this landscape is an object of study in 
its own right; here we shall only mention that, because of the following result, it contains two 
major highways. 


THEOREM 25. Let Id be the normal modal logic generated by K enriched with all instances of 
the axiom schema $\varphi \leftrightarrow \Box\varphi$, and let Un be the normal modal logic generated by K enriched with 
the axiom $\Box\bot$. Every consistent normal modal logic is a subset of either Id or Un. 

Proof. See Makinson [92] for the original (algebraic) proof. After we have introduced generated 
submodels and bounded morphisms for frames we will be able to sketch the semantic ideas that 
underlie this result, and we shall do this shortly. ∎ 


Now, as the reader should check, every instance of $\varphi \leftrightarrow \Box\varphi$ is valid on frames which consist 
of a collection of isolated reflexive points, and $\Box\bot$ is valid on frames consisting of a collection 
of isolated irreflexive points. Moreover, using standard techniques it is easy to show that Un 
is complete with respect to the first frame class, and Id with respect to the second. Thus the 
semantic content of Theorem 25 is that every normal modal logic is contained in the logic of one 
of these frame classes; for example, S4 lies on the first road, and GL on the second. 

But the most important fact to have emerged about normal modal logics is that not all of 
them have frame-based characterisations. In fact, frame completeness results (such as the result 
for S4 noted above) are the exception rather than the rule. Thus our earlier remark that richer 
logics emerged at the level of frames via the concept of frame validity was very much a first 
approximation: the notion of frame validity simply does not provide an adequate semantic basis 
for studying all normal modal logics. Here is a concrete example of a frame incompleteness 
result: 


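THEOREM 26. Let TMEQ be the normal modal logic obtained by enriching K with all 
instances of the following schemas: $\varphi \to \Diamond\varphi$ (T), $\Box\Diamond\varphi \to \Diamond\Box\varphi$ (M), $\Diamond(\Diamond\varphi \wedge \Box\psi) \to 
\Box(\Diamond\varphi \vee \Box\psi)$ (E), and $(\Diamond\varphi \wedge \Box(\varphi \to \Box\varphi)) \to \varphi$ (Q). There is no class of frames that 
validates precisely the formulas in TMEQ. 


Proof. See van Benthem [129]. ∎ 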


Such incompleteness results (which were first proved in the early 1970s by Thomason [125] and 
Fine [43]) were important in the development of modal logic. For a start, they forced modal 
logicians to examine alternative ways of semantically characterising normal modal logics, and 
this led to a renaissance in algebraic semantics of modal logic (see Chapter 6 of this handbook 
for more on this topic). But they also had another effect, one more relevant to the present chapter: 
they stimulated a wave of semantic research at the level of frames. This new wave of research 
was centred around the notion of frame definability, the topic to which we now turn. 


5.2 Frame definability and undefinability 


Before getting to work, a brief remark. There is another way of thinking about axiomatic exten- 
sions of K. Instead of viewing them as giving rise to brand new modal logics, we can simply view 
them as theories constructed over the minimal logic K in much the same way as a first-order the- 
ory (of say, linear orders) is constructed over the set of first-order validities. Nothing of substance 
hangs on this shift of perspective, but it fits more naturally with our focus on expressivity. 

So, bearing this in mind, let’s pose the first question: what can modal formulas say about 
frames? A natural way to approach this is to introduce the concept of frame definability. We 
shall say that a modal formula $\varphi$ defines a class of frames F iff it is valid on precisely the frames 
in F. That is, not only must $\varphi$ be valid on every frame in F, it must also be possible to falsify $\varphi$ 
on any frame that is not in F. So, what classes of frames can modal languages define? Here are 
some simple examples: 


PROPOSITION 27. 


1. $\Diamond\Diamond p \to \Diamond p$ defines the class of transitive frames; that is, frames such that $\forall xyz(Rxy \wedge 
Ryz \to Rxz)$. 

2. $\Diamond p \to \Box p$ defines the class of frames where the frame relation R is a partial function; that 
is, frames such that $\forall xyz(Rxy \wedge Rxz \to y = z)$. 


3. $p \leftrightarrow \Box p$ defines the class of frames which consist of isolated reflexive points; that is, 
frames such that $\forall xy(Rxy \leftrightarrow x = y)$. 


4. $\Box\bot$ defines the class of frames which consist of isolated irreflexive points; that is, frames 
such that $\forall xy\,\neg Rxy$. 


Proof. We have already asked the reader to check that these formulas are valid on the class of 
frames in question. So to complete the proofs of these definability claims we need merely check 
that each formula can be falsified on any frame that does not belong to the relevant class. 

Let’s deal with the second example. Suppose (W, R) is a frame where R is not a partial 
function. This means that there is a point w € W that has two distinct R-successors, say u and 
v. It follows that we can falsify $\Diamond p \to \Box p$ on (W, R) at w. For let V be the valuation that makes 
p true at u and nowhere else. Then $(W, R, V), w \models \Diamond p$ but $(W, R, V), w \not\models \Box p$, since p is not 
true at v. So we have falsified $\Diamond p \to \Box p$ on (W, R) as required. ∎ 
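A finite sanity check of the four definability claims, computing extensions of formulas as sets of points: it enumerates every frame on three points and every valuation of p, and compares frame validity with the first-order condition. This is an added example, not code from the handbook and not a proof (it only covers frames with three points); all names are assumptions, and the last function reproduces the falsifying valuation used in the proof above.

```python
from itertools import combinations, product


def subsets(items):
    items = list(items)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def make_ops(W, R):
    """Dia and box as operations on sets of points of the frame (W, R)."""
    succ = {w: {v for (u, v) in R if u == w} for w in W}
    dia = lambda S: frozenset(w for w in W if succ[w] & S)
    box = lambda S: frozenset(w for w in W if succ[w] <= S)
    return dia, box


def implies(W, a, b):
    return (W - a) | b


def valid_on_frame(W, R, formula):
    """Frame validity: true at every point under every valuation of p."""
    dia, box = make_ops(W, R)
    return all(formula(W, dia, box, P) == W for P in subsets(W))


# name -> (extension of the modal formula, first-order frame condition)
CASES = {
    "transitive": (
        lambda W, dia, box, P: implies(W, dia(dia(P)), dia(P)),
        lambda W, R: all((x, z) in R for (x, y) in R for (u, z) in R if u == y),
    ),
    "partial function": (
        lambda W, dia, box, P: implies(W, dia(P), box(P)),
        lambda W, R: all(y == z for (x, y) in R for (u, z) in R if u == x),
    ),
    "isolated reflexive points": (
        lambda W, dia, box, P: implies(W, P, box(P)) & implies(W, box(P), P),
        lambda W, R: R == {(x, x) for x in W},
    ),
    "isolated irreflexive points": (
        lambda W, dia, box, P: box(frozenset()),
        lambda W, R: not R,
    ),
}


def check_proposition_27(n=3):
    """For each case: does validity coincide with the condition on all frames?"""
    W = frozenset(range(n))
    return {name: all(valid_on_frame(W, R, formula) == prop(W, R)
                      for R in subsets(product(W, W)))
            for name, (formula, prop) in CASES.items()}


def falsify_partial_function(W, R):
    """Valuation from the proof: p true at just one of two distinct successors.
    Returns (w, P) with Dia p true and Box p false at w, or None."""
    dia, box = make_ops(W, R)
    for (w, u), (w2, v) in product(R, repeat=2):
        if w == w2 and u != v:
            P = frozenset({u})
            if w in dia(P) and w not in box(P):
                return w, P
    return None


if __name__ == "__main__":
    print(check_proposition_27())
    print(falsify_partial_function(frozenset({0, 1, 2}), {(0, 1), (0, 2)}))
```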


A remark on terminology. Instead of saying, for example, that $\Diamond\Diamond p \to \Diamond p$ defines the class 
of transitive frames, we often simply say that $\Diamond\Diamond p \to \Diamond p$ defines transitivity. It is also usual to 
say that $\Diamond\Diamond p \to \Diamond p$ corresponds (at the level of frames) to $\forall xyz(Rxy \wedge Ryz \to Rxz)$, or that 
$\forall xyz(Rxy \wedge Ryz \to Rxz)$ is a frame correspondent for $\Box p \to \Box\Box p$. 

Now for an important question: how do we go about showing that a class of frames cannot be 
modally defined? Answering such questions is typically more demanding than proving the type 
of result noted in Proposition 27, for instead of checking that a given formula defines a given 
frame class, we now have to prove that no modal formula is capable of this. How can we prove 
such general results? By finding ways of transforming frames that preserve frame validity. For if 
we can show that a class of frames F is not closed under such a transformation, it follows that F 
is not modally definable. Let’s take a closer look. 

The first step is to find transformations that preserve frame validity. Three lie close to hand: the 
formation of disjoint unions, generated submodels, and bounded morphic images. In Section 3.2 
we defined these constructions at the level of models, and they can be lifted to the level of 
frames simply by ignoring the requirements imposed on the valuations. For example, a bounded 
morphism between frames (W, R) and (W’, R’) is a function f from W to W’ that satisfies the
morphism condition (if Rwv, then R’ f(w)f(v)) and the zag condition (if R’ f(w)v’, then there 
exists a v such that f(v) = v’ and Rwv), and we say that frame (W’, R’) is a bounded morphic 
image of frame (W, R) if there is a surjective bounded morphism from (W, R) to (W’, R’). 
Lifting these constructions to the level of frames immediately gives us three validity preservation 
results: 


THEOREM 28. For all basic modal formulas $\varphi$ we have that:


1. Let $\{\mathfrak{F}_i \mid i \in I\}$ be a family of frames. Then if $\mathfrak{F}_i \models \varphi$ for every i in I, we have that
$\biguplus_i \mathfrak{F}_i \models \varphi$ too. That is, frame validity is preserved under the formation of disjoint unions.


2. Let $\mathfrak{F}'$ be a generated subframe of $\mathfrak{F}$. Then if $\mathfrak{F} \models \varphi$, we have that $\mathfrak{F}' \models \varphi$ too. That is,
frame validity is preserved under the formation of generated subframes.


3. Let $\mathfrak{F}$ and $\mathfrak{F}'$ be frames and f a surjective bounded morphism from $\mathfrak{F}$ to $\mathfrak{F}'$. Then if $\mathfrak{F} \models \varphi$,
we have that $\mathfrak{F}' \models \varphi$ too. That is, frame validity is preserved under the formation of
bounded morphic images.


Proof. We prove the result for bounded morphisms; we show the contrapositive. Given frames
$\mathfrak{F} = (W, R)$ and $\mathfrak{F}' = (W', R')$ such that $\mathfrak{F}'$ is a bounded morphic image of $\mathfrak{F}$ under f, suppose
that $\mathfrak{F}' \not\models \varphi$. This means that for some valuation $V'$ on $\mathfrak{F}'$ and some point $w' \in W'$ we have that
$(\mathfrak{F}', V'), w' \not\models \varphi$. Let V be the valuation on $\mathfrak{F}$ defined by $V(p) = \{u \in W \mid f(u) \in V'(p)\}$, for
all proposition symbols p. Furthermore, let w be any point such that $f(w) = w'$; there must be
at least one such point as f is surjective. Then the model $(\mathfrak{F}', V')$ is a bounded morphic image
of the model $(\mathfrak{F}, V)$, and hence $(\mathfrak{F}, V), w \not\models \varphi$. $\square$


Applying this theorem immediately gives rise to a crop of non-definability results. Here are 
some simple ones. Basic modal languages cannot define the class of simply connected frames, 
that is, the class of frames such that $\forall xy\,(Rxy \lor Ryx)$. Why not? Because this class is not
closed under the formation of disjoint unions: taking the disjoint union of two frames with this 
property clearly results in a frame without it. As a second example, the basic modal languages 
cannot define the class of frames containing an isolated reflexive point. Why not? Because this 
class is not closed under the formation of generated subframes. For consider a frame consisting 
of two isolated points, one reflexive, the other irreflexive. This frame belongs to the required 
class, however the subframe generated by the irreflexive point does not. As a third example, the 
class of irreflexive frames is not modally definable. Why not? Because it is not closed under 
the formation of bounded morphic images (recall the bounded morphism of Figure 13 which 
collapses the natural numbers to a single reflexive point). But frame validity is preserved under 
this transformation, hence no modal formula can define irreflexivity. For more sophisticated 
applications of these validity preservation results, see van Benthem [137]. 
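
Proposition 27 and the non-definability arguments above can be checked mechanically on small finite frames. The following Python sketch is an added example, not code from the handbook: it brute-forces frame validity over every valuation, confirms the four correspondences on all frames with at most three points, and exhibits witnesses for the disjoint-union and bounded-morphism arguments. All function names are this example's own, and the two-point cycle is a constructed finite stand-in for the natural numbers used in the text's irreflexivity example.

```python
from itertools import product

# Formulas are nested tuples over a single proposition symbol p.
P, BOT = ('p',), ('bot',)
def imp(a, b): return ('imp', a, b)
def iff(a, b): return ('iff', a, b)
def box(a): return ('box', a)
def dia(a): return ('dia', a)

def holds(f, R, V, w):
    """Truth of f at point w of the model (W, R, V); V is the set of points where p is true."""
    op = f[0]
    if op == 'p':
        return w in V
    if op == 'bot':
        return False
    if op == 'imp':
        return (not holds(f[1], R, V, w)) or holds(f[2], R, V, w)
    if op == 'iff':
        return holds(f[1], R, V, w) == holds(f[2], R, V, w)
    successors = [v for (u, v) in R if u == w]
    if op == 'box':
        return all(holds(f[1], R, V, v) for v in successors)
    if op == 'dia':
        return any(holds(f[1], R, V, v) for v in successors)
    raise ValueError(f"unknown connective {op!r}")

def valid(f, W, R):
    """Frame validity: f is true at every point under every valuation of p."""
    for bits in product((False, True), repeat=len(W)):
        V = {w for w, b in zip(W, bits) if b}
        if not all(holds(f, R, V, w) for w in W):
            return False
    return True

def frames(n):
    """Every frame on W = {0, ..., n-1}, one per subset of W x W."""
    W = list(range(n))
    pairs = list(product(W, W))
    for bits in product((False, True), repeat=len(pairs)):
        yield W, {pr for pr, b in zip(pairs, bits) if b}

# First-order frame conditions used in the text.
def transitive(W, R):
    return all((x, z) in R for (x, y) in R for (y2, z) in R if y == y2)
def partial_function(W, R):
    return all(y == z for (x, y) in R for (x2, z) in R if x == x2)
def isolated_reflexive(W, R):
    return R == {(w, w) for w in W}
def isolated_irreflexive(W, R):
    return not R
def irreflexive(W, R):
    return all((w, w) not in R for w in W)
def connected(W, R):                      # forall xy (Rxy or Ryx)
    return all((x, y) in R or (y, x) in R for x in W for y in W)

PROP27 = [(imp(box(P), box(box(P))), transitive),
          (imp(dia(P), box(P)), partial_function),
          (iff(P, box(P)), isolated_reflexive),
          (box(BOT), isolated_irreflexive)]

def check_prop27(max_n=3):
    """Each formula is valid on exactly the frames (up to max_n points) with its property."""
    return all(valid(f, W, R) == cond(W, R)
               for n in range(1, max_n + 1) for W, R in frames(n) for f, cond in PROP27)

def disjoint_union(F, G):
    (W1, R1), (W2, R2) = F, G
    k = len(W1)                           # shift the second frame's points past the first's
    return W1 + [w + k for w in W2], R1 | {(u + k, v + k) for (u, v) in R2}

def union_preserves(f, max_n=2):
    """Theorem 28(1), checked on all pairs of frames with at most max_n points each."""
    small = [fr for n in range(1, max_n + 1) for fr in frames(n) if valid(f, *fr)]
    return all(valid(f, *disjoint_union(A, B)) for A in small for B in small)

def is_surjective_bounded_morphism(f, F, G):
    """f maps points of F to points of G; checks the morphism and zag conditions."""
    (W, R), (W2, R2) = F, G
    forth = all((f[u], f[v]) in R2 for (u, v) in R)
    zag = all(any(f[v] == v2 and (w, v) in R for v in W)
              for w in W for (u2, v2) in R2 if u2 == f[w])
    return forth and zag and {f[w] for w in W} == set(W2)

# Constructed witnesses for two of the non-definability arguments.
LOOP = ([0], {(0, 0)})                    # one reflexive point
TWO_CYCLE = ([0, 1], {(0, 1), (1, 0)})    # irreflexive; finite stand-in for the naturals
COLLAPSE = {0: 0, 1: 0}                   # maps both points onto the reflexive point

if __name__ == "__main__":
    print("Proposition 27 on frames of size <= 3:", check_prop27())
    print("disjoint unions preserve validity:", all(union_preserves(f) for f, _ in PROP27))
    print("connected:", connected(*LOOP), "-> union:", connected(*disjoint_union(LOOP, LOOP)))
    print("bounded morphism:", is_surjective_bounded_morphism(COLLAPSE, TWO_CYCLE, LOOP),
          "irreflexive:", irreflexive(*TWO_CYCLE), "->", irreflexive(*LOOP))
```

The search is exhaustive only up to the stated sizes, so it confirms the correspondences on those frames rather than proving them.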

These results also give us insight into the semantic ideas behind Theorem 25. For consider 
a consistent normal logic. Suppose one of the frames on which it is valid contains an isolated 
irreflexive point; then (appealing to the preservation of validity under generated subframes) the 
frame consisting of just that single point validates the logic too. So suppose that no frame con- 
taining an isolated point validates the logic. But this means that in all frames that validate the 
logic, every point has at least one successor. But if we map all the points in such a frame to a 
singleton reflexive point, the mapping is a bounded morphism. Hence it follows that the logic is 
validated on frames consisting of isolated reflexive points. 

As we shall soon see, the three frame transformations just introduced all play a role in the 
Goldblatt-Thomason Theorem, a characterisation of modally definable classes of elementary 
frames. But a fourth transformation, namely the formation of ultrafilter extensions, is also needed 
to complete the statement of this celebrated result, so let’s take this opportunity to define this 
(somewhat more complex) frame construction. First we recall a standard mathematical concept. 
Given a non-empty set W, a filter F over W is any subset of $2^W$ (the power set of W) that
contains W and is closed under finite intersection (that is, if $X, Y \in F$ then $X \cap Y \in F$) and
set-theoretic inclusion (that is, if $X \in F$ and $X \subseteq Y \subseteq W$ then $Y \in F$). A filter is called proper
if it is distinct from $2^W$. An ultrafilter is a proper filter U such that for all $X \in 2^W$, $X \notin U$ iff
$(W \setminus X) \in U$. A standard result assures us that any proper filter can be extended to an ultrafilter.
Bearing this in mind, we make the following definition: 


DEFINITION 29 (Ultrafilter Extensions of Frames). Let $\mathfrak{F} = (W, R)$ be a frame. For any
$X \subseteq W$ we define $l(X)$ to be $\{w \in W \mid$ for all $v \in W$, if Rwv then $v \in X\}$. Then the ultrafilter
extension $ue(\mathfrak{F})$ of $\mathfrak{F}$ is defined to be the frame $(uf(W), R^{ue})$, where $uf(W)$ is the set of all
ultrafilters on W and $R^{ue}$ is the relation consisting of all pairs of ultrafilters $U, U'$ such that for
all $X \subseteq W$, if $l(X) \in U$, then $X \in U'$.


We can now state the required theorem. Note that the direction of validity preservation is 
the reverse of that found in Theorem 28. That is, here frame validity is preserved from the
transformed frame (here the ultrafilter extension) back to the original one: 


THEOREM 30. For any basic modal formula $\varphi$, if $ue(\mathfrak{F}) \models \varphi$ then $\mathfrak{F} \models \varphi$ too. That is,
frame validity reflects ultrafilter extensions.


Proof. The use of ultrafilter extensions in modal logic traces back to Goldblatt [57, 58], van 
Benthem [130], and Fine [44]. For a detailed proof of this theorem, see Proposition 2.59 and 
Corollary 3.16 of Blackburn, de Rijke and Venema [13]. $\square$


Although this transformation is harder to visualise than the previous three, it too gives rise to 
some simple non-definability results. Here’s a nice example, taken from Goldblatt and Thomason
[60], showing that the class of frames satisfying $\forall x \exists y\,(Rxy \land Ryy)$ is not modally definable.
We can see this as follows. The ultrafilter extension of (N, <), the natural numbers in their 
usual order, looks a bit like a gigantic lolly-pop. It has an infinite handle, an isomorphic copy 
of (N, <), consisting of all the principal ultrafilters (that is, those ultrafilters which contain a 
singleton set {n}, where n is a natural number). This is followed by the lolly: an uncountable 
collection of non-principal ultrafilters which are all related to one another and reflexively related 
to themselves. Hence ue(N, <) has the property $\forall x \exists y\,(Rxy \land Ryy)$. Why? Because every point
in the frame is related to the reflexive points in the lolly. However this formula is clearly not 
valid on the original frame (N, <). As frame validity reflects ultrafilter extensions, it follows that 
the class of frames satisfying $\forall x \exists y\,(Rxy \land Ryy)$ is not modally definable. For further discussion
of ultrafilter extensions from a model-theoretic perspective, see Chapter 5 of this handbook.
There is also an important algebraic perspective on ultrafilter extensions, which is discussed in 
Chapter 6. 


5.3 Frame correspondence and second-order logic 


Now that we have some idea of what basic modal languages can (and cannot) say about frames, 
we turn to the second question: how do they say it? And here we encounter something interesting. 
Note that all four classes of frames mentioned in Proposition 27 are definable by simple first- 
order formulas — and this is actually rather puzzling. After all, if you think about what it 
means for a basic modal formula $\varphi(p_1, \ldots, p_n)$ to be valid on a frame, we see that this concept
is essentially second-order: we quantify across all possible valuations, and valuations assign 
subsets of frames to proposition symbols. 

We can make this second-order perspective precise with the help of the standard translation.
Let $\mathfrak{F}$ be a frame, let $\mathfrak{M} = (\mathfrak{F}, V)$ be any model over $\mathfrak{F}$, and let w be any point in $\mathfrak{F}$. By
Proposition 3 we have that


$(\mathfrak{F}, V), w \models \varphi(p_1, \ldots, p_n)$ iff $(\mathfrak{F}, V) \models ST_x(\varphi)(P_1, \ldots, P_n)[x \leftarrow w]$.


(Here $P_1, \ldots, P_n$ are the monadic predicate symbols used to translate the proposition symbols
$p_1, \ldots, p_n$.) How do we lift this equivalence (which lives at the level of models) to an equivalence
at the level of frames (the level where validity is the primary semantic concept)? Very
straightforwardly. A formula is valid on a frame iff it is satisfied at any point in the frame under
any assignment of subsets of the frame to the proposition symbols. So we only need to universally
quantify over the points that can be assigned to x (a first-order quantification) and over the
assignments to the monadic symbols $P_1, \ldots, P_n$ (a second-order quantification). Doing so gives
us the fundamental correspondence between frame validity and second-order logic:


$\mathfrak{F} \models \varphi(p_1, \ldots, p_n)$ iff $\mathfrak{F} \models \forall P_1 \cdots \forall P_n \forall x\, ST_x(\varphi)$.


In short, frame validity systematically treats modal formulas $\varphi$ as the universal monadic
second-order closure of their standard first-order translations on relational models. The second-order
upgrade of the first-order correspondence language is often called the frame correspondence
language or the second-order correspondence language.


Let’s look at an example. Recall that in Section 2.2 we showed that the standard translation of
$p \to \Diamond p$ was $Px \to \exists y\,(Rxy \land Py)$. So if we ask what $p \to \Diamond p$ defines at the level of frames we
can give an immediate answer: it defines the class of frames satisfying the following monadic
second-order formula:


$\forall P \forall x\,(Px \to \exists y\,(Rxy \land Py))$.


Now, it’s certainly pleasant to be able to systematically calculate frame correspondences for 
modal formulas in this way — but the puzzle remains. Indeed, if anything it has become more 
acute. For most of the modal formulas encountered in practice correspond to simple first-order 
conditions on frames, yet these conditions are systematically expressed using rather complex 
second-order expressions. The translation just considered is a good example. As the reader 
should check, $p \to \Diamond p$ corresponds to the first-order formula $\forall x\, Rxx$ (that is, it defines reflexivity).
And if you think about it, you will see that $\forall P \forall x\,(Px \to \exists y\,(Rxy \land Py))$ is indeed a
rather roundabout way of expressing reflexivity. For a start, it’s easy to see that this sentence
is true on any reflexive frame. Conversely, if this sentence is true on a frame (W, R), then
$Px \to \exists y\,(Rxy \land Py)$ must be true under any assignment to the free variables x and P. Hence,
for any $w \in W$, this formula is true if we assign w to x and {w} to P. This assignment makes
the antecedent true (indeed, it is the minimal valuation required to make the antecedent true; the
significance of this remark will become clear when we discuss the Sahlqvist Correspondence
Theorem) so we must have that $\exists y\,(Rxy \land Py)$ is true too. But this is only possible if Rww.
Hence, as w was arbitrary, this means that R must be reflexive, and thus the original second- 
order sentence really does express reflexivity. As we said earlier, one of the key questions we are 
interested in is how modal languages talk about frames. And now we have an answer. They do 
so via a detour through second-order logic. 


Moreover, this detour is not eliminable. That is, while experience shows that most common 
modal formulas correspond to first-order conditions on frames, some modal formulas define 
conditions that are not elementary. A famous case is Löb’s formula, $\Box(\Box p \to p) \to \Box p$, the
characteristic axiom of the logic GL. This defines the conjunction of the transitivity of R with
the converse well-foundedness of R (that is, it forbids the existence of infinite chains of related
points $w_1 R w_2 R w_3 R w_4 R w_5 \ldots$). This condition is non-elementary, as an appeal to the Compactness
Theorem for first-order logic shows. Another well-known modal axiom that defines a
non-elementary class of frames is the McKinsey formula $\Box\Diamond p \to \Diamond\Box p$. This can be shown by
appealing to the Löwenheim-Skolem Theorem for first-order logic. For full proof details for both
the Löb and McKinsey examples, see Blackburn, de Rijke and Venema [13].


Summing up, we are confronted with an intriguing situation. At the level of frames, modal 
formulas systematically correspond to second-order conditions on frames. Nonetheless, in many 
common cases these second-order conditions turn out to be equivalent to first-order conditions. 
This raises some interesting questions. Are there criteria that demarcate modal formulas that are 
essentially first-order at the level of frames from the genuinely second-order ones? And can we 
characterise the elementary frame classes that are modally definable? 


5.4 First-order frame definability


As we have just learned, the link between first-order definable frame classes and modal logic is 
not straightforward. Nonetheless, some elegant general results are known, and we shall briefly 
discuss three of them here. We first note two results which bear upon the demarcation issue: 
the Sahlqvist Correspondence Theorem (which isolates a large class of formulas all of which de- 
fine elementary classes of frames) and a model-theoretic characterisation of the modal formulas 
which define elementary frame classes. Following this we discuss the celebrated Goldblatt- 
Thomason Theorem, a model-theoretic characterisation of the elementary frame classes that are 
basic modal definable. All three results (and others bearing on the theme of elementary frame 
definability) are discussed in greater detail in Chapter 5 of this handbook. 

Let’s start with the Sahlqvist [111] result. Upon closer inspection, first-order frame conditions 
often arise because of the syntactic shape of the defining modal formula — for example the 
quantifier shape of the first-order formula for transitivity is matched by the sequence of boxes in
$\Box p \to \Box\Box p$. The following theorem gives us a natural account of such correspondences. It trades
systematically on the idea (noted when we discussed the second-order definition of reflexivity) 
of substituting minimal verifying valuations in antecedents. 


THEOREM 31 (Sahlqvist Correspondence Theorem). There is an effective method for computing
first-order equivalents for Sahlqvist formulas, that is, formulas of the form $\varphi \to \psi$ with antecedents
$\varphi$ constructed from atoms (possibly prefixed by boxes) using conjunctions, disjunctions
and diamonds, while consequents $\psi$ can be any modal formula with only positive occurrences of
proposition symbols.


Proof. The effective method (in the form originally introduced by van Benthem [128, 131])
is usually called the substitution algorithm. The following example will give an idea of how it
works. The 4 formula, $\Box p \to \Box\Box p$, is a Sahlqvist formula and its second-order translation is


$\forall P \forall x\,(\forall y\,(Rxy \to Py) \to \forall y\,(Rxy \to \forall z\,(Ryz \to Pz)))$.


Now, if we could eliminate all the occurrences of P in this formula, we would render the second- 
order quantification needed to express validity vacuous. But can P be eliminated in a semanti- 
cally sensible way? Because of the syntactic restrictions that Sahlqvist formulas conform to, it 
turns out that it can. We do so by replacing P by a first-order expression describing the minimal
valuation needed to make the antecedent of $\Box p \to \Box\Box p$ true. Now, the minimal way of making
$\Box p$ true is to make p true at all successors of the point of evaluation x, so the required substitution
is $Pu := Rxu$. Performing this substitution yields the following first-order expression:


$\forall x\,(\forall y\,(Rxy \to Rxy) \to \forall y\,(Rxy \to \forall z\,(Ryz \to Rxz)))$.


The antecedent is now tautologically true, and dropping it leaves us with the expression


$\forall x \forall y\,(Rxy \to \forall z\,(Ryz \to Rxz))$.


But this is a first-order formula expressing transitivity. For a precise specification of the substitu- 
tion algorithm, and a proof that it works as required, see Blackburn, de Rijke and Venema [13]. 
The heart of the proof is to show that a Sahlqvist antecedent is true under any value for its proposition
symbols iff it is true under its minimal values. $\square$


The Sahlqvist Correspondence Theorem and its proof method are very powerful and can be 
extended to far stronger modal languages. Nevertheless there are also modal formulas which 
express first-order conditions on frames that are not covered by the theorem. The K4.1 axiom


$(\Box p \to \Box\Box p) \land (\Box\Diamond p \to \Diamond\Box p)$


is a conjunction of the 4 axiom with the McKinsey axiom. It defines the class of frames with
a transitive and atomic relation, that is the class of transitive frames such that
$\forall x \exists y\,(Rxy \land \forall z\,(Ryz \to z = y))$. But this first-order equivalence cannot be computed using the substitution
method. See van Benthem [137] or Blackburn, de Rijke and Venema [13] for further discussion. 

So the Sahlqvist result doesn’t fully pin down the modal formulas that define elementary frame 
classes. However model-theoretic characterisations exist. For example we have: 


THEOREM 32. A modal formula defines a first-order frame property iff it is preserved under 
taking ultrapowers of frames. 


Proof. For the original proof, see van Benthem [131]. For an introduction to ultrapowers, 
consult Chang and Keisler [23]. $\square$


Closure under ultrapowers is an abstract feature, and it is not easy to use it to recognise whether 
a given modal formula is first-order over frames. But then no simple method can be expected to 
work: Chagrova [21] shows that the problem of determining whether a modal formula expresses 
a first-order condition on frames is undecidable. 

But now for our other question: which elementary classes of frames are modally definable? 
The classic result here is the Goldblatt-Thomason Theorem. This tells us that the four frame 
preservation results noted earlier are not merely necessary, they are also sufficient to characterise 
first-order frame definability: 


THEOREM 33 (Goldblatt-Thomason Theorem). A first-order frame property is modally de- 
finable iff it is preserved under taking disjoint unions, generated subframes, bounded morphic 
images, and reflects ultrafilter extensions. 


Proof. The left-to-right direction is just a restatement of the results noted in Theorems 28 and 30. 
The real work lies in the converse. The original proof, due to Goldblatt and Thomason [60] was 
algebraic; we briefly discuss this approach in Section 7.1, and an algebraic proof is given in 
Chapter 6 of this handbook. Nowadays there are also purely model-theoretic proofs; see van 
Benthem [133] for the earliest of these. $\square$


5.5 Correspondence in richer languages 


Throughout this section we have kept our eyes firmly on the goal of understanding modal ex- 
pressivity with respect to elementary frame classes. This is an important topic (after all, we want 
to understand as much as possible about the route modal logic over frames takes from monadic 
second-order logic back to first-order logic) but it is also natural to wonder about the expressivity 
of modal logic with respect to non-elementary frame classes. Unfortunately, it is harder to come 
up with elegant answers here. In particular, we can’t expect sweeping model-theoretic character- 
isations. Model-theoretic characterisations of elementary frame definability, such as Theorem 32 
and the Goldblatt-Thomason Theorem, rest on the conceptual edifice of first-order model theory. 
Second-order model theory is nowhere near as well developed. 

Nonetheless, some interesting results are known. For example, it turns out that we can apply 
the ideas underlying the proof of the Sahlqvist Correspondence Theorem beyond the confines of 
first-order logic. Let’s briefly consider what is involved. The following discussion is based on 
van Benthem [138]. Chapter 5 of this handbook contains a more detailed discussion of related
material. 

The substitution algorithm for Sahlqvist formulas runs into difficulties with more complex
antecedents; a classic example is Löb’s formula $\Box(\Box p \to p) \to \Box p$, which defines a
non-elementary class of frames. But let’s reflect on why we compute the minimal antecedent values
for Sahlqvist formulas. In fact there are two reasons. Firstly, because Sahlqvist antecedents are
true under any value for their proposition symbols iff they are true under their minimal values.
Secondly, because such minimal predicates are first-order definable. Now, as it happens, the Löb
antecedent does not fulfil the first-order definability criterion, but this does not mean that all that
can be said is that Löb’s formula is intrinsically second-order: for, as it turns out, there is a
smallest semantic value for the predicate P which will make its antecedent true. This is the set of
points in the frame obtained by taking the intersection of all predicates P validating $\Box(\Box p \to p)$
where p is interpreted as P. Such a set must exist, because the standard translation of the Löb
antecedent has a special syntactic form. Call a first-order formula $\varphi(P)$ intersective if it has one
of the forms:


1. $\forall x\,(\psi(P, Q, x) \to Px)$, with P occurring only positively in $\psi(P, Q, x)$.


2. $\psi(P, Q)$, with P occurring only negatively in $\psi$.


It is easy to show that all formulas $\varphi(P)$ of this form have the above-mentioned intersection
property: if $\varphi(P)$ holds for any predicate P it holds for the intersection of all predicates P
satisfying it.

Thus it makes sense to talk about $\min P.\varphi(P)$, the minimal satisfying predicate. Of course,
such predicates need not be first-order definable, but it is not hard to show that minimal predicates
for intersective first-order formulas are definable in a well-known extension of first-order logic,
namely LFP(FOL), first-order logic with monotonic fixed-points (we shall introduce the idea
of monotonic fixed-points in more detail when we discuss the modal $\mu$-calculus in Section 6).
LFP(FOL) has many uses in computer science; it lies between first-order and second-order logic, 
and retains many useful model-theoretic properties such as invariance for potential isomorphism 
(see Ebbinghaus and Flum [35] for an introduction to LFP(FOL)). 

Now, once we have such a minimal value for the antecedent predicates, it can be substituted 
into the consequent to obtain a frame equivalent just as before — though now, of course, we 
obtain an equivalent in LFP(FOL). To return to our example, the standard translation of the Löb
antecedent $\forall y\,((Rxy \land \forall z\,(Ryz \to Pz)) \to Py)$ is indeed intersective in the above sense. Therefore,
the corresponding frame property of the Löb formula can be computed and (as we would
expect) the result is an LFP(FOL) formula defining the property of transitivity plus converse
well-foundedness. As a second example, consider the axiom of cyclic return:


$(\Diamond p \land \Box(p \to \Box p)) \to p$.


Again, this is not a Sahlqvist formula. But again, the antecedent is intersective (once we have
moved out the modal $\Diamond$ to become a prefixed universal quantifier, as before in the substitution
algorithm) and gives rise to a simple fixed-point computation for an equivalent frame property:


Every point x with an R-successor y can be reached from y by a finite sequence of 
successive R-steps. 


We can express this condition in LFP(FOL) as follows. First we define the concept of transitive
closure:


$R^t xy =_{def} \min S, xy.\; Rxy \lor \exists z\,(Rxz \land Szy)$.


We can then capture the stated frame condition by insisting that:


$\forall xy\,(Rxy \to R^t yx)$.
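
The minimal-predicate computation described above can be run directly on small finite frames. The following Python sketch is an added example, not code from the handbook: it computes the minimal predicate for the Löb antecedent both as the intersection of all satisfying predicates and as a least fixed point, substitutes it into the consequent, and evaluates the transitive-closure definition by the same iteration. Function names are this example's own, and it assumes finite frames, where converse well-foundedness amounts to R having no cycles.

```python
from itertools import combinations, product

def lfp(step):
    """Least fixed point of a monotone operator on finite sets, iterated up from the empty set."""
    S = frozenset()
    while True:
        T = frozenset(step(S))
        if T == S:
            return S
        S = T

def succ(R, w):
    return {v for (u, v) in R if u == w}

def subsets(W):
    return [frozenset(c) for k in range(len(W) + 1) for c in combinations(W, k)]

def lob_antecedent(R, P, x):
    """forall y ((Rxy and forall z (Ryz -> Pz)) -> Py): translation of box(box p -> p) at x."""
    return all(y in P for y in succ(R, x) if succ(R, y) <= P)

def min_by_intersection(W, R, x):
    """The text's definition: intersect every P that makes the antecedent true at x."""
    result = frozenset(W)                 # P = W always satisfies the antecedent
    for P in subsets(W):
        if lob_antecedent(R, P, x):
            result &= P
    return result

def min_by_fixpoint(R, x):
    """The same predicate as the least fixed point of P |-> {y : Rxy and succ(y) within P}."""
    return lfp(lambda P: {y for y in succ(R, x) if succ(R, y) <= P})

def lob_by_substitution(W, R):
    """Put min P into the consequent box p: every successor of x must lie in min P."""
    return all(succ(R, x) <= min_by_fixpoint(R, x) for x in W)

def lob_by_quantification(W, R):
    """Second-order reading: for every x and every P, the antecedent implies the consequent."""
    return all(succ(R, x) <= P for x in W for P in subsets(W) if lob_antecedent(R, P, x))

def transitive_closure(R):
    """R^t xy = min S,xy. Rxy or exists z (Rxz and Szy), by iteration from the empty relation."""
    return lfp(lambda S: set(R) | {(x, y) for (x, z) in R for (z2, y) in S if z == z2})

def transitive_and_acyclic(W, R):
    """Transitivity plus converse well-foundedness; on a finite frame the latter means no cycles."""
    trans = all((x, z) in R for (x, y) in R for z in succ(R, y))
    closure = transitive_closure(R)
    return trans and all((w, w) not in closure for w in W)

def return_condition(R):
    """forall xy (Rxy -> R^t yx), the frame condition displayed in the text."""
    closure = transitive_closure(R)
    return all((y, x) in closure for (x, y) in R)

def all_frames(n):
    W = list(range(n))
    pairs = list(product(W, W))
    for bits in product((0, 1), repeat=len(pairs)):
        yield W, {pr for pr, b in zip(pairs, bits) if b}

def check(max_n=3):
    """Both computations of min P agree, and so do the three readings of Löb's formula."""
    for n in range(1, max_n + 1):
        for W, R in all_frames(n):
            if any(min_by_fixpoint(R, x) != min_by_intersection(W, R, x) for x in W):
                return False
            verdicts = {lob_by_substitution(W, R), lob_by_quantification(W, R),
                        transitive_and_acyclic(W, R)}
            if len(verdicts) != 1:
                return False
    return True

if __name__ == "__main__":
    print("agreement on all frames with at most 3 points:", check())
    print("min P at 0 on the chain 0 -> 1 -> 2 with 0 -> 2:", sorted(min_by_fixpoint({(0, 1), (1, 2), (0, 2)}, 0)))
    print("return condition on a 3-cycle:", return_condition({(0, 1), (1, 2), (2, 0)}))
```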


This is the beginning of a further layering of modal formulas with respect to semantic com- 
plexity. For there are also modal formulas with frame equivalents which cannot be expressed 
in LFP(FOL). One example is the well known axiom in tense logic expressing Dedekind Com- 
pleteness of linear orders, which is not preserved under the potential isomorphism between the 
rationals and the reals. And recently, van Benthem and Goranko have shown that the McKinsey 
formula, whose antecedent is typically non-intersective, does not correspond to any LFP(FOL)
formula. 

We started this chapter by saying that the process interpretation is a fundamental way of 
viewing modal logic. The present discussion shows that there is a natural link between modal 
logic and a far more sophisticated logic of processes, namely LFP(FOL). We will return to the 
process interpretation in Section 6 when we examine Propositional Dynamic Logic and the modal 
$\mu$-calculus, stronger modal languages which, like LFP(FOL), can express some non-elementary
concepts, such as transitive closure. 


5.6 Remarks on computability 


In Section 4 we contrasted the PSPACE decidability of modal logic with the undecidability of 
first-order logic. But these results concerned satisfiability and validity on the class of all frames. 
Suppose we restrict attention to particular classes of frames defined by basic modal formulas. 
There is no reason to suppose that modal satisfiability and validity problems over such frame 
classes will always be in PSPACE, or even that they will be decidable. And indeed, in many 
cases they are not.

In some cases, restricting attention to a certain class of frames may lower the computational 
complexity. For example, suppose we restrict attention to the frames defined by $\Diamond p \to \Box p$, that
is, the class of frames in which R is a partial function. Then the task of testing basic modal
formulas for satisfiability becomes NP-complete, that is, no worse than the satisfiability problem
for propositional logic. This is because (as the reader can easily check) if a basic modal formula
$\varphi$ has a model based on a frame in this class, then it not only has a finite model in this class,
but a model containing at most n + 1 points, where n is the number of modalities in $\varphi$. Thus
a non-deterministic algorithm which guesses a model, checks that it belongs to the frame class,
and verifies that the formula is satisfied on it, runs in time polynomial in the size of $\varphi$.

But restricting attention to particular frame classes can easily result in undecidable problems. 
A recurring theme is the distinction between tree-like and grid-like models. We have already 
discussed why tree-like models are relevant to modal decidability over the class of all models; 
here we’ll merely add that many more modal decidability results can be proved by appealing to 
Rabin’s Theorem (see [107]), which in its simplest form shows that the monadic second-order 
theory of binary branching trees is decidable. Grid-like models, on the other hand, are (roughly 
speaking) those that contain regions that look like N x N (the product of the natural numbers with 
itself) under two orderings: the horizontal ordering (that is, (j,k) R” (j + 1, k)), and the vertical 
ordering (that is, (j, k) R” (j, k + 1)) which together give rise to the characteristic grid-like shape. 
Now, it is hard to give precise generalisations, but experience shows that while even very strong 
modal languages tend to be decidable over tree-like models, even quite weak languages can be 
undecidable over grid-like models; we shall note such an example in Section 6 when we discuss 
combinations of modal logics. Such undecidability results ultimately trace back to the possibility 
of encoding the N x N tiling problem, which is known to be undecidable. For a detailed account
of the tiling problem, and a proof that it is undecidable, see Berger [12]. Here we’ll simply say 
that it is essentially a geometrical puzzle. We are presented with a finite collection of square tile 
types, of fixed orientation. Each edge of each tile type is coloured. The N x N tiling problem asks: 
is it possible to write an algorithm which, when presented with such a collection of tile types, 
can correctly determine whether or not N x N can be tiled, using only tiles of the given type, in 
such a way that colours on adjacent tile edges match? That is, is it possible to place a tile (of 
one of these types) on each point of N x N, in such a way that colours match both vertically and 
horizontally? For some tile types, this is possible, for others it is impossible. However there is no 
algorithm for deciding for which tile types this can be done; it is a simple, and elegant, example 
of a computationally undecidable problem. Showing that a modal logic is strong enough to 
encode this problem is often a straightforward way of showing its undecidability; see Blackburn, 
de Rijke and Venema [13] for examples of how to use the tiling problem in this way. 

In a slogan: trees tend to be safe, but beware of grids. Somewhat poetically, we can imag- 
ine modal logic as a small boat navigating somewhere on the border between decidability and 
undecidability, as Figure 18 shows. 


[Figure 18. Modal logic: tacking between safety and danger. Labels in the figure: Decidable, Rabin's Theorem, Undecidable, Tiling Problem.]


Furthermore, it is important to realise that undecidable problems arise even when attention 
is restricted to finite frames; see, for example, Urquhart [127]. And indeed, even in the finite 
case, undecidability turns out to be the norm. It is straightforward to show that there are non- 
denumerably many distinct frame satisfiability problems over finite frame classes (an elegant 
demonstration of this, due to Spaan [118], is given as Exercise 6.2.4 of Blackburn, de Rijke and 
Venema [13]). As there are only denumerably many computable functions, undecidability is 
almost always guaranteed. 

So what about recursive enumerability? That is, if we restrict attention to a class of frames F 
that is defined by a modal formula, is the theory of this frame class (that is, the set of formulas $\varphi$
valid on all frames in F) recursively enumerable? Well, if F is elementary, the answer is yes:


PROPOSITION 34. Suppose that F is an elementary class of frames defined by a basic modal
formula $\varphi$. Then the set of basic modal formulas that are valid on all frames in F is recursively
enumerable.


Proof. As F is an elementary class that $\varphi$ defines, $\varphi$ corresponds to some first-order formula
$\alpha$. Now a basic modal formula $\psi$ is valid on frames for $\varphi$ iff its second-order translation
$\forall P_1 \cdots \forall P_n \forall x\, ST_x(\psi)$ is true in all models of the first-order formula $\alpha$, that is, iff


$\alpha \models \forall P_1 \cdots \forall P_n \forall x\, ST_x(\psi)$,


where $\models$ is classical entailment. But as $\alpha$ is first-order, referring to R only, the predicates
$P_1 \cdots P_n$ do not occur in $\alpha$ and hence this is equivalent to


$\alpha \models \forall x\, ST_x(\psi)$.


But this is a first-order entailment, and as such entailments are recursively enumerable the result
follows. $\square$


However once we move beyond the elementary frame classes, even recursive enumerability is 
lost. A key result here is Thomason’s [126] reduction of the standard consequence relation for 
the second-order correspondence language to the global frame consequence relation for a basic 
modal language with one modality. A basic modal formula $\varphi$ is a global frame consequence of
$\Gamma$ if for all frames $\mathfrak{F}$, if $\mathfrak{F} \models \Gamma$, then $\mathfrak{F} \models \varphi$. It follows that global frame consequence is not
recursively enumerable. Indeed, it is even $\Sigma^1_1$-complete, which means it is as hard to decide as
the existential second-order theory of the natural numbers under the less-than-or-equal ordering.
To put it another way: this is an example of a highly undecidable problem. For further discussion
of Thomason’s work in this area, see Chapter 7 of this handbook.


6 RICHER LANGUAGES 


So far we’ve been dealing almost exclusively with the basic modal language. We’ve seen that the 
key to its expressive power lies in the notion of bisimulation and that (at least when interpreted 
over the class of all models) it has better computational properties than first-order logic. All in 
all, the basic modal language is really rather elegant, so we might be tempted to ask: is it possible 
to lift (at least some of) its attractive properties to stronger languages? That is, can we design 
richer modal languages that retain, or even enhance, those features that make the basic modal 
language special? In fact, modal logicians have been experimenting with richer languages for 
years, and in this section we survey some of their work. As we shall see, this line of work adds a 
new dimension to our understanding of modal logic and relational semantics. 

But what should count as a richer modal language? It’s easier to explain what shouldn’t. 
Here’s an obvious example. It is straightforward to extend our basic definitions to cover polyadic 
modalities (that is, n-place diamonds and boxes). Simply work with models in which there is an 
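(n + 1)-place relation $R^m$ for every n-place diamond $\langle m \rangle$. We interpret $\langle m \rangle$ using the following
satisfaction clause:


$\mathfrak{M}, w \models \langle m \rangle(\varphi_1, \ldots, \varphi_n)$ iff for some $v_1, \ldots, v_n \in W$ such that $R^m w v_1 \ldots v_n$
        we have $\mathfrak{M}, v_1 \models \varphi_1$ and ... and $\mathfrak{M}, v_n \models \varphi_n$.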


Now, such n-place modalities are undeniably useful for certain purposes, especially when 
interpreted over restricted classes of frames. For example, when working with spatio-temporal 
structures, we might want to add a three place modality to capture the notion of “between”, or 
we might want to explore the logical theory of function composition, as is done in the branch of 
modal logic known as arrow logic (see Marx and Venema [94]). Nonetheless, when working with 
the class of all models, developing the basic semantic theory (standard translation, bisimulation, 
and so on) of polyadic modal operators is essentially a matter of sprinkling our earlier work with
additional indices. 

As we shall see, the richer languages explored in this section offer much more. Moreover, 
their richness takes us in many different directions. Sometimes the enrichment consists of taking 
a standard language and insisting that a modality be interpreted by some mathematically fun- 
damental relation (the universal modality is a good example). Sometimes the enrichment takes 
the form of more complex satisfaction definitions (both temporal logic with Until and Since and 
conditional logic are examples of this). In other cases, syntactic enhancements are introduced 
to support novel semantic capabilities (hybrid logic, propositional dynamic logic, and the modal 
μ-calculus all do this) and in one case (the guarded fragment) we enrich by abandoning modal
syntax and using first-order syntax instead. Moreover, it is also possible to enrich by combining 
logics. For example, we might combine two propositional modal logics to enable some applica- 
tion domain to be more accurately modeled, or we might combine modal logic with first-order 
logic, a move which takes us to the historical heartland of philosophical applications of modal 
logic. As we shall see, modal logicians have been extremely creative when it comes to devising 
richer languages. 

Of course, this variety raises a question of its own: what, if anything, do all these richer 
languages have in common? That is, what makes them all modal? This is not an easy question 
to answer. Nonetheless, as we work our way through this landscape a number of themes will 
recur: robust decidability, the importance of bisimulations, and characterisations of fragments 
of first- and second-order logic. As we shall see at the end of the section, the idea of restricted 
quantification that underlies the guarded fragment goes a long way towards accounting for these 
properties, for both first- and second-order enrichments. Moreover, it is possible to draw on ideas 
from abstract model theory and prove Lindström-style characterisation results. In short, we will
often be able to lift much of the fundamental semantic theory for basic modal logic to a whole 
new level, a good indication that the enrichments discussed below are, in an important sense, 
genuinely modal. 


6.1 The universal modality 


Time to feed the bears again. As we said in Section 4, some problems demand a global perspec- 
tive. We sometimes want to view a modal formula as a general background constraint, something 
that must be satisfied at all points in a model. Indeed, because of the importance of background 
constraints, in many practical situations we are primarily interested in the local-global satisfiability
problem, which we formulated as follows: given basic modal formulas $\varphi$ and $\psi$, is there a
model which locally satisfies $\varphi$ and globally satisfies $\psi$? Now, description logic, with its two level
architecture of TBoxes (which impose general constraints) and ABoxes (which give information 
about particular individuals), acknowledges the importance of this problem (the information in 
a TBox has to be globally satisfied, while the information in an ABox only has to be locally 
satisfied). But the ability to impose global constraints is not incorporated into description logic 
concept languages (which are essentially notational variants of the basic modal languages we are 
familiar with) and this raises an interesting question. Is it possible to internalise the notion of 
global satisfiability in a modal language? And if so, what happens? 

Let’s introduce the universal modality and find out. To keep things simple, suppose we are 
working in a language with just one modality. We shall add a second modality, and will write E 
for its diamond form, and A for its box form. The interpretation of E and A is fixed: in any model 
$\mathfrak{M} = (W, R, V)$, both modalities must be interpreted using the universal relation $W \times W$. That
is, the satisfaction definition for these modalities is:


$\mathfrak{M}, w \models E\varphi$ iff there is a $u \in W$ such that $\mathfrak{M}, u \models \varphi$
$\mathfrak{M}, w \models A\varphi$ iff for all $u \in W$ we have $\mathfrak{M}, u \models \varphi$.


Thus $E\varphi$ scans the entire model for a point that satisfies $\varphi$, while $A\varphi$ asserts that $\varphi$ holds
everywhere. We have imported the meta-theoretic notion of global truth into our modal object
language, or to put it another way, we have internalised the TBox. Accordingly, we call E the 
universal diamond, and A the universal box. If it is irrelevant whether we mean E or its dual, we 
simply talk of the universal modality. 

How can we be sure that adding the universal modality really increases the expressive power 
at our disposal? That is, are we certain that E and A are not already definable in the basic 
modal language? We are. One way to see this is via a bisimulation argument (see Example 2.4 
in Blackburn, de Rijke and Venema [13] for such a proof). But an easy complexity-theoretic 
argument also establishes this. Let $\varphi$ and $\psi$ be basic modal formulas. Then the formula $A\psi$
expresses the global satisfiability problem (for the basic modal language) in our new language,
and the formula $\varphi \wedge A\psi$ expresses the local-global satisfiability problem (for the basic modal
language) again in our new language. Now, we remarked in Section 4 that both these problems
are EXPTIME-complete. However the satisfiability problem for the basic modal language is
PSPACE-complete. Hence (assuming that PSPACE is strictly contained in EXPTIME, the standard
assumption) our ability to express these problems in the enriched language shows that the
apparent increase in expressive power is genuine. 

This in turn raises a new question. Because it can encode these problems, the satisfiability 
problem for the enriched language is at least EXPTIME-hard. But are some problem-instances 
even harder? No. Everything is solvable in EXPTIME. 


THEOREM 35. The satisfiability problem for the basic modal language enriched with the uni- 
versal modality is EXPTIME-complete. 


Proof. See Hemaspaandra [65], or her earlier PhD thesis Spaan [118]. ∎


But the universal modality not only gives us extra expressivity at the level of models, it also in- 
creases our ability to define new classes of frames. Moreover, an elegant variant of the Goldblatt- 
Thomason Theorem holds for the enriched language. We’ll discuss this result shortly, but let’s 
first consider two examples of newly definable frame classes. 

The class of frames of cardinality less than or equal to some natural number n (that is, frames 
in which $|W| \le n$) is not definable in the basic modal language. Why not? Because basic
modal validity is closed under the formation of disjoint unions. Hence any basic modal formula
$\varphi$ which allegedly defined this frame class could easily be shown to fail: simply by sticking
together enough frames we could validate $\varphi$ on frames of cardinality greater than n.

But this condition is definable with the help of the universal modality:


$\bigwedge_{i=1}^{n+1} E p_i \to \bigvee_{i \neq j} E(p_i \wedge p_j)$.


As the reader can easily check, this formula is valid on any frame where $|W| \le n$, and can be
falsified on any larger frame (in essence, the formula encodes the pigeonhole principle for n + 1
pigeons and n holes). It follows that validity in the enriched language is not preserved under the
formation of disjoint unions. This, of course, is as it should be. We want a genuine universal
modality, not something that can be fooled by the addition of new components. 

Here’s a second example. The condition $\forall x \exists y\, Ryx$ (that is, every point has a predecessor)
is not definable in basic modal logic. Why not? Because modal validity is preserved under
the formation of generated subframes. Any basic modal formula which putatively defined this
class would have to be valid on the frame $(\mathbb{N}, R)$, where Rnm iff n > m, the natural numbers
under the reverse ordering. But (by preservation under generated subframes) it would then have
to be valid on the subframe generated by any number n. But in any such subframe, n has no
predecessor, hence the condition is not basic modal definable.

But it is definable with the help of the universal modality:


$p \to E\Diamond p$.


It is easy to check that this formula defines the required condition, hence it follows that validity 
in the enriched language is not preserved under generated subframes. Again, this is the way it 
should be. A genuinely universal modality will not let us throw away points: its purpose is to 
keep an eye on the entire frame. It should be intolerant of both additions (disjoint unions) and 
deletions (generated submodels). 

And now for the promised result: when it comes to defining elementary frame classes, intol- 
erance towards disjoint unions and generated submodels is precisely what distinguishes the en- 
riched language from the basic modal language. The following result is the Goldblatt-Thomason 
Theorem for the basic modal language, with closure under disjoint unions and generated sub- 
frames stripped away: 


THEOREM 36. A first-order definable class of frames is definable in the basic modal language 
enriched with the universal modality iff it is closed under taking bounded morphic images, and 
reflects ultrafilter extensions. 


Proof. See Goranko and Passy [61]. ∎


Three comments. First, adding the universal modality also increases our ability to define
non-elementary frame classes. For example, the class of frames where the converse of the
accessibility relation R is well-founded (that is, where it is impossible to form infinite R-successorship
chains) is not definable in basic modal logic. Löb’s formula, $\Box(\Box p \to p) \to \Box p$, doesn’t quite
pin this condition down (recall that it defines the conjunction of transitivity and converse
well-foundedness). But the following Löb-like formula in the enriched language does:


$A(\Box p \to p) \to p$.


(This example is from Goranko and Passy [61], the key reference on the universal modality.)
Second, it is straightforward to extend the definition of bisimulation so that it works for the basic
modal language enriched with the universal modality; all that needs to be done is to insist that the
bisimulation be total, that is, that every element in each model is related to at least one point in
the other; see de Rijke [30] for a brief discussion. Third, the universal modality has a big brother,
the difference operator. The diamond form of this operator is written D, and $D\varphi$ is satisfied at
a point w in a model if and only if $\varphi$ is satisfied at some different point v (that is, the difference
operator is interpreted using the $\neq$ relation on W). The difference operator is strong enough to
define the universal modality ($E\varphi$ is just $\varphi \vee D\varphi$) but D cannot be defined using E (we leave
the proof as an exercise). The difference operator arises naturally in many settings and, like the
universal modality, has a smooth meta-theory; see de Rijke [29] for more information.


6.2 Hybrid logic


Basic modal languages have an obvious expressive weakness: they cannot name points. We 
cannot say this happened then, or that some particular individual has some property, or that two 
distinct sequences of processes take us from the current state to the same state. For example, in 
Figure 4 we let the nodes represent particular individuals such as Terry and Judy — but the basic 
modal language doesn’t let us pick out these individuals. First-order logic, of course, lets us do 
this. We use constants to name individuals of interest, and the equality symbol for reasoning 
about their identity. No analogous mechanisms exist in basic modal logic. The basic hybrid 
language is the result of adding them. 

At the heart of hybrid logic lies a simple idea, first introduced by Arthur Prior [104, 105] in the 
1960s: sort the proposition symbols, and use formulas as terms. Let’s do this right away. Take a 
language of basic modal logic (with proposition symbols p, q, r, and so on) and add a second sort 
of proposition symbol. The new symbols are called nominals, and are typically written i, j, k,
and l. Both types of proposition symbol can be freely combined to form more complex formulas
in the usual way. And now for the key change: insist that each nominal be true at exactly one
point in any model. That is, insist (for any valuation V and nominal i) that V(i) be a singleton
set. We call the unique point in V(i) the denotation of i. A nominal ‘names’ its denotation by
being true there and nowhere else. 

This change is far from negligible: already we have a more expressive logic. Consider the 
following basic modal formula: 


$\Diamond(r \wedge p) \wedge \Diamond(r \wedge q) \to \Diamond(p \wedge q)$.


This formula can be falsified, as the p-witnessing and q-witnessing points given by the antecedent
may be distinct. But now consider the following hybrid formula:


$\Diamond(i \wedge p) \wedge \Diamond(i \wedge q) \to \Diamond(p \wedge q)$.


This is identical to the preceding formula, except that we have replaced the proposition symbol
r by the nominal i. But the resulting formula is valid. For now we have extra information: the
p-witnessing and q-witnessing successors both make i true, so they are the same point,
namely the denotation of i.

The addition of nominals is the crucial step towards the basic hybrid language, but we need a
second ingredient too: satisfaction operators. These are operators of the form $@_i$, where i is a
nominal. The formula $@_i\varphi$ asserts that $\varphi$ is satisfied at the (unique) point named by the nominal
i. That is:

$\mathfrak{M}, w \models @_i\varphi$ iff $\mathfrak{M}, u \models \varphi$, where u is the denotation of i.


Syntactically, satisfaction operators are modalities. And they are semantically well behaved. For
a start, all instances of the modal distribution schema are valid:


$@_i(\varphi \to \psi) \to (@_i\varphi \to @_i\psi)$.


Moreover, satisfaction operators also admit the modal generalisation law: if $\varphi$ is valid, then so is
$@_i\varphi$ (for any choice of i). Hence satisfaction operators are normal modal operators. Moreover,
they are self-dual modalities, for all instances of $@_i\varphi \leftrightarrow \neg @_i \neg\varphi$ are valid. So we are free to
regard satisfaction operators as either boxes or diamonds.

But for present purposes, the most important point about satisfaction operators is that they
give us a modal perspective on the equality relation. To see this, note that formulas like $@_i j$ are
well formed. What does this formula assert? It says that “at the denotation of i, the nominal
j is satisfied”, or to put it another way, “the point named i is identical to the point named j”.
Hence the following schemas are valid: $@_i i$ (reflexivity of equality), $@_i j \to @_j i$ (symmetry of
equality), $@_i j \wedge @_j k \to @_i k$ (transitivity of equality), and $@_i\varphi \wedge @_i j \to @_j\varphi$ (replacement).
As we hoped, a modal theory of equality is emerging.

We will shortly characterise this theory, but before doing so let’s glance at what is happening 
at the level of frames. Here too there is an increase in expressivity. None of the four first-order 
definable frame conditions listed below can be defined in basic modal logic. But it is easy to 
check that each is defined by the hybrid formula written next to them: 


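$\forall x\, \neg Rxx$                               $i \to \neg\Diamond i$                               (irreflexivity)
$\forall xy\,(Rxy \to \neg Ryx)$                     $i \to \neg\Diamond\Diamond i$                       (asymmetry)
$\forall xy\,(Rxy \wedge Ryx \to x = y)$             $i \to \Box(\Diamond i \to i)$                       (antisymmetry)
$\forall xy\,(Rxy \vee x = y \vee Ryx)$              $@_j\Diamond i \vee @_j i \vee @_i\Diamond j$        (trichotomy).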
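
The frame-definability claims made for the universal modality in Section 6.1 and for nominals and satisfaction operators in the list above can be checked by brute force on small frames. The Python below is an added example, not part of the original chapter: the tuple encoding of formulas and every function name are assumptions made for illustration, and agreement on all frames with at most three points is a sanity check, not a proof.

```python
from functools import reduce
from itertools import combinations, product

# Formulas are nested tuples (an encoding assumed for this example):
# ("p", name), ("nom", name), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g),
# ("dia", f), ("box", f), ("E", f), ("A", f), ("at", nominal_name, f).

def holds(W, R, V, w, f):
    """Truth of formula f at point w of the model (W, R, V)."""
    op = f[0]
    if op in ("p", "nom"):
        return w in V[f[1]]
    if op == "not":
        return not holds(W, R, V, w, f[1])
    if op == "and":
        return holds(W, R, V, w, f[1]) and holds(W, R, V, w, f[2])
    if op == "or":
        return holds(W, R, V, w, f[1]) or holds(W, R, V, w, f[2])
    if op == "imp":
        return not holds(W, R, V, w, f[1]) or holds(W, R, V, w, f[2])
    if op == "dia":
        return any((w, v) in R and holds(W, R, V, v, f[1]) for v in W)
    if op == "box":
        return all((w, v) not in R or holds(W, R, V, v, f[1]) for v in W)
    if op == "E":    # universal diamond: scan the whole model
        return any(holds(W, R, V, u, f[1]) for u in W)
    if op == "A":    # universal box: true everywhere
        return all(holds(W, R, V, u, f[1]) for u in W)
    if op == "at":   # @_i f: evaluate f at the denotation of nominal i
        (u,) = V[f[1]]
        return holds(W, R, V, u, f[2])
    raise ValueError(f"unknown operator {op!r}")

def atoms(f, kind):
    """Names of the proposition symbols (kind "p") or nominals (kind "nom") in f."""
    if f[0] in ("p", "nom"):
        return {f[1]} if f[0] == kind else set()
    if f[0] == "at":
        return atoms(f[2], kind) | ({f[1]} if kind == "nom" else set())
    return set().union(*(atoms(g, kind) for g in f[1:]))

def valuations(W, f):
    """All valuations for f: any subset for a proposition symbol, a singleton for a nominal."""
    props, noms = sorted(atoms(f, "p")), sorted(atoms(f, "nom"))
    subsets = [frozenset(c) for k in range(len(W) + 1) for c in combinations(W, k)]
    singletons = [frozenset([w]) for w in W]
    for choice in product(*([subsets] * len(props) + [singletons] * len(noms))):
        yield dict(zip(props + noms, choice))

def valid_on_frame(W, R, f):
    return all(holds(W, R, V, w, f) for V in valuations(W, f) for w in W)

def frames(max_size):
    """Every frame (W, R) with 1 <= |W| <= max_size."""
    for n in range(1, max_size + 1):
        W = list(range(n))
        pairs = list(product(W, W))
        for bits in product((False, True), repeat=len(pairs)):
            yield W, {pair for pair, bit in zip(pairs, bits) if bit}

def defines(f, condition, max_size=3):
    """Does validity of f coincide with the frame condition on all frames up to max_size?"""
    return all(valid_on_frame(W, R, f) == condition(W, R) for W, R in frames(max_size))

p, i, j = ("p", "p"), ("nom", "i"), ("nom", "j")
CLAIMS = {  # name: (formula from the text, first-order frame condition)
    "predecessor": (("imp", p, ("E", ("dia", p))),
                    lambda W, R: all(any((y, x) in R for y in W) for x in W)),
    "irreflexivity": (("imp", i, ("not", ("dia", i))),
                      lambda W, R: all((x, x) not in R for x in W)),
    "asymmetry": (("imp", i, ("not", ("dia", ("dia", i)))),
                  lambda W, R: all((y, x) not in R for (x, y) in R)),
    "antisymmetry": (("imp", i, ("box", ("imp", ("dia", i), i))),
                     lambda W, R: all(x == y or (y, x) not in R for (x, y) in R)),
    "trichotomy": (("or", ("at", "j", ("dia", i)),
                    ("or", ("at", "j", i), ("at", "i", ("dia", j)))),
                   lambda W, R: all((x, y) in R or x == y or (y, x) in R for x in W for y in W)),
}

def pigeonhole(n):
    """Conjunction of E p_k (k = 1..n+1) implies some E(p_a and p_b) with a != b."""
    ps = [("p", f"p{k}") for k in range(1, n + 2)]
    lhs = reduce(lambda a, b: ("and", a, b), [("E", q) for q in ps])
    rhs = reduce(lambda a, b: ("or", a, b),
                 [("E", ("and", a, b)) for a, b in combinations(ps, 2)])
    return ("imp", lhs, rhs)

def cardinality_profile(n, max_size):
    """Validity of pigeonhole(n) per frame size; R is irrelevant as the formula only uses E."""
    f = pigeonhole(n)
    return {k: valid_on_frame(list(range(k)), set(), f) for k in range(1, max_size + 1)}

def check_claims(max_size=3):
    return {name: defines(f, cond, max_size) for name, (f, cond) in CLAIMS.items()}

if __name__ == "__main__":
    print(check_claims())
    print(cardinality_profile(2, 4))
```

Replacing the nominal i by an ordinary proposition symbol in the irreflexivity formula makes `defines` return False, which shows that the singleton requirement on nominals is what does the work.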


And now for the main result. Hybridisation has given us some sort of modal theory of equal- 
ity. But how much of the corresponding first-order theory have we captured? Of course, now 
when we talk about “corresponding first-order theory” we mean: theory in the first-order corre- 
spondence language enriched with constants and the equality symbol. 

The first step towards an answer is to extend the standard translation to cover nominals and 
satisfaction operators. So enrich the first-order correspondence language with constants and 
the equality symbol; to keep the notation uncluttered, we’ll re-use the nominals as first-order 
constants. Then add the following clauses to the standard translation: 


$ST_x(i) = (x = i)$
$ST_x(@_i\varphi) = ST_i(\varphi)$.


That is, nominals i are translated into first-order constants i, and satisfaction operators are
translated by substituting the relevant first-order constant for the free variable x. Note that this
translation returns first-order formulas with at most one free variable x, not exactly one. This is because
a constant may be substituted for the free occurrence of x. For example, the hybrid formula $@_i j$
translates into the first-order sentence $i = j$.

The second step is to extend the notion of bisimulation given in Definition 5 to make it suitable 
for the basic hybrid language and for the constant-enriched first-order correspondence language: 


DEFINITION 37 (Bisimulation-with-names). A bisimulation-with-names between models $\mathfrak{M}$
$= (W, R, V)$ and $\mathfrak{M}' = (W', R', V')$ is a non-empty binary relation E between their domains
(that is, $E \subseteq W \times W'$) such that whenever wEw’ we have that:


Atomic harmony: w and w’ satisfy the same proposition symbols, and the same nominals.
Zig: if Rwv, then there exists a point v’ (in $\mathfrak{M}'$) such that vEv’ and R’w’v’, and
Zag: if R’w’v’, then there exists a point v (in $\mathfrak{M}$) such that vEv’ and Rwv.


Closure: All points named by nominals are related by E. 


It is easy to check that all basic hybrid formulas are invariant under bisimulations-with-names; 
the proof is an easy extension of Lemma 9. More interestingly, such bisimulations also give rise 
to a Characterisation Theorem: 


THEOREM 38 (Hybrid Characterisation Theorem). The following are equivalent for all
first-order formulas $\varphi(x)$ in at most one free variable x:

1. $\varphi(x)$ is invariant for bisimulation-with-names.


2. $\varphi(x)$ is equivalent to the standard translation of a basic hybrid formula.


Proof. That clause 2 implies 1 is more or less immediate. The hard direction is showing that
clause 1 implies 2. The original proof can be found in Areces, Blackburn and Marx [6]. ∎


In short, basic hybrid logic is a simple notation for capturing exactly the bisimulation-invariant 
fragment of first-order logic with constants and equality, or to put it another way, basic hybridi- 
sation is a mechanism for equality reasoning in propositional modal logic. And it comes cheap. 
Up to a polynomial, the complexity of the resulting decision problem is no worse than for the 
basic modal language we started with: 


THEOREM 39. The satisfiability problem for the basic hybrid language over arbitrary models 
is PSPACE-complete. 


Proof. See Areces, Blackburn and Marx [6]. ∎


A number of stronger hybrid languages have also been explored. One of the most interesting
extensions is to add $\downarrow$ (the downarrow binder). This binds occurrences of nominals within its
scope to the point of evaluation. That is, to evaluate $\mathfrak{M}, w \models \downarrow i.\varphi$, we evaluate $\mathfrak{M}, w \models \varphi$ but
with all occurrences of the nominal i that were bound by $\downarrow$ now interpreted as naming w (for
details on how to make this informal explanation precise, see Chapter 14 of this Handbook). To
put it another way, $\downarrow$ lets us create a name for here, and this immediately increases the expressive
power at our disposal. For example, in any model $\mathfrak{M}$, the formula $\downarrow i.\neg\Diamond i$ is true at precisely the
irreflexive points; as we noted earlier, no such formula exists in the basic modal language, and
indeed, no such formula exists in the basic hybrid language either.

Moreover, $\downarrow$ interacts beautifully with @. Intuitively, $\downarrow$ stores new values for nominals, and
@ allows us to retrieve them. As an example of this interaction, consider the following formula
which is true in any model at points with at least two successors:


$\downarrow i.\Diamond\downarrow j.@_i\Diamond\neg j$.


This formula first names the point of evaluation i, it then declares that i has a successor which
it names j, and then (with the help of @) it jumps back to i to assert that i also has a successor
distinct from j.

But this increased expressivity comes at a price: by introducing $\downarrow$ we have sailed over the
border into undecidability. As we remarked earlier, the ability to create grid-like models is a
useful warning sign of undecidability, and the smooth interaction between $\downarrow$ and @ makes it easy
to create the unit squares required to build grids:


$\downarrow i.\Diamond(\neg i \wedge \downarrow j.\Diamond(\neg i \wedge \neg j \wedge \downarrow k.@_i\Diamond(\neg i \wedge \neg j \wedge \neg k \wedge \downarrow l.\Diamond k)))$.


If you work through this formula you will see that it demands the existence of four distinct points,
which it calls i, j, k, and l, such that Rij, Rjk, Ril and Rlk. Note the characteristic use of the
embedded $@_i$ to jump us back to the original point of evaluation i; this enables us to construct a
second path from i to k that goes via point l. Of course, moving from this observation to a proof
that it is possible to code the tiling problem takes more work, but it can be done, and the upshot
is: adding $\downarrow$ has moved us up to an undecidable fragment of first-order logic.

But which fragment? The answer has two natural formulations. The first has the now-familiar
form of a Characterisation Theorem: it turns out that adding downarrow has moved us up to
precisely that fragment of first-order logic which is invariant under generated submodels. The
second answer has a more syntactic flavour: we have moved up to the bounded fragment of
first-order logic. The bounded fragment consists of all first-order formulas built up from atomic
formulas using the booleans and bounded quantifications of the form $\exists y(R\tau y \wedge \varphi)$ and $\forall y(R\tau y \to \varphi)$,
where $\tau$ is a term that does not contain y. The bounded fragment arises naturally in set theory
(see Levy [89]) and arithmetic (see Buss [20]). In the mid-1960s, Feferman and Kreisel [41, 40] 
characterised the bounded fragment as the fragment of first-order logic invariant under generated 
submodels. It is intriguing that hybrid logic should have arrived at the same fragment by such a 
different route. 

For full formulations and proofs of these results, see Areces, Blackburn and Marx [6]. For 
a detailed overview of hybrid logic, covering the results mentioned and much else besides, see 
Chapter 14 of this handbook. 


6.3 Temporal logic with Until and Since operators 


We turn now to another historically early enrichment: the addition of the binary U (Until) and S 
(Since) operators. These were introduced in the late 1960s by Hans Kamp [76], who added them 
to Arthur Prior’s basic (F and P based) tense logic, and proved an elegant result: U and S are
expressively complete with respect to Dedekind complete strict total orders (we discuss Kamp’s 
result below). But, beautiful though this is, it is not what led to the present popularity of these 
operators. Rather, around 1980, Gabbay, Pnueli, Shelah and Stavi [53] observed that Until offers 
precisely what is required to state what computer scientists call guarantee properties, and this 
led to its widespread adoption for reasoning about programs. Given the number of researchers 
currently active in temporal logic for program verification, Until may well be the best known and 
most widely used modal operator of all: it plays a key role in LTL (Linear Time Temporal Logic), 
CTL (Computational Tree Logic), and CTL* (a highly expressive system that contains both LTL 
and CTL as sublogics). For an introduction to these logics, see Chapter 11 of this handbook, or 
Clarke, Grumberg and Peled [25]. 

Now, we briefly met the Until operator in Section 4 when we discussed model checking. 
There we defined it in terms of $R^+$ and $R^*$, the transitive and reflexive transitive closures of the
underlying relation R used by the $\bigcirc$ over tree-like models. Here we shall define Until and Since
in their most general form:


$\mathfrak{M}, w \models U(\varphi, \psi)$ iff there is a v such that Rwv and $\mathfrak{M}, v \models \varphi$,
        and for all u such that Rwu and Ruv we have $\mathfrak{M}, u \models \psi$.
$\mathfrak{M}, w \models S(\varphi, \psi)$ iff there is a v such that Rvw and $\mathfrak{M}, v \models \varphi$,
        and for all u such that Rvu and Ruw we have $\mathfrak{M}, u \models \psi$.


Putting this in words, Until asserts that there is some point in the future where $\varphi$ holds, and
that at all points between the point of evaluation and this future $\varphi$-witnessing point, $\psi$ holds.
Since functions in the same way, but towards the past. Note the $\exists\forall$ pattern of quantification in
the satisfaction definitions. These operators are neither diamonds nor boxes; they are something
new and (as we shall see) more powerful.

What can we say with them? For a start, they have all the power of ordinary diamonds: 
$U(\varphi, \top)$ has the same meaning as $\Diamond\varphi$. But now we can say more: these operators are
tailor-made for stating guarantee properties, requirements of the form “Some event will happen, and
until that event takes place, a certain condition will hold”. For if we represent the event by $\varphi$
and the condition by $\psi$, then $U(\varphi, \psi)$ clearly captures what is required.

But how can we be sure that we can’t state guarantee requirements in the basic modal
language? A simple bisimulation argument demonstrates this. Consider the two models shown in
Figure 19. The two models are clearly bisimilar (simply link both points in the right-hand model
to the single point in the left-hand model; all proposition symbols are false at all points in both
models, though this is irrelevant to the following argument). This means that the two models
agree on the truth of all basic modal formulas at all points. But the models disagree on the value
of $U(\top, \bot)$. This formula is false in the model on the left, but true at both points in the model on
the right. We conclude that no basic modal formula can capture the effect of Until.


Figure 19. Until is not definable in basic modal logic.
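
The Figure 19 argument can be replayed mechanically. The Python below is an added example, not part of the original chapter. The figure itself is not reproduced in this text, so the two models are an assumed reconstruction (one reflexive point on the left, two points that see only each other on the right), and all function names are illustrative.

```python
def diamond(W, R, phi):
    """Points with an R-successor in the set phi."""
    return {w for w in W if any((w, v) in R and v in phi for v in W)}

def until(W, R, phi, psi):
    """Points satisfying U(phi, psi): some R-successor v lies in phi, and every u
    with Rwu and Ruv lies in psi. phi and psi are given as sets of points."""
    return {w for w in W
            if any((w, v) in R and v in phi
                   and all(u in psi for u in W if (w, u) in R and (u, v) in R)
                   for v in W)}

def largest_bisimulation(M1, M2):
    """Greatest relation satisfying atomic harmony, zig and zag, found by pruning."""
    (W1, R1, V1), (W2, R2, V2) = M1, M2

    def label(V, x):
        return {q for q in V if x in V[q]}

    Z = {(a, b) for a in W1 for b in W2 if label(V1, a) == label(V2, b)}
    while True:
        bad = {(a, b) for (a, b) in Z
               if not all(any((b, d) in R2 and (c, d) in Z for d in W2)
                          for c in W1 if (a, c) in R1)            # zig fails
               or not all(any((a, c) in R1 and (c, d) in Z for c in W1)
                          for d in W2 if (b, d) in R2)}           # zag fails
        if not bad:
            return Z
        Z -= bad

def modal_extensions(M1, M2):
    """Pairs (extension in M1, extension in M2) of every basic modal formula:
    start from T and the proposition symbols, close under not, and, diamond."""
    (W1, R1, V1), (W2, R2, V2) = M1, M2
    top = (frozenset(W1), frozenset(W2))
    found = {top} | {(frozenset(V1[q]), frozenset(V2[q])) for q in V1}
    while True:
        new = set(found)
        for (a1, a2) in found:
            new.add((top[0] - a1, top[1] - a2))
            new.add((frozenset(diamond(W1, R1, a1)), frozenset(diamond(W2, R2, a2))))
            new |= {(a1 & b1, a2 & b2) for (b1, b2) in found}
        if new == found:
            return found
        found = new

# Assumed reconstruction of Figure 19; all proposition symbols are false everywhere.
LEFT = ({"w"}, {("w", "w")}, {})
RIGHT = ({"w0", "w1"}, {("w0", "w1"), ("w1", "w0")}, {})

def figure19():
    Z = largest_bisimulation(LEFT, RIGHT)
    pairs = modal_extensions(LEFT, RIGHT)
    u_left = until(LEFT[0], LEFT[1], LEFT[0], set())      # U(T, bottom) on the left
    u_right = until(RIGHT[0], RIGHT[1], RIGHT[0], set())  # U(T, bottom) on the right
    return {
        "bisimulation": Z,
        # bisimilar points agree on every basic modal formula
        "modal_agreement": all((a in s1) == (b in s2) for (a, b) in Z for (s1, s2) in pairs),
        "until_left": u_left,
        "until_right": u_right,
        # is the extension of U(T, bottom) the extension of some basic modal formula?
        "until_is_modal": (frozenset(u_left), frozenset(u_right)) in pairs,
    }

if __name__ == "__main__":
    print(figure19())
```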

But this is a little too easy. Until is typically used for temporal reasoning tasks, and the two 
models just shown have little to recommend them as flows of time. But it turns out that Until 
cannot be defined even if we work with models with more structure. For a start, even if we 
restrict our attention to transitive models, Until is not basic modal definable. For consider the 
two models shown in Figure 20; we are interested in the transitive closure of the relation indicated 
by the arrows. These models are bisimilar (link $w_0$ and $w_1$ with w’, link $t_0$ and $t_1$ with t’, and so
on). So suppose that there is some formula in the basic modal language that captures the effect
of $U(p, q)$. Any such formula would be true in the left-hand model at points $w_0$ and $w_1$. For
consider what happens at $w_0$ (the argument for $w_1$ is analogous). There is a point to its future
(namely $v_1$) that makes p true and at all points lying in between (and there is only one, namely
u) we have that q is satisfied. However any such formula would be false in the right-hand model
at w’, for here there are two points between w’ and v’ (namely u’ and t’) and t’ does not satisfy q.
As w’ is bisimilar to $w_0$ and $w_1$, we conclude that no basic modal formula can capture the effect
of Until. And this result can be strengthened. Even if we restrict ourselves to linear models, 
the basic modal language can’t define Until, and it can’t do so on the real numbers either (see 
Proposition 7.10 in Blackburn, de Rijke and Venema [13]). 


Figure 20. Even on transitive frames, Until is not definable in basic modal logic. 


So adding S and U to the basic modal language yields new expressivity — but how much? 
We shall now discuss Kamp’s Theorem, which shows that on certain classes of structures (a class 
that includes the real numbers) these operators capture the entire one free variable fragment of
the first-order correspondence language. This result was one of the earliest (and is still one of the 
most striking) purely semantic results in modal logic. 

First, note that Until and Since correspond to fragments of the familiar first-order correspon- 
dence language that we have been working with throughout the chapter. After all, we can trans- 
late them as follows: 


$ST_x(U(\varphi, \psi)) = \exists z\,(Rxz \wedge ST_z(\varphi) \wedge \forall y\,(Rxy \wedge Ryz \to ST_y(\psi)))$
$ST_x(S(\varphi, \psi)) = \exists z\,(Rzx \wedge ST_z(\varphi) \wedge \forall y\,(Rzy \wedge Ryx \to ST_y(\psi)))$.


Incidentally, observe that we need three variables to specify this translation, whereas we only
needed two for the basic modal language. Now, the three variable fragment of first-order logic
is known to be undecidable, thus the translation doesn’t give us an easy decidability result for
the enriched modal language, though its satisfiability problem over arbitrary models is in fact
decidable. We’ll understand why a little later when we discuss the packed fragment.

So what does Kamp’s Theorem say? First some preliminary definitions. Let M be a class
of models. We say that a modal language is expressively complete over M, if every formula
(in one free variable) from the first-order correspondence language is equivalent to a formula
in the modal language (when we restrict attention to models from M). Which class of models
is Kamp’s Theorem about? A strict total order is any frame (with one binary relation R) that
is transitive, irreflexive, and linear (that is, $\forall xy\,(Rxy \vee x = y \vee Ryx)$). A strict total order
is Dedekind complete if every subset with an upper bound has a least upper bound. Standard
examples of Dedekind complete strict total orders are the real numbers $(\mathbb{R}, <)$ and the natural
numbers $(\mathbb{N}, <)$ under their usual orderings. And now we have:


THEOREM 40 (Kamp’s Theorem). The basic modal language enriched with U and S is
expressively complete with respect to models based on Dedekind complete strict total orders.


Proof. The original proof is in Kamp’s thesis [76]. Elegant modern proofs, and proofs of 
stronger expressive completeness results, can be found in Gabbay, Hodkinson and Reynolds [52]. 
See also Chapter 11 of this handbook. 


Much more could be said about the Until and Since operators, but we will confine ourselves to 
the following remark. Because of their $\exists\forall$ pattern of quantification, for some time it was unclear 
how best to define a suitable notion of bisimulation. However Kurtonina and de Rijke [87] and 
Sturm [120] have given definitions which enable characterisation theorems to be proved. 


6.4 Conditional logic 


Although formulas of the form $\varphi \to \psi$ are often glossed as “if $\varphi$ then $\psi$”, the truth conditions 
that classical logic gives to the $\to$ symbol (and in particular, the fact that $\varphi \to \psi$ is true when $\varphi$ 
is false) mean that $\to$ does not mirror the more interesting meanings that conditionals can have 
in natural language. This has inspired numerous attempts to introduce conditional connectives 
(say, $>$) that better mimic the logic(s) of natural language conditionals. Indeed, such aspirations 
have given birth to an entire branch of logic, namely Relevance Logic, which nowadays is a 
well-established branch of the study of substructural logics (see Restall [108]). 

But there is a modal approach to conditionals too. Its motivation comes from the following 
intuition: a conditional $\varphi > \psi$ can (often) be read as an invitation to assume the antecedent 
(perhaps making some adjustments to accommodate its truth) and check if the consequent is 
true. A characteristic inferential feature of this reading is the failure of monotonicity in the 
antecedent. “If I catch the 6.22 train at Amsterdam Central ($\varphi$), I will be home on time ($\psi$)” is 
true on the most natural reading of the conditional, but adding an unusual further condition may 
make it false, as the sentence “If I catch the 6.22 train at Amsterdam Central ($\varphi$), and the dikes 
break ($\theta$), I will be home on time ($\psi$)” demonstrates. 

Models for modal-style conditional reasoning are triples $\mathfrak{M} = (W, C, V)$. Here W is a 
non-empty set (whose elements are usually called worlds), V is a valuation, and C is a ternary relation 
of relative similarity, or (as it is sometimes put in the literature) a relation of relative 
‘comparison’ or ‘preference’ between worlds. It is useful to write $Cwuv$ as $C_w uv$ and to read this as 
saying that “w has more in common with u than v”. It is standard to demand that each $C_w$ 
satisfies $\forall uvz\,(C_w uv \wedge C_w vz \to C_w uz)$, w-centred transitivity, and $\forall u\, C_w uu$, w-centred reflexivity. 
Moreover, some authors, most famously David Lewis, also demand w-centred comparability, 
that is, $\forall uv\,(C_w uv \vee C_w vu)$. A good way to visualise the relation $C_w uv$ is to think of u and v as 
two concentric circles around w. If u and v are distinct, then u is a concentric circle closer to w 
than v is. 

The simplest truth condition for conditionals is the following, which comes from David Lewis’s 
groundbreaking book “Counterfactuals” [90]. It fits in well with our intuitions (at least on finite 
models): 


$\mathfrak{M}, w \models \varphi > \psi$ iff all minimal worlds in the w-centred ordering $C_w uv$ at which $\varphi$ is true 
are also worlds where $\psi$ holds. 


This satisfaction clause can be phrased more succinctly as follows: all minimal $\varphi$-worlds are 
$\psi$-worlds. 

Note that the $\varphi$-minimal worlds around w are the only ones we consider. As the minimal 
worlds satisfying the stronger condition $\varphi \wedge \theta$ need not be the ones satisfying $\varphi$, in this way we 
get a semantic distinction which accounts for the failure of monotonicity in the antecedent. 
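
The minimal-worlds clause evaluated on a small finite model, as an added example (not code from the handbook). The world names, the distances from the centre and the second, non-comparable ordering are constructed for illustration.

```python
from itertools import product

# Constructed model for the train example (all names and numbers are assumptions).
WORLDS = {"actual", "on_time", "late", "flood"}
V = {
    "catch": {"on_time", "late", "flood"},  # phi: I catch the 6.22 train
    "dikes": {"flood"},                     # theta: the dikes break
    "home": {"on_time"},                    # psi: I am home on time
}
# Distance of each world from the centre "actual"; smaller means more similar.
DIST_ACTUAL = {"actual": 0, "on_time": 1, "late": 2, "flood": 3}


def from_distances(dist):
    """C_w as a set of pairs (u, v): u is at least as close to w as v."""
    return {(u, v) for u, v in product(WORLDS, repeat=2) if dist[u] <= dist[v]}


# A weaker ordering: the centre is closest, all other worlds are incomparable.
PARTIAL = {(u, u) for u in WORLDS} | {("actual", u) for u in WORLDS}


def is_reflexive(c):
    return all((u, u) in c for u in WORLDS)


def is_transitive(c):
    return all((u, z) in c for (u, v) in c for (v2, z) in c if v == v2)


def is_comparable(c):
    return all((u, v) in c or (v, u) in c for u, v in product(WORLDS, repeat=2))


def minimal(c, extension):
    """Worlds of the extension with no strictly closer world in the extension."""
    return {u for u in extension
            if not any((v, u) in c and (u, v) not in c for v in extension)}


def conditional(c, antecedent, consequent):
    """M, w |= phi > psi: every minimal phi-world is a psi-world."""
    return minimal(c, antecedent) <= consequent


if __name__ == "__main__":
    lewis = from_distances(DIST_ACTUAL)
    print("catch > home:", conditional(lewis, V["catch"], V["home"]))
    print("(catch and dikes) > home:",
          conditional(lewis, V["catch"] & V["dikes"], V["home"]))
    print("catch > home, incomparable worlds:",
          conditional(PARTIAL, V["catch"], V["home"]))
```

Strengthening the antecedent moves the minimal worlds from `on_time` to `flood`, which is why the second conditional fails. Under the non-comparable ordering every catch-world is minimal, so even the first conditional fails.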

But what about infinite models? Then there need not be any minimal worlds satisfying the 
antecedent (we might have a chain of $\varphi$-satisfying concentric circles coming ever closer to w). 
Here’s a way of handling this: switch to the following more complex truth condition (to keep 
things readable, we shall use $\varphi(v)$ as shorthand for $\mathfrak{M}, v \models \varphi$, and similarly for $\psi$): 


$$\mathfrak{M}, w \models \varphi > \psi \quad\text{iff}\quad \forall u\,(\varphi(u) \to \exists v\,(C_w vu \ \&\ \varphi(v) \ \&\ \forall z\,((C_w zv \ \&\ \varphi(z)) \to \psi(z)))).$$


This says that the conditional $\varphi > \psi$ holds if, whenever $\varphi$ holds at some circle u, then there 
is some smaller circle v where $\varphi$ holds such that all circles z within v satisfy $\psi$. This is rather 
awkward to process in first-order logic, but it can be clearly expressed in modal logic if we make 
use of a unary modality $\langle c \rangle$ (which looks inwards for a circle closer to the centre) together with 
the universal modality A. For then we can simply say: 


$$\varphi > \psi =_{def} A(\varphi \to \langle c \rangle(\varphi \wedge [c](\varphi \to \psi))).$$


This more complex truth-condition validates a minimal logic which includes such principles 
as upward monotonicity in the consequent: $\varphi > \psi$ implies $\varphi > (\psi \vee \theta)$. Further properties of 
the similarity ordering enforce special axioms via standard frame correspondences. Assuming 
just reflexivity and transitivity yields the minimal conditional logic originally axiomatised by 
Burgess [19] and Veltman [143], while assuming also comparability of the ordering gives rise to 
the logics obtained by David Lewis. 

What about complexity? A number of interesting results are known: 


THEOREM 41. The satisfiability problem for the minimal conditional logic (that is, where 
$C_w uv$ is transitive and reflexive) is PSPACE-complete when formulas with arbitrary nestings 
of conditionals are allowed, and NP-complete for formulas with bounded nesting of conditionals. 


Proof. See Friedman and Halpern [50]. These authors also prove that if uniformity is assumed 
(that is, if all worlds agree on what worlds are possible) the complexity rises to EXPTIME- 
complete, even for formulas with bounded nesting. Moreover, they show that if absoluteness 
is assumed (that is, all worlds agree on all conditional statements) the decision problem is NP- 
complete for formulas with arbitrary nesting. 


In general, conditional logic has not been studied semantically in the same style as most 
modal languages, though there is no reason why it cannot be. For example, bisimulations could 
be defined for > in much the same spirit as they are defined for temporal logics with Until and 
Since. Likewise, issues of frame definability beyond the minimal setting can be explored; for 
example, van Benthem [137] notes correspondences between conditional axioms and triangle 
inequalities concerning concrete geometrical relations of relative nearness in space. Many recent 
technical developments in conditional logic, however, have to do with its connection with belief 
revision theory (see Gärdenfors and Rott [55]). In that setting, a conditional $\varphi > \psi$ means “if 
I revise my current beliefs with the information that $\varphi$, then $\psi$ will be among my new beliefs”; 
see, for example, Ryan and Schobbens [110]. For more on these topics, see Chapters 20 and 21 
of this handbook. 


6.5 The guarded fragment 


The richer modal languages so far examined have clearly been modal in a syntactic sense; all 
use the typical “apply operator to formula” syntax. The guarded fragment, however, arises as an 
attempt to directly isolate fragments of first-order logic that can plausibly be called modal. So 
the modal languages we shall consider here are syntactically first-order. 

The clue leading to the guarded fragment is the standard translation of the modalities. This 
treats modalities as macros embodying restricted forms of first-order quantification, in particular, 
quantification restricted to successor states: 


$$ST_x(\Diamond\varphi) = \exists y\,(Rxy \wedge ST_y(\varphi))$$
$$ST_x(\Box\varphi) = \forall y\,(Rxy \to ST_y(\varphi)).$$


As we saw earlier, it is this restricted form of quantification that lets bisimulation emerge as the 
key model-theoretic notion. And bisimulation, via the tree model property, leads to decidability. 
Thus at least one pleasant property of modal logic can plausibly be traced back to its use of 
a restricted form of quantification. So it is natural to ask whether other first-order fragments 
defined by restricted quantification have such properties. This line of enquiry leads to the guarded 
fragment and its relatives. 

The first step takes us to the guarded fragment, which was introduced by Andréka, van Benthem, 
and Németi [5]. Guarded formulas $\varphi$ are built up as follows: 


$$\varphi ::= Q\bar{x} \mid \neg\varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \exists\bar{x}\,(G(\bar{x}, \bar{y}) \wedge \varphi(\bar{x}, \bar{y})) \mid \forall\bar{x}\,(G(\bar{x}, \bar{y}) \to \varphi(\bar{x}, \bar{y})).$$


Here $\bar{x}$ and $\bar{y}$ are finite tuples of variables, Q is a predicate symbol (of appropriate arity for 
the tuple $\bar{x}$), and G, the symbol used in the guard, is a predicate symbol too (thus the guard is 
an atomic formula). The key point to observe is that in the clauses for the quantifiers, all the 
free variables of $\varphi$ appear in the guard. The set of all guarded first-order formulas is called the 
guarded fragment. 


THEOREM 42. The guarded fragment is decidable. Its satisfiability problem is 2EXPTIME- 
complete, and EXPTIME-complete if we have a fixed upper bound on the arity of predicates. 
Moreover, the guarded fragment has the finite model property. 


Proof. See Grädel [62] for the complexity results and a direct proof of the finite model property. 
An earlier (algebraic) proof of the finite model property can be found in Andréka, Hodkinson, 
and Németi [4]. 


The guarded fragment is a natural generalisation of the first-order formulas obtainable under 
the standard translation, but does it go far enough? For example, adding Until to a basic modal 
language yields a decidable logic, but the standard translation of $U(p, q)$, namely 


$$\exists y\,(Rxy \wedge Py \wedge \forall z\,((Rxz \wedge Rzy) \to Qz)),$$


does not belong to the guarded fragment, and it can be shown that it is not equivalent to a formula 
in the guarded fragment either. This suggests that it may be possible to pin down richer restricted- 
quantification first-order fragments that retain decidability, and several closely related extensions 
of the guarded fragment, such as the loosely guarded fragment (see van Benthem [135]) and the 
packed fragment (see Marx [93]) have been proposed which do precisely this. Let’s take a quick 
look at the packed fragment. 

The packed fragment allows us to use composite guards $\gamma$ instead of just atomic guards G. 
Let $\gamma$ be a formula whose free variables are $\{x_1, \ldots, x_k\}$. Then $\gamma$ packs $\{x_1, \ldots, x_k\}$ if $\gamma$ is 
a conjunction of formulas of the form $x_i = x_j$, $R(x_{i_1}, \ldots, x_{i_n})$ or $\exists\bar{x}\,R(x_{j_1}, \ldots, x_{j_m})$, and 
moreover, for any two distinct free variables $x_i$ and $x_j$, there is a conjunct in $\gamma$ in which they 
both occur free. The packed fragment is the smallest fragment of modal logic that contains all 
atomic formulas, and is closed under boolean combinations and packed quantification. That is, if 
$\psi$ is a packed formula, and $\gamma$ packs $\psi$, and all the free variables of $\psi$ are free in $\gamma$, then $\exists\bar{x}\,(\gamma \wedge \psi)$ 
and $\forall\bar{x}\,(\gamma \to \psi)$ are packed too. 

As an example, consider again the standard translation of $U(p, q)$, namely 


$$\exists y\,(Rxy \wedge Py \wedge \forall z\,((Rxz \wedge Rzy) \to Qz)).$$


This is not packed as the guard of the subformula $\forall z\,((Rxz \wedge Rzy) \to Qz)$ has no conjunct 
in which x and y occur together. But this is easy to fix. The following (logically equivalent) 
formula is packed: 


$$\exists y\,(Rxy \wedge Py \wedge \forall z\,((Rxz \wedge Rzy \wedge Rxy) \to Qz)).$$


And indeed, the packed fragment turns out to be computationally well behaved: 


THEOREM 43. The packed fragment is decidable. Its satisfiability problem is 2EXPTIME-complete. 
Moreover, it has the finite model property. 


Proof. The complexity result follows from results in Grädel [62]. The original proof of the 
finite model property for the packed fragment (and the loosely guarded fragment) can be found 
in Hodkinson [68]; a more elegant proof can be found in Hodkinson and Otto [69]. 
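
A syntactic checker for the two fragments, run on the translation of Until and on its repaired form, as an added example (not code from the handbook). The tuple encoding of formulas is an assumption of this sketch, and guard conjuncts are restricted to atoms and equalities (the existentially quantified conjuncts allowed by the definition are left out).

```python
from itertools import combinations

# Formula encoding (an assumption of this example):
#   ("atom", pred, (vars...))           equality is atom("=", x, y)
#   ("not", f), ("and", f, g), ("or", f, g)
#   ("exists" | "forall", bound_vars, guard_conjuncts, body)
#       read as  Ex(guard & body)  and  Ax(guard -> body)


def atom(pred, *args):
    return ("atom", pred, args)


def free_vars(f):
    kind = f[0]
    if kind == "atom":
        return set(f[2])
    if kind == "not":
        return free_vars(f[1])
    if kind in ("and", "or"):
        return free_vars(f[1]) | free_vars(f[2])
    _, bound, guard, body = f
    inside = free_vars(body).union(*(free_vars(g) for g in guard))
    return inside - set(bound)


def packs(guard):
    """Every two distinct free variables of the guard share a conjunct."""
    variables = set().union(*(free_vars(g) for g in guard))
    return all(any({a, b} <= free_vars(g) for g in guard)
               for a, b in combinations(sorted(variables), 2))


def check(f, guard_ok):
    kind = f[0]
    if kind == "atom":
        return True
    if kind == "not":
        return check(f[1], guard_ok)
    if kind in ("and", "or"):
        return check(f[1], guard_ok) and check(f[2], guard_ok)
    _, bound, guard, body = f
    guard_vars = set().union(*(free_vars(g) for g in guard))
    return (bool(guard) and all(g[0] == "atom" for g in guard)
            and guard_ok(guard)
            and free_vars(body) <= guard_vars   # free variables of body occur in guard
            and check(body, guard_ok))


def is_guarded(f):
    return check(f, lambda guard: len(guard) == 1)   # atomic guard only


def is_packed(f):
    return check(f, packs)


def until(inner_guard):
    """Ey(Rxy & Py & Az(inner_guard -> Qz)), the translation of U(p, q)."""
    inner = ("forall", ("z",), inner_guard, atom("Q", "z"))
    return ("exists", ("y",), [atom("R", "x", "y")], ("and", atom("P", "y"), inner))


DIAMOND = ("exists", ("y",), [atom("R", "x", "y")], atom("P", "y"))
UNTIL = until([atom("R", "x", "z"), atom("R", "z", "y")])
UNTIL_PACKED = until([atom("R", "x", "z"), atom("R", "z", "y"), atom("R", "x", "y")])

if __name__ == "__main__":
    for name, f in [("diamond", DIAMOND), ("until", UNTIL), ("until, packed", UNTIL_PACKED)]:
        print(name, "guarded:", is_guarded(f), "packed:", is_packed(f))
```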

In short, we have isolated two decidable fragments of first-order logic which are expressive 
enough to generalise many common modal languages. Moreover, these fragments have attractive 
properties besides decidability. Basic modal logic resembles first-order logic in most of its 
meta-properties, even those (such as Craig Interpolation, Beth definability, and the standard 
model-theoretic preservation theorems) that do not follow straightforwardly from the fact that it is a 
first-order fragment. The guarded fragment shares this good behaviour to some extent, witness the 
Łoś-style preservation theorem for submodels given in Andréka, van Benthem, and Németi [5]. 
But subsequent work has shown that the picture is somewhat mixed. There is indeed a natural 
notion of guarded bisimulation (see Andréka, van Benthem, and Németi [5]) which characterises 
the guarded fragment as a fragment of first-order logic. Moreover, Beth definability holds (see 
Hoogland, Marx and Otto [71]). However Craig interpolation fails in its strong form, though 
it holds when we view guard predicates as part of the logical vocabulary (see Hoogland and 
Marx [70]). 

This is a good moment to take stock of some of the first-order fragments we have encountered 
in the course of this chapter, and their interrelationships. Figure 21 summarises the relationships 
between first-order logic, the more restricted (but undecidable) bounded fragment, and the still 
more restricted (but decidable) guarded fragment. Also shown are the fragments of first-order 
logic corresponding to the basic modal language, and the fragment corresponding to the basic 
language enriched with Until. Here $L_2$ and $L_3$ indicate the two and three variable fragments 
respectively; the basic language fits into the former, but the Until enriched language spills over 
into the latter. 


Figure 21. Some modally significant fragments of first-order logic. (Diagram; surviving labels: FOL, Bounded Fragment, ML+Until, ML.) 


6.6 Propositional Dynamic Logic 


The richer modal languages so far discussed extend the first-order expressive power available for 
talking about models: the universal modality adds quantification over $W \times W$, hybridisation gives 
access to constants and equality, Until and Since and conditional logic add richer quantificational 
patterns, and the guarded-fragment cheerfully replaces modal syntax with first-order syntax. But 
the next two languages we shall discuss take us in a different direction: both add second-order 
expressive power. Now, in Section 5 we saw that modal languages have second-order expressive 
power (via the concept of validity) at the level of frames. But in the languages we now consider, 
second-order expressivity arises directly: it is hardwired into the satisfaction definitions, and 
hence is available at the level of models. In particular, Propositional Dynamic Logic (henceforth 
PDL) offers us an (infinite collection of) transitive closure operators, and the modal $\mu$-calculus 
offers us a general mechanism for forming fixed-points. Significantly, both PDL and the modal 
$\mu$-calculus were born in theoretical computer science. Finite structures are crucial to the theory and 
practice of computation, and basic results of finite model theory (see Ebbinghaus and Flum [35]) 
show that first-order logic is badly behaved when interpreted over finite structures. Nowadays 
it is standard practice to extend first-order languages with second-order constructs (such as the 
ability to take transitive closures or form fixed-points) when working with finite models, and in 
the languages we now consider, such ideas are put to work in modal logic. 

Let’s start by looking at the weaker of the two languages, namely PDL. The underlying idea 
(to extend modal logic with a modality for every program) is due to Vaughan Pratt [102], and 
the language now called PDL was first investigated by Fischer and Ladner [47, 48]. PDL contains 
an infinite collection of diamonds. Each has the form $\langle\pi\rangle$, where $\pi$ denotes a non-deterministic 
program. The intended interpretation of $\langle\pi\rangle\varphi$ is that “some terminating execution of $\pi$ from 
the current state leads to a state with the information $\varphi$”. The dual assertion $[\pi]\varphi$ states that 
“every terminating execution of $\pi$ from the current state leads to a state with the information 
$\varphi$”. Crucially, the inductive structure of programs is made explicit in PDL’s syntax, as complex 
programs are built out of basic programs using four program constructors. Suppose we have 
fixed a set of basic programs a, b, c, and so on. We are allowed to define complex programs $\pi$ 
over this base as follows: 


Choice: if $\pi_1$ and $\pi_2$ are programs, then so is $\pi_1 \cup \pi_2$. It non-deterministically 
executes either $\pi_1$ or $\pi_2$. 


Composition: if $\pi_1$ and $\pi_2$ are programs, then so is $\pi_1 ; \pi_2$. It first executes $\pi_1$ and 
then executes $\pi_2$. 


Iteration: If $\pi$ is a program, then so is $\pi^*$. It executes $\pi$ a finite (possibly zero) 
number of times. 


Test: if $\varphi$ is a formula, then $\varphi?$ is a program. It tests whether $\varphi$ holds, and if so, 
continues; if not, it fails. 


Hence PDL makes available the following (inductively defined) algebra of diamonds. First 
we have diamonds $\langle a\rangle$, $\langle b\rangle$, $\langle c\rangle$, and so on, for working with the basic programs. Then, if $\langle\pi_1\rangle$ 
and $\langle\pi_2\rangle$ are diamonds and $\varphi$ is a formula, $\langle\pi_1 \cup \pi_2\rangle$, $\langle\pi_1 ; \pi_2\rangle$, $\langle\pi_1^*\rangle$ and $\langle\varphi?\rangle$ are diamonds too. 
Note the unusual syntax of the test constructor diamond: it makes a modality out of a formula. 
This means that the sets of PDL formulas and modalities are defined by mutual induction. 

How do we interpret PDL? Syntactically we’re simply dealing with a basic modal language in 
which the modalities are indexed by a structured set. So a model for PDL will have the form we 
are used to, namely 

$$(W, \{R^\pi \mid \pi \text{ is a program}\}, V),$$


a suitably indexed collection of relations together with a valuation. Moreover, the usual satisfac- 
tion definition is all that is required: diamonds existentially quantify over the relevant transitions, 
and boxes universally quantify over them. Nonetheless, something more needs to be said. Given 
the intended interpretation of PDL, most of these models are uninteresting. We want models 
built over frames which do justice to the intended meaning of our program constructors. Which 
models are these? 

Nothing much needs to be said about the interpretation of the basic programs: any binary 
relation can be regarded as a transition relation for a non-deterministic program (though if we 
were interested in deterministic programs, we would insist on working with frames in which 
each basic program was interpreted by a partial function). Nor need much be said about the test 
operator. Unusual though its syntax is, its intended interpretation in any model $\mathfrak{M}$ is simply 


$$R^{\varphi?} = \{(w, v) \mid w = v \text{ and } \mathfrak{M}, w \models \varphi\}.$$


But the three remaining constructors demand that we impose inductive structure on our frames. 
Here’s what is required: 


$$R^{\pi_1 \cup \pi_2} = R^{\pi_1} \cup R^{\pi_2},$$
$$R^{\pi_1 ; \pi_2} = R^{\pi_1} \circ R^{\pi_2} \ (= \{(x, y) \mid \exists z\,(R^{\pi_1}xz \wedge R^{\pi_2}zy)\}),$$
$$R^{\pi_1^*} = (R^{\pi_1})^*, \text{ the reflexive transitive closure of } R^{\pi_1}.$$


These restrictions are the natural set-theoretic ways of capturing the ‘either-or’ nature of 
non-deterministic choices (for $R^{\pi_1 \cup \pi_2}$), the idea of executing two programs in a sequence (for $R^{\pi_1 ; \pi_2}$) 
and the idea of iterating the execution of a program finitely many times (for $R^{\pi_1^*}$). Accordingly, 
we make the following definition. Let $\Pi$ be the smallest set of programs containing the basic 
programs and the programs constructed over them using the constructors $\cup$, $;$, and $^*$. Then a 
regular frame over $\Pi$ is a frame $(W, \{R^\pi \mid \pi \in \Pi\})$ where $R^a$ is a binary relation for each basic 
program a, and for all complex programs $\pi$, $R^\pi$ is the binary relation constructed inductively 
using the above clauses. A regular model over $\Pi$ is a model built over a regular frame (that 
is, regular models are regular frames together with a valuation). When working with PDL over 
the programs in $\Pi$, we will be interested in regular models for $\Pi$, for these are the models that 
capture the intended interpretation. All very simple and natural — but by insisting that $R^{\pi_1^*}$ 
be interpreted by the reflexive transitive closure of $R^{\pi_1}$, we have given PDL genuinely 
second-order expressive power. A straightforward application of the Compactness Theorem shows that 
first-order logic cannot define the transitive closures of arbitrary binary relations, so with this 
definition we’ve moved beyond the confines of first-order logic. Unsurprisingly, compactness 
fails in PDL. To see this, consider the following infinite set of formulas: 


$$\{\langle\pi^*\rangle p,\ \neg p,\ [\pi]\neg p,\ [\pi][\pi]\neg p,\ [\pi][\pi][\pi]\neg p,\ \ldots\}.$$


It is clear that every finite subset of this set has a regular model: we simply make p true at a 
state reachable by taking n + 1 (non-reflexive) $\pi$-steps out from the current state, where n is the 
maximal level of nesting of boxes. But the entire set cannot be satisfied at any state in any regular 
model. 

So we have genuine second-order expressivity at our disposal. What can we do with it? Well, 
for a start, at the level of models, we can express some familiar algorithmic constructs: 


$(p? ; a) \cup (\neg p? ; b)$     if p then a else b. 
$a ; (\neg p? ; a)^* ; p?$        repeat a until p. 
$(p? ; a)^* ; \neg p?$            while p do a. 


Note the crucial role played by * in capturing the effect of the two loop constructors. 
Moreover, the second-order expressivity built in at the level of models spills over into the level 
of frames. Here’s a nice illustration. Via the concept of validity, PDL itself is strong enough to 
define the class of regular frames (something which cannot be done in a first-order language). 
Now, it is not hard to give conditions that capture choice and composition. The formula 


$$\langle\pi_1 \cup \pi_2\rangle p \leftrightarrow \langle\pi_1\rangle p \vee \langle\pi_2\rangle p$$


is valid on precisely those frames satisfying $R^{\pi_1 \cup \pi_2} = R^{\pi_1} \cup R^{\pi_2}$, and 


$$\langle\pi_1 ; \pi_2\rangle p \leftrightarrow \langle\pi_1\rangle\langle\pi_2\rangle p$$


is valid on precisely those frames satisfying $R^{\pi_1 ; \pi_2} = R^{\pi_1} \circ R^{\pi_2}$. 

But these are first-order conditions. What about iteration? We demanded that the relation $R^{\pi^*}$ 
used for the program $\pi^*$ be the reflexive transitive closure of the relation $R^\pi$ used for $\pi$. This 
constraint cannot be expressed in first-order logic; how can we impose it via PDL validity? 

As follows. First we demand that 


$$\langle\pi^*\rangle\varphi \leftrightarrow \varphi \vee \langle\pi ; \pi^*\rangle\varphi$$


be valid. This says that a state satisfying $\varphi$ can be reached by executing $\pi$ a finite number of 
times if and only if $\varphi$ is satisfied in the current state, or we can execute $\pi$ once and then find a 
state satisfying $\varphi$ after finitely many more iterations of $\pi$. Second, we demand that 


$$[\pi^*](\varphi \to [\pi]\varphi) \to (\varphi \to [\pi^*]\varphi)$$


be valid too. This is called Segerberg’s axiom. Work through what it says: as you will see, 
in essence it is an induction schema. A frame validates all instances of the four schemas just 
introduced if and only if it is a regular frame. 

Summing up, at both the level of models and frames, PDL has a great deal of expressive 
power. Hence the following result is all the more surprising: 


THEOREM 44. PDL has the finite model property and is decidable. Its satisfiability problem is 
EXPTIME-complete. 


Proof. The finite model property, decidability, and EXPTIME-hardness results for PDL were 
proved in Fischer and Ladner [47, 48]. The existence of an EXPTIME algorithm for PDL 
satisfiability was proved in Pratt [103]. 


But we are only half-way through our story. With the modal $\mu$-calculus we will climb even 
higher in the second-order expressivity hierarchy, and we will do so without leaving EXPTIME. 


6.7 The modal $\mu$-calculus 


The modal $\mu$-calculus is the basic modal language extended with a mechanism for forming least 
(and greatest) fixed-points. It is highly expressive (as we shall see, it is stronger than PDL) and 
computationally well behaved. Moreover it has a beautiful bisimulation-based characterisation. 
All in all, it is one of the most significant languages on the modal landscape. It was introduced 
in its present form by Dexter Kozen [80]. 

The idea underlying the modal $\mu$-calculus is to view modal formulas as set-theoretic 
operators, and to add mechanisms for specifying their fixed-points. Now, a set-theoretic operator on 
a set W is simply a function $F : 2^W \to 2^W$. But how can we view modal formulas as 
set-theoretic operators? Consider a formula $\varphi$ containing some proposition symbol (say p). In any 
model, $\varphi$ will be satisfied at some set of points. If we systematically vary the set of points that 
the valuation assigns to p, the set of points where $\varphi$ is satisfied will typically vary too. So we can 
view $\varphi$ as inducing an operator over the points of some model, namely the operator that takes as 
argument the subset of W that is assigned to p, and returns the set of points where $\varphi$ is satisfied 
with respect to this assignment. 

Let’s make this precise. We will work in a language with a collection of diamonds $\langle\pi\rangle$, so 
models have the form $\mathfrak{M} = (W, \{R^\pi\}_{\pi \in \text{MOD}}, V)$. For any proposition symbol p, V(p) is the 
set of points in $\mathfrak{M}$ where p is satisfied. Let’s extend V to a function that returns, for arbitrary 
formulas $\varphi$, the set of points in $\mathfrak{M}$ that satisfy $\varphi$ (we won’t invent a new name for this extended 
valuation, we’ll simply call it V). The required definition is a simple reformulation of the 
satisfaction definition for the basic modal language: 


$$V(p) = V(p) \text{ for all proposition symbols } p$$
$$V(\neg\varphi) = W \setminus V(\varphi)$$
$$V(\varphi \wedge \psi) = V(\varphi) \cap V(\psi)$$
$$V(\langle\pi\rangle\varphi) = \{w \mid \text{for some } v \in W,\ R^\pi wv \text{ and } v \in V(\varphi)\}.$$


Furthermore, for any proposition symbol p and any $U \subseteq W$ we shall write $V_{[p \leftarrow U]}$ for the 
(extended) valuation that differs from the (extended) valuation V, if at all, only in that it assigns 
U to p. That is, $V_{[p \leftarrow U]}(p) = U$, and for any $q \neq p$, $V_{[p \leftarrow U]}(q) = V(q)$. Then the operator 
induced by a formula $\varphi$ (relative to a proposition symbol p) is the function that maps any $U \subseteq W$ 
to $V_{[p \leftarrow U]}(\varphi)$. 

Now to bring fixed-points into the picture. A subset X of W is a fixed-point of a set-theoretic 
operator F on W if F(X) = X. This is clearly a special property: which set-theoretic operators 
have fixed-points, and how do we calculate them? The Knaster-Tarski Theorem (see Knaster [79] 
and Tarski [123]) gives important answers. Firstly, this theorem tells us that fixed-points exist 
when we work with monotone set-theoretic operators (an operator F is monotone if $X \subseteq Y$ 
implies that $F(X) \subseteq F(Y)$). Secondly, this theorem tells us that if F is a monotone operator on 
a set W, then F has a least fixed-point $\mu F$, which is equal to 


$$\bigcap \{U \subseteq W \mid F(U) \subseteq U\},$$

and also a greatest fixed-point $\nu F$, which is equal to 

$$\bigcup \{U \subseteq W \mid U \subseteq F(U)\}.$$


That is, both $\mu F$ and $\nu F$ are solutions to the equation F(X) = X, and furthermore, for any 
other solution Z, we have that $\mu F \subseteq Z \subseteq \nu F$. The least and greatest fixed-points given by the 
Knaster-Tarski Theorem are the fixed-points the modal $\mu$-calculus works with. 

But how can we specify these fixed-points using modal formulas? By enriching the syntax 
with an operator $\mu$ that binds occurrences of proposition symbols. That is, we shall write 
expressions like $\mu p.\varphi$, in which all free occurrences of the proposition symbol p in $\varphi$ are bound by $\mu$. 
The intended interpretation of $\mu p.\varphi$ is that it denotes the subset of W that is the least fixed-point 
of the set-theoretic operator induced by $\varphi$ with respect to p. Fine — but how do we know that 
this fixed-point exists? If $\varphi$ is arbitrary, we don’t. However if all free occurrences of p in $\varphi$ occur 
positively (that is, if they all occur under the scope of an even number of negations) then a simple 
inductive argument shows that the set-theoretic operator induced by $\varphi$ is monotone, and hence 
(by the Knaster-Tarski Theorem) has least (and greatest) fixed-points. Accordingly we impose 
the syntactic restriction that the $\mu$ operator can only be used to bind a proposition symbol when 
all free occurrences of the variable occur positively. With this restriction in mind we define: 


$$V(\mu p.\varphi) = \bigcap \{U \subseteq W \mid V_{[p \leftarrow U]}(\varphi) \subseteq U\}.$$


That is, the set assigned to $\mu p.\varphi$ is the least fixed-point of the operator induced by $\varphi$. 
What can we say with the modal $\mu$-calculus? Consider the expression 


$$\mu p.(\varphi \vee \langle\pi\rangle p).$$


Read this as defining “the least property (subset) p such that either $\varphi$ is in p or $\langle\pi\rangle p$ is in p”. 
What is this set? A little experiment will convince you that it must be 


$$\{w \in W \mid \mathfrak{M}, w \models \varphi \text{ or there is a finite } R^\pi\text{-sequence from } w \text{ to } v \text{ such that } \mathfrak{M}, v \models \varphi\}.$$


(The reader should check that this set really is the one given to us by the Knaster-Tarski 
Theorem.) Note that this is exactly the set of points that make the PDL formula $\langle\pi^*\rangle\varphi$ true. 

How do we specify greatest fixed-points? With the help of the $\nu$ operator. This is defined as 
follows: 

$$\nu p.\varphi =_{def} \neg\mu p.\neg\varphi(\neg p/p),$$

where $\varphi(\neg p/p)$ is the result of replacing occurrences of p by $\neg p$ in $\varphi$. This expression is 
well-formed: if $\varphi$ is a formula that we could legitimately apply the $\mu$ operator to (that is, if all 
occurrences of p occur under the scope of an even number of negations), then so is $\neg\varphi(\neg p/p)$. The 
reader should check that this operator picks out the following set: 


$$V(\nu p.\varphi) = \bigcup \{U \subseteq W \mid U \subseteq V_{[p \leftarrow U]}(\varphi)\}.$$


That is (in accordance with the Knaster-Tarski Theorem) it picks out the greatest fixed-point of 
the operator induced by $\varphi$. As a further exercise, the reader should check that 


$$\nu p.(\varphi \wedge [\pi]p)$$

denotes the following set: 


$$\{w \in W \mid \mathfrak{M}, w \models \varphi \text{ and at every } v \text{ reachable from } w \text{ by a finite } R^\pi\text{-sequence, } \mathfrak{M}, v \models \varphi\}.$$


Note that this is exactly the set of points w that make the PDL formula $[\pi^*]\varphi$ true. 

In view of these examples, it should not come as a surprise that PDL can be translated into the 
modal $\mu$-calculus. Here are the key clauses: 


$$(\langle\pi_1 \cup \pi_2\rangle\varphi)^\mu = \langle\pi_1\rangle(\varphi)^\mu \vee \langle\pi_2\rangle(\varphi)^\mu$$
$$(\langle\pi_1 ; \pi_2\rangle\varphi)^\mu = \langle\pi_1\rangle\langle\pi_2\rangle(\varphi)^\mu$$
$$(\langle\pi^*\rangle\varphi)^\mu = \mu p.((\varphi)^\mu \vee (\langle\pi\rangle p)^\mu), \text{ where } p \text{ does not occur in } \varphi.$$


In fact the modal $\mu$-calculus is strictly more expressive than PDL. The simplest example of 
a construct that PDL cannot model but that the modal $\mu$-calculus can is the repeat operator. 
The expression repeat($\pi$) is true at a state w if and only if there is an infinite sequence of $R^\pi$ 
transitions leading from w. Proving that this is not expressible in PDL is tricky, but it can be 
expressed in the modal $\mu$-calculus: the formula $\nu p.\langle\pi\rangle p$ does so. Moreover, the temporal logics 
standardly used in computer science, such as LTL, CTL, and CTL*, can also be embedded in the 
modal $\mu$-calculus. For remarks and references on this topic, see Chapter 12 of this handbook. 
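
A small model checker covering both the regular-frame clauses for PDL programs and the fixed-point clauses of the modal $\mu$-calculus, as an added example (not code from the handbook). The five-state model, the tuple encoding and all function names are assumptions; fixed points are computed by iteration, which on a finite model reaches the Knaster-Tarski fixed points when the bound variable occurs positively.

```python
from itertools import chain, combinations

W = frozenset(range(5))
R = {"a": {(0, 1), (1, 2), (3, 4), (4, 3)}}   # constructed transitions
V = {"p": {2}}                                 # constructed valuation


def rel(prog, val):
    """R^pi for a PDL program, following the regular-frame clauses."""
    kind = prog[0]
    if kind == "basic":
        return set(R[prog[1]])
    if kind == "choice":
        return rel(prog[1], val) | rel(prog[2], val)
    if kind == "seq":
        r1, r2 = rel(prog[1], val), rel(prog[2], val)
        return {(x, y) for (x, z) in r1 for (z2, y) in r2 if z == z2}
    if kind == "test":
        return {(w, w) for w in ext(prog[1], val)}
    if kind == "star":                         # reflexive transitive closure
        step, closure = rel(prog[1], val), {(w, w) for w in W}
        while True:
            bigger = closure | {(x, y) for (x, z) in closure
                                for (z2, y) in step if z == z2}
            if bigger == closure:
                return closure
            closure = bigger
    raise ValueError(kind)


def ext(f, val):
    """Extended valuation V(f): the set of states satisfying f."""
    kind = f[0]
    if kind == "prop":
        return set(val[f[1]])
    if kind == "not":
        return set(W) - ext(f[1], val)
    if kind == "and":
        return ext(f[1], val) & ext(f[2], val)
    if kind == "or":
        return ext(f[1], val) | ext(f[2], val)
    if kind == "dia":
        r, target = rel(f[1], val), ext(f[2], val)
        return {w for (w, v) in r if v in target}
    if kind == "box":
        return ext(("not", ("dia", f[1], ("not", f[2]))), val)
    if kind in ("mu", "nu"):                   # iterate the induced operator
        var, body = f[1], f[2]
        current = set() if kind == "mu" else set(W)
        while True:
            nxt = ext(body, {**val, var: current})
            if nxt == current:
                return current
            current = nxt
    raise ValueError(kind)


def knaster_tarski_least(var, body, val):
    """Intersection of all U with V[var<-U](body) included in U (brute force)."""
    subsets = chain.from_iterable(combinations(W, n) for n in range(len(W) + 1))
    pre_fixed = [set(u) for u in subsets
                 if ext(body, {**val, var: set(u)}) <= set(u)]
    return set(W).intersection(*pre_fixed)


a, p, X = ("basic", "a"), ("prop", "p"), ("prop", "X")
REACH_MU = ("mu", "X", ("or", p, ("dia", a, X)))             # mu X.(p or <a>X)
REACH_PDL = ("dia", ("star", a), p)                          # <a*>p
SAFE_NU = ("nu", "X", ("and", ("not", p), ("box", a, X)))    # nu X.(~p and [a]X)
SAFE_PDL = ("box", ("star", a), ("not", p))                  # [a*]~p
REPEAT_A = ("nu", "X", ("dia", a, X))                        # repeat(a)
WHILE_NOT_P = ("seq", ("star", ("seq", ("test", ("not", p)), a)), ("test", p))

if __name__ == "__main__":
    print("mu X.(p or <a>X):", sorted(ext(REACH_MU, V)))
    print("<a*>p:           ", sorted(ext(REACH_PDL, V)))
    print("repeat(a):       ", sorted(ext(REPEAT_A, V)))
    print("while ~p do a:   ", sorted(rel(WHILE_NOT_P, V)))
```

States 3 and 4 lie on a cycle, so they satisfy repeat(a), and the while-program has no terminating run from them.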

All in all, the modal $\mu$-calculus is a highly expressive language. In spite of this, it is extremely 
well behaved, both computationally and in other respects. For a start we have that: 


THEOREM 45. The modal $\mu$-calculus has the finite model property and is decidable. Its 
satisfiability problem is EXPTIME-complete. 


Proof. The original decidability proof was given in Kozen and Parikh [81]. The finite model 
property was first established in Streett and Emerson [119]. The complexity result is from 
Emerson and Jutla [36]. 


Furthermore, experience shows that the modal $\mu$-calculus is also well behaved when it comes to 
model checking — indeed it is widely believed that its model checking task can be performed 
in polynomial time. However, at the time of writing, this conjecture has resisted all attempts to 
prove it. 

Moreover, the modal $\mu$-calculus has an elegant semantic characterisation. Suppose we add the
following clause to the standard translation for basic modal logic: 


\[ ST_x(\mu p.\varphi) = \forall P(\forall y(ST_y(\varphi) \to Py) \to Px). \]


This clearly captures the intended semantics of $\mu$. But note that by adding this clause we are
viewing the standard translation as taking us to monadic second-order logic, for here we bind the
unary predicate symbol $P$. This language is already familiar to us: it’s the frame correspondence
language introduced in Section 5, but here we’re using it to express a correspondence at the level
of models. Thus (even at the level of models) the modal $\mu$-calculus is a fragment of monadic
second-order logic. But which fragment? This one:


THEOREM 46 (Modal $\mu$-Calculus Characterisation Theorem). The modal $\mu$-calculus is the
bisimulation invariant fragment of monadic second-order logic.


Proof. See Janin and Walukiewicz [73]. ∎


For more on the modal $\mu$-calculus, see Chapter 12 of this handbook. As well as giving a
detailed technical overview, the chapter also gives an informal introduction to thinking in terms
of fixed-points, which is often a stumbling block when the modal $\mu$-calculus is encountered for
the first time.


6.8 Combined logics 


We now turn to what is (at first glance) one of the simplest methods of obtaining a richer modal 
language: combine two pre-existing ones. But for all its apparent simplicity, this method of 
enrichment swiftly leads to difficult territory. 

Many applications lead naturally to the idea of combined logics. A good example is planning. 
Planning involves a collection of agents who must reason about what they are going to do given 
that they know the effects of actions, and where getting more information may be important for 
solving the problem at hand. Hence Robert Moore [98] proposed a combined language for this 
task. His language offered both epistemic and action modalities, making it possible to say things 
like 

    $K_i[a]\varphi$    “agent $i$ knows that doing $a$ has the effect $\varphi$”

and

    $[a]K_i\varphi$    “doing $a$ makes agent $i$ know that $\varphi$”.


Actually, Moore also considered combinations of PDL with epistemic operators, as plans are 
usually complex actions with program structure. 

The fun starts when we ask how the two logics live together. For example, should they sim- 
ply live side by side, the simple fusion of the two component logics? Or are there interactions 
between them? Obviously this depends on what we are modeling. For example, should $K_i[a]\varphi$
imply $[a]K_i\varphi$? In general, no. After all, I may know that after drinking I am boring, but unfortu-
nately after drinking I no longer know that I am boring (that is, drinking is not an epistemically 
transparent action). Nor need the converse implication hold for actions that deliver genuinely 
new information. After consulting my account manager, I know I am broke, but I do not know 
now that after the consultation I am broke. 

If our application does not require the modeling of such interactions, then we are dealing 
with the simplest possible combination of two decidable modal logics, and the result is again 
decidable. But for some applications we might want to enforce these interactions. Let $R_a$ be the
accessibility relation for action $a$, and let $\sim_i$ be the epistemic relation for agent $i$. The following
frame correspondences tell us what these interactions give rise to:


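\[
\begin{array}{lll}
\mathfrak{F} \models K_i[a]p \to [a]K_i p & \text{iff} & \forall xyz\,((R_a xy \land y \sim_i z) \to \exists u\,(x \sim_i u \land R_a uz)) \\
\mathfrak{F} \models [a]K_i p \to K_i[a]p & \text{iff} & \forall xyz\,((x \sim_i y \land R_a yz) \to \exists u\,(R_a xu \land u \sim_i z)).
\end{array}
\]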


The first principle says that new uncertainty links between the results of an action are inherited 
from existing ones; this is a version of the game-theoretic principle of perfect recall. The other 
direction is called no learning. These are powerful interaction principles. Indeed, they impose a 
grid-like interaction between the relations interpreting the modalities, hence the possibility arises 
of showing undecidability by encoding the tiling problem. A good source of information on this 
topic is Halpern and Vardi [64]. Among other things they show that the combined modal epis- 
temic logic of agents with perfect recall, though still decidable, is highly complex, and that if a 
common knowledge operator (that is, using PDL notation, a box of the form $[(\sim_1 \cup \cdots \cup \sim_n)^*]$)
is added, the problem becomes undecidable. This is a natural example of the bad computational 
behaviour that combinations of relatively simple decidable modal logics can give rise to. More- 
over the air of mystery (“How can a description of well behaved agents get so complex?”) quickly 
gets dispelled once we realise that the behaviour of special agents may have a rich mathematical 
structure that makes their logic tough. 

In recent years there has been intensive theoretical work on combinations of modal logic. 
The goal has been to provide general transfer results: given two (or more) modal logics, and a 
method of combining them, when do properties such as decidability, finite model property, and 
finite axiomatisability transfer from the component logics to the combined logic? The simplest 
way of combining two modal logics is to take their fusion. Given two modal logics $L_1$ and $L_2$ (in
languages with disjoint sets of modal operators) then their fusion $L_1 \otimes L_2$ is the smallest logic $L$
in their joint language that contains them both. Fusions of modal logic have been investigated in
detail (key papers include Kracht and Wolter [82], Fine and Schurz [46], and Wolter [144]), and
have some pleasant transfer properties. For example, to axiomatise the fusion logic $L$, it suffices
to take the axioms for each of the components (that is, no interaction axioms involving modalities
from both languages are required). Moreover, both the finite model property and decidability
transfer from the component logics to the fusion. 

But this good behaviour reflects the fact that fusion is a combination method designed to 
minimise the interaction between the component modalities. What of combination methods
which allow strong interaction between the modalities? The best studied combination tech-
nique here is the formation of products of modal logics. Given two frames $\mathfrak{F}_1 = (W_1, R_1)$
and $\mathfrak{F}_2 = (W_2, R_2)$, their product $\mathfrak{F}_1 \times \mathfrak{F}_2$ is the frame $(W_1 \times W_2, R_h, R_v)$. Here $R_h$ is the
binary relation on $W_1 \times W_2$ defined by $(u_1, v_1) R_h (u_2, v_2)$ iff $u_1 R_1 u_2$ and $v_1 = v_2$; and $R_v$ is
the relation defined by $(u_1, v_1) R_v (u_2, v_2)$ iff $v_1 R_2 v_2$ and $u_1 = u_2$. The idea of taking prod-
ucts of modal logics is an old one (dating back to at least Segerberg [114]) and is a widely used 
combination method in many applications of modal logic. But the product construction creates 
frames which allow for very strong interactions between the modalities, and there are far fewer 
transfer results for this method of combination; indeed, there are many negative results showing 
transfer of decidability failures. 
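
The two frame correspondences for perfect recall and no learning, and the product construction just defined, can both be checked mechanically on small frames. The following Python sketch is an added example, not part of the handbook. It goes slightly beyond the text in two ways: it confirms each correspondence by brute force over all valuations of $p$, and it shows that a product frame (reading $R_h$ as the action relation and $R_v$ as the epistemic relation) always satisfies both grid conditions. All function names and sample frames are constructed.

```python
"""Perfect recall / no learning on finite frames (added illustration)."""
from itertools import product


def product_frame(f1, f2):
    """Product of frames (W1, R1) and (W2, R2): returns (W1 x W2, R_h, R_v)."""
    (w1, r1), (w2, r2) = f1, f2
    worlds = set(product(w1, w2))
    r_h = {((a, v), (b, v)) for (a, b) in r1 for v in w2}  # move in coordinate 1
    r_v = {((u, a), (u, b)) for (a, b) in r2 for u in w1}  # move in coordinate 2
    return worlds, r_h, r_v


def perfect_recall(worlds, r_a, sim):
    """forall xyz((R_a xy and y ~ z) -> exists u (x ~ u and R_a uz))."""
    return all(any((x, u) in sim and (u, z) in r_a for u in worlds)
               for (x, y) in r_a for (y2, z) in sim if y == y2)


def no_learning(worlds, r_a, sim):
    """forall xyz((x ~ y and R_a yz) -> exists u (R_a xu and u ~ z))."""
    return all(any((x, u) in r_a and (u, z) in sim for u in worlds)
               for (x, y) in sim for (y2, z) in r_a if y == y2)


def box(worlds, rel, states):
    """Worlds all of whose rel-successors lie inside `states`."""
    return {w for w in worlds
            if all(v in states for (u, v) in rel if u == w)}


def valid_swap(worlds, outer, inner):
    """Frame validity of [outer][inner]p -> [inner][outer]p, by trying every valuation of p."""
    ws = list(worlds)
    for bits in product([False, True], repeat=len(ws)):
        p = {w for w, b in zip(ws, bits) if b}
        lhs = box(worlds, outer, box(worlds, inner, p))
        rhs = box(worlds, inner, box(worlds, outer, p))
        if not lhs <= rhs:
            return False
    return True


# Constructed "drinking" frame: the action leads from sober to drunk, and once
# drunk the agent cannot tell drunk from drunk_alt (epistemic links appear
# after the action that did not exist before it).
DRINK_W = {"sober", "drunk", "drunk_alt"}
DRINK_A = {("sober", "drunk")}
DRINK_SIM = {(w, w) for w in DRINK_W} | {("drunk", "drunk_alt"),
                                         ("drunk_alt", "drunk")}

# Constructed product: a one-step action frame times a two-world epistemic frame.
ACTION = ({0, 1}, {(0, 1)})
EPISTEMIC = ({0, 1}, {(0, 0), (0, 1), (1, 0), (1, 1)})
PROD_W, PROD_H, PROD_V = product_frame(ACTION, EPISTEMIC)

if __name__ == "__main__":
    for name, (w, a, s) in {"drinking": (DRINK_W, DRINK_A, DRINK_SIM),
                            "product": (PROD_W, PROD_H, PROD_V)}.items():
        print(name,
              "| perfect recall:", perfect_recall(w, a, s),
              "| K[a]p -> [a]Kp valid:", valid_swap(w, s, a),
              "| no learning:", no_learning(w, a, s),
              "| [a]Kp -> K[a]p valid:", valid_swap(w, a, s))
```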

Work on combination of logics, from both applied and theoretical perspectives, is one of 
the liveliest areas of research in contemporary modal logic. For a detailed survey of fusions, 
products, and methods of combinations between these extremes, see Chapter 15 of this handbook. 


6.9 First-order modal logic 


We turn now to what is arguably one of the least well behaved modal languages ever proposed: 
first-order modal logic. However, in one of those twists that make intellectual history so fasci- 
nating, first-order modal logic has come to be accepted (at least in philosophical quarters) as the 
most important modal logic of all. For many philosophers, modal logic is first-order modal logic. 

This is not to say that first-order modal logic is philosophically uncontroversial. Indeed, as is 
discussed in Chapter 21 of this handbook, one of the liveliest debates in 20th century analytic 
philosophy was ignited when Quine [106] questioned the coherence of the enterprise. But two 
advances led to its acceptance. The first was the development of the relational semantics of 
first-order modal logic (Kripke [83, 85] are key papers here) and the second was the publication 
of “Naming and Necessity” (Kripke [86]) which presented what is probably the most widely 
accepted philosophical interpretation of the technical machinery. While these developments did 
not dispel all the controversy, nowadays first-order modal logic together with (some form of) 
relational semantics, is generally regarded as a well understood (perhaps even boringly familiar) 
tool of philosophical analysis. 

Viewed from a mathematical perspective, however, things look rather different. Had first- 
order modal logic never existed, a logician who proposed its (now standard) syntax and relational 
semantics might have been regarded as audacious, perhaps downright careless. Why? Because, 
in essence, first-order modal logic is a combined logic. As we have just seen, combining two 
modal logics while retaining interesting properties is no easy matter. So it should not come as 
too much of a surprise that combining propositional modal logic with first-order logic is unlikely 
to be plain sailing. In what follows we shall sketch the standard syntax and semantics, and 
mention some of its problematic features. 

First the syntax (we omit some of the clauses for the booleans): 


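\[ \varphi ::= P(x_1, \ldots, x_n) \mid x = y \mid \neg\varphi \mid \varphi \land \psi \mid \Diamond\varphi \mid \Box\varphi \mid \exists x\varphi \mid \forall x\varphi. \]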


Here $P$ is an $n$-place predicate symbol and the $x_i$ are individual variables. So (given the clauses
for the quantifiers and booleans) it is clear that we have a full first-order language at our dis- 
posal, and hence (because of the presence of the modalities) we can now search for first-order 
information at accessible states in the familiar way. But we can do more. The clauses for the 
quantifiers hide a subtlety: if a formula $\varphi$ contains free first-order variables within the scope of a
modality, then formulas of the form $\forall x\varphi$ and $\exists x\varphi$ bind variables within the scope of the modal-
ity. This possibility is what led to Quine’s philosophical objections (“no binding into intensional 
contexts”). And from a technical perspective it means we are combining two very different styles 
of logic in a way that allows a strong form of interaction. 

The standard semantics for first-order modal logic comes in a number of variant forms. One 
basic choice concerns the domain of quantification: should the quantifiers range over some fixed 
domain of quantification (the constant domain semantics), or should each point be associated 
with its own domain (the varying domain semantics)? Here we shall present the varying domain 
semantics; for a discussion of the constant domain approach, and of equivalences between the 
constant domain, varying domain, and other approaches, see Chapter 9 of this handbook, or 
Fitting and Mendelsohn [49]. 


DEFINITION 47. A varying domain model is a tuple $(W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$. Here
$W$ is a non-empty set; $R$ is a binary relation on $W$; $D$ (the domain of quantification) is a non-empty
set; for all $w \in W$, $\delta_w \subseteq D$; and for all $w \in W$, $V_w$ is a function that assigns to each
$n$-place predicate symbol a subset of $D^n$.


That is, we have the familiar modal machinery from the propositional case (note that $(W, R)$
is just a frame, and the $V_w$ are essentially our familiar valuations upgraded to interpret first-order
$n$-place predicate symbols $P$ rather than proposition symbols $p$) augmented by a specification
(the $\delta_w$) of the individuals the quantifiers at each state $w$ range over. We interpret first-order
modal logic by taking such a model, together with an assignment of values to variables (that 
is, a function g that maps the individual variables to elements of D), and using the following 
satisfaction definition: 


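\[
\begin{array}{lll}
\mathfrak{M}, g, w \models P(x_1, \ldots, x_n) & \text{iff} & (g(x_1), \ldots, g(x_n)) \in V_w(P), \\
\mathfrak{M}, g, w \models x = y & \text{iff} & g(x) = g(y), \\
\mathfrak{M}, g, w \models \neg\varphi & \text{iff} & \text{not } \mathfrak{M}, g, w \models \varphi, \\
\mathfrak{M}, g, w \models \varphi \land \psi & \text{iff} & \mathfrak{M}, g, w \models \varphi \text{ and } \mathfrak{M}, g, w \models \psi, \\
\mathfrak{M}, g, w \models \Diamond\varphi & \text{iff} & \text{for some } v \in W \text{ such that } Rwv \text{ we have } \mathfrak{M}, g, v \models \varphi, \\
\mathfrak{M}, g, w \models \Box\varphi & \text{iff} & \text{for all } v \in W \text{ such that } Rwv \text{ we have } \mathfrak{M}, g, v \models \varphi, \\
\mathfrak{M}, g, w \models \exists x\varphi & \text{iff} & \text{for some } g' \sim_x g \text{ where } g'(x) \in \delta_w \text{ we have } \mathfrak{M}, g', w \models \varphi, \\
\mathfrak{M}, g, w \models \forall x\varphi & \text{iff} & \text{for all } g' \sim_x g \text{ such that } g'(x) \in \delta_w \text{ we have } \mathfrak{M}, g', w \models \varphi.
\end{array}
\]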


(Here $g' \sim_x g$ means that the assignments $g$ and $g'$ are identical save possibly in the value they
assign to the variable $x$.)

This language is capable of expressing some important distinctions. Consider, for example, 
the formulas $\forall x\Box\varphi$ and $\Box\forall x\varphi$. The first asserts, of each existing entity, that it has the property
$\varphi$ at all accessible states. The second asserts that, at each accessible state, each entity that exists
at that particular state has property $\varphi$. Should either of these formulas imply the other? That is,
should we accept as valid either of the following two principles? 


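\[
\begin{array}{ll}
\forall x\Box\varphi \to \Box\forall x\varphi & \text{Barcan formula} \\
\Box\forall x\varphi \to \forall x\Box\varphi & \text{Converse Barcan formula}
\end{array}
\]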


Instead of trying to answer such tricky philosophical questions (which bear on the de dicto/de re 
distinction, discussed in Chapter 9 of this handbook) let us consider what they say in the light of
the relational interpretation just given. It is not difficult to see that the Barcan formula is valid in
a varying domain model iff that model has decreasing domains, that is, if for all $w, v \in W$, $Rwv$
implies $\delta_v \subseteq \delta_w$. And the Converse Barcan formula is valid on precisely increasing domain
models, that is, models with the property that $Rwv$ implies $\delta_w \subseteq \delta_v$. So to insist on the validity
of both principles is to force an even stronger interaction between the quantifiers and modalities:
it takes us to a locally constant domain semantics in which $Rwv$ implies $\delta_w = \delta_v$. This is a good
example of the clarity that relational semantics can bring to difficult conceptual issues, and shows 
why first-order modal logic can be useful in philosophical logic and natural language semantics. 
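
The satisfaction definition for varying domain models is short enough to implement directly, which makes the role of the local domains $\delta_w$ in the two Barcan principles easy to see. The following Python evaluator is an added example, not part of the handbook: the tuple encoding of formulas, the function names, and the two two-world models are constructed for illustration, with $\varphi$ instantiated as the atomic formula $P(x)$.

```python
"""Varying domain semantics and the Barcan formulas (added illustration)."""


def sat(m, g, w, f):
    """Does M, g, w satisfy formula f? Follows the satisfaction clauses one by one."""
    op = f[0]
    if op == "P":                       # atomic: P(x1, ..., xn)
        _, name, xs = f
        return tuple(g[x] for x in xs) in m["V"][w].get(name, set())
    if op == "eq":
        return g[f[1]] == g[f[2]]
    if op == "not":
        return not sat(m, g, w, f[1])
    if op == "and":
        return sat(m, g, w, f[1]) and sat(m, g, w, f[2])
    if op in ("dia", "box"):            # quantify over R-successors of w
        succ = [v for (u, v) in m["R"] if u == w]
        quant = any if op == "dia" else all
        return quant(sat(m, g, v, f[1]) for v in succ)
    if op in ("ex", "all"):             # quantify over the local domain delta_w only
        _, x, body = f
        quant = any if op == "ex" else all
        return quant(sat(m, {**g, x: d}, w, body) for d in m["delta"][w])
    raise ValueError(f"unknown operator: {op}")


def implies(a, b):
    """a -> b, defined from the page's primitives as not(a and not b)."""
    return ("not", ("and", a, ("not", b)))


def holds_everywhere(m, f):
    """Truth of a closed formula at every world of the model."""
    return all(sat(m, {}, w, f) for w in m["W"])


def decreasing(m):
    """Rwv implies delta_v is a subset of delta_w."""
    return all(m["delta"][v] <= m["delta"][w] for (w, v) in m["R"])


def increasing(m):
    """Rwv implies delta_w is a subset of delta_v."""
    return all(m["delta"][w] <= m["delta"][v] for (w, v) in m["R"])


PX = ("P", "P", ("x",))
BARCAN = implies(("all", "x", ("box", PX)), ("box", ("all", "x", PX)))
CONVERSE_BARCAN = implies(("box", ("all", "x", PX)), ("all", "x", ("box", PX)))

# Constructed model 1: a new individual b comes into existence at the successor.
GROWING = {
    "W": {"w", "v"}, "R": {("w", "v")}, "D": {"a", "b"},
    "delta": {"w": {"a"}, "v": {"a", "b"}},
    "V": {"w": {}, "v": {"P": {("a",)}}},
}

# Constructed model 2: individual b exists at w but not at the successor.
SHRINKING = {
    "W": {"w", "v"}, "R": {("w", "v")}, "D": {"a", "b"},
    "delta": {"w": {"a", "b"}, "v": {"a"}},
    "V": {"w": {}, "v": {"P": {("a",)}}},
}

if __name__ == "__main__":
    for name, m in (("growing", GROWING), ("shrinking", SHRINKING)):
        print(name,
              "| decreasing:", decreasing(m),
              "| Barcan:", holds_everywhere(m, BARCAN),
              "| increasing:", increasing(m),
              "| Converse Barcan:", holds_everywhere(m, CONVERSE_BARCAN))
```

In the growing model the Barcan instance fails at w because the new individual b lacks P at v; in the shrinking model the Converse Barcan instance fails at w because b, which exists at w, lacks P at v even though every individual existing at v has it.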

So what’s the problem? Simply this: for all its analytical utility, first-order modal logic under 
its standard semantics is not well behaved mathematically. Early signs of trouble appeared in 
Fine [45], which showed that interpolation and the Beth property fail for first-order S5 under 
the varying domain semantics, and for any first-order modal logic between K and S5 under the 
constant domain semantics. As S5 is both philosophically central (it is widely considered to 
embody the logic of “necessarily” and “possibly”) and semantically straightforward (it is the 
logic of frames in which R is an equivalence relation) these are strong negative results indeed. 
Worse was to come. It turns out that it is possible to take a propositional modal logic that is 
complete with respect to some class of frames, axiomatically extend it in the manner naturally 
suggested by the standard semantics, and yet to wind up with an incomplete first-order modal 
logic (see Ghilardi [56], Shehtman and Skvortsov [117], Corsi and Ghilardi [26], Cresswell [27]). 

Now, the issue here is not so much the incompleteness in itself (as we have already discussed, 
even in the propositional modal logic, frame incompleteness results are the norm) rather it is the 
loss of completeness in the transition from the propositional case to the first-order case that is 
worrying. To use the terminology introduced when we discussed combinations of logics: the 
standard relational semantics for first-order logic is a method of combination for which transfer 
of completeness fails. 

Such results have led to renewed technical interest in first-order modal logic. The semantics 
of first-order modal logic has come under intense scrutiny, and a number of alternative seman- 
tics have been proposed which enable completeness results to be transferred. Some of this work 
has been model-theoretic (see, in particular, van Benthem’s [132] use of functional frames) but 
most of it has been highly abstract, employing the language of category theory; for a detailed 
account of such work, see Chapter 9 of this handbook. More recently, the hybrid logic com- 
munity has pointed out that upgrading the underlying propositional modal language to a hybrid 
language is another way to repair the situation: interpolation is regained (see Areces, Blackburn 
and Marx [7]), indeed, regained constructively (see Blackburn and Marx [15]) and general pos- 
itive results on transfer of completeness can be proved (see Blackburn and Marx [14]). All in 
all, first-order modal logic is one of the most intriguing areas of modal logic: the most venerable 
system of all poses some of the most interesting questions about what it is to be modal. 


6.10 General perspectives 


Moving to richer languages better fitted for particular applications is a standard feature of current 
research. It is true that in some quarters sticking to the poorest modal base language of the found- 
ing fathers (despite its evident handicaps in expressive power and mathematical convenience) is 
still something of a religion. But the idea of designing extensions is not some new-fangled no- 
tion; its roots stretch back to the work of von Wright [145] and Prior [104, 105], and the idea was 
central to the work of the Sofia School (see, for example, Passy and Tinchev [101] for insightful 
comments on what modal logic is and why one might want to enrich it). Still, pointing to a
noble heritage is not enough. We need to address a tricky question: what makes these languages
modal? Being precise here is difficult. As we have seen, there is a wide range of extensions. 
Moreover, each application imposes its own concerns and peculiarities. Nevertheless, there is a 
guiding idea that lies behind most examples of this form of language design: obtaining a rea- 
sonable balance between expressive power and computational complexity. So the question we 
should focus on is: what makes such natural balances arise? 


As we have seen, many richer modal languages are fragments of the full language of first- 
order logic over some appropriate similarity type of relations and properties. We can see this 
by translation, just as we did with the basic modal language (we saw that the complex truth 
conditions for the Until and Since are definable by first-order formulas, and the same is true for 
the conditional connective, the universal modality, and the apparatus of hybrid logic). Now, there 
have been various attempts to find general patterns explaining which parts of first-order logic are 
involved in modal languages. Gabbay [51] observed that modal languages tend to translate into 
so-called finite variable fragments of first-order logics, that is, fragments using only some finite 
number of variables, fixed or bound. For example, we have seen that the basic modal language 
can make do with only two variables, and temporal logic with Until and Since, and conditional 
logic, only require three. Finite variable fragments have some pleasant computational behaviour; 
for example, their model checking complexity is in PTIME (see Vardi [141]) as opposed to 
PSPACE for the full first-order language. On the other hand, as we have already mentioned, 
satisfiability is already undecidable for first-order fragments with three variables, so the real 
reason for the low complexity of modal languages lies elsewhere. A different type of analysis 
for the latter phenomenon was given in the paper “Why is modal logic so robustly decidable?” 
(Vardi [142]). This emphasises the semantic adequacy of the tree-like models obtainable via 
bisimulation unraveling of arbitrary graph models. This type of explanation is important as it 
transcends first-order logic; on the other hand it does not provide much in the way of concrete 
syntactic insight. For the latter, the current best explanation is the one provided by the guarded 
fragment and its relatives (which are, arguably, the strongest known modal languages). 


As we saw, guarded fragments locate the essence of modal logic in the restriction on the 
quantification performed by the modalities. One attractive property of this analysis is its logical 
resilience: it turns out that it extends beyond the setting of first-order enrichments to second-
order enrichment too, something that was not foreseen when the guarded fragment was first iso-
lated. A striking example is the result in Grädel and Walukiewicz [63] that the extension of the
guarded fragment with the fixed-point operators $\mu$ and $\nu$ remains decidable. By way of contrast,
validity for full first-order logic extended with these operators is non-axiomatisable, indeed, non- 
arithmetical. This observation shows that the modal philosophy embodied in the idea of guarded 
fragments is not restricted to first-order extensions: often modal fragments can bear the weight 
of additional higher-order apparatus (such as fixed-point operators) which would send the full 
first-order correspondence languages into a tailspin complexity wise. Our discussion of PDL and 
the modal $\mu$-calculus has shown that this is the case for the basic modal language. Grädel and
Walukiewicz’s result for the guarded fragment shows that this type of behaviour persists higher 
up: guarded quantification can support higher-order constructions too. 


Perhaps guarding can be a fruitful strategy in even more exotic modal settings? One setting 
worth exploring is infinitary modal logic. This logic (which was used extensively in Barwise and 
Moss [10] and Baltag [8] for investigating non-well founded set theory; see Chapter 16 of this 
handbook) provides a perfect match with bisimulation: two pointed models are bisimilar if and 
only if they satisfy the same formulas in a modal language that allows arbitrary infinite conjunc- 
tions and disjunctions. Moreover a modal characterisation theorem holds. Now, decidability is a
non-issue in this setting, but what about existential semantic properties such as interpolation and
Beth Definability? It is known that interpolation holds for infinitary modal logic (see Barwise 
and van Benthem [11]), but can such results be lifted to infinitary guarded fragments? Another 
setting worth exploring in this way is second-order propositional modal logic, in which we can 
quantify over proposition symbols (see Fine [42] for some early results, ten Cate [124] for a 
more recent discussion, and Chapter 10 of this handbook for a brief overview). The equation 
“modality = guarding” should be simultaneously regarded as a hypothesis to be tested in richer 
settings, and as a useful heuristic for isolating further logics worth calling modal. 

Not that we should put all our eggs in one basket. Perhaps the notion of modality is too 
diffuse for any single approach to exhaust, and in any case it is worth looking for alternatives. 
Another approach is to apply ideas from abstract model theory (see Barwise and Feferman [9]). 
This was first done in de Rijke [30], who proved a modal analog of Lindström’s [91] celebrated
characterisation of first-order logic. The original form of Lindström’s theorem says that an ab-
stract logic $\mathcal{L}$ extending first-order logic coincides with first-order logic iff it has the compactness
and Löwenheim-Skolem properties. Another way of stating the theorem is that an abstract logic
$\mathcal{L}$ extending first-order logic coincides with first-order logic iff it has the compactness and Karp
properties. (The Karp property is that all formulas are invariant for potential isomorphism, where
a potential isomorphism is a non-empty family of finite partial isomorphisms closed under the
usual back and forth extension properties; recall our discussion of partial isomorphisms in Sec-
tion 3.3). We shall discuss a (slightly reformulated) version of de Rijke’s result and a more
recent characterisation due to van Benthem. 

What is an abstract modal logic? Here’s the conception that underlies our reformulation of de 
Rijke’s result. We give it in terms of pointed models $(\mathfrak{M}, w)$, that is, a model together with a
point of evaluation. 


DEFINITION 48 (Very abstract modal logics). Let $\mathcal{L}$ be a set of formulas, and $\models_{\mathcal{L}}$ its satisfac-
tion relation, that is, a relation between pointed models and $\mathcal{L}$-formulas. A very abstract modal
logic is a pair $(\mathcal{L}, \models_{\mathcal{L}})$ with the following properties:


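1. Occurrence property. For each $\varphi$ in $\mathcal{L}$ there is an associated finite language $L(A_\varphi)$. The re-
lation $(\mathfrak{M}, w) \models_{\mathcal{L}} \varphi$ is a relation between $\mathcal{L}$-formulas $\varphi$ and models $(\mathfrak{M}, w)$ for languages
$L$ containing $L(A_\varphi)$. That is, if $\varphi$ is in $\mathcal{L}$, and $\mathfrak{M}$ is an $L$-model, then $(\mathfrak{M}, w) \models_{\mathcal{L}} \varphi$ is
either true or false if $L(A_\varphi) \subseteq L$, and undefined otherwise.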


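2. Expansion property. The relation $(\mathfrak{M}, w) \models_{\mathcal{L}} \varphi$ depends only on the restriction of $\mathfrak{M}$
to $L(A_\varphi)$. That is, if $(\mathfrak{M}, w) \models_{\mathcal{L}} \varphi$ and $(\mathfrak{N}, w)$ is an expansion of $(\mathfrak{M}, w)$ to a larger
language, then $(\mathfrak{N}, w) \models_{\mathcal{L}} \varphi$.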


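A very abstract modal logic $(\mathcal{L}, \models_{\mathcal{L}})$ extends basic modal logic if for every basic modal for-
mula there exists an equivalent $\mathcal{L}$-formula (that is, if for each basic modal formula $\varphi$ there exists
an $\mathcal{L}$-formula $\psi$ such that for any model $(\mathfrak{M}, w)$ we have $(\mathfrak{M}, w) \models \varphi$ iff $(\mathfrak{M}, w) \models_{\mathcal{L}} \psi$).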


De Rijke’s characterisation centres on the familiar bisimulation invariance property and the 
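finite depth property. A very abstract modal logic $\mathcal{L}$ has the finite depth property iff for any
$\mathcal{L}$-formula $\varphi$ there is some natural number $k$ such that for all models $\mathfrak{M}$,


\[ \mathfrak{M}, w \models \varphi \quad \text{iff} \quad \mathfrak{M}|k, w \models \varphi, \]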


where $\mathfrak{M}|k$ is the model $\mathfrak{M}$ restricted to just those points that can be reached from $w$ in $k$ or
fewer $R$-steps. De Rijke builds invariance for bisimulation into the notion of abstract modal
logic, so his statement of his Lindström-style result has the form: any abstract modal logic with
the finite depth property that extends the basic modal language is the basic modal language. 
Reformulating his result in terms of very abstract modal logics, thereby making the bisimulation 
invariance condition explicit, results in: 


THEOREM 49. Suppose $\mathcal{L}$ is a very abstract modal logic extending the basic modal language.
Then $\mathcal{L}$ coincides with the basic modal language iff $\mathcal{L}$ has the finite depth and invariance for
bisimulation properties.


Proof. See de Rijke [30, 31]. For a textbook-level exposition of the proof, see Theorem 7.60 of
Blackburn, de Rijke and Venema [13]. ∎


This is an informative result. Nonetheless, the finite depth property seems somewhat engi- 
neered to capture the basic modal language, and it is natural to look for generalisations. However, 
because of the expressive limitations of modal languages, this is not straightforward. The proof 
of the Lindström Theorem for first-order logic typically proceeds by contradiction: to show that 
an abstract first-order formula has a first-order equivalent, one typically builds a model where 
$\varphi$ is true in one part, $\neg\varphi$ in another, and uses the expressive power of first-order logic to link
the two parts of the model by a chain of partial isomorphisms, thereby reaping the contradiction. 
This style of argument does not lift easily to modal languages: the basic modal language is too 
impoverished to encode the chains of bisimulations linking the two parts of the model that would 
be required to mimic this proof technique directly. However, as van Benthem [139] observed, 
there is a way around this. The key idea is to strengthen the definition of a very abstract modal 
language by demanding it fulfils the relativisation condition: 


DEFINITION 50 (Abstract modal logics). An abstract modal logic $\mathcal{L}$ is a very abstract modal
logic that has the relativisation property: for any $\mathcal{L}$-formula $\varphi$ and proposition symbol $p$ not
occurring in $\varphi$, there is a formula $\mathrm{Rel}(\varphi, p)$ which is true at a model $(\mathfrak{M}, w)$ iff $\varphi$ is true at
$(\mathfrak{M}|p, w)$, which is the submodel of $\mathfrak{M}$ consisting of just those points that satisfy $p$.


Relativisation is a natural property (most logics satisfy it) but the key point to observe is
how it is used in the proof of the following theorem: in essence, it provides a model-theoretic 
tool which enables us to give an alternative proof without resorting to explicit codings of bisim- 
ulations. This leads to van Benthem’s version of the Lindström Theorem for modal logic: 


THEOREM 51. Suppose $\mathcal{L}$ is an abstract modal logic extending the basic modal language.
Then $\mathcal{L}$ coincides with the basic modal language iff $\mathcal{L}$ satisfies compactness and invariance for
bisimulation.


Proof. We know that the basic modal language satisfies compactness (Proposition 4) and invari- 
ance for bisimulation (Lemma 9) so the left to right direction is clear. For the reverse direction, 
assume that $\mathcal{L}$ has these properties. We claim that the following holds: in a compact abstract
modal logic $\mathcal{L}$ which is invariant for bisimulations, every formula has the finite depth property.
If we can show this, the result follows from Theorem 49. 

We prove the claim as follows. Let $\varphi$ be any formula in $\mathcal{L}$. Suppose for the sake of a contra-
diction that $\varphi$ lacks the finite depth property. Then for any natural number $k$ there exists a model
$(\mathfrak{M}_k, w)$ and a cut-off version $(\mathfrak{M}_k|k, w)$ which disagree on the truth value of $\varphi$. Without loss
of generality, assume that the following happens for arbitrarily large $k$: $(\mathfrak{M}_k|k, w) \models \varphi$, and
$(\mathfrak{M}_k, w) \models \neg\varphi$ (here we use the fact that abstract modal logics are closed under negation). Now
take a new proposition symbol $p$, and consider the following set $\Sigma$ of $\mathcal{L}$-formulas:


\[ \{\neg\varphi, \mathrm{Rel}(\varphi, p)\} \cup \{\Box^n p \mid \text{for all natural numbers } n\}. \]

(By $\Box^n p$ we mean $p$ prefixed by a sequence of $n$ boxes.) Given our assumptions, this set is
finitely satisfiable: we choose $k$ sufficiently large, and make $p$ true in the $k$ reachable part of one
of the above sequences of models. But then, by compactness for our abstract modal logic $\mathcal{L}$,
there must be a model $(\mathfrak{N}, v)$ for the whole set $\Sigma$ at once.

But this leads to a contradiction as follows. We focus on the generated submodel $(\mathfrak{N}_v, v)$
consisting of $v$ and all points finitely reachable from it. Now, the identity relation is a bisimu-
lation between any pointed model and its unique generated submodel. Hence, by the assumed
invariance for bisimulation, formulas of $\mathcal{L}$ have the same truth value in any pointed model and
its generated submodel. Now, given our definition of $\Sigma$, $\neg\varphi$ holds in $(\mathfrak{N}, v)$, and hence also in
$(\mathfrak{N}_v, v)$. On the other hand, since $(\mathfrak{N}, v) \models \mathrm{Rel}(\varphi, p)$, we have $(\mathfrak{N}|p, v) \models \varphi$. But by the truth
of all the formulas of the form $\Box^n p$, $p$ holds in the whole generated submodel $(\mathfrak{N}_v, v)$. Therefore
we have that $\varphi$ holds in $(\mathfrak{N}_v, v)$. Contradiction. Hence the claim is established and the theorem
follows. ∎


One surprising consequence of this result is that the Modal Characterisation Theorem (Theo- 
rem 13) follows from it; see van Benthem [139] for details. 

It remains to be seen how widely applicable this technique is. For example, it is not straight- 
forwardly applicable to languages with the universal modality, as these lack the finite depth 
property. However it can be lifted to the guarded fragment. As we mentioned in Section 6.5, 
there is a notion of guarded bisimulation. And using this notion, together with the relativisation 
technique leads to: 


THEOREM 52. Suppose $\mathcal{L}$ is an abstract modal logic extending the guarded fragment. Then
$\mathcal{L}$ coincides with the guarded fragment iff $\mathcal{L}$ satisfies compactness and invariance for guarded
bisimulation.


Proof. See van Benthem [139]. ∎


7 ALTERNATIVE SEMANTICS 


As we said at the start of this chapter, one of the most instructive ways of thinking about modal 
logic is to view it as a tool for talking about graphs. But to view modal logic exclusively through 
the lens of relational semantics would be a mistake; interesting alternatives exist, and in this 
section we introduce three of them: algebraic semantics, neighbourhood semantics, and topo- 
logical semantics. As we shall see, each of these semantics has something new to offer. But we 
shall come across much that is familiar, for all three are linked in various ways with relational 
semantics. 


7.1 Algebraic semantics 


The basic idea of algebraic semantics is simple: view modal formulas as terms (or polynomials) 
and evaluate them in the appropriate type of algebra. So the key question is: what kinds of 
algebra are appropriate for modal logic? The answer is: boolean algebras with operators, or 
BAOs. 

A boolean algebra is a tuple $\mathfrak{A} = (A, +, \times, -, 1, 0)$ such that both $+$ (join) and $\times$ (meet)
are commutative and associative binary operations, each of which distributes over the other. The
unary operation $-$ (complement) must satisfy the equations $x + (-x) = 1$ and $x \times (-x) = 0$.
The nullary operations (or constants) 1 and 0 must satisfy the equations $x \times 1 = x$ and $x + 0 = x$.
Even if you have never encountered boolean algebras before, a moment’s reflection should make
it clear that they are an algebraic mirror of propositional logic. To see this, read $+$ as $\lor$, $\times$ as
$\land$, $-$ as $\neg$, 1 as $\top$, 0 as $\bot$, and $=$ as $\leftrightarrow$. So it only remains to provide algebraic structure that
mirrors the diamonds. This motivates the following definition.


DEFINITION 53 (Boolean Algebras with Operators). A boolean algebra with operators, or
BAO, is a pair $\mathfrak{B} = (\mathfrak{A}, m)$, where $\mathfrak{A}$ is a boolean algebra and $m$ is a unary operator on $\mathfrak{A}$
that satisfies the equations $m(x + y) = m(x) + m(y)$, and $m(0) = 0$.


Note that the logical analogs of these two equations are $\Diamond(\varphi \lor \psi) \leftrightarrow (\Diamond\varphi \lor \Diamond\psi)$, and
$\Diamond\bot \leftrightarrow \bot$, both of which are valid in relational semantics. Thus we now have an algebraic mirror
for all components of the basic modal language.

We interpret the basic modal language in BAOs in the usual algebraic fashion. That is, given
a BAO, we view the proposition symbols as variables ranging across the elements of the algebra,
and interpret each logical operator by its corresponding algebraic operation. More precisely, let
$\mathfrak{B}$ be a BAO, and $V$ be a function mapping each proposition symbol to an element of $\mathfrak{B}$; we
call such a function $V$ an algebraic valuation. We extend $V$ to a function that gives the result of
evaluating arbitrary basic modal formulas in $\mathfrak{B}$ via the following recursive clauses:


$$V(\varphi \lor \psi) = V(\varphi) + V(\psi)$$
$$V(\varphi \land \psi) = V(\varphi) \times V(\psi)$$
$$V(\neg\varphi) = -V(\varphi)$$
$$V(\Diamond\varphi) = m\,V(\varphi)$$


It is now possible to prove the following algebraic completeness result: 


THEOREM 54. A basic modal formula belongs to the minimal modal logic K iff it evaluates to 
the value 1 in all modal algebras under all algebraic valuations. 


Proof. Straightforward. The key point is to use a technique standard in algebraic logic, namely 
to create the Lindenbaum-Tarski Algebra for K. The elements of the Lindenbaum-Tarski Algebra 
are equivalence classes of K-provably equivalent formulas; the operations are defined with the 
aid of the connectives. All and only the K-provable formulas evaluate to 1 in this algebra, and
hence the result follows. For a detailed discussion, see Chapter 6 of this handbook. ∎


In fact, a far stronger result can be proved: any axiomatic extension of K (that is, any normal 
modal logic) is complete with respect to some class of algebras. And the proof is not difficult. In 
essence, one replicates the completeness proof for K, but works with the Lindenbaum-Tarski Al- 
gebra which satisfies the additional axiomatic constraints. As we saw earlier (recall Theorem 26) 
there is no general completeness result for normal modal logics with respect to frames. This is 
an important difference between algebraic and relational semantics. 

Nonetheless, it is likely that some readers will feel a little cheated. Isn’t the whole approach 
really just syntax in disguise? After all, algebraic semantics matches the modal language with 
algebraic operations that transparently mirror fundamental validities of the original logic. This 
does not seem like genuine semantic analysis: it has more the flavour of linking two distinct, 
but closely related, syntactic realms. Moreover, the algebraic satisfaction definition has a global 
rather than a local flavour. 

This is true, but somewhat beside the point, for in spite of the general completeness result just
noted, we have not yet entered the heartland of algebraic semantics. For what algebraic semantics 
really provides is a doorway to a larger mathematical universe. The power of algebraic semantics 
comes from the wealth of ideas and techniques it enables us to bring to bear on problems in
modal logic. Some of these techniques take us back, via a novel path, to the heart of relational 
semantics, but others take us to new territory. Let’s look a little deeper. 


An important theme in algebra is the representation of abstract mathematical structures by 
concrete set-theoretic structures. The point of a representation theorem is to show that some 
abstractly specified class of algebras picks out an intended class of concrete structures. So rep- 
resentation theorems are rather like completeness theorems: they show that the abstract (often 
equational) specification is strong enough to ensure that every abstract algebra is isomorphic 
to a concrete algebra. Two classic examples are Cayley’s Theorem, which shows that every 
finite group is isomorphic to a collection of permutations, and the Stone Representation Theo- 
rem, which shows that every abstract boolean algebra is isomorphic to a field of sets (that is, a 
boolean closed collection of subsets of some $W$ that contains $W$) with $\times$ viewed as intersection,
$+$ viewed as union, and $-$ viewed as set-theoretic complement. Now, in 1952, several
years before relational semantics was officially invented, Jónsson and Tarski [74, 75] proved a
remarkable representation theorem for BAOs: they showed that every abstract BAO could be 
represented as a relational structure. Inexplicably, their paper made no mention of modal logic. 
This was unfortunate as their paper contained all the technical machinery needed to define rela- 
tional semantics and prove relational completeness results for most commonly occurring modal 
logics. In essence, their result allows relational completeness proofs to be factored into an al- 
gebraic completeness step (which makes use of the Lindenbaum-Tarski Algebra) followed by a 
representation step (which turns this algebra into a relational structure). Nowadays, the Jónsson- 
Tarski Theorem is rightly considered a cornerstone of modal logic; for a detailed proof of the 
theorem, and examples of how to put it to work, see Chapter 6 of this handbook. 


Another important theme goes under the name of duality theory. As we saw in Section 5, 
there are four key transformations on frames (disjoint unions, generated submodels, bounded 
morphisms, and ultrafilter extensions) and, as the Goldblatt-Thomason Theorem tells us, closure 
of a frame class under these model-theoretic constructions is necessary and sufficient to ensure 
its basic modal definability. But as we have already remarked (see Theorem 33) the original 
proof of the Theorem was algebraic. What’s the algebraic connection? This: each of these four 
operations on frames corresponds to an operation on classes of algebras. Viewed this way, the 
Goldblatt-Thomason Theorem can be seen as a modal version of the Birkhoff Theorem, which 
identifies equationally definable classes of algebras with those classes of algebras that are closed 
under the formation of subalgebras, homomorphisms, and products. For a detailed discussion, 
we again refer the reader to Chapter 6. 


But important as these two examples are, they merely hint at the wealth of techniques made 
available by the algebraic connection. Algebraic semantics has repeatedly proved itself a pow- 
erful analytical tool. To give another classic example, Blok [16] was able to give a detailed 
analysis of frame incompleteness by drawing on algebraic methods. In particular, he did so by 
investigating splittings (a concept from lattice theory) of the lattice of normal modal logics; for 
a discussion of Blok’s work, see Chapter 7 of this handbook. Moreover, in many cases alge- 
braic methods have been adapted to richer modal languages. A nice example is provided by the 
universal modality. In the algebraic setting, the universal modality allows us to define a discrim- 
inator term, that is, a term denoting an operator that maps 0 to 0 and all other elements to 1. 
Algebras with discriminator terms are particularly straightforward to work with (see Chapter 6 
of this handbook) thus here algebraic semantics sheds interesting light on a relationally-natural 
extension of the basic modal language. But algebraic semantics also illuminates areas where 
relational semantics has little to say. For example, it turns out that the boolean structure of the 
underlying algebras is not particularly significant. That is, it is possible to analyse modalities
algebraically even if we don’t have full classical propositional logic at our disposal. Such logics 
can be important in various settings, and relational semantics at present offers little in the way 
of insight. For further remarks and references on this application of algebraic semantics, see 
Chapter 6 of this handbook. 


7.2 Neighbourhood semantics 


For some applications, relational semantics is too strong. For example, $\Diamond(\varphi \lor \psi) \to (\Diamond\varphi \lor \Diamond\psi)$
is valid under relational semantics. But if we read $\Diamond\varphi$ as making the game-theoretic assertion
that the player has a strategy forcing the outcome to satisfy $\varphi$, we might be inclined to reject it:
why should possession of a strategy for a disjunction imply possession of a strategy for one of
the disjuncts? For example, suppose we play a game with the following moves: you have the
right to decide whether we go to a movie or a concert, and I can decide which particular movie
or concert we go to. Suppose the movie I want to see is Crash, and that my favourite music
is Mozart. It follows that I can force $\mathit{Crash} \lor \mathit{Mozart}$, but (because it’s you who determines
the movie/concert option) I can’t determine which of these two options will actually take place.
Similarly, if we interpret $\Box\varphi$ epistemically we have further grounds for objection. For a start,
relational semantics validates the following principle:


$$\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi).$$


Moreover, it validates the following pattern of inference: if $\models \varphi$ then $\models \Box\varphi$. These work
together to enforce a strong form of logical omniscience: if an agent knows $\varphi$, then she knows
all its logical consequences.

Such considerations have led to a search for weaker semantics. Perhaps the best known of
these is neighbourhood semantics (introduced in Montague [96, 97] and Scott [112] and explored
in Segerberg [113]). The key idea of neighbourhood semantics has a topological flavour: each
point $w$ in a model is associated with a collection of subsets of the domain (the neighbourhoods
of $w$) and a formula of the form $\Box\varphi$ is true at $w$ iff the set of points in a model satisfying $\varphi$ is
a neighbourhood of $w$. Let’s make this precise. A neighbourhood model is a triple $(W, R, V)$
where $W$ is a non-empty set of states, $V$ is a valuation, and $R$ relates points $w \in W$ to subsets
of $W$ (that is, $R \subseteq W \times 2^W$). For any $w \in W$, let $N_w$ be $\{U \subseteq W \mid wRU\}$; we call $N_w$ the set
of neighbourhoods of $w$. We interpret boxed formulas as follows:


$$\mathfrak{M}, w \models \Box\varphi \text{ iff } \{u \in W \mid \mathfrak{M}, u \models \varphi\} \in N_w,$$


and use the dual definition for diamonds:


$$\mathfrak{M}, w \models \Diamond\varphi \text{ iff } \{u \in W \mid \mathfrak{M}, u \not\models \varphi\} \notin N_w.$$


Neighbourhood semantics is a generalisation of relational semantics. To see this, note that
given any relational model $\mathfrak{M} = (W, R, V)$ we can form a neighbourhood model $\mathfrak{M}'' =
(W, R'', V)$ by stipulating, for each $w \in W$ and $U \subseteq W$, that $R''wU$ iff $U = \{u \in W \mid Rwu\}$.
That is, for each $w \in W$, $N_w$ is the singleton set containing the set of points that are
$R$-accessible from $w$. Hence, for all $w \in W$ and all basic modal formulas $\varphi$, we have that
$\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M}'', w \models \varphi$. In short, we can turn any relational model into an equivalent
neighbourhood model.
Figure 22. Neighbourhood model that falsifies $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$ at $u$.


But we cannot do the reverse. Consider a model $\mathfrak{M} = (W, R, V)$ such that $W = \{t, u, v, w\}$,
$V(p) = \{t, u\}$ and $V(q) = \{u, v\}$, and $N_u = \{V(p), \mathrm{PIMQ}\}$, where $\mathrm{PIMQ} = \{u, v, w\}$. Such
a model is shown in Figure 22; note that PIMQ is the set of points where $p \to q$ is true. Hence
$\mathfrak{M}, u \models \Box(p \to q)$, as $\mathrm{PIMQ} \in N_u$. Furthermore, $\mathfrak{M}, u \models \Box p$, as $V(p) \in N_u$. However
$\mathfrak{M}, u \not\models \Box q$, for $V(q) \notin N_u$. So $\mathfrak{M}, u \not\models \Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$. As this formula is valid
under relational semantics, no relational model equivalent to $\mathfrak{M}$ exists.

Moreover, the inferential principle characteristic of relational semantics (if $\models \varphi$ then $\models \Box\varphi$)
no longer holds. To see this, it suffices to consider a model $\mathfrak{M}$ consisting of a single point $w$ such
that $N_w = \emptyset$. Then $\mathfrak{M}, w \models \top$, but $\mathfrak{M}, w \not\models \Box\top$. In fact, all that remains in neighbourhood
semantics is the weaker principle: if $\models \varphi \leftrightarrow \psi$ then $\models \Box\varphi \leftrightarrow \Box\psi$. Thus neighbourhood
semantics does not enforce logical omniscience.
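
The Figure 22 counterexample, the one-point model with no neighbourhoods, and the weaker congruence principle can all be checked mechanically. The following Python model checker is an added example, not part of the handbook; the tuple encoding of formulas, the function names, and the choice of empty neighbourhood sets for t, v and w (which the text leaves unspecified) are assumptions.

```python
# Formulas are nested tuples: ("var", name), ("top",), ("not", f),
# ("imp", f, g), ("box", f), ("dia", f).
# A neighbourhood model is (W, N, V): N maps a state to its set of
# neighbourhoods (frozensets of states), V maps a letter to a set of states.

def truth_set(model, f):
    """All states of the model at which f is true."""
    W, N, V = model
    return frozenset(w for w in W if holds(model, w, f))


def holds(model, w, f):
    """Truth of f at state w under the neighbourhood clauses of Section 7.2."""
    W, N, V = model
    op = f[0]
    if op == "var":
        return w in V.get(f[1], set())
    if op == "top":
        return True
    if op == "not":
        return not holds(model, w, f[1])
    if op == "imp":
        return (not holds(model, w, f[1])) or holds(model, w, f[2])
    if op == "box":   # the truth set of the argument is a neighbourhood of w
        return truth_set(model, f[1]) in N.get(w, set())
    if op == "dia":   # dual clause: the set where the argument fails is not one
        return truth_set(model, ("not", f[1])) not in N.get(w, set())
    raise ValueError(f"unknown connective: {op!r}")


P, Q = ("var", "p"), ("var", "q")
K_AXIOM = ("imp", ("box", ("imp", P, Q)), ("imp", ("box", P), ("box", Q)))


def figure22_model():
    """Model of Figure 22. The text fixes only N_u; the neighbourhoods of
    t, v and w are assumed empty here."""
    W = {"t", "u", "v", "w"}
    V = {"p": {"t", "u"}, "q": {"u", "v"}}
    pimq = frozenset({"u", "v", "w"})
    N = {"u": {frozenset(V["p"]), pimq}}
    return W, N, V


def check_figure22():
    """Truth values at u of each step of the argument in the text."""
    m = figure22_model()
    return {
        "PIMQ": truth_set(m, ("imp", P, Q)),
        "box(p->q)": holds(m, "u", ("box", ("imp", P, Q))),
        "box p": holds(m, "u", ("box", P)),
        "box q": holds(m, "u", ("box", Q)),
        "K": holds(m, "u", K_AXIOM),
    }


def necessitation_fails():
    """One-point model with N_w empty: top is true at w, box-top is not."""
    m = ({"w"}, {"w": set()}, {})
    return holds(m, "w", ("top",)), holds(m, "w", ("box", ("top",)))


def congruence_holds(model, f, g):
    """If f and g have the same truth set, box f and box g agree everywhere
    (the weaker principle that survives in neighbourhood semantics)."""
    if truth_set(model, f) != truth_set(model, g):
        return None  # premise not met in this model
    return truth_set(model, ("box", f)) == truth_set(model, ("box", g))


def duality_holds(model, f):
    """dia f and not-box-not f have the same truth set."""
    return truth_set(model, ("dia", f)) == truth_set(
        model, ("not", ("box", ("not", f))))


if __name__ == "__main__":
    print(check_figure22())
    print(necessitation_fails())
    m = figure22_model()
    contrapositive = ("imp", ("not", Q), ("not", P))
    print(congruence_holds(m, ("imp", P, Q), contrapositive))
    print(duality_holds(m, P))
```
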

Neighbourhood semantics has been criticised as under-motivated. It may banish the spectre 
of logical omniscience, but does it do so in a principled way? After all, isn’t there something 
stipulative, indeed ad-hoc, about simply asserting that certain subsets and not others are in the 
neighbourhood of a given point? There is a grain of truth in such criticisms; nonetheless we
should not be too quick to dismiss the approach. For some applications, asserting that certain 
neighbouring regions are important is probably the best we can do in the way of semantic analy- 
sis. Furthermore, like relational semantics, neighbourhood semantics offers an entire framework 
for semantics; imposing further restrictions on neighbourhoods (for example, demanding that 
neighbourhoods be superset closed) is a mechanism which permits finer-grained semantic anal- 
yses to be attempted. See Chellas [24] for an introduction to some of the options here. 

Neighbourhood semantics has some pleasant properties. For a start (if NP $\neq$ PSPACE, the
standard assumption) it is better behaved computationally than relational semantics:


THEOREM 55. The satisfiability problem for neighbourhood semantics is NP-complete. 


Proof. See Vardi [140]. The key observation is that if a formula $\varphi$ is satisfiable in a
neighbourhood model, then it is satisfied in a model with at most $|\varphi|^2$ states, where $|\varphi|$ is the number of
symbols in $\varphi$.


Moreover, neighbourhood semantics meshes well with the algebraic and co-algebraic approaches 
discussed in Chapter 6 of this handbook. 


7.3 Topological semantics 


Topological semantics is one of the oldest modal semantics, and the first in which deep tech- 
nical results were proved. In 1938, Tarski [122] showed that S4 (the logic which in relational 
semantics is complete with respect to transitive and reflexive frames) is complete with respect to 
topological spaces. Then, in 1944, McKinsey and Tarski [95] showed that S4 is the modal logic
of the real numbers, and indeed of any metric separable space without isolated points. Since this 
pioneering work, topological semantics has been deeply (if somewhat sporadically) studied, and 
many interesting results have been proved (see for example Esakia [38] and Shehtman [115]) 
but for many years it was rather isolated from the modal mainstream. More recently, however, 
partly because of the growing interest in logics of space, there has been a revival of interest. For 
an overview of developments in topological semantics since the time of Tarski, see Chapter 16 
of this handbook; here we will introduce its basic ideas in a way that emphasises connections 
with our account of relational semantics. Our discussion is based on Aiello, van Benthem, and 
Bezhanishvili [2]. 

A topological space is a pair $(W, \tau)$, where $W$ (the domain) is a non-empty set and $\tau$ (the
topology) is a collection of subsets of $W$ that contains both $\emptyset$ and $W$, is closed under finite
intersections (that is, if $O, O' \in \tau$ then $O \cap O' \in \tau$) and closed under arbitrary unions (if
$\{O_i\}_{i \in I} \subseteq \tau$ then $\bigcup_{i \in I} O_i \in \tau$). A topology $\tau$ such that $\tau = 2^W$ is called discrete, and a
topology such that $\tau = \{\emptyset, W\}$ is called trivial. If $(W, \tau)$ is a topological space and $O \in \tau$ then
$O$ is called an open set. If $w$ is a point in an open set $O$, then $O$ is called an open neighbourhood
of $w$. A closed set is the complement of an open set.

A topological model is a triple $\mathfrak{M} = (W, \tau, V)$ where $(W, \tau)$ is a topological space and $V$ is
a valuation (in the sense familiar from relational semantics). We interpret proposition symbols
and booleans in the usual way, but what about the modalities? Boxed formulas are handled as
follows:


$$\mathfrak{M}, w \models \Box\varphi \text{ iff } (\exists O \in \tau)(w \in O \text{ and } (\forall u \in O)(\mathfrak{M}, u \models \varphi)).$$


That is, $\Box\varphi$ is true at $w$ iff $\varphi$ is true at all the points of some open neighbourhood of $w$. Diamonds
are handled dually:


$$\mathfrak{M}, w \models \Diamond\varphi \text{ iff } (\forall O \in \tau)(w \in O \text{ implies } (\exists u \in O)(\mathfrak{M}, u \models \varphi)).$$


That is, $\Diamond\varphi$ is true at $w$ iff $\varphi$ is true at some point in each open neighbourhood of $w$.

At first blush, this looks very different from relational semantics. And there are some obvious
semantic differences. For example, the characteristic axioms of S4, namely $\Box p \to p$ and
$\Box p \to \Box\Box p$, are valid on all topological models, so the minimal logic is stronger than in
relational semantics. But a closer look reveals the similarities. For a start, like relational semantics,
topological semantics is local: the truth value of a formula at a point only depends on what
happens inside the open neighbourhoods of that point. More precisely, suppose that $w$ is a point
in a topological model $\mathfrak{M}$, and that $O$ is an open neighbourhood of $w$. Let $\mathfrak{M}|O$ be the model
with domain $O$ whose open sets are all the open subsets of $O$ in $\mathfrak{M}$, and whose valuation is the
restriction of the valuation $V$ of $\mathfrak{M}$ to $O$ (that is, $V|O(p) = V(p) \cap O$). Then a simple induction
shows that for all basic modal formulas $\varphi$, and all points $w \in O$, $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M}|O, w \models \varphi$.
Nor is it hard to find other similarities. For example, the fact that S4 has the finite model property
with respect to relational semantics is neatly matched by the fact that the basic modal language
has the finite model property with respect to topological semantics.

But the similarities run deeper than these examples might suggest. In particular, topological 
semantics gives rise to a natural notion of bisimulation: 


DEFINITION 56 (Topo-bisimulation). A topo-bisimulation between two topological models
$\mathfrak{M} = (W, \tau, V)$ and $\mathfrak{M}' = (W', \tau', V')$ is a non-empty binary relation $E$ between their
domains (that is, $E \subseteq W \times W'$) such that whenever $wEw'$ we have that:


Atomic harmony: $w$ and $w'$ satisfy the same proposition symbols,

Zig: if $w \in O \in \tau$, then there is an open set $O' \in \tau'$ such that $w' \in O'$ and
$(\forall u' \in O')(\exists u \in O)(uEu')$, and


Zag: if $w' \in O' \in \tau'$, then there is an open set $O \in \tau$ such that $w \in O$ and
$(\forall u \in O)(\exists u' \in O')(uEu')$.


If there is a topo-bisimulation between two topological models $\mathfrak{M}$ and $\mathfrak{N}$, then we say that $\mathfrak{M}$
and $\mathfrak{N}$ are topo-bisimilar. Moreover, we say that two states are topo-bisimilar if they are related
by some topo-bisimulation.


Let’s restate the zig clause informally: it says that for two points $w$ and $w'$ to be topo-bisimilar,
then for any open neighbourhood $O$ of $w$ it must be possible to find an open neighbourhood $O'$
of $w'$ such that every point $u'$ in $O'$ is topo-bisimilar to some $u$ in $O$. Figure 23 illustrates this
idea (the dotted line connecting $u$ and $u'$ needs to be interpreted universally: every $u'$ is linked
to some $u$).


Figure 23. Zig (and zag) for topo-bisimulations 


Such bisimulations are topologically natural. Two basic concepts of topology are open maps
and continuous maps. For any topological spaces $(W, \tau)$ and $(W', \tau')$, a function $f$ from $W$ to
$W'$ is called open if for all $O \in \tau$ we have that $f(O) \in \tau'$, and it is called continuous if for all
$O' \in \tau'$ we have that $f^{-1}(O') \in \tau$. It is easy to see that every open and continuous map induces
topo-bisimulations: given a valuation on one space, take its image in the other, and the resulting
models are topo-bisimilar. But topo-bisimulations are also modally natural. For a start, we have
the following analog of Lemma 9:


LEMMA 57 (Topo-bisimulation Invariance Lemma). If $E$ is a topo-bisimulation between $\mathfrak{M} =
(W, \tau, V)$ and $\mathfrak{M}' = (W', \tau', V')$, and $wEw'$, then $w$ and $w'$ satisfy the same basic modal
formulas.


Proof. A routine induction. ∎


As a simple illustration, we noted above that $\mathfrak{M}$ and $\mathfrak{M}|O$ (the localisation of $\mathfrak{M}$ to some open
set $O$) were equivalent. But this is unsurprising. The identity relation between the domains of
the two models is a topo-bisimulation, hence the result is a special case of this lemma.

What about the converse? Characterisation results for the general case are tricky to state (we 
would need to discuss what a suitable correspondence language for topological semantics is, and 
this would take us too far afield). But we do have an analog of Proposition 11: 
PROPOSITION 58. If points $w$ and $w'$ from two finite topological models $\mathfrak{M}$ and $\mathfrak{N}$ satisfy the
same modal formulas, then there is a topo-bisimulation $E$ between $\mathfrak{M}$ and $\mathfrak{N}$ such that $wEw'$.

So far so good. But just how expressive is the basic modal language in the new setting? To 
pose the question a little more forcefully: what (interesting) topological conditions can the basic 
modal language enforce via the concept of validity? Here’s one example. The formula 


$$p \leftrightarrow \Box p$$


is valid on a topological model iff that model bears the discrete topology (that is, iff every subset
of the domain is open). This is pleasant, but many fundamental properties lie beyond the reach of
the basic language. For example, a topological space $(W, \tau)$ is connected iff the only elements of
$\tau$ that are both open and closed are $W$ and $\emptyset$. But this condition is not basic modal definable. For
suppose for the sake of a contradiction that some formula $\varphi$ does define connectedness. Consider
the topological space with domain $\{1, 2\}$ under the discrete topology; this space is not connected
as $\{1\}$ and $\{2\}$ are both open and closed. Hence we can define a model $\mathfrak{M}$ on this space that
will falsify $\varphi$ at some point, say 1. But then $\mathfrak{M}|\{1\}$ will falsify $\varphi$ at 1 too, as $\mathfrak{M}$ and $\mathfrak{M}|\{1\}$ are
topo-bisimilar. But $\mathfrak{M}|\{1\}$ bears the trivial topology, hence it is a connected space, so it should
validate $\varphi$. We conclude that connectedness is undefinable.
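
The validity claims of this section and the connectedness argument can be replayed on finite spaces, where the truth set of a boxed formula is the interior of the truth set of its argument. The following Python code is an added example, not part of the handbook; the function names, the chain topology on {1, 2, 3} and the valuation V(p) = {2} are constructed assumptions.

```python
from itertools import chain, combinations


def subsets(W):
    """All subsets of a finite set W, as frozensets."""
    items = sorted(W)
    return [frozenset(c) for c in chain.from_iterable(
        combinations(items, r) for r in range(len(items) + 1))]


def interior(tau, X):
    """Truth set of box-phi given the truth set X of phi: the points that
    have an open neighbourhood lying inside X."""
    return frozenset(w for O in tau if O <= X for w in O)


def s4_axioms_valid(W, tau):
    """box p -> p and box p -> box box p, for every possible value of p."""
    return all(interior(tau, X) <= X
               and interior(tau, X) <= interior(tau, interior(tau, X))
               for X in subsets(W))


def p_iff_box_p_valid(W, tau):
    """p <-> box p holds for every value of p."""
    return all(interior(tau, X) == X for X in subsets(W))


def is_discrete(W, tau):
    return set(tau) == set(subsets(W))


def is_connected(W, tau):
    """The only sets that are both open and closed are the empty set and W."""
    W = frozenset(W)
    return {O for O in tau if W - O in tau} == {frozenset(), W}


def restrict(W, tau, V, O):
    """Localisation M|O: open subsets of O, valuation cut down to O."""
    O = frozenset(O)
    return O, {A for A in tau if A <= O}, {p: set(S) & O for p, S in V.items()}


def is_topo_bisimulation(M1, M2, E):
    """Definition 56 for finite models; E is a set of pairs (w, w')."""
    (W1, tau1, V1), (W2, tau2, V2) = M1, M2
    if not E:
        return False
    for w, w2 in E:
        # Atomic harmony.
        if any((w in V1.get(p, set())) != (w2 in V2.get(p, set()))
               for p in set(V1) | set(V2)):
            return False
        # Zig: each open O around w needs an open O2 around w2 all of whose
        # points are E-related to some point of O.
        for O in (A for A in tau1 if w in A):
            if not any(w2 in O2 and all(any((u, u2) in E for u in O)
                                        for u2 in O2) for O2 in tau2):
                return False
        # Zag: the same requirement in the other direction.
        for O2 in (A for A in tau2 if w2 in A):
            if not any(w in O and all(any((u, u2) in E for u2 in O2)
                                      for u in O) for O in tau1):
                return False
    return True


def discreteness_check():
    """(S4 axioms valid, p <-> box p valid, discrete) for a constructed
    chain topology on {1, 2, 3} and for the discrete topology on it."""
    W = {1, 2, 3}
    chain_tau = {frozenset(), frozenset({1}), frozenset({1, 2}), frozenset(W)}
    return [(s4_axioms_valid(W, t), p_iff_box_p_valid(W, t), is_discrete(W, t))
            for t in (chain_tau, set(subsets(W)))]


def connectedness_argument():
    """Discrete space on {1, 2} against its localisation to {1}, linked by
    the identity on {1}; V(p) = {2} is a constructed valuation."""
    M = (frozenset({1, 2}), set(subsets({1, 2})), {"p": {2}})
    M1 = restrict(*M, {1})
    return (is_connected(M[0], M[1]), is_connected(M1[0], M1[1]),
            is_topo_bisimulation(M, M1, {(1, 1)}))


if __name__ == "__main__":
    print(discreteness_check())      # chain topology, then discrete topology
    print(connectedness_argument())
```

The second result shows a disconnected model and a connected one linked by a topo-bisimulation at point 1, which is why no basic modal formula can separate them.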

All in all, the basic modal language turns out to be disappointingly weak when it comes to 
standard topological conditions. But then why stick with the basic modal language? As readers 
of this chapter are well aware, there are interesting ways of augmenting modal expressivity, and 
recently these have begun to be explored in the topological setting. For example, Shehtman [116] 
and Aiello and van Benthem [1] observe that connectivity becomes definable when the universal 
modality is added to the language: 


$$A(\Diamond p \to \Box p) \to (Ap \lor A\neg p).$$


And Gabelaia notes that the $T_0$ condition (for any two points $x$ and $y$ there exists either an open
neighbourhood $O_x$ of $x$ such that $y \notin O_x$ or an open neighbourhood $O_y$ of $y$ such that $x \notin O_y$)
is definable in the basic hybrid language by


$$@_i \neg j \to (@_j \Box\neg i \lor @_i \Box\neg j),$$

and that the $T_1$ condition (every singleton set is closed) is definable by

$$i \leftrightarrow \Diamond i.$$


Gabelaia [54] proves an analog of the Goldblatt-Thomason Theorem for the basic modal language
with respect to topological semantics, and Sustretov [121] has extended the result to the
basic hybrid language enriched with the universal modality. However Sustretov also shows that
the $T_2$ condition (every distinct pair of points is contained in disjoint open neighbourhoods) is
not definable in this richer language.


8 MODAL LOGIC AND ITS CHANGING ENVIRONMENT 


Traditional motivations for and applications of modal logic came from philosophy, and dealt with 
such topics as modality, knowledge, conditionals, and obligations. Other strands dealt with more 
mathematical topics, leading to modal logics of time, space, or provability. As time went by, 
additional influences made modal logic even more diverse. Sources included computer science
(for modal logics of computation and general processes), Artificial Intelligence (for modal log- 
ics for knowledge representation, non-monotonic reasoning, and belief revision), linguistics (for 
modal logics of grammatical structure), and the internet (for modal logics of trees). This web of 
new interfaces is still growing. Modern computer science, with its emphasis on new information 
carriers and networks of intelligent computing agents, also brings in modal logics of image pro- 
cessing, agency and security. And the empirical social sciences are joining in too, witness current 
applications of modal logic in economic game theory, or for modeling the powers of agents in 
social choice theory. 


In the face of this diversity, the resilience of relational semantics is quite remarkable. Although 
nearly half a century old, its central ideas remain applicable, and applicable even when we enrich 
our conception of what a modal logic actually is. But what are the central ideas of relational 
semantics? In essence, this chapter has tried to make the following point clear: during the 50 or so 
years that relational semantics has existed, our understanding of it has become both broader and 
deeper. Originally conceived as a way of distinguishing and characterising logics (via soundness 
and completeness theorems) modal logicians have gradually unearthed the deeper mathematical 
themes that lie behind the seemingly modest facade of relational semantics; themes such as 
expressivity at the level of models versus the level of frames, the importance of bisimulation 
and other game-like constructions, the systematic links between the modal universe and many 
varieties of classical logic, ranging from first-order logic, through second-order logic, to the 
farther reaches of infinitary logic. Turning this perceived semantic unity into theorems is not 
always easy; work on combined modal logic still tends to be heavy on negative results, and first- 
order modal logic remains difficult territory. But unifying themes, such as guarding, and the 
possibility of applying ideas from abstract model theory, have emerged. 


Indeed, we are tempted to conclude by playing devil’s advocate: even the alternative semantics 
we have encountered indicate that something semantically central lies at the heart of relational 
semantics. For example, the Jónsson-Tarski Theorem reveals that relational semantics has an
important algebraic core, and our excursion to the land of topological semantics revealed the 
centrality of the concept of bisimulation. Prediction is always a dangerous game (especially 
when it is about the future) but we believe that the interplay between theory and practice that 
has characterised research on modal logic throughout its history will continue to deepen our 
understanding of its semantic core. And, forced to place our bets, we would probably say: modal 
logics of games (see Chapter 20 of this handbook) will be a deep source of further insight, as 
will the co-algebraic semantics (discussed in Chapter 6). 
1 INTRODUCTION


We have an interest in those modal formulas that are valid, relative to some suitable 
notion of validity. But verifying directly that a formula meets a validity condition is 
generally non-constructive. In part to get around this non-constructivity, formal proof 
procedures have been created, using a rich variety of mechanisms. A formal proof is a 
finitary certificate of validity for a formula, and a proof procedure is a specification of 
the requirements for being a proof. A proof procedure is sound if only valid formulas 
have proofs—we probably would say an unsound proof procedure is simply not a proof 
procedure. A proof procedure is complete if all valid formulas have proofs. For modal 
logics, historically, proof procedures preceded semantics, so the description above is a 
little anachronistic. But this is not an historical account, and anyway relational semantics 
is now well-developed, so let us continue as if history never happened. 


It will be helpful to settle some terminology first. We assume we have an infinite list 
of propositional letters, typically P, Q, .... Formulas are built up from these in the 
usual way. For the time being we take as primitive implication ($\supset$), falsehood ($\bot$), and
necessity ($\Box$), with negation defined by $\neg X = (X \supset \bot)$, truth by $\top = \neg\bot$, disjunction
by $(X \lor Y) = (\neg X \supset Y)$, conjunction by $(X \land Y) = \neg(X \supset \neg Y)$, equivalence by
$(X \equiv Y) = ((X \supset Y) \land (Y \supset X))$, and possibility by $\Diamond X = \neg\Box\neg X$. We’ll use X, Y,
... for arbitrary formulas. 


A normal modal logic is a set of formulas L meeting the following conditions. First, 
L contains all tautologies and all instances of the formula $\Box(X \supset Y) \supset (\Box X \supset \Box Y)$.
Second, L contains Y if it contains X and $X \supset Y$. Third, L contains $\Box X$ if it contains
X. Fourth and finally, with each formula X, L also contains all substitution instances 
of X—the result of uniformly replacing propositional letters with more complex modal 
formulas. 


A large variety of formal proof procedures have been created over the years. No proof 
procedure suffices for every normal modal logic. Well then, what about semantically 
determined ones? Given any collection of frames, it is not hard to see that the set of 
formulas valid in all of them is a normal modal logic. No proof procedure suffices for every 
normal modal logic determined by a class of frames. Certain families of frames meeting 
special mathematical conditions determine normal logics that have had applications, and 
these have been given standard names—the same names are commonly used for the frame 
families and for the normal modal logics they determine. These normal logics tend to 
have proof procedures, though not every kind of proof procedure may be applicable, 
even to the most used of these logics. Table 1 shows the frame conditions that are 
most common in the literature. When traditional names are available I have employed 
them, but other naming conventions are in use as well. For instance, B is also known as 
KTB. In this chapter I will present several kinds of proof procedures, using the logics of 
Table 1 as examples. I will not attempt to say, for each proof procedure, exactly what 
range of logics it is good for. Such things are often difficult to determine. But some 
proof procedures apply to a fairly broad range of normal logics, others to a narrower 
range. Some provide proofs that humans find intuitively appealing, others are better for 
machine implementation. I merely wish to display something of the variety available. 
Name | Frame Condition
K    | none
T    | reflexive
K4   | transitive
S4   | reflexive, transitive
KB   | symmetric
B    | reflexive, symmetric
S5   | reflexive, transitive, symmetric
D    | serial
KD4  | serial, transitive


Table 1. Some Frame Families for Normal Modal Logics


2 MODAL AXIOMATICS 


Axiomatic proof procedures are perhaps the easiest to explain to people. Rules are simple 
to state and motivate. Candidates for proofs are easily checked for correctness. Unfortunately,
axiomatic proofs are generally hard to discover. Today, when automatability of
proof procedures is an important concern, axiomatic systems receive increasingly short 
shrift. Nonetheless, axiomatic characterizations often make it relatively easy to compare 
modal logics, and knowing the axioms and rules for a logic supplies a special understand- 
ing, even if one does not spend much time constructing axiomatic proofs. And there are 
modal logics with axiom systems but no decent automatable proof procedures. Let us 
begin our discussion of proof procedures with axiom systems, then. 


An axiomatic proof is a sequence of formulas, each of which is from a specified col- 
lection, called axioms, or follows from earlier terms of the sequence by a rule of deriva- 
tion. An axiomatic proof proves its last line, or equivalently, proves each of its lines. A 
proved formula is a theorem of the axiomatic system. Of course there is an effectiveness 
requirement—we should be able to tell whether a formula is an axiom or not, and whether 
a rule of inference is applicable or not. This will be obvious for the axiom systems con- 
sidered here. Axiom systems differ from each other in the choice of axioms and rules 
of derivation. They also differ in which propositional connectives and modal operators 
are taken as primitive, but this is not a deep issue. Early modal axiom systems differed 
considerably from modern ones in their choices, but this is not an historical account. All 
current axiom systems for normal modal logics follow the style introduced in [31], so this 
will be the approach here. 


Axioms are particular formulas. It is common to specify them by giving axiom 
schemes. An axiom scheme is a pattern, and any formula matching that pattern is 
an axiom. When axiom schemes are used, typically a proof procedure will have a finite 
number of axiom schemes but an infinite number of axioms. An alternative method is to 
specify a finite number of axioms, and adopt substitution of formulas for propositional 
letters as an explicit rule of inference. This tends to be more complicated, and we will 
follow the axiom scheme approach. 


2.1 Normal Axiom Systems 


Ever since [31], modal axiom systems have been modular—whenever possible, systems 
build on other ones instead of starting over. In particular, modal axiom systems (usually) 
build on classical propositional logic. Since classical logic is well-understood, we can skip 
detailed consideration of it. Among our axioms will be the following. 


Classical Logic All tautologies, or at least enough of them to ensure the derivability 
of all the rest. 


In addition we will always assume we have the following axiom scheme. 


Normality Scheme All formulas of the form □(X ⊃ Y) ⊃ (□X ⊃ □Y) 


And as rules of inference, there is the familiar modus ponens, plus the essentially modal 
necessitation rule, introduced by Gödel. 


Modus Ponens Conclude Y from X and X ⊃ Y 


Necessitation Conclude □X from X 


The Rule of Necessitation requires some comment. It does not say X is necessary if it is 
true—it says X is necessary if it has a proof. The idea is, things that are provable are 
surely necessary—they must hold under all circumstances. 

It is standard to call the minimal axiom system in the sense above K, for Kripke—in 
fact it axiomatizes the normal modal logic K, as will be shown below. All other axiom 
systems we consider will be obtained by adding extra axioms to K. First examples of 
modal axiomatic proofs are almost always the same, so let us round up the usual suspects. 
To begin, □(X ∧ Y) ⊃ □X is a theorem of K. Better said, any formula of this form is a 
theorem, but we won’t be so precise from now on. Here is a proof. 


1. (X ∧ Y) ⊃ X                              tautology 
2. □((X ∧ Y) ⊃ X)                           from 1 by Necessitation 
3. □((X ∧ Y) ⊃ X) ⊃ (□(X ∧ Y) ⊃ □X)         Normality Scheme 
4. □(X ∧ Y) ⊃ □X                            Modus Ponens on 2, 3 


Having seen this, it should be easy for you to show that the following is a derived rule 
in the axiom system—that is, any proof making use of it can be expanded to a proper 
proof not using it. 


Regularity Conclude □X ⊃ □Y from X ⊃ Y 


With Regularity, it is trivial to show that □(X ∧ Y) ⊃ □Y is a theorem, and 
consequently so is □(X ∧ Y) ⊃ (□X ∧ □Y), using classical reasoning. Here is an abbreviated 
proof of the converse. We thus have □(X ∧ Y) ≡ (□X ∧ □Y). 


1. X ⊃ (Y ⊃ (X ∧ Y))                        tautology 
2. □X ⊃ □(Y ⊃ (X ∧ Y))                      from 1 by Regularity 
3. □(Y ⊃ (X ∧ Y)) ⊃ (□Y ⊃ □(X ∧ Y))         Normality Scheme 
4. □X ⊃ (□Y ⊃ □(X ∧ Y))                     from 2 and 3 by classical logic 
5. (□X ∧ □Y) ⊃ □(X ∧ Y)                     from 4 by classical logic 


Other common modal axiom systems are obtained by adding axiom schemes to K. 
The standard names for several of these schemes are given in Table 2. If scheme T, say, 
is added to K, we will call the resulting axiom system T, and similarly for the other 
cases. 


Name | Axiom Schemes 
K | no additional axioms 
T | □X ⊃ X 
K4 | □X ⊃ □□X 
S4 | T + K4 
KB | X ⊃ □◇X 
B | T + KB 
S5 | T + K4 + KB 
D | □X ⊃ ◇X or ◇⊤ 
KD4 | D + K4 


Table 2. Some Normal Modal Logics 


Incidentally, there is a whole class of modal logics called regular that are weaker than 
the normal modal logics. They are axiomatized by replacing the Necessitation Rule by the 
Regularity Rule. They too have a semantics, and the usual variety of proof procedures, 
but we will not be considering them further here—[19] has a treatment. 


2.2 Soundness and Completeness 


Suppose we have a normal modal logic that is characterized semantically, as the set of 
formulas valid in a certain class of frames. Let us call the modal logic L, the frames L- 
frames, and models based on them L-models. So, X ∈ L if and only if X is true at every 
possible world of every L-model. And suppose we have a candidate for an axiomatization 
of L: a collection of axiom schemes, L, which we add to the axiomatic system K. How 
might one show soundness and completeness for the axiomatization L, relative to the 
class of L-models? 

Soundness is generally a simple matter for axiom systems. One establishes that every 
line of a proof in L is valid in all L-models, and hence all theorems are valid. To do this it 
is enough to show all axioms are valid, and the rules preserve validity. That the rules of 
L (that is, of K) preserve validity is immediate. The Rule of Necessitation corresponds 
directly to one of the conditions for a normal modal logic, and Modus Ponens to another. 
All that is left is to verify the validity of the axioms. And clearly, all tautologies, and 
instances of the Normality Scheme, are valid in every model—this is simple to check. 

So soundness comes down to the following straightforward issue: is it the case that all 
instances of L axiom schemes are valid in L-frames? It is easily checked that instances 
of scheme T are valid in T-frames, instances of K4 are valid in K4-frames, and so on. 
This kind of thing gives all the ‘standard’ soundness results—in particular, for all the 
axiomatic systems of Table 2 with respect to the corresponding frame classes of Table 1. 

Completeness is more work—sometimes much more—but often the method of canoni- 
cal models works uniformly and well. Suppose, as above, that L is a set of axiom schemes. 
We construct the canonical model M for L. 

Call a set S of formulas L-inconsistent if there is a finite subset {X₁, ..., Xₙ} of S 
such that (X₁ ∧ ... ∧ Xₙ) ⊃ ⊥ is a theorem of L. Call S L-consistent if it is not 
L-inconsistent, and maximally L-consistent if it is L-consistent and has no proper extension 
that is L-consistent. Lindenbaum’s Lemma applies, in the usual way, to say that every 
L-consistent set has a maximal L-consistent extension. Since the proof of Lindenbaum’s 
Lemma is by a construction that will come up several times, in various forms, let me 
remind you of how it goes. 


Lindenbaum Construction Suppose S is L-consistent. Enumerate the (countably 
many) formulas of the language, Z₁, Z₂, ..., and define the following sequence of 
sets. 

    S₁ = S 
    Sₙ₊₁ = Sₙ ∪ {Zₙ}    if Sₙ ∪ {Zₙ} is L-consistent          (1) 
    Sₙ₊₁ = Sₙ           otherwise 


One then shows that S₁ ⊆ S₂ ⊆ S₃ ⊆ ..., each Sₙ is L-consistent, ⋃ₙ Sₙ is 
L-consistent, and ⋃ₙ Sₙ is maximally L-consistent. 


In fact, this construction is more general than it would first seem. Say a collection 
C of sets is of finite character provided S ∈ C if and only if every finite subset of S is 
in C. (It is immediate from the definition above that the collection of L-consistent 
sets is of finite character.) The Lindenbaum construction can easily be adapted to 
show: if S ∈ C and C is of finite character, then S can be extended to a maximal 
member of C. This observation makes things a little easier for us later on. 


Now, let M = ⟨G, R, V⟩ be the model constructed as follows. G is the set of all 
maximally L-consistent sets of formulas. For w, w′ ∈ G, wRw′ provided 
{X | □X ∈ w} ⊆ w′. And finally, w ∈ V(P) provided P ∈ w. This is the canonical model for L. The 
chief fact concerning it is the so-called Truth Lemma: for every formula X and possible 
world w ∈ G 


X ∈ w if and only if M, w ⊩ X          (2) 


The Truth Lemma is proved by induction on the degree of X. The atomic case is by 
definition, and the propositional connective cases are straightforward. Here is a sketch 
of the modal case. We wish to show (2) is true for □Z under the assumption that it 
holds for simpler formulas, in particular, for Z. Half is simple. Suppose □Z ∈ w, and let 
w′ be an arbitrary world such that wRw′. By definition of R, Z ∈ w′; by the induction 
hypothesis, M, w′ ⊩ Z; so since w′ was arbitrary, M, w ⊩ □Z. The other direction 
requires more work. 

Suppose □Z ∉ w. Consider the set S = {X | □X ∈ w} ∪ {¬Z}. This is L-consistent, 
because if not, there would be a finite subset {□X₁, ..., □Xₙ} of w such that 


1. (X₁ ∧ ... ∧ Xₙ ∧ ¬Z) ⊃ ⊥          definition of inconsistent 
2. (X₁ ∧ ... ∧ Xₙ) ⊃ Z               by classical reasoning from 1 
3. □(X₁ ∧ ... ∧ Xₙ) ⊃ □Z             Regularity on 2 
4. (□X₁ ∧ ... ∧ □Xₙ) ⊃ □Z            using results shown earlier 


But each □Xᵢ ∈ w, and it follows from the maximal L-consistency of w that □Z ∈ w, 
which is a contradiction. Thus we know that S is L-consistent. Extend it to a maximal 
L-consistent set w′. By definition, w′ ∈ G and clearly wRw′. And ¬Z ∈ w′ so Z ∉ w′ 
and by the induction hypothesis, M, w′ ⊮ Z, hence M, w ⊮ □Z. 

With the Truth Lemma established, it follows that the canonical model is a universal 
counter-model for L—it provides counterexamples for all non-theorems of L. For, suppose 
X is not a theorem of axiom system L. Then {¬X} is L-consistent, and so can be 
extended to a maximal L-consistent set w. w is a world of the canonical model and, 
since X ∉ w, by the Truth Lemma, M, w ⊮ X. 

If the canonical model for L happens to be an L-model, this establishes completeness 
since, if X is not a theorem of L, there is an L-model in which X fails—the canonical one. 
Since K imposes no conditions on frames, we now have the completeness of axiom system 
K relative to K. As a matter of fact, the canonical model for T is a T-model, for K4 is 
a K4-model, and so on for the various entries in Tables 1 and 2. Here is a sketch of the 
verification for one case—K4. Let M = ⟨G, R, V⟩ be the canonical model for K4—I’ll 
show it is transitive. Well, suppose w₁, w₂, w₃ ∈ G and w₁Rw₂ and w₂Rw₃. And say 
□X ∈ w₁. Since □X ⊃ □□X is an axiom of K4, and possible worlds of the canonical 
model are maximally consistent, hence deductively closed, it follows that □□X ∈ w₁. 
By definition of R in the canonical model, □X ∈ w₂, and hence X ∈ w₃. It has been 
shown that {X | □X ∈ w₁} ⊆ w₃, so w₁Rw₃, and thus we have transitivity. I’ll leave 
it to you to check the other cases. Thus in one construction we have completeness for a 
large class of axiom systems, relative to a large class of frame families. 


2.3 Difficulties, and GL 


One should not go away with the impression that canonical models solve all problems. 
There are standard axiomatically formulated logics for which completeness results can 
be proved relative to a class of frames, but not by a direct canonical model technique. A 
simple example is the well-known provability logic GL, axiomatized by adding the GL 
schema □(□X ⊃ X) ⊃ □X to K4 (or equivalently, to K, though this takes some work 
to show). See [8, 9, 56] for the full story. GL is sound and complete with respect to two 
different classes of frames. One class, call it GLʷ, consists of transitive, well-founded 
frames—well-founded frames are those in which there are no infinite sequences of worlds 
w₁, w₂, w₃, ..., with wᵢRwᵢ₊₁. (Technically, it is the relation that is converse to R that 
is well-founded, but we can ignore the point here.) The other class, call it GLᶠ, consists 
of frames that are transitive, irreflexive, and finite. For applications to arithmetic the 
class GLᶠ is the more interesting, but clearly one cannot prove completeness of GL with 
respect to GLᶠ using canonical models for the simple reason that a canonical model is 
infinite, and hence not a member of the designated class of frames. In this section I’ll 
briefly sketch how the logic can be handled axiomatically. We will see it again after 
tableaus have been introduced. 

Every GLᶠ frame is also a GLʷ frame, so a soundness proof with respect to GLʷ 
establishes soundness with respect to both. And for this it is enough to show all instances 
of the schema □(□X ⊃ X) ⊃ □X are valid in GLʷ frames. Well, suppose we had a 
model M = ⟨G, R, V⟩, based on a GLʷ frame, and a possible world w₁ of it, such that 
M, w₁ ⊩ □(□P ⊃ P) but M, w₁ ⊮ □P. By the latter, there must be a world w₂ with 
w₁Rw₂ and M, w₂ ⊮ P. Of course we also have M, w₂ ⊩ □P ⊃ P. It follows that 
M, w₂ ⊮ □P. Hence there exists a world w₃ with w₂Rw₃ and M, w₃ ⊮ P. Since R 
is transitive, M, w₃ ⊩ □P ⊃ P. It follows that M, w₃ ⊮ □P. So we can repeat the 
argument, getting a world w₄ accessible from w₃, at which we have M, w₄ ⊮ P and 
M, w₄ ⊩ □P ⊃ P, and so on. This contradicts well-foundedness of the frame. Hence 
there can be no such model M, so □(□P ⊃ P) ⊃ □P must be valid in all GLʷ frames. 

Once again, every GLᶠ frame is also a GLʷ frame, so a completeness proof with 
respect to GLᶠ will show completeness with respect to both. As noted above, a canonical 
model construction cannot work. But something not radically different from it does. Let 
Z be a formula that is not provable—I will construct a GLᶠ model, M_Z, that invalidates 
it. 

Define sub(Z) to be the set of all subformulas of Z, and negations of subformulas of 
Z—a finite set. Now, let G_Z be the collection of all maximally GL-consistent subsets of 
sub(Z)—again a finite set. It is easy to see that any GL-consistent subset of sub(Z) 
can be extended to a maximal such set. Next I’ll define an auxiliary relation (used 
shortly to define the actual accessibility relation): for w, w′ ∈ G_Z, set w R₀ w′ if 
{X, □X | □X ∈ w} ⊆ w′. Now, here is the real thing: for w, w′ ∈ G_Z, set w R_Z w′ if w R₀ w′ 
but not w′ R₀ w. Finally, let w ∈ V_Z(P) provided P ∈ w. We thus have our model 
M_Z = ⟨G_Z, R_Z, V_Z⟩. 

It is obvious that G_Z is finite. It is equally obvious that R_Z is irreflexive. If we had 
that R_Z was transitive, we would know that M_Z was a GLᶠ model. In fact, this is the 
case, but for readability I’ll give the argument in a separate paragraph. 

Suppose w₁ R_Z w₂ and w₂ R_Z w₃; I’ll show w₁ R_Z w₃. I’ll leave the key step to you: 
show that R₀ is transitive. Given this, we must have w₁ R₀ w₃, since we have w₁ R₀ w₂ 
and w₂ R₀ w₃, and R₀ is transitive. If we had w₃ R₀ w₁, since we have w₁ R₀ w₂ and R₀ 
is transitive, we would have w₃ R₀ w₂, and we do not. Thus we do not have w₃ R₀ w₁. It 
follows that w₁ R_Z w₃. 

Thus M_Z is a GLᶠ model. To show it is a counter-model to Z we need an analog of 
the Truth Lemma stated earlier as (2). The original version must be replaced with the 
following 


For X ∈ sub(Z), X ∈ w if and only if M_Z, w ⊩ X          (3) 


The proof of (3) is almost the same as that of (2), by induction on the complexity of 
X. I’ll just give one step, but it is the most significant one. Suppose that (3) is known 
for the formula X, w ∈ G_Z, □X ∈ sub(Z), and □X ∉ w. I’ll show M_Z, w ⊮ □X. 

We are assuming □X ∉ w. Let S be the set {Y, □Y | □Y ∈ w} ∪ {□X, ¬X}. This is 
GL-consistent, because if not, there would be a finite subset {□Y₁, ..., □Yₙ} of w such 
that 


1. (Y₁ ∧ ... ∧ Yₙ ∧ □Y₁ ∧ ... ∧ □Yₙ ∧ □X ∧ ¬X) ⊃ ⊥ 
   definition of inconsistent 

2. (Y₁ ∧ ... ∧ Yₙ ∧ □Y₁ ∧ ... ∧ □Yₙ) ⊃ (□X ⊃ X) 
   by classical reasoning from 1 

3. □(Y₁ ∧ ... ∧ Yₙ ∧ □Y₁ ∧ ... ∧ □Yₙ) ⊃ □(□X ⊃ X) 
   Regularity on 2 

4. (□Y₁ ∧ ... ∧ □Yₙ ∧ □□Y₁ ∧ ... ∧ □□Yₙ) ⊃ □(□X ⊃ X) 
   distributing □ over ∧ (Section 2.1) 

5. (□Y₁ ∧ ... ∧ □Yₙ) ⊃ □(□X ⊃ X) 
   using the K4 axiom 

6. (□Y₁ ∧ ... ∧ □Yₙ) ⊃ □X 
   using the GL axiom 


But each □Yᵢ ∈ w, and so □X ∈ w, a contradiction. Thus we know that S is 
GL-consistent. Extend it to a maximal GL-consistent subset w′ of sub(Z). By definition, 
w′ ∈ G_Z. Also by definition, w R₀ w′. And we do not have w′ R₀ w since □X ∈ w′ but 
□X ∉ w. Thus w R_Z w′. And ¬X ∈ w′ so X ∉ w′ and by the induction hypothesis, 
M_Z, w′ ⊮ X, hence M_Z, w ⊮ □X. 

With (3) established, there must be a possible world in the model M_Z at which the 
unprovable formula Z is false (a maximal consistent extension of {¬Z}). Thus we have 
completeness. 


A canonical model is a universal counter-model—it invalidates all unprovable formulas. 
The present construction, while very similar, does not produce any such thing. Each 
formula, Z, is invalidated in a counter-model, M_Z, of its own. 

The construction above makes use of a variant of a technique known as filtration. A 
more standard version would begin by constructing a model in which worlds are maximal 
consistent sets, in the usual sense, and then identifying those worlds that agree on the 
subformulas of Z. This is one technique among many for constructing models when the 
canonical construction does not work. These constructions are often ingenious, often 
intricate, and beyond the scope of the present chapter. 


2.4 Sahlqvist Formulas 


Though canonical models do not solve all completeness problems, they do for the logics 
considered in Section 2.2. One naturally wonders what these logics have in common 
that makes them so nice. In [54] a remarkable answer to this question was given—see 
[6] for an insightful, elegant treatment. Sahlqvist defined syntactically a class of modal 
formulas having two important properties. First, there is an algorithm (Sahlqvist-van 
Benthem) for associating with each formula of the class a first-order condition on frames. 
These frames will validate the corresponding modal formulas. And second, the canonical 
model for a logic axiomatized by Sahlqvist formulas will satisfy the first-order conditions 
determined by the formulas. Thus, the canonical model technique must work for modal 
logics whose axioms are Sahlqvist formulas. 

All formulas in Table 2 are Sahlqvist formulas, and the frame conditions they determine 
using the Sahlqvist-van Benthem algorithm are those in Table 1. On the other hand, the 
GL scheme, □(□X ⊃ X) ⊃ □X is not Sahlqvist, the frame classes GLᶠ and GLʷ are 
not first-order definable, and canonical models do not work. 
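
The match between the schemes of Table 2 and the frame conditions of Table 1, and the behaviour of the GL scheme on finite frames, can be checked exhaustively on small frames. The Python below is an added example, not code from the chapter: it enumerates all 512 frames on three worlds and compares validity of the instance X = p (under every valuation) with the stated frame condition. All function and variable names are assumptions made for the example.

```python
from itertools import product

WORLDS = (0, 1, 2)
PAIRS = [(a, b) for a in WORLDS for b in WORLDS]

# Formulas over one letter p: ("p",), ("not", A), ("imp", A, B), ("box", A).
P = ("p",)
def neg(a): return ("not", a)
def imp(a, b): return ("imp", a, b)
def box(a): return ("box", a)
def dia(a): return neg(box(neg(a)))  # possibility, defined from necessity

def holds(f, R, V, w):
    """Truth of f at world w of the model (WORLDS, R, V); V is the set of worlds where p is true."""
    op = f[0]
    if op == "p":
        return w in V
    if op == "not":
        return not holds(f[1], R, V, w)
    if op == "imp":
        return (not holds(f[1], R, V, w)) or holds(f[2], R, V, w)
    if op == "box":
        return all(holds(f[1], R, V, v) for v in WORLDS if (w, v) in R)
    raise ValueError(f"unknown connective {op!r}")

def countermodel(f, R):
    """Return (V, w) with f false at w under valuation V, or None if f is valid on the frame."""
    for bits in product([False, True], repeat=len(WORLDS)):
        V = {w for w, b in zip(WORLDS, bits) if b}
        for w in WORLDS:
            if not holds(f, R, V, w):
                return V, w
    return None

def all_frames():
    """Every accessibility relation on WORLDS, as a frozenset of pairs (2**9 = 512 frames)."""
    for bits in product([False, True], repeat=len(PAIRS)):
        yield frozenset(pair for pair, keep in zip(PAIRS, bits) if keep)

def reflexive(R):   return all((w, w) in R for w in WORLDS)
def irreflexive(R): return all((w, w) not in R for w in WORLDS)
def symmetric(R):   return all((b, a) in R for (a, b) in R)
def serial(R):      return all(any((w, v) in R for v in WORLDS) for w in WORLDS)
def transitive(R):
    return all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)

# Scheme instance with X = p, paired with the frame condition it should match.
# Validity of the p-instance under all valuations implies validity of every
# instance of the scheme, because frame validity is closed under substitution.
SCHEMES = {
    "T":  (imp(box(P), P), reflexive),
    "K4": (imp(box(P), box(box(P))), transitive),
    "KB": (imp(P, box(dia(P))), symmetric),
    "D":  (imp(box(P), dia(P)), serial),
    # On finite frames the GL classes reduce to: transitive and irreflexive.
    "GL": (imp(box(imp(box(P), P)), box(P)),
           lambda R: transitive(R) and irreflexive(R)),
}

def mismatches(name):
    """Frames where validity of the scheme instance and the frame condition disagree."""
    f, condition = SCHEMES[name]
    return [R for R in all_frames() if (countermodel(f, R) is None) != condition(R)]

if __name__ == "__main__":
    for name in SCHEMES:
        print(name, "disagreements on 3-world frames:", len(mismatches(name)))
    # A non-transitive chain 0 -> 1 -> 2 refutes the K4 instance.
    print(countermodel(SCHEMES["K4"][0], frozenset({(0, 1), (1, 2)})))
```

An empty mismatch list for GL here says nothing about first-order definability: the check only covers frames with three worlds, where well-foundedness reduces to the absence of cycles.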

A full discussion of the fundamental Sahlqvist results (and their limitations) can be 
found elsewhere in this book, in Chapters 1 and 7, so I will say no more about them here. 


3 DEDUCTION, AND THE DEDUCTION THEOREM 


In many logics (classical logic is the classical example) one introduces a notion of deriva- 
tion, or deduction, or consequence—besides what is provable, what follows from what. 
Typically, Y follows from a set S of formulas, premises, in some axiomatic system if 
Y becomes provable when members of S are added to the system’s axioms. Then one 
connects deduction and provability by showing a deduction theorem: Y is a consequence 
of the set S ∪ {X} if and only if X ⊃ Y is a consequence of S. Taking S to be empty we 
have the important special case: Y has a derivation from X if and only if X ⊃ Y follows 
from ∅, that is, if and only if X ⊃ Y is a theorem of the original axiomatic system. This 
is an important tool, both theoretically and practically, because it allows us to prove an 
implication X ⊃ Y by carrying out a derivation, of Y from X, and such a derivation is 
often easier to discover since we have more material to work with, namely we have X. 

Modal logic raises problems for the notion of deduction. Suppose we want to show 
X ⊃ Y in some modal axiom system by deriving Y from X. So we add X to our axioms. 
Say, to make things both concrete and intuitive, that X is “it is raining” and Y is “it 
is necessarily raining.” Since X has been added to the axiom list the necessitation rule 
applies, and from X we conclude □X, that is, Y. Then the deduction theorem would 
allow us to conclude that if it is raining, it is necessarily raining. This does not seem 
right—nothing would ever be contingent. On the other hand, if we are working in the 
modal logic K, and we want to see what happens if we strengthen it to T by adding all 
instances of the scheme □X ⊃ X, we certainly want the necessitation rule to apply to 
these instances. Things are not simple. 

In the examples above, instances of the axiom scheme □X ⊃ X are clearly intended 
to be understood as logical truths, and we would expect the necessitation rule to apply 
to them. But “it is raining” is a contingent truth, and necessitation should not apply. 
In modal logics, a proper notion of deduction must allow two kinds of premises, global, 
to which the necessitation rule applies, and local, to which it does not. The following 
definition is from [21]. 


DEFINITION 1. Let L be a set of axiom schemes for a normal modal logic—extending 
K. Let S and U be sets of formulas (not schemes) and X be a single formula (also not 
a scheme). The formula X is deducible from the set S of global premises and the set U 
of local premises in L if there is a sequence of formulas ending with X, consisting of a 
global part, coming first, and a local part, coming last. In the global part each formula is 
an instance of a member of L, a member of S, or follows from earlier formulas by modus 
ponens or necessitation. In the local part each formula is an instance of a member of L, 
a member of U, or follows from earlier formulas by modus ponens (necessitation is not 
allowed in this part). If X is so deducible, this is symbolized by S ⊢_L U → X. 


The working content of the definition above is simple: in an axiomatic derivation of 
X in L one can proceed as one does in a proof, using members of S and U as additional 
axioms, except that once we start using members of U, the necessitation rule can no 
longer be applied. 
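
The axiom system K of Section 2.1 and the global/local distinction of Definition 1 can be turned into a small proof checker. The Python below is an added example, not part of the chapter: it validates each line's justification (tautology, Normality Scheme, Modus Ponens, Necessitation, global or local premise) and rejects Necessitation once a local premise has been used, following the working content described above. The line format and all names are assumptions made for the example.

```python
from itertools import product

# Formulas: a string is a propositional letter; compound formulas are tuples
# ("not", A), ("and", A, B), ("imp", A, B), ("box", A).
def imp(a, b): return ("imp", a, b)
def conj(a, b): return ("and", a, b)
def box(a): return ("box", a)

def _is(f, op):
    return isinstance(f, tuple) and f[0] == op

def _atoms(f, acc):
    """Collect letters and boxed subformulas; a boxed formula is opaque to classical logic."""
    if isinstance(f, str) or _is(f, "box"):
        acc.add(f)
    else:
        for sub in f[1:]:
            _atoms(sub, acc)
    return acc

def _eval(f, val):
    if isinstance(f, str) or _is(f, "box"):
        return val[f]
    if _is(f, "not"):
        return not _eval(f[1], val)
    if _is(f, "and"):
        return _eval(f[1], val) and _eval(f[2], val)
    if _is(f, "imp"):
        return (not _eval(f[1], val)) or _eval(f[2], val)
    raise ValueError(f"unknown connective in {f!r}")

def is_tautology(f):
    """Truth-table test in which every boxed subformula counts as a fresh letter."""
    atoms = list(_atoms(f, set()))
    return all(_eval(f, dict(zip(atoms, row)))
               for row in product([False, True], repeat=len(atoms)))

def is_normality(f):
    """Does f have the shape box(X imp Y) imp (box X imp box Y)?"""
    if not (_is(f, "imp") and _is(f[1], "box") and _is(f[1][1], "imp")
            and _is(f[2], "imp") and _is(f[2][1], "box") and _is(f[2][2], "box")):
        return False
    x, y = f[1][1][1], f[1][1][2]
    return f[2][1][1] == x and f[2][2][1] == y

def check_deduction(lines, global_premises=(), local_premises=()):
    """Check a deduction over K. Each line is (formula, rule, refs), refs being 1-based
    numbers of earlier lines. Returns (True, "") or (False, reason)."""
    local_part = False  # set at the first local premise; Necessitation is barred afterwards
    for n, (f, rule, refs) in enumerate(lines, start=1):
        if any(not (1 <= r < n) for r in refs):
            return False, f"line {n}: reference to a line that is not earlier"
        prev = [lines[r - 1][0] for r in refs]
        if rule == "taut":
            ok = is_tautology(f)
        elif rule == "normality":
            ok = is_normality(f)
        elif rule == "global":
            ok = f in global_premises
        elif rule == "local":
            ok = f in local_premises
            local_part = True
        elif rule == "MP":
            ok = len(prev) == 2 and (prev[1] == imp(prev[0], f) or prev[0] == imp(prev[1], f))
        elif rule == "Nec":
            if local_part:
                return False, f"line {n}: Necessitation used in the local part"
            ok = len(prev) == 1 and f == box(prev[0])
        else:
            ok = False
        if not ok:
            return False, f"line {n}: not justified by {rule}"
    return True, ""

# The four-line proof of box(X and Y) imp box X from Section 2.1, with X = p, Y = q.
X, Y = "p", "q"
PROOF_BOX_AND = [
    (imp(conj(X, Y), X), "taut", ()),
    (box(imp(conj(X, Y), X)), "Nec", (1,)),
    (imp(box(imp(conj(X, Y), X)), imp(box(conj(X, Y)), box(X))), "normality", ()),
    (imp(box(conj(X, Y)), box(X)), "MP", (2, 3)),
]

# "It is raining" as a premise: necessitation is fine for a global premise only.
RAIN = "raining"
def rain_deduction(kind):
    return [(RAIN, kind, ()), (box(RAIN), "Nec", (1,))]

if __name__ == "__main__":
    print(check_deduction(PROOF_BOX_AND))
    print(check_deduction(rain_deduction("global"), global_premises={RAIN}))
    print(check_deduction(rain_deduction("local"), local_premises={RAIN}))
```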

Since we have two kinds of premises, we have two versions of the deduction theorem. 
Here they are. 


THEOREM 2 (Deduction). Let S and U be sets of formulas, X and Y be single formulas, 
and L be a set of axiom schemes extending K. 


1. S ⊢_L U ∪ {X} → Y if and only if S ⊢_L U → (X ⊃ Y). 


2. S ∪ {X} ⊢_L U → Y if and only if S ⊢_L U ∪ {X, □X, □²X, □³X, ...} → Y. 


The proof of the theorem above is a variation on that of the classical deduction 
theorem. I’ll omit it here. The significant thing is that there are two versions. In reading 
the literature in modal logic it is important to notice, when an author talks of deduc- 
tion, whether the premises are local or global. Both versions appear, often without the 
local/global qualification, and this can lead to some confusion. 

There is a semantic counterpart of the local/global distinction, which accounts for the 
terminology. 


DEFINITION 3. Let L be a family of frames, thus characterizing a normal modal logic. 
Let S and U be sets of formulas (not schemes) and X be a single formula (also not a 
scheme). The formula X is a semantic consequence of the set S of global premises and 
the set U of local premises in L provided, for every L-model M in which all members of 
S are valid (true at every possible world), for each possible world w of M at which all 
members of U are true, X is true. This is symbolized by S ⊨_L U → X. 


In Section 2.2 soundness and completeness issues were discussed. There is a more 
general notion, taking deduction into account. 


DEFINITION 4. Let L be a set of axiom schemes, extending K, and let L be a class of 
frames. L is strongly complete (and sound) with respect to L provided, for all sets S and 
U of formulas, and for all formulas X: 


S ⊢_L U → X ⟺ S ⊨_L U → X. 


Completeness arguments using canonical models tend to actually establish strong com- 
pleteness. This is the case for all the axiom systems of Table 2 relative to the correspond- 
ing classes of frames in Table 1. It is not always so straightforward, however. In Sec- 
tion 2.3 I mentioned axiomatically formulated GL, and a corresponding class of frames 
GL. This is an instance where completeness, but not strong completeness is the case. 
Strong completeness cannot be taken for granted. 


4 NATURAL DEDUCTION 


Someone once said that in mathematics every important theorem eventually becomes 
a definition. Well, the Deduction Theorem is sufficiently important that proof systems 
have been created with it as part of the basic machinery, rather than being a derived 
rule. Such systems are called natural deduction systems, and were originally introduced 
by Gentzen, [29], and Jaskowski, [40]. Prawitz wrote a classic study of these systems, 
[52]. Modal versions have been introduced, with those of Fitch being the best-known 
[16, 55]. Here I’ll briefly sketch a classical and several modal natural deduction systems. 


4.1 Classical Natural Deduction 


Recall that our basic classical connectives are ⊃ and ⊥, with other connectives taken 
as defined. In particular, ¬X is X ⊃ ⊥. I’ll only give rules for these, though rules 
for other connectives can be introduced. In a natural deduction proof, assumptions 
are made, then eventually these assumptions are discharged using a principle like that 
embodied in the Deduction Theorem. Parts of proofs involving assumption, reasoning, 
and assumption discharge are called subordinate proofs, and are characteristic of natural 
deduction systems. Notation differs for indicating a subordinate proof. I’ll enclose it in 
a box. The rules are given in Table 3. 

┌───────┐          X                  X                  ┌───────┐ 
│ X     │          X ⊃ Y              ┌───────┐          │ ¬X    │ 
│ ⋮     │          ─────              │ ⋮     │          │ ⋮     │ 
│ Y     │          Y                  │ X     │          │ ⊥     │ 
└───────┘                             └───────┘          └───────┘ 
X ⊃ Y                                                    X 

Discharge          Modus Ponens       Repetition         Negation 


Table 3. Classical Natural Deduction Rules 


There is some variety to what is called a natural deduction system in the literature. 
Sometimes proofs have a tree structure, as in [52]. Here natural deduction proofs are 
Fitch-style, [17], in which a proof is a sequence of formulas, as in axiom systems. In 
addition, subordinate proofs can be started at any point—parts of a proof might be 
boxed, and boxes can be nested, but they cannot overlap. The first formula in a box 
is understood to be an assumption—a premise. Then the Discharge rule in Table 3 
incorporates the principle of the Deduction Theorem: having assumed X as a premise, 
and having deduced Y, the premise X can be discharged and X ⊃ Y concluded. Premise 
discharge is symbolized by closing off a box, thus ending a subordinate proof. Before 
explaining the other rules, one more notion is needed. I’ll say that in a proof, two 
formulas, or a formula and a box, are at the same level if they are inside the same 
(nested) boxes. Modus Ponens, in Table 3, can only be applied if X and X ⊃ Y are 
at the same level (though the order of the two formulas does not matter). Likewise in 
the Repetition rule, the upper occurrence of X must be at the same level as the box 
into which X is shown being repeated. A formula is a theorem of this natural deduction 
system if it is the last line of a proof and does not occur inside a box. 

Figure 1 contains an example of a simple classical proof, in this system, of 
(¬Q ⊃ P) ⊃ ((¬Q ⊃ ¬P) ⊃ Q). In this, 1, 2, and 4 are premises; 3 is from 1 by Repetition; 5 
is from 2 by Repetition; 6 is from 4 and 5 by Modus Ponens; 6′ is just 6 unabbreviated; 
7 is from 3 by Repetition; 8 is from 4 and 7 by Modus Ponens; 9 is from 6′ and 8 by 
Modus Ponens; 10 is by Negation; 11 and 12 are by Discharge. 


1. ¬Q ⊃ P 


2. ¬Q ⊃ ¬P 


11. (¬Q ⊃ ¬P) ⊃ Q 


12. (¬Q ⊃ P) ⊃ ((¬Q ⊃ ¬P) ⊃ Q) 


Figure 1. Classical Natural Deduction Proof 


If we drop the Negation rule, exactly intuitionistic implication is captured. If Negation 
is replaced by a rule allowing us to conclude X from ⊥, this gives us intuitionistic 
negation. Other intuitionistic connectives can be captured as well, but this is too far 
afield for present purposes. Also, various derived rules will probably have occurred to 
you—for instance, Repetition can involve deeply nested boxes, instead of just going ‘one 
box in.’ Conditions were stated as they were to allow the easy addition of modal rules. 
I’ll leave simplifications to you. 


4.2 Modal Natural Deduction 


Recall that whether or not the necessitation rule applied to premises in an axiomatic 
deduction led us to distinguish between two kinds of premises, local and global. A 
similar point comes up with natural deduction proofs, and we are led to create two 
kinds of subordinate proofs. One kind is as before, and follows the standard rules. The 
other kind is called a strict subordinate proof. I will symbolize it by enclosing it in a 
double-walled box. Think of a strict subordinate proof as an argument taking place in 
an arbitrary alternative world. Equivalently, think of it as an argument taking place 
within the scope of a necessitation operator. A strict subordinate proof does not have an 
initial premise, as ordinary subordinate proofs do, and one can be started at any point. 
Whatever is shown in a strict subordinate proof has actually had its necessity established, 
consequently the Discharge rule is different. The Repetition rule is also different, since 
strict subordinate proofs involve alternative worlds. The basic rules are in Table 4. 


Strict Repetition          Strict Discharge 


Table 4. Modal Natural Deduction Rules for K 


An example of a proof using the classical and the modal natural deduction rules can 
be found in Figure 2. It is a proof of □(X ⊃ Y) ⊃ (□X ⊃ □Y). In it, 1 and 2 are 
premises; 3 is by Repetition from 1; then a strict subordinate proof is started; 4 and 5 
are from 2 and 3 by Strict Repetition; 6 is from 4 and 5 by Modus Ponens; 7 is from 6 
by Strict Discharge; 8 is by Discharge; and 9 is by Discharge. 


1. □(X ⊃ Y) 
2. □X 
3. □(X ⊃ Y) 
4. X 
5. X ⊃ Y 
6. Y 
7. □Y 
8. □X ⊃ □Y 
9. □(X ⊃ Y) ⊃ (□X ⊃ □Y) 


Figure 2. Modal Natural Deduction Proof 


The logic captured by these rules is K. Certain other logics can also be treated this 
way, by suitable additions to the rules. In fact the underlying idea serves us as a lead-in 
to other proof procedures, starting in the next section. I’ll give rules for some, but not 
all of the logics from Table 1—treatments of other logics can be found in [10, 17, 55]. 

If S is a set of formulas, I define a set S# in a logic-dependent way, in Table 5. The 
motivation is, if all members of S are true at a possible world of an L model, all members 
of S# will be true at any alternative world, for L being any of the logics listed in Table 5. 


Logic | S# 
K, T, D | {X | □X ∈ S} 
K4, S4, KD4 | {X | □X ∈ S} ∪ {□X | □X ∈ S} 
KB, B, S5 | {X | □X ∈ S} ∪ {□X | □X ∈ S} ∪ {¬□¬X | X ∈ S} 


Table 5. Definition of S# 


For each of the logics covered in Table 5, the Strict Repetition rule of Table 4 should 
be replaced by the following. Note that the new rule for K coincides with the one stated 
in Table 4. 


Strict Repetition Rule If S is the set of formulas in a proof, that are above a strict 
subordinate proof, and at the same level as it, any member of S# can be entered 
into the strict subordinate proof. 


For K, K4, and KB, the rules given so far are complete. For T, B, S4, and S5, we 
add a rule allowing us to infer X from □X, and for D and KD4, we instead add a rule 
allowing us to infer ¬□¬X from □X. 

Figure 3 displays a proof using the rules for K4. In it, 1 and 2 are premises; 3 is from 
1 by Repetition; 4 is from 2 and 5 is from 3 by Strict Repetition; 6 is from 4 and 7 is 
from 5 by Strict Repetition; 8 is from 6 and 7 by Modus Ponens; 9 is from 8 by Strict 
Discharge, as is 10 from 9; 11 is by Discharge, as is 12. 

Completeness is easy to show. Begin by giving natural deduction proofs of all (appro- 
priate) axioms. Modus Ponens is one of the rules. And it is easy to show that theorems 
are closed under a Necessitation Rule (carry out a proof of X inside a strict box, and 
conclude OX outside it). Then natural deduction completeness follows from axiomatic 
completeness. Soundness is a bit more work; see [19] for details. 


1. □(X ⊃ Y)


10.
11. □X ⊃ □□Y
12. □(X ⊃ Y) ⊃ (□X ⊃ □□Y)


Figure 3. K4 Natural Deduction Proof 


While I have been discussing proofs, these natural deduction systems encompass 
derivations as well. A local premise can be added to a derivation provided it is not 
added inside a strict subderivation. A global premise can be added at any point, even 
inside a strict subderivation. Then soundness and strong completeness can be shown for 
the logics of Table 5. 


5 SEMANTIC TABLEAUS 


Both axiom systems and natural deduction are forward reasoning systems. One starts 
with axioms and rules, and finishes with the desired theorem. Such systems, while ele- 
gant, are often difficult for proof discovery, and are not good candidates for automation. 
Various backward reasoning systems have been invented. These begin with the desired 
result and work backward from there to create a proof. For classical logic, resolution is 
such a system—it was designed for machine implementation, and over the years has been 
the basis for very efficient classical theorem provers, [22, 43]. However, resolution does 
not tend to adapt well to non-classical logics (though see [20]). Semantic tableaus, or 
tableaus for short, were introduced in [5], and took on their current form independently 
in [44] and [57]. They too have had successful computer implementations, and have
turned out to be more flexible than resolution in adapting to a rich variety of logics. A
very thorough presentation of tableaus can be found in [11]. This section presents tableau
systems for several propositional modal logics, but naturally, I’ll begin classically.


5.1 A Classical Tableau System 


Tableaus can be developed using signed or unsigned formulas. I’ll present a signed
version, and briefly discuss an unsigned one afterward. A signed formula is simply
T X or F X, where X is a formula. Intuitively, these signed formulas assert that X is
true or false respectively, in some context. One begins a proof search with F X, and
attempts to produce a contradiction, thus showing that X cannot be false under any
circumstances. Tableaus take the form of trees, customarily written with the root at the
top, and branching downward. Intuitively, each branch represents one ‘case.’ There are
rules for “growing” trees—one for each connective and sign. For axiom systems it was
convenient to have a small number of connectives, with others defined from them. There
is no corresponding advantage for tableaus, so I’ll take ¬, ∧, ∨, and ⊃ as primitive from
now on, and also ⊤ (truth constant) as well as ⊥ (falsehood constant). However, ≡ is
still best thought of as a defined connective.

‘Tree growing’ rules involving negation are straightforward, and are given in Table 6.
For each, if the signed formula above the line occurs (anywhere) on a tableau branch, the
signed formula below can be added to the branch end. Rules for the binary connectives
come in groups, and I’ll make use of Smullyan’s unifying notation here [57]. Table 7
defines what are called alpha and beta signed formulas and for each, two components.
Using this, the binary connective rules are summarized in Table 8. These rules say: if
an alpha formula occurs on a branch, its two components can be added successively to
the branch end; if a beta formula occurs, the branch can be split, with one component
added to each of the new branch ends.


T ¬X        F ¬X
-----       -----
F X         T X


Table 6. Negation Rules


α        | α₁    α₂    || β        | β₁    β₂
T X ∧ Y  | T X   T Y   || T X ∨ Y  | T X   T Y
F X ∨ Y  | F X   F Y   || F X ∧ Y  | F X   F Y
F X ⊃ Y  | T X   F Y   || T X ⊃ Y  | F X   T Y


Table 7. Alpha and Beta Formulas


Table 8. Alpha and Beta Rules 


Figure 4 contains an example of a tree, constructed by starting with the signed formula
F ¬(X ∧ Y) ⊃ (¬X ∨ ¬Y). In it, 2 and 3 are from 1 by α; 4 is from 2 by negation; 5 and
6 are from 4 by β; 7 and 8 are from 3 by α, just as 9 and 10 are, on the right branch;
11 is from 7 by negation; 12 is from 10 by negation. Not every applicable rule has been
used—neither 8 nor 9 has had a negation rule applied to it.

A tableau branch is called closed if it contains T Z and F Z for some formula Z, or
if it contains F ⊤, or T ⊥. A tableau is closed if every branch is closed. Intuitively, a
closed branch represents an impossible situation, and a closed tableau tells us that every
situation is impossible. The tableau of Figure 4 is closed, because of 5 and 11, and 6 and
12.


            F ¬(X ∧ Y) ⊃ (¬X ∨ ¬Y)  1.
            T ¬(X ∧ Y)  2.
            F ¬X ∨ ¬Y  3.
            F X ∧ Y  4.

F X  5.                    F Y  6.
F ¬X  7.                   F ¬X  9.
F ¬Y  8.                   F ¬Y  10.
T X  11.                   T Y  12.


Figure 4. Propositional Tableau Example

A tableau proof of X is a closed tableau beginning with F X. Thus Figure 4
constitutes a tableau proof of ¬(X ∧ Y) ⊃ (¬X ∨ ¬Y). It can be shown that exactly the
classical tautologies have tableau proofs in this system, but I’ll postpone any discussion
of soundness and completeness until modal rules have been introduced. A tableau version
of consequence—deduction from premises—is easy. One says X follows from a set S of
formulas if there is a closed tableau starting with F X, allowing the additional rule that
for any Z ∈ S, T Z can be added to the end of any branch.

Finally, I have used signed formulas, but one could just as well work with an unsigned
version. Instead of F X use ¬X, and instead of T X, just use X. I’ll leave a full
formulation to you (or see [22, 57]). The use of signs brings some additional power,
however. It is easier to establish a connection with the Gentzen sequent calculus, as
we will do in Section 7. There is a simple signed tableau system for intuitionistic logic,
something that is not possible without signs. And one can add extra signs to create proof
systems for many-valued logics.


5.2 Destructive Modal Tableaus 


Modal tableaus come in more than one version. Some logics have destructive tableau 
systems, [19, 33]. These will be presented in this section—a different approach is given 
in Section 6. The terminology comes from the fact that some destructive tableau rule 
applications lose information. Destructive tableau proofs tend to be more useful metathe- 
oretically than other kinds of tableaus—for example, one can devise a simple proof of 
interpolation theorems using such tableau systems. 

To continue the uniform treatment begun with the alpha/beta grouping, two new
categories, nu and pi, and their components are introduced in Table 9, to take care of
the modal operators—both □ and ◇ are taken as primitive now.


ν     | ν₀      π     | π₀
T □X  | T X     T ◇X  | T X
F ◇X  | F X     F □X  | F X


Table 9. Nu and Pi Formulas


In Table 5 I gave a definition of S# for several modal logics. As it happens, logics whose
semantics involve symmetry don’t have simple (or any) destructive tableau systems, so
these must be dropped. And I’m now allowing more connectives and modal operators as
primitive than before. So a definition appropriate for this section is given in Table 10—
connections with the earlier version should be clear. A few observations about this
definition. First, for all six of the logics we have monotonicity: S₁ ⊆ S₂ implies S₁# ⊆ S₂#.
And second, for the K4, S4, D4 group we have S# ⊆ S##. Both of these are easily
checked, and both play a role in later soundness and completeness proofs.


Logic       | S#
K, T, D     | {ν₀ | ν ∈ S}
K4, S4, D4  | {ν₀, ν | ν ∈ S}


Table 10. Revised Definition of S# 


Destructive tableau rules for the logics of Table 10 are as follows. First, all the classical
rules of the previous section continue to apply. And in addition there are the rules given
in Table 11. These rules require some comment. The second, from ν to get ν₀, is of the
same general kind as earlier tableau rules: a branch containing ν can have ν₀ added to
the end. The third is slightly different since it is premiseless: at any point on a tableau
branch we can add T ◇⊤. The first, however, is of a very different nature. Let us call it
the π rule, though technically what is displayed is actually several rules, depending on
the definition of S#. The π rule says that, given a branch containing π, and with S as
the entire set of (other) signed formulas on it, that branch can be replaced with a new
one containing the members of S#, and π₀. The π rule is the reason for the terminology
destructive—application of this rule removes formulas.


For all logics:      For T and S4:      For D and D4:

   S, π                   ν
 --------               -----             --------
  S#, π₀                  ν₀               T ◇⊤


Table 11. Destructive Modal Rules


An example of a destructive tableau can be found in Figure 5. It provides a tableau
proof, in the K4 system, of (□◇X ∧ □Y) ⊃ □◇(X ∧ Y). In it, 2 and 3 are from 1, and
4 and 5 are from 2 by α. Then a destructive π rule applies, with 3 as the π formula.
The original branch is replaced by a new one, shown below the line, with 6 from 3, 7
and 8 from 4, and 9 and 10 from 5; formulas 1 and 2 disappear entirely. Another π
rule application now happens, with 8 as the π formula, producing the new branch shown
below the second line. Item 11 is from 8; 12 and 13 are from 6; 14 and 15 are from 7; 16
and 17 are from 9. Finally β applied to 13 produces 18 and 19, and both branches are
closed.

[Figure 5. K4 Destructive Tableau Example: tableau with lines numbered 1 to 19, ending in two branches, F X (18) and F Y (19).]


Destructive rules add a level of complexity to tableaus. Tableau rules are
non-deterministic—they say what can be done, but the order of rule application is not
specified. It can be shown that, for the classical system of Section 5.1, a kind of Church-Rosser
property applies. If a formula X is a tautology, any attempt to provide a closed tableau
for F X will succeed, no matter in what order the rules are applied, provided only that
on each branch, every non-atomic formula eventually has a rule applied to it. The π
rule changes things. We might have a tableau branch containing, among other things,
both T ◇X and T ◇Y. Either could be used as π in a π-rule application, but when so
used, it will cause the deletion of the other formula. It can happen that a proof is
obtainable when one choice is made, but not the other—we can choose badly. This means
that a systematic proof search must allow backtracking, and so will be inherently more
time-consuming than a systematic search in the classical system—see Chapter 3 for a
full discussion.


5.3 Soundness and Completeness


A proof of soundness can also serve to motivate the rules of Table 11. We’ll say a
signed formula is realized at a possible world w of a model M if the formula is T X and
M, w ⊩ X, or the formula is F X and M, w ⊮ X. Let L be one of the six logics for which
tableau rules have been provided. Call a set S of signed formulas L-satisfiable if there
is some L model M, and some possible world, w, of it that realizes all the members of
S. Call a tableau branch L-satisfiable if the set of signed formulas on it is L-satisfiable.
And call a tableau L-satisfiable if some branch is. The key fact is that satisfiability is an
invariant for tableau construction. That is, each tableau rule preserves L-satisfiability.
Let us call a rule sound if it has this satisfiability preserving feature. It is the need to
have sound rules that dictates some of the features of the systems we have seen—for
instance, this is why the version of S# that works for K4 will not serve for K.


PROPOSITION 5. Suppose 𝒯 is an L tableau that is L-satisfiable. If any L tableau rule
is applied to 𝒯 the resulting tableau is still L-satisfiable.


Proof. Suppose branch θ of 𝒯 is L-satisfiable, say its members are realized at world w
of model M. And say a tableau rule is applied to 𝒯. If it is applied on a branch other
than θ, the resulting tableau is trivially L-satisfiable, so now assume the tableau rule has
been applied on θ.

If the applied rule was a β rule, then θ branches, technically it is replaced with two
new branches which we’ll call θ, β₁ and θ, β₂, using the obvious notation. Since β was
realized at w, a check of each case in the definition of β shows that either β₁ is realized
at w, or β₂ is. Consequently, either the branch θ, β₁ is satisfied, at w, or the branch θ, β₂
is. Either way the resulting tableau is L-satisfiable. The argument if the rule application
was an α or a negation rule is even simpler, and is omitted.

Now suppose the applied rule was the π rule from Table 11. The key thing we need is
this. For each of the logics under consideration, if members of S are realized at world w
of an L model M, and if w′ is any world of M that is accessible from w, then members
of S# are realized at w′. Verification of this is left to you. Now, suppose θ consists of
the members of S, and the signed formula π, and w realizes all the signed formulas on θ.
Since π is realized at w, there must be an alternate world w′ at which π₀ is realized. As
we just noted, at w′ all members of S# are realized. Then in the resulting tableau there
is still a satisfiable branch, though its members are realized at a different world than the
one realizing the members of the original branch.

The other rules from Table 11 are straightforward. ∎


PROPOSITION 6. If X has a proof using the tableau rules for L, then X is L valid. 


Proof. I’ll show the contrapositive. Suppose X is not L valid; so there is some world of
some L-model at which X is false. Then {F X} is L-satisfiable. Any tableau proof of X
must start with the tree with only F X, at its root. This is an L-satisfiable tableau, so
Proposition 5 says only L-satisfiable tableaus will be produced. An L-satisfiable tableau
cannot be closed. Hence X can have no L tableau proof. ∎


Next we turn to completeness. A common way of showing completeness for tableau 
systems involves devising a systematic way of applying tableau rules. Such a systematic 
approach is presented for classical logic in [57], for instance. While such a method has 
utility when computer implementations are involved, it is often hard work. Fortunately 
the method used to show completeness for axiom systems in Section 2.2 can also be 
applied, and is much simpler. 

First we need a small generalization of the notion of tableau. So far we have started
tableau constructions with a single signed formula. From now on, if S is a finite set
of signed formulas, a tableau for S will be any tableau starting with a single branch
containing the members of S, and continuing using the usual tableau rules. Then, a
tableau proof of a formula X is a closed tableau for the set {F X}.

Let L be one of the logics for which tableau rules have been provided in Table 11. Call
a set S of signed formulas L-inconsistent if there is a closed L tableau for some finite
subset of S, and call S L-consistent if it is not L-inconsistent. Clearly this notion of
L-consistency is of finite character, and so the Lindenbaum construction applies, see (1).
Every L-consistent set of signed formulas can be extended to a maximal L-consistent set.

We construct a model M = (G, R, V) much like we did in Section 2.2. G is the
collection of all maximal L-consistent sets of signed formulas. For w₁, w₂ ∈ G, w₁ R w₂
provided w₁# ⊆ w₂. And finally, w ∈ V(P) provided T P ∈ w. One cannot, at this point,
show an exact counterpart of (2) (though it is, in fact, true). But one can show the
following, involving an implication instead of an equivalence. For every signed formula
𝒳 and possible world w ∈ G


𝒳 ∈ w ⟹ w realizes 𝒳 in the model M        (4)

The proof is by induction on the complexity of signed formulas. Since we have several
connectives as primitive now, I’ll make use of uniform notation. Here are the cases needed
to establish (4).

Suppose P is atomic. If T P ∈ w then M, w ⊩ P by definition of V, so T P is realized
at w. Likewise if F P ∈ w, since w is L-consistent, T P ∉ w, and so M, w ⊮ P, and
again F P is realized at w.

The negation cases are straightforward, and are omitted.

Suppose we have a β signed formula, β ∈ w, and (4) is known for β₁ and β₂. Since
w is L-consistent, it follows from the tableau rules that one of w ∪ {β₁} or w ∪ {β₂} is
L-consistent. Then it follows by maximality of w that either β₁ ∈ w or β₂ ∈ w. By the
induction hypothesis, either β₁ or β₂ is realized at world w of M. And an examination
of the cases in the definition of β formulas shows this is enough for β to be realized at w
as well.

The α case is similar, and is omitted.

Suppose we have a ν formula, ν ∈ w, and (4) is known for ν₀. Let w′ be any member
of G with w R w′. For each choice of L, ν₀ ∈ w# and since w# ⊆ w′ by definition of R,
ν₀ ∈ w′. By the induction hypothesis, w′ realizes ν₀. A check of cases in the definition
of ν shows that, since w′ was arbitrary, ν is realized at w.

Finally, suppose we have a π formula, π ∈ w, and (4) is known for π₀. Using the π rule
from Table 11, it follows that w# ∪ {π₀} is consistent. Let w′ be a maximal L-consistent
extension of this. Then w′ ∈ G and since π₀ ∈ w′, the induction hypothesis gives us that
π₀ is realized at w′. Finally, since w R w′, it follows, for each case in the definition of π,
that π is realized at w.

Now that (4) has been established, putting the final pieces together is easy. For L being
any of the six logics from Tables 10 and 11, one can easily check that the construction
described above produces a model M that is, in fact, an L-model. Here is part of such
a verification. For any of the six logics being treated, S₁ ⊆ S₂ implies S₁# ⊆ S₂#. For
L being one of K4, S4, or D4, S# ⊆ S##. Now, suppose w₁ R w₂ and w₂ R w₃. Then
w₁# ⊆ w₂ and w₂# ⊆ w₃, so w₁## ⊆ w₂# ⊆ w₃. So if L is one of K4, S4, or D4, w₁# ⊆ w₃, and
hence w₁ R w₃. Thus for these three logics, the model is transitive. I’ll leave the other
conditions to you.

Now, if X is not provable by L-tableaus, {F X} is L-consistent. Extend it to a maximal 
L-consistent set w, which will be a world of the L model constructed above. It is a world 
at which X is false, by (4). Thus X is not L-valid. This establishes the following. 


PROPOSITION 7. For L being one of K, T, D, K4, S4, D4, the L tableau rules are 
complete. 


5.4 The Logic GL


In Section 2.3 we saw that, while a straight canonical model argument was not able to
prove completeness for GL, still a completeness argument could be given. A variation of
that argument works for an appropriate destructive tableau system for GL as well. I’ll
sketch this here.

First of all, what are the GL destructive tableau rules? Use the definition of S# for
K4, from Table 10. In addition, the π-rule itself needs modification. Following [57],
define the conjugate of a signed formula, written with an overbar, as follows: the conjugate
of T X is F X and the conjugate of F X is T X. Thus
conjugation amounts to switching the sign. Now, here is the curious but appropriate π
rule for GL, [8, 19].


    S, π
-----------
 S#, π₀, π̄


An example of a proof in this system appears in Figure 6, of the Löb formula □(□P ⊃
P) ⊃ □P. In it, 2 and 3 are from 1 by α. Then a π-rule application is made, with 3 as
the π formula. This replaces the original branch with a new one, shown below the line
in the Figure. Formulas 4 and 5 are from 3 and 6 and 7 are from 2. Then 8 and 9 are
from 7 by β, and both branches are closed.


[Figure 6. GL Destructive Tableau Example: tableau with lines numbered 1 to 9, ending in two branches, F □P (8) and T P (9).]


Soundness is shown by the same method as earlier, Proposition 5, and the argument
now is just like before, except for the new π rule. So, I’ll just show the following: if
S ∪ {π} is GL”-satisfiable, so is S# ∪ {π₀, π̄}. Well, suppose M = (G, R, V) is a GL”
model in which the members of S ∪ {π} are realized at possible world w₁, but there is no
world at which the members of S# ∪ {π₀, π̄} are realized. Since w₁ realizes π there must
be a world, w₂, with w₁ R w₂, with w₂ realizing π₀. And since w₁ realizes the members
of S, it is easy to see that w₂ must realize the members of S#. Since no world in M
realizes the members of S# ∪ {π₀, π̄}, it must be that w₂ cannot realize π̄, and hence
must realize π—that is, w₂ realizes all members of S# ∪ {π₀, π}. But now, since π is
realized at w₂, there must be a world w₃ with w₂ R w₃ such that π₀ is realized at w₃.
Since S# is realized at w₂ then S## is realized at w₃, but for the K4 definition, S# ⊆ S##,
so all of S# is realized at w₃. Then, as at w₂, we must have that π is realized at w₃.
That is, at w₃, just as at w₂, we have all the members of S# ∪ {π₀, π} realized. This
pattern repeats—there must be an accessible world w₄ realizing this set, and so on. But
this contradicts the non-existence of infinite chains in GL” models. Thus if S ∪ {π} is
GL”-satisfiable, so is S# ∪ {π₀, π̄}, and soundness follows.

For completeness, a modification of the proof in Section 2.3 will work. Let Z be a
formula with no GL tableau proof—I’ll construct a GL! counter-model. This time, let
sub(Z) be the set of all signed subformulas of Z—all T X and F X with X a subformula
of Z. Define consistency the way we did in Section 5.3—a set of signed formulas is
GL-consistent if no GL tableau for a finite subset closes. Now, construct a model
M_Z = (G_Z, R_Z, V_Z) as follows. G_Z is the set of all maximally consistent subsets of
sub(Z). A consistent subset of sub(Z) extends to a maximally consistent subset. Define
w ∈ V_Z(P) if T P ∈ w. Set w₁ R₀ w₂ provided w₁# ⊆ w₂. Then define w₁ R_Z w₂ if w₁ R₀ w₂
but not w₂ R₀ w₁. We now have a model M_Z. Just as in Section 2.3, it is finite, irreflexive,
and transitive. Finally, a variant of (3) holds for it. I state it as (5) and leave its proof
to you. With it, completeness (but not strong completeness) follows in the usual way.


For a signed formula 𝒳 ∈ sub(Z), 𝒳 ∈ w implies w realizes 𝒳        (5)


5.5 Tableau Remarks 


Unlike the proof procedures examined earlier in this chapter, tableau systems obey a 
subformula principle—all formulas occurring in a proof are subformulas of the formula 
being proved. Often this is expressed by saying tableaus are analytic. The modus 
ponens rule of axiom systems and of natural deduction systems is the reason they do 
not obey a subformula principle. Analyticity makes the finding of proofs a simpler thing 
and accounts for why tableau systems have frequently been automated while natural 
deduction and axiom systems have rarely been. Indeed, proofs of decidability for logics 
having tableau systems can often be based on analyticity. 

There is an important non-analytic rule that is sometimes added to tableau systems, 
the cut rule. It says, at any point in a tableau construction we can split the end of a 
branch, labeling the two new branch nodes with T X and F X, for an arbitrary formula 
X. Since X can be any formula, obviously analyticity is violated. There is a more 
restricted version of the rule, in which X is required to be a subformula of the formula 
being proved—this is called analytic cut. 

Why consider an unrestricted cut rule? Historically, it was introduced by Gentzen [29] 
in the closely related context of the sequent calculus (see Section 7). Gentzen wanted to 
constructively establish that tableau (sequent calculi) and axiom systems were equivalent 
for both classical and intuitionistic logic. The presence of a cut rule makes it easy to 
show this—cut roughly corresponds to modus ponens. Then Gentzen gave a complicated 
constructive argument that showed any application of a cut rule in a proof could be elim- 
inated. This fact, and its constructive proof, have been very influential, with important 
consequences, but it is not appropriate to go into this here. Suffice it to say that a cut 
rule can be added to any of the tableau systems of Section 5.2 without changing the 
class of provable formulas—that is, cut elimination can be proved for these systems, with 
proofs going back to [47, 48]. 

Proofs using cut, at least classically, can be significantly shorter than cut-free proofs.
Cut elimination for classical first-order logic can introduce a non-elementary blow-up in
proof depth. The corresponding situation for modal logics seems not to have been much
studied, but is probably similar. There has been recent work on designing proof systems
making proofs of cut elimination easier to establish. These go under the name display
logics. See [4, 58].

Cut elimination for our modal systems can be shown constructively by extending 
Gentzen’s argument, but the arguments are fussy. A non-constructive proof is quite sim- 
ple, however. The cut rule is easily seen to be a sound rule—it preserves L-satisfiability, 
for each L we have considered. Then the soundness proof of Section 5.3 extends—if X 
has an L-tableau proof, allowing the cut rule, X must be L valid. But by our complete- 
ness result, Proposition 7, if X is L valid it must have an L-tableau proof without cut. 
Consequently, if X is provable using L-tableaus plus cut, X is provable using L-tableaus 
without cut. 

A rule that can be added to a proof procedure without changing the class of theorems 
is called an admissible rule. What we have just shown is that cut is an admissible rule. 
Incidentally, now that we know this, it is easy to see that the implication (4) is actually 
an equivalence. This follows since, using cut, for each formula X, either TX or FX 
must be in any maximal L-consistent set, and closed tableaus using cut can be replaced 
by closed tableaus not using cut. 

Why consider analytic cut? For one thing, it can shorten proofs, and does not violate 
the subformula principle, so proof search procedures can incorporate it in a reasonable 
way. It has sometimes been included in tableau implementations for this reason. The 
reader cannot fail to have noticed that while nine representative modal logics were intro- 
duced in Table 1, tableau systems were given for only six of them. Tableau systems for 
the other three are missing, though if analytic cut is allowed, destructive tableau systems 
can be created, [33]. In this respect our representative normal modal logics are actually 
representative—more logics have axiom systems than have cut-free destructive tableau 
systems. Since tableau systems are useful for automation, a number of attempts have 
been made to augment tableaus with additional machinery so that more logics can be 
covered. We will see more of this starting in Section 6. 

Finally there is the matter of deduction, and the possibility of a strong completeness 
theorem. For the logics of Section 5.2, this is an easy matter. If a formula X is a global 
premise, one is allowed to add T X to any open tableau branch at any point. If X is a local 
premise, one can add it to any open tableau branch provided the π-rule in Table 11 has
not yet been applied on that branch. Then our soundness and completeness arguments 
do, in fact, extend to prove strong soundness and completeness—I omit the proof. It 
should be noted that there are logics, GL is an example, that have sound and complete 
tableau systems, but which do not extend to allow these additional premise-adding rules. 
(Otherwise one could establish compactness for GL, and there is a simple example in 
[19] showing that local compactness fails.) Things must be carefully checked. 


6 PREFIXED TABLEAUS 


In a destructive modal tableau an application of a π rule corresponds to a move to an
alternative world—this appears explicitly in the argument for the soundness of the π
rule. But the π rule loses information. If we are attempting to apply such a rule in a
logic whose semantics involves symmetry, we can expect problems. With symmetry we
can leave a world and return to it, so to speak. But in a destructive tableau, having
lost information, there is no mechanism to regain it (except, sometimes, analytic cut).
In order to get around this problem various mechanisms have been introduced to retain
information about other worlds during a proof—for instance in [37] a method of semantic
diagrams is presented, in which multiple-world information is retained by the use of
multiple boxes. Prefixed tableaus provide additional machinery using a device that is
especially syntactic in nature. These tableau systems were introduced in [18, 19], but
took on their present modular form in [46, 33]. They can also be seen as a particular
kind of labeled deductive system, see [27].


6.1 A Prefixed System for K 


A prefix is a finite sequence of positive integers, which I will write using a dot as separator, 
for example, 1.2.3.2.3. The informal idea is that a prefix names a possible world, with 
1.2.3.2.1, 1.2.3.2.2, 1.2.3.2.3, and so on, all naming worlds accessible from 1.2.3.2. A 
prefixed (signed) formula is σ T X or σ F X, where σ is a prefix and X is a formula. The
informal idea is that a prefixed formula asserts the underlying formula is true/false at
the world named by the prefix.

A prefixed tableau proof of X begins with 1 F X, informally asserting that X is false
in some world, named by 1. It continues using branch extension rules to be given in a
moment. The goal is to produce a closed tableau, where now a branch is closed if it
contains σ T X and σ F X for some formula X (note that the prefix is the same in both
cases). A branch is also closed if it contains σ T ⊥ or σ F ⊤. And a tableau is closed if
each branch is closed, as usual.

The branch extension rules for the propositional connectives are as before, except that 
prefixes are carried along. They are given in Table 12. 


σ T ¬X      σ F ¬X      σ α        σ β
-------     -------     -----      -------------
σ F X       σ T X       σ α₁       σ β₁ | σ β₂
                        σ α₂


Table 12. Prefixed Classical Rules 


The modal rules for K are given in Table 13. A prefix has been used on a branch if
it already occurs on the tableau branch. It is new if it does not occur. The intuition
should be fairly clear. If a π formula is true at a world named by prefix σ, then π₀ must
be true at an alternative world. We want to pick a name for that world, a prefix. Since
the world is accessible from the world named by σ, we want a prefix that extends σ by
one number, and otherwise it should be uncommitted, hence the newness requirement.
The ν rule is similarly motivated.


σ ν                  σ π
--------             --------
σ.n ν₀               σ.n π₀
for σ.n used         for σ.n new


Table 13. Modal Tableau Rules for K 


Figure 7 contains an example of a proof in this K tableau system, of (◇□P ∧ □◇Q) ⊃ 
◇◇(P ∧ Q). In it, 2 and 3 are from 1, and 4 and 5 are from 2 by α, 6 is from 4 by π, 7 
is from 5 by ν, 8 is from 7 by π, 9 is from 3 and 10 is from 9 by ν, 11 and 12 are from 
10 by β, and 13 is from 6 by ν. Closure is by 11, 13 and 8, 12. 


1 F (◇□P ∧ □◇Q) ⊃ ◇◇(P ∧ Q)   1. 
1 T ◇□P ∧ □◇Q   2. 
1 F ◇◇(P ∧ Q)   3. 
1 T ◇□P   4. 
1 T □◇Q   5. 
1.1 T □P   6. 
1.1 T ◇Q   7. 
1.1.1 T Q   8. 
1.1 F ◇(P ∧ Q)   9. 
1.1.1 F P ∧ Q   10. 

1.1.1 F P   11.      |      1.1.1 F Q   12. 
1.1.1 T P   13. 


Figure 7. Prefixed K Tableau 


Prefixed tableaus can be used for derivations as well as for proofs, in quite a simple 
way. To use X as a global premise, one may add σ T X to the end of any open branch, 
for any prefix σ that appears on the branch. To use X as a local premise, one may add 
1 T X only. 


6.2 Soundness and Completeness 


So far I have only given prefixed rules for K. But rules for other logics do not change the 
basic ideas very much, so I’ll prove soundness and completeness now, while things are at 
their simplest. 

Soundness is by the usual tableau argument—see Section 5.3 for details in the destructive 
tableau setting. For prefixed formulas, I’ll say a set S of prefixed, signed formulas 
is satisfiable (properly speaking, K satisfiable) if there is a model M, and a mapping N 
from the prefixes in S to possible worlds in M, such that if σ 𝒳 ∈ S then 𝒳 is realized at 
N(σ) in M, where 𝒳 is a signed formula. As before, a tableau branch is satisfiable if the 
set of prefixed formulas on it is satisfiable, and a tableau is satisfiable if some branch is. 
I’ll leave it to you to establish that each tableau rule converts a satisfiable tableau into 
another satisfiable tableau. And trivially, a closed tableau cannot be satisfiable. Now 
soundness follows exactly as in Section 5.3. 

Modal operators have strong similarities to quantifiers, and that observation plays a 
role now. For starters, the Lindenbaum construction of (1) needs to be ‘Henkinized.’ 
We'll say a set S of prefixed signed formulas is K-consistent if no K-tableau for a finite 
part of S is closed; S is π-complete provided, if σ π ∈ S then for some integer k, σ.k π₀ ∈ 
S; and S omits infinitely many integers if the set of integers that do not appear in prefixes 
in S is infinite. It is a fact that every K-consistent set S of prefixed sentences that omits 
infinitely many integers can be extended to a set that is maximally K-consistent and 
π-complete. This can be done via the following Henkin-style modification of the earlier 
construction, (1). 


Lindenbaum-Henkin Construction Suppose S is a K-consistent set of prefixed sentences 
that omits infinitely many integers. Enumerate the (countably many) prefixed 
signed formulas of the language, σ₁ 𝒳₁, σ₂ 𝒳₂, ..., and define the following 
sequence of sets. 

$$S_1 = S$$

$$S_{n+1} = \begin{cases} S_n \cup \{\sigma_n\,\mathcal{X}_n\} & \text{if K-consistent and } \mathcal{X}_n \text{ is not } \pi \\ S_n \cup \{\sigma_n\,\pi,\ \sigma_n.k\,\pi_0\} & \text{if K-consistent, } \mathcal{X}_n \text{ is } \pi, \text{ and } \sigma_n.k \text{ is new} \\ S_n & \text{otherwise} \end{cases} \tag{6}$$

In this construction, ‘new’ means σₙ.k does not occur in Sₙ or in π (= 𝒳ₙ). 


It is not hard to see that if S omits infinitely many integers, this will also be the case 
with each Sₙ. Also, if Sₙ ∪ {σₙ π} is K-consistent, then Sₙ ∪ {σₙ π, σₙ.k π₀} will also be 
K-consistent provided σₙ.k is new, and if Sₙ omits infinitely many integers, there will be 
such a prefix that is new. I’ll leave it to you to check that if S is K-consistent and omits 
infinitely many integers, then ⋃ₙ Sₙ will be maximally K-consistent and π-complete. 

Suppose X is not provable using the prefixed K-tableau rules. Then {1 F X} is K-consistent, 
and obviously omits infinitely many integers. Extend it to a maximally K-consistent, 
π-complete set, S, using the construction above. Let G be the set of prefixes 
that occur in S. For prefixes σ and τ in G, set σRτ if τ is σ.n for some integer n. For a 
propositional letter P, let σ ∈ V(P) if σ T P ∈ S. This gives us a model M = ⟨G, R, V⟩. 
Incidentally, note that the model is constructed from a single maximally consistent set, 
rather than a family of them, as was the case with destructive tableaus. This is a key 
difference between the two types of tableaus: prefixed tableau branches keep track of 
multiple worlds; destructive tableau branches have information about a single world at 
a time. 


Now we need a truth lemma. It says: for every signed formula 𝒳, the following is true. 

$$\sigma\,\mathcal{X} \in S \implies \sigma \text{ realizes } \mathcal{X} \text{ in the model } M \tag{7}$$


Equation (7) has a straightforward proof, which I’ll leave to you. Once we have it 
completeness is immediate, since {1 F X} ⊆ S and so X is false at world 1 of the model 
M. 

The completeness proof just given is simple, but there is another way of proving 
completeness that provides additional information. One can give an algorithm that 
systematically expands K tableaus. If the algorithm is properly crafted, one can show 
that either it will produce a proof, or it will terminate with an unclosed tableau. If it 
terminates, the set of formulas on any open branch can play the role of the set S in the 
proof above; (7) can be proved for it. In this way we not only get completeness, but 
a concrete decision procedure as well. Such an algorithm is given in [19, Ch 8, sect 4]. 
With some of the other logics to be discussed in the next section, termination is not as 
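simple as it is with K, and may involve loop-checking. I do not pursue this further here. 


For prefixes σ and σ.n already occurring on the tableau branch: 

$$T:\ \frac{\sigma\,\nu}{\sigma\,\nu_0} \qquad 4r:\ \frac{\sigma.n\,\nu}{\sigma\,\nu} \qquad 4:\ \frac{\sigma\,\nu}{\sigma.n\,\nu} \qquad B:\ \frac{\sigma.n\,\nu}{\sigma\,\nu_0}$$

$$D:\ \frac{\sigma\,T\,\Box X}{\sigma\,T\,\Diamond X} \qquad \frac{\sigma\,F\,\Diamond X}{\sigma\,F\,\Box X}$$

Table 14. Modal Tableau Rules 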
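The systematic expansion of K tableaus mentioned at the end of Section 6.2, written out as an added example (it is not code from the handbook or from [19]). The tuple encoding of formulas and the names `classify`, `expand`, `provable`, `countermodel` and `holds` are assumptions of this sketch; it applies the rules of Tables 12 and 13 until a branch closes or nothing more applies, and reads an open branch as the model ⟨G, R, V⟩ of the completeness proof.

```python
# Added example: a terminating prefixed tableau procedure for K.
# Encoding (an assumption of this sketch): formulas are nested tuples,
# ("atom","P"), ("not",X), ("and",X,Y), ("or",X,Y), ("imp",X,Y), ("box",X),
# ("dia",X); a prefix is a tuple of ints; sign True is T, False is F.
# The constants for falsehood and truth are left out to keep the block short.

def classify(sign, f):
    """Return (kind, components) for a signed formula, following Tables 12 and 13."""
    op = f[0]
    if op == "atom":
        return "literal", []
    if op == "not":
        return "alpha", [(not sign, f[1])]
    if op == "box":                       # T box X is nu, F box X is pi
        return ("nu" if sign else "pi"), [(sign, f[1])]
    if op == "dia":                       # T dia X is pi, F dia X is nu
        return ("pi" if sign else "nu"), [(sign, f[1])]
    parts = [(not sign if op == "imp" else sign, f[1]), (sign, f[2])]
    conjunctive = sign if op == "and" else not sign
    return ("alpha" if conjunctive else "beta"), parts

def expand(branch):
    """Return None if the branch closes, otherwise an open saturated branch."""
    branch = set(branch)
    while True:
        if any((p, not s, f) in branch for (p, s, f) in branch):
            return None                   # sigma T X and sigma F X both present
        prefixes = {p for (p, _, _) in branch}
        add, pi_step, split = set(), None, None
        for (p, s, f) in branch:
            kind, parts = classify(s, f)
            kids = [q for q in prefixes if q[:-1] == p]     # used prefixes sigma.n
            if kind == "alpha":
                add |= {(p, *x) for x in parts}
            elif kind == "nu":            # nu_0 goes to every used sigma.n
                add |= {(q, *parts[0]) for q in kids}
            elif kind == "pi" and not any((q, *parts[0]) in branch for q in kids):
                pi_step = (p + (len(kids) + 1,), *parts[0])  # sigma.n is new
            elif kind == "beta" and not any((p, *x) in branch for x in parts):
                split = [(p, *x) for x in parts]
        add -= branch
        if add:
            branch |= add
        elif pi_step:                     # one pi step per pass keeps prefixes new
            branch.add(pi_step)
        elif split:
            for item in split:
                result = expand(branch | {item})
                if result is not None:
                    return result
            return None
        else:
            return branch                 # nothing left to apply: open branch

def provable(formula):
    """A proof of X is a closed tableau starting from 1 F X."""
    return expand({((1,), False, formula)}) is None

def countermodel(formula):
    """Read an open branch as the model (G, R, V) of the completeness proof."""
    branch = expand({((1,), False, formula)})
    if branch is None:
        return None
    worlds = {p for (p, _, _) in branch}
    access = {(p, q) for p in worlds for q in worlds if q[:-1] == p}
    val = {(p, f[1]) for (p, s, f) in branch if s and f[0] == "atom"}
    return worlds, access, val

def holds(model, w, f):
    """Ordinary Kripke truth at world w, used to check the truth lemma."""
    worlds, access, val = model
    op = f[0]
    if op == "atom":
        return (w, f[1]) in val
    if op == "not":
        return not holds(model, w, f[1])
    if op in ("and", "or", "imp"):
        a, b = holds(model, w, f[1]), holds(model, w, f[2])
        return {"and": a and b, "or": a or b, "imp": (not a) or b}[op]
    successors = [v for (u, v) in access if u == w]
    quantifier = all if op == "box" else any
    return quantifier(holds(model, v, f[1]) for v in successors)

P, Q = ("atom", "P"), ("atom", "Q")
box = lambda x: ("box", x)
dia = lambda x: ("dia", x)
imp = lambda x, y: ("imp", x, y)
FIG7 = imp(("and", dia(box(P)), box(dia(Q))), dia(dia(("and", P, Q))))
T_AXIOM = imp(box(P), P)                  # valid in T but not in K

if __name__ == "__main__":
    print(provable(FIG7), provable(T_AXIOM), countermodel(T_AXIOM))
```

Termination relies on two facts specific to K: a π formula is expanded only if no child prefix already carries its π₀, and prefix length is bounded by the modal depth of the input.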


6.3 Other Modal Logics 


Following [46, 33], other standard modal logics can be handled in a modular fashion. 
First, some additional tableau rules, and their names, are given in Table 14. 

Next, some common modal logics can be given prefixed tableau proof systems by 
adding various combinations of these rules to those for K. How to do this for several 
modal logics is summarized in Table 15. I omit proofs of soundness and completeness— 
they are straightforward variants of what worked for K. 


Logic | Special Rules 
T 
K4 
S4 
KB 
B 
S5 
D 
D4 
DB 



Table 15. Prefixed Tableau Systems 


Note that, unlike with destructive modal tableaus, there are straightforward prefixed 
tableau systems for logics involving symmetry in their semantics. In particular, there 
is a system for S5. In this case, and this case only, there is actually a simpler version 
that will also serve—let us call it the Simple S5 System. Instead of taking prefixes to be 
sequences of positive integers, take them to be single positive integers. And replace the 
modal rules of Tables 13 and 15 with those in Table 16. Essentially, this works because 
there is an alternate Kripke semantics for S5 in which the accessibility relation holds 
between any two worlds. 

Figure 8 displays a proof using these Simple S5 Rules, of P ⊃ □◇P. 

$$\frac{n\,\nu}{k\,\nu_0}\ \text{ for } k \text{ used} \qquad\qquad \frac{n\,\pi}{k\,\pi_0}\ \text{ for } k \text{ new}$$


Table 16. Simple Tableau Rules just for S5 


1 F P ⊃ □◇P   1. 
1 T P   2. 
1 F □◇P   3. 
2 F ◇P   4. 
1 F P   5. 


Figure 8. A Prefixed S5 Tableau Proof 


It was shown in [42] that for K, T, and S4, satisfiability is PSpace complete (more 
generally, for modal logics between K and S4). It was also shown that for S5 it drops to 
NP complete. This is reflected in the existence of the simple tableau system for S5 given 
here. On the other hand, for multi-modal logics, which will be considered in Section 9, 
satisfiability is PSpace complete, [34], even for multi-modal S5, and so we should not 
expect a simple multi-modal version for this logic, unlike in the mono-modal case. A 
thorough discussion of complexity issues can be found in this volume, in Chapter 3. 


7 GENTZEN SYSTEMS 


A sequent is written X₁, …, Xₙ → Y₁, …, Yₖ, where the Xᵢ and Yⱼ are formulas. It 
is informally taken to mean the conjunction of the formulas on the left of the arrow 
has the disjunction of the formulas on the right as a consequence. Either n or k can 
be 0, with an empty conjunction treated as true, and an empty disjunction as false. A 
sequent calculus is a specification of rules for deriving sequents from sequents. But how 
something is written does not determine its mathematical properties. What actually is 
a sequent? 

A list of formulas, X₁, …, Xₙ say, in a sequent can represent at least three different 
mathematical objects: a set, a multiset, or a sequence. In Gentzen’s original treatment, 
[29], a formula list represented a sequence. Gentzen provided rules permitting, for exam- 
ple, the permutation of members of a list, or the duplication of members. If a formula 
list is taken to represent a multiset, permutation need not be specified, but formula du- 
plication still must be provided for. If a formula list is taken to represent a set, even 
duplication rules can be omitted. Rules like permutation, duplication, and a few others, 
are called structural rules. By using a multiset or a sequence, and at the same time 
omitting various structural rules, a family of substructural logics has been created, with 
linear logic and relevance logic as the best-known representatives, [14, 50, 53]. By re- 
stricting the right side of a sequent to have at most one formula, intuitionistic logic can 
be captured. This is not the place to go into what is a very extensive subject—here we 
are interested in modal logic over a classical logic base. Consequently here lists will be 
thought of as designating sets, which means structural rules are not needed—they are 
built into the data structure, so to speak. 


7.1 Classical Propositional Sequents 


With it understood that lists represent sets, the Gentzen system rules for classical propo- 
sitional logic will now be given. I use boldface letters, with and without subscripts, to 
denote formula lists, which represent sets. If I write S, X I mean the list consisting of 
the members of S, together with X, and similarly for other obvious notational conven- 
tions. A sequent calculus is a forward reasoning system: certain sequents are taken as 
axioms, and there are rules for deducing a sequent from others. Note that the rules each 
introduce exactly one connective, and there is one rule for an introduction on the left of 
the arrow, and one for the right. 


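Axioms 

$$S_L, X \to S_R, X \qquad S_L, \bot \to S_R \qquad S_L \to S_R, \top$$

Negation Rules 

$$\frac{S_L, X \to S_R}{S_L \to S_R, \neg X} \qquad \frac{S_L \to S_R, X}{S_L, \neg X \to S_R}$$

Conjunction Rules 

$$\frac{S_L, X, Y \to S_R}{S_L, X \land Y \to S_R} \qquad \frac{S_L \to S_R, X \qquad S_L \to S_R, Y}{S_L \to S_R, X \land Y}$$

Disjunction Rules 

$$\frac{S_L, X \to S_R \qquad S_L, Y \to S_R}{S_L, X \lor Y \to S_R} \qquad \frac{S_L \to S_R, X, Y}{S_L \to S_R, X \lor Y}$$

Implication Rules 

$$\frac{S_L, Y \to S_R \qquad S_L \to X, S_R}{S_L, X \supset Y \to S_R} \qquad \frac{S_L, X \to S_R, Y}{S_L \to S_R, X \supset Y}$$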


A Gentzen system proof of a sequent is a tree having the sequent at its root— 
customarily the root is written at the bottom—with axioms at leaves, and with each 
non-leaf following from its children by one of the rules above. A proof of a formula X 
is taken to be a proof of the sequent → X. Figure 9 shows a proof in this system, of 
¬(X ∧ Y) ⊃ (¬X ∨ ¬Y). I’ll leave it to you to supply reasons for the steps. 

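$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{X \to \neg Y, X}{\to \neg X, \neg Y, X}}{\to \neg X \lor \neg Y, X} \qquad \dfrac{\dfrac{Y \to \neg X, Y}{\to \neg X, \neg Y, Y}}{\to \neg X \lor \neg Y, Y}}{\to \neg X \lor \neg Y, X \land Y}}{\neg(X \land Y) \to \neg X \lor \neg Y}}{\to \neg(X \land Y) \supset (\neg X \lor \neg Y)}$$


Figure 9. Gentzen Sequent Proof 


Soundness for this sequent calculus is easily established. Define a mapping from sequents 
to formulas as follows. 

$$\begin{aligned} [X_1, \dots, X_n \to Y_1, \dots, Y_k]^f &= (X_1 \land \dots \land X_n) \supset (Y_1 \lor \dots \lor Y_k) \\ [X_1, \dots, X_n \to\ ]^f &= (X_1 \land \dots \land X_n) \supset \bot \\ [\ \to Y_1, \dots, Y_k]^f &= \top \supset (Y_1 \lor \dots \lor Y_k) \end{aligned} \tag{8}$$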


This mapping is in keeping with the remarks at the beginning of the section about the 
informal meaning of a sequent—conjunctions entailing disjunctions. It is easy to show 
that if images of the premises of a sequent rule are classically valid formulas, so is the 
image of the conclusion. Also, images of all sequent axioms are classically valid formulas. 
So the image of every provable sequent, under this mapping, is valid. If a formula X has 
a sequent proof, the sequent → X is provable, hence its image is valid. But [→ X]^f 
is ⊤ ⊃ X, and it follows that X is valid. 

Gentzen systems predate tableaus by many years. They were introduced as a tool 
for the analysis of proofs, while tableaus were introduced as a convenient mechanism for 
proof search. But tableaus were heavily influenced by Gentzen systems—indeed there 
is a simple correspondence between sequents and sets of signed (unprefixed) formulas. 
Define a mapping from finite sets of signed formulas to sequents as follows. 


$$\{T\,X_1, \dots, T\,X_n, F\,Y_1, \dots, F\,Y_k\}^{\circ} \text{ is the sequent } X_1, \dots, X_n \to Y_1, \dots, Y_k \tag{9}$$


Thus the mapping puts T-signed formulas on the left and F-signed formulas on the right. 
Now, a key fact is the following. 


LEMMA 8. Let S be a finite set of signed formulas. If there is a closed tableau for S 
using the classical tableau rules of Section 5.1, then the sequent S° is provable using the 
sequent rules of this section. 


Proof. Let us say S closes with depth d if d is the smallest number such that there is 
a closed tableau for S with d tableau rule applications. The proof is by induction on d. 

If S closes with depth 0, it must contain T X and F X for some X, or T ⊥, or F ⊤. 
In each case S° is a sequent calculus axiom. 

Now suppose S closes with depth d and the result is known for sets that close with 
depth less than d. Say that T X ∧ Y ∈ S and in a d-step tableau for S the first rule 
application is to this signed formula. It follows that there must be a closed tableau 
for S ∪ {T X, T Y} with fewer than d rule applications. By the induction hypothesis, 
the sequent image of this set must have a sequent calculus proof. Let S_L be the list 
of formulas that occur in S with a sign of T, and let S_R be the list of formulas in S 
with a sign of F. Then [S ∪ {T X, T Y}]° is the sequent S_L, X, Y → S_R, and so this 
must be provable. Then by one of the two sequent rules for conjunction, the sequent 
S_L, X ∧ Y → S_R is provable, but this is S°. 

The other cases are similar. ∎ 


With this established, we quickly get the following. 
PROPOSITION 9. The classical propositional sequent calculus is complete. 


Proof. For Proposition 7 a completeness proof for a destructive modal tableau system 
was given. It is easy to see that a completeness proof for the non-modal part is 
extractable. Leaving this to you, we have that if X is classically valid, there must be a 
closed classical tableau for {F X}. By the Lemma above, the sequent → X must then 
be provable, and hence X has a sequent calculus proof. ∎ 


It is important to understand what is behind the proof of Lemma 8. In the one 
induction case given in detail, a tableau and a sequent rule for conjunction were involved. 
Here they are, side by side. 


$$\frac{T\,X \land Y}{\begin{array}{c} T\,X \\ T\,Y \end{array}} \qquad\qquad \frac{S_L, X, Y \to S_R}{S_L, X \land Y \to S_R}$$


Notice that, via the mapping from sets of signed formulas to sequents, these rules 
correspond in a fairly obvious way, except that each is an upside-down version of the other. 
This is the case with every tableau and sequent rule. It is what makes Lemma 8 work. 
Once this correspondence is understood, it is easy to see that the sequent proof in Figure 9 
and the tableau proof in Figure 4 are just presentations, in their respective systems, of 
the same construction. The correspondence between tableaus and Gentzen system proofs 
is worked out in detail in [57], where the two systems are developed simultaneously. 


7.2 Modal Propositional Sequents 


Now that the correspondence between tableau proofs and sequent proofs is clear in the 
classical case, we have a guiding principle to follow in turning destructive modal tableau 
rules into modal sequent rules. We want them to be ‘upside down’ counterparts. If we do 
it properly we are guaranteed completeness, since we already have tableau completeness 
proofs. Here is a sequent version for K that does this. First, the definition of S^♯ needs 
a dual version. 

$$S^{\sharp} = \{X \mid \Box X \in S\} \qquad S^{\flat} = \{X \mid \Diamond X \in S\}$$

And now, the additional rules needed for K are the following. 

$$\frac{S_L^{\sharp}, X \to S_R^{\flat}}{S_L, \Diamond X \to S_R} \qquad \frac{S_L^{\sharp} \to S_R^{\flat}, X}{S_L \to S_R, \Box X}$$

For K4 the definitions above must be replaced with the following, though the form of 
the rules stays the same. 

$$S^{\sharp} = \{\Box X, X \mid \Box X \in S\} \qquad S^{\flat} = \{\Diamond X, X \mid \Diamond X \in S\}$$

For S4 we use the system for K4 together with the following additional rules, the T 
ones. 

$$\frac{S_L, X \to S_R}{S_L, \Box X \to S_R} \qquad \frac{S_L \to S_R, X}{S_L \to S_R, \Diamond X}$$

Clearly, any of the modal logics with a destructive tableau system also has a sequent 
calculus proof system. 


8 HYPERSEQUENTS 


Just as tableaus have been fitted out with extra machinery, such as prefixes, sequent 
calculi have also been enhanced. Hypersequents add machinery that makes it possible 
to provide proof systems for several well-known non-classical logics—see [3]. While they 
provide a uniform mechanism that can deal with a rich variety of logics, here I will only 
discuss the hypersequent calculus for S5. 


8.1 Hypersequents for S5 


A hypersequent is written X₁ → Y₁ | X₂ → Y₂ | ⋯ | Xₙ → Yₙ. In this expression 
each component, Xᵢ → Yᵢ, is a sequent (so each Xᵢ and Yᵢ is a list of formulas), 
and the expression itself is a list of sequents. Intuitively a hypersequent should be read 
disjunctively—one of the sequents is the case—though exact details vary from logic to 
logic. Various non-classical logics can be captured by imposing special conditions on how 
lists behave, but for S5 things are rather simple. As we did in Section 7, a list will be 
thought of as designating a set, and hence permutation and repetition are built in. 

A proof of a formula X is a proof of the hypersequent with the single component 
→ X, where the notion of a proof of a hypersequent is about to be defined. Much as 
with a Gentzen system, there are axioms, and rules for deducing hypersequents from 
hypersequents. 

Axioms are component-wise versions of those in Section 7.1: a hypersequent C₁ | C₂ | 
⋯ | Cₙ is an axiom if some Cᵢ is an axiom in the sequent sense. The rules for the 
classical propositional connectives also carry over component-wise. Here are the rules for 
conjunction, as an example. In them, the Cᵢ and Dⱼ are sequents. 


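$$\frac{C_1 \mid \cdots \mid C_n \mid S_L, X, Y \to S_R \mid D_1 \mid \cdots \mid D_k}{C_1 \mid \cdots \mid C_n \mid S_L, X \land Y \to S_R \mid D_1 \mid \cdots \mid D_k}$$

$$\frac{\begin{array}{c} C_1 \mid \cdots \mid C_n \mid S_L \to S_R, X \mid D_1 \mid \cdots \mid D_k \\ C_1 \mid \cdots \mid C_n \mid S_L \to S_R, Y \mid D_1 \mid \cdots \mid D_k \end{array}}{C_1 \mid \cdots \mid C_n \mid S_L \to S_R, X \land Y \mid D_1 \mid \cdots \mid D_k}$$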


We want a proof system for S5. Since this extends S4, besides the classical rules we 
need the S4 modal rules, from the end of Section 7.2, in hypersequent form of course. 
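There are four such S4 rules. First there are the K4 rules, in which S^♯ = {□X, X | 
□X ∈ S} and S^♭ = {◇X, X | ◇X ∈ S}. 

$$\frac{C_1 \mid \cdots \mid C_n \mid S_L^{\sharp}, X \to S_R^{\flat} \mid D_1 \mid \cdots \mid D_k}{C_1 \mid \cdots \mid C_n \mid S_L, \Diamond X \to S_R \mid D_1 \mid \cdots \mid D_k}$$

$$\frac{C_1 \mid \cdots \mid C_n \mid S_L^{\sharp} \to S_R^{\flat}, X \mid D_1 \mid \cdots \mid D_k}{C_1 \mid \cdots \mid C_n \mid S_L \to S_R, \Box X \mid D_1 \mid \cdots \mid D_k}$$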

And here are the hypersequent T rules. 


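$$\frac{C_1 \mid \cdots \mid C_n \mid S_L, X \to S_R \mid D_1 \mid \cdots \mid D_k}{C_1 \mid \cdots \mid C_n \mid S_L, \Box X \to S_R \mid D_1 \mid \cdots \mid D_k}$$

$$\frac{C_1 \mid \cdots \mid C_n \mid S_L \to S_R, X \mid D_1 \mid \cdots \mid D_k}{C_1 \mid \cdots \mid C_n \mid S_L \to S_R, \Diamond X \mid D_1 \mid \cdots \mid D_k}$$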


So far the rules have made no special use of the hypersequent mechanism; they have 
all been direct counterparts of sequent calculus rules. There is one final rule that turns 
the system into one for S5, and in it the full mechanism comes into play. First some 
terminology. Call a formula modal if it is of the form □X or ◇X. I’ll say the pair of 
sequents X₁ → Y₁ and X₂ → Y₂ is a modal splitting of the sequent U → V if, first, 
X₁ ∪ X₂ = U and Y₁ ∪ Y₂ = V and, second, all formulas in X₁ and in Y₁ are modal. 
(It is not assumed that X₁ and X₂ are disjoint, and similarly for Y₁ and Y₂). 


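Modal Splitting Rule If the sequents C_i^1 and C_i^2 are a modal splitting of C_i, then: 

$$\frac{C_1 \mid \cdots \mid C_{i-1} \mid C_i \mid C_{i+1} \mid \cdots \mid C_n}{C_1 \mid \cdots \mid C_{i-1} \mid C_i^1 \mid C_i^2 \mid C_{i+1} \mid \cdots \mid C_n}$$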


8.2 Examples 


I’ll first give some useful derived rules, and then a hypersequent proof that makes use 
of them. The first derived rule is weakening, which allows the introduction of additional 
formulas into sequents. It says the following. 


Weakening Rule 


Sometimes weakening is taken as a basic rule in the sequent calculus, but in our case 
it is built in indirectly. Note that sequent axioms were not of the form X → X, but 
allowed side formulas, S_L, X → S_R, X, and similarly for the other two axiom forms. 
All the various rules allow us to carry side formulas along, and also the K rules allow 
for the introduction of additional side formulas. Given this, showing that weakening is a 
derived rule is an easy induction on proof complexity. 

The next derived rules are peculiar to hypersequents—there is no underlying sequent 
version. 


Derived ν Rules 


C₁ | ⋯ | Cₙ | X, □A → Y | U, A → V | D₁ | ⋯ | Dₖ 

Derived π Rules 
G|- |X Y, OAD |- [D 


Here is a hypersequent derivation showing that the first of the ν rules above is a 
derived rule. The Repetition label refers to the fact that for us lists represent sets, and 
so repeated sequents can be combined. 


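$$\begin{array}{ll} C_1 \mid \cdots \mid C_n \mid X, \Box A \to Y \mid U, A \to V \mid D_1 \mid \cdots \mid D_k & \\ \hline C_1 \mid \cdots \mid C_n \mid X, \Box A \to Y \mid U, \Box A \to V \mid D_1 \mid \cdots \mid D_k & \text{T Rule} \\ \hline C_1 \mid \cdots \mid C_n \mid X, \Box A \to Y \mid \Box A \to\ \mid U \to V \mid D_1 \mid \cdots \mid D_k & \text{Modal Splitting} \\ \hline C_1 \mid \cdots \mid C_n \mid X, \Box A \to Y \mid X, \Box A \to Y \mid U \to V \mid D_1 \mid \cdots \mid D_k & \text{Weakening} \\ \hline C_1 \mid \cdots \mid C_n \mid X, \Box A \to Y \mid U \to V \mid D_1 \mid \cdots \mid D_k & \text{Repetition} \end{array}$$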


Showing that the π rules are derived ones is simpler, and does not make use of the 
Modal Splitting rule. Here is the verification for the first one. 


K4 Rule 
IC ae ee ar 
Ci |- | Ca |X, 9A — Y|X,OA— Y | Dij g 


k 
Repetition 
Ci | | Ca |X, OA — Y |D | |D; 2 


Finally, Figure 10 displays a hypersequent proof of P ⊃ □◇P, in which use is made 
of some of the derived rules. Note that it begins with a hypersequent axiom, since 
P → □◇P, P is a sequent axiom. 


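$$\begin{array}{ll} P \to \Box\Diamond P, P \ \mid\ \to \Diamond P & \\ \hline P \to \Box\Diamond P \ \mid\ \to \Diamond P & \text{Derived } \nu \text{ Rule} \\ \hline P \to \Box\Diamond P & \text{Derived } \pi \text{ Rule} \\ \hline \to P \supset \Box\Diamond P & \text{Implication Rule} \end{array}$$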


Figure 10. A Hypersequent Proof 


8.3 Soundness and Completeness 


Equations (8) in Section 7.1 define a translation from sequents into formulas. Following 
[3] this is extended to hypersequents as follows. 


$$[C_1 \mid C_2 \mid \cdots \mid C_n]^f = \Box C_1^f \lor \Box C_2^f \lor \dots \lor \Box C_n^f \tag{10}$$

Suppose we could show all hypersequents that are provable in the S5 system just 
presented have translates that are valid in S5. If the formula X were provable, there 
would be a hypersequent proof ending in the single-component hypersequent → X, and 
its hypersequent translate is □(⊤ ⊃ X), which would be valid. But if □(⊤ ⊃ X) is S5 
valid, so is X. Consequently, showing soundness for the S5 hypersequent calculus comes 
down to showing all provable hypersequents have S5 valid translates. 

It is easy to see that the translation of each hypersequent axiom is S5 valid. So if we 
can show that each of the hypersequent rules preserves validity of translation, we have 
soundness. This is straightforward for most of the hypersequent calculus rules. The only 
one needing serious work is the modal splitting rule. Let us say that component C is 
□X, ◇Y, Z → □U, ◇V, W, and that □X, ◇Y → □U, ◇V and Z → W is a modal 
splitting of it. (I write □X to denote the list of formulas in X with □ prefixed to each, 
and similarly for ◇Y.) It is enough to show the S5 validity of the following. 


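$$[\Box X, \Diamond Y, Z \to \Box U, \Diamond V, W]^f \supset \{\Box[\Box X, \Diamond Y \to \Box U, \Diamond V]^f \lor \Box[Z \to W]^f\}$$


Writing this out in full, we get the following formula. 

$$\Big[\big(\bigwedge_i \Box X_i \land \bigwedge_i \Diamond Y_i \land \bigwedge_i Z_i\big) \supset \big(\bigvee_i \Box U_i \lor \bigvee_i \Diamond V_i \lor \bigvee_i W_i\big)\Big] \supset$$

$$\Big\{\Box\Big[\big(\bigwedge_i \Box X_i \land \bigwedge_i \Diamond Y_i\big) \supset \big(\bigvee_i \Box U_i \lor \bigvee_i \Diamond V_i\big)\Big] \lor \Box\Big[\bigwedge_i Z_i \supset \bigvee_i W_i\Big]\Big\}$$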


Despite the intimidating appearance of this, it has a simple proof using the Simple 
Tableau System for S5 given in Section 6.3. I’ll leave this to the reader. 

A direct proof of completeness can be found in [3], but for us it is easier to show that 
Simple S5 Tableau System proofs can be translated into hypersequent proofs, and then 
rely on tableau completeness. In (9) a mapping from finite sets of signed formulas to 
sequents was given. Now that is used to define a mapping from finite sets of prefixed 
signed formulas to hypersequents as follows. For a finite set S of prefixed signed formulas 
(using positive integers as prefixes): 


$$S^{\circ} = C_1 \mid C_2 \mid \cdots \mid C_n \quad \text{where } C_k = \{\mathcal{X} \mid k\,\mathcal{X} \in S\}^{\circ} \tag{11}$$

Now a version of Lemma 8 can be proved for the current set-up. 


LEMMA 10. Let S be a finite set of prefixed signed formulas. If there is a closed tableau 
for S using the Simple S5 Tableau rules of Table 16 then the hypersequent S° is provable 
using the rules of this section. 


Proof. As with Lemma 8 the proof is by an induction on the depth of S, where the 
depth is the smallest number d such that there is a closed Simple S5 Tableau for S 
with d tableau rule applications. The argument for the classical connectives is just the 
hypersequent analog of what we did before. I’ll consider one of the modal cases, and 
leave the others to you. 

Suppose S closes with depth d, the result is known for sets that close with depth less 
than d, the prefixed formula n T □A ∈ S, and there is a d-step closed tableau for S in 
which the first rule application is to this prefixed formula, adding the formula k T A to 
the tableau branch, where k already occurs (so it must be in S). Of course there is a 
closed tableau for S ∪ {k T A} with fewer than d rule applications. From the induction 
hypothesis, the hypersequent image of this set must have a hypersequent proof. By 
definition, 

$$[S \cup \{k\,T\,A\}]^{\circ} = \cdots \mid X, \Box A \to Y \mid \cdots \mid U, A \to V \mid \cdots$$

where X, □A and Y are the lists of members of S ∪ {k T A} with a prefix of n and signs 
of T and F respectively, and U, A and V are the members with a prefix of k and signs 
of T and F respectively. But then, using one of the Derived ν Rules, the hypersequent 

$$\cdots \mid X, \Box A \to Y \mid \cdots \mid U \to V \mid \cdots$$

will also be provable, and this is S°. ∎ 

PROPOSITION 11. The S5 hypersequent calculus is complete. 


Proof. If X is S5 valid, there is a closed Simple S5 Tableau for {1 F X}. By the 
Lemma, there must be a hypersequent proof of the hypersequent whose only component 
is → X, and so X has a hypersequent proof. ∎ 


In a clear sense, the hypersequent calculus for S5 (with the derived rules) bears the 
same relationship to the Simple S5 Tableau System that the sequent calculi of Section 7 
have to destructive modal tableau systems. 


9 LOGICS OF KNOWLEDGE 


Up to now only mono-modal logics have been considered. Things become more inter- 
esting when several modal operators are combined in a single logic. This is the first 
of several sections in which we examine such multi-modal logics, and is the simplest of 
these sections. Most proof methods adapt to multi-modal logics with varying degrees 
of difficulty, but from now on I will concentrate almost exclusively on prefixed tableaus. 
These generally make the jump to multi-modal logics with a certain grace. One natural 
multi-modal logic is a logic of knowledge, first investigated in detail in [36]; also see [15] 
for a more recent account. 


9.1 A Basic Logic of Knowledge 


In a logic of knowledge there is a set, usually finite, of knowers {k₁, k₂, ..., kₘ}. Informally 
I’ll use a, b, ... to range over the set of knowers. For each knower a there is a 
corresponding modal operator, K_a. We read K_a X as “a knows X.” Each K_a is like □ 
from earlier sections. It is not as common to have dual modal operators, but I will—I’ll 
use K̂_a for the operator dual to K_a, that is, ¬K_a¬. A dual knowledge operator is like 
◇ from earlier sections. Informally, K̂_a X can be read, “X is compatible with what a 
knows.” 

Properties of actual knowledge are difficult to specify. We might know X and also 
X ⊃ Y, but not know Y simply because we never thought about it. What standard 
logics of knowledge capture is not actual knowledge, but potential knowledge—what one 
is entitled to know. The switch to potential knowledge means we drop all considerations 
of complexity—we potentially could know a tautology with 10^100 symbols, for instance. 
But the switch to an idealized point of view does simplify the theory. It is rather easy 
to see that, under such an assumption, a knowledge modality should be a normal modal 
operator. But, what else should be required? 

Since one cannot know something that is false, we would want K_a X ⊃ X, the T axiom. 
On the other hand belief (also idealized) is somewhat similar to knowledge, and if it is 
belief we are trying to examine, we would not want this axiom. Often a certain degree 
of introspection is assumed—if one knows something, that fact is also known—that is 
K_a X ⊃ K_a K_a X. Thus we might want knowledge operators to obey the S4 conditions. 
Further, negative introspection is also often assumed—if one does not know something, 
it is known that it is not known—that is ¬K_a X ⊃ K_a ¬K_a X. All these together make a 
knowledge operator obey the S5 conditions. But keep in mind that lesser, or different, 
assumptions may be appropriate in particular cases. 

The semantics for a logic of knowledge is simple—a frame is a structure ⟨G, R_{k₁}, R_{k₂}, 
…, R_{kₘ}⟩ where G is the usual set of possible worlds, and we have an accessibility relation 
for each knower. A model is based on such a frame in the standard way, by specifying 
which propositional letters are true at which worlds. If M is such a model, truth at 
possible worlds is defined in the usual way, but with the modal condition: M, w ⊩ K_a X 
if and only if M, w′ ⊩ X for each w′ ∈ G with w R_a w′. Often each R_a is taken to be an 
equivalence relation, corresponding to S5, but other assumptions can be made, and they 
do not need to be the same for each knower. 

An axiomatic treatment of a logic of knowledge is quite straightforward. One simply 
assumes the appropriate modal axioms (and necessitation rule) for each K_a. I will skip 
further discussion. Various other proof systems can be adapted to logics of knowledge, 
but prefixed tableau systems are most ‘practical,’ and quite natural. They are all that 
will be covered here. We now take a prefix to be a sequence 1.n₁a₁.n₂a₂.… where, 
except for the first item, 1, each term consists of a positive integer, n, and a knower, 
a. The idea is, σ.na is intended to designate a world that is accessible from the world 
σ designates, via the accessibility relation for knower a. The propositional connective 
tableau rules are as they were in the mono-modal case. Before stating the new modal 
rules, the earlier nu/pi notation must be modified, since it does not keep track of which 
knowledge operator we are dealing with. This is done in Table 17. 


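$$\begin{array}{c|c} \nu^a & \nu_0^a \\ \hline T\,K_a X & T\,X \\ F\,\widehat{K}_a X & F\,X \end{array} \qquad\qquad \begin{array}{c|c} \pi^a & \pi_0^a \\ \hline T\,\widehat{K}_a X & T\,X \\ F\,K_a X & F\,X \end{array}$$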


Table 17. Multi-Modal Nu and Pi Formulas 


In Table 13, tableau rules for mono-modal K were given. In the multi-modal setting 
these rules are replaced by those in Table 18. Likewise the mono-modal tableau rules of 
Table 14 must be replaced with those in Table 19. 


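$$\frac{\sigma\,\nu^a}{\sigma.na\,\nu_0^a}\ \text{ for } \sigma.na \text{ used} \qquad\qquad \frac{\sigma\,\pi^a}{\sigma.na\,\pi_0^a}\ \text{ for } \sigma.na \text{ new}$$


Table 18. Multi-Modal Tableau Rules for K 


For prefixes σ and σ.na already occurring on the tableau branch: 

$$T^a:\ \frac{\sigma\,\nu^a}{\sigma\,\nu_0^a} \qquad 4r^a:\ \frac{\sigma.na\,\nu^a}{\sigma\,\nu^a} \qquad 4^a:\ \frac{\sigma\,\nu^a}{\sigma.na\,\nu^a} \qquad B^a:\ \frac{\sigma.na\,\nu^a}{\sigma\,\nu_0^a}$$

$$D^a:\ \frac{\sigma\,T\,K_a X}{\sigma\,T\,\widehat{K}_a X} \qquad \frac{\sigma\,F\,\widehat{K}_a X}{\sigma\,F\,K_a X}$$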


Table 19. Multi-Modal Tableau Rules 


To illustrate how this works, Figure 11 displays a derivation using these rules. In it 
we have a logic of knowledge with two knowers, a and b. It is assumed that the T and 4r 
rules apply to K_b while only the K rules apply to K_a. The figure presents a derivation 
of K_a¬K_b(X ⊃ Y) from K_a¬K_b¬K_b¬Y and K_a X. In the tableau, 4 is from 3 by π^a; 5 
is from 4 by negation; 6 is from 5 by T; 7 is from 2 and 8 is from 1 by ν^a; 9 is from 8 by 
negation; 10 is from 9 by π^b; 11 is from 10 by negation; 12 is from 11 by 4r^b; 13 is from 
12 by T; 14 is from 13 by negation; and 15 and 16 are from 6 by β. 

I’ll omit proofs of soundness and completeness. They are quite straightforward exten- 
sions of the mono-modal proofs given earlier. This is so for both the tableau and the 
axiomatic treatments. 

Finally, as formulated above, knowers were independent beings. One might want to 
consider relationships between them such as, for instance, that $b$ knows everything that $a$ 
knows, or that if $a$ knows something, $b$ knows that $a$ knows it. The most straightforward 
way of handling such things is to formulate them as axiom schemes. For instance, the 
first condition gives us the scheme $K_aX \supset K_bX$ and the second gives us $K_aX \supset K_bK_aX$. 
These can be added to an axiomatic formulation of a basic logic of knowledge, or can be 
taken as global assumptions in a tableau treatment. In many cases such assumptions can 
be reformulated as tableau rules too. For instance, the two conditions just mentioned 
correspond to the following two tableau rules. 


$$\frac{\sigma\;\nu^a}{\sigma.nb\;\nu^a_0}\quad\text{for } \sigma.nb \text{ used} \qquad\qquad \frac{\sigma\;\nu^a}{\sigma.nb\;\nu^a}\quad\text{for } \sigma.nb \text{ used}$$

The first rule corresponds to $K_aX \supset K_bX$, the second to $K_aX \supset K_bK_aX$. 


Conditions relating knowers are infinitely varied. I will not attempt to provide a 
general theory for them, but leave it to you to deal with them on a case-by-case basis. 
9.2 Common Knowledge 


A formula X is common knowledge among a group of knowers if X is true, everybody 
knows X, everybody knows that everybody knows X, and so on. If our knowers are, 


$1\;T\;K_a\neg K_b\neg K_b\neg Y$  1.
$1\;T\;K_aX$  2.
$1\;F\;K_a\neg K_b(X \supset Y)$  3.
$1.1a\;F\;\neg K_b(X \supset Y)$  4.
$1.1a\;T\;K_b(X \supset Y)$  5.
$1.1a\;T\;X \supset Y$  6.
$1.1a\;T\;X$  7.
$1.1a\;T\;\neg K_b\neg K_b\neg Y$  8.
$1.1a\;F\;K_b\neg K_b\neg Y$  9.
$1.1a.1b\;F\;\neg K_b\neg Y$  10.
$1.1a.1b\;T\;K_b\neg Y$  11.
$1.1a\;T\;K_b\neg Y$  12.
$1.1a\;T\;\neg Y$  13.
$1.1a\;F\;Y$  14.
  Left branch from 6:
    $1.1a\;F\;X$  15.
  Right branch from 6:
    $1.1a\;T\;Y$  16.


Figure 11. Logic of Knowledge Tableau Example 


say, $k_1, \ldots, k_n$, let us abbreviate $K_{k_1}\varphi \wedge \ldots \wedge K_{k_n}\varphi$ by $E\varphi$, and read it “everybody 
knows $\varphi$.” Then common knowledge of $X$ is, informally, the infinite conjunction 
$X \wedge EX \wedge EEX \wedge EEEX \wedge \ldots$, which we can represent as $CX$. Of course this is not a 
real formula, though it can serve for motivation. Semantically, we want $CX$ to be true 
at a state if $X$ is true at every reachable state, where a state is reachable if there is 
some path to it along which each state is accessible from the previous one using any 
one of the accessibility relations $R_{k_i}$. This seems simple enough, but capturing common 
knowledge axiomatically involves a fixpoint axiom and a rule of inference that is not 
obvious, [15]. Common knowledge cannot be captured at all by a conventional cut-free 
tableau system, [1], and it seems unlikely that it can be captured by a prefixed tableau 
system either. However, common knowledge applications often fall into two categories: 
how is common knowledge obtained, and how is common knowledge used given that it has 
been obtained. Many problems and puzzles involve only the latter, and this is relatively 
simple. In terms of the illegal equivalence $CX \equiv X \wedge EX \wedge EEX \wedge EEEX \wedge \ldots$, obtaining 
common knowledge is the right-left implication, which has an infinitary antecedent, but 
using common knowledge involves the left-right implication, and this can be replaced 
with the legal, though infinite, list $CX \supset X$, $CX \supset EX$, $CX \supset EEX$, .... In terms of 
tableaus using, though not obtaining, common knowledge is captured by rules that can 
deal with occurrences of C in negative positions in formulas being proved (which become 
positive positions when the formula is signed with F to begin a tableau proof). The 
rules are in Table 20. They are sound, but not complete, though they are complete with 
respect to a generalized version of common knowledge. I do not go into this here—see 
[2] for an investigation of a related system. 

To show how these rules work, I'll make use of the familiar muddy children puzzle. 
There are, say, three children sitting in a circle, call them a, b, and c. Each can see the 

$$\frac{\sigma\;T\;CX}{\sigma.na\;T\;CX}\quad\text{for } \sigma.na \text{ used} \qquad\qquad \frac{\sigma\;T\;CX}{\sigma\;T\;X}$$


Table 20. Common Knowledge Tableau Rules 


foreheads of the others, but not their own. Their legal guardian and designated puzzle 
person puts a spot of mud on each of their foreheads. At this point each child knows 
that the other two have muddy foreheads, but does not know the status of their own. 
Then the puzzle person announces, “at least one of you has a muddy forehead.” Note 
that they already knew this—the effect of the announcement is to make the statement 
common knowledge. Then they are asked if they know whether or not their forehead is 
muddy. They do not, and say so. They are asked again, with the same result. They are 
asked a third time, and all know their forehead is muddy. The problem is to account for 
this. 

To formalize this, let $A$ have the intended meaning, the forehead of $a$ is muddy, and 
similarly for $B$ and $C$. At the start, each knows the set-up, so it is common knowledge 
that each knows the status of the others' foreheads. That is, we have the following. 


$$C(K_aB \vee K_a\neg B) \qquad (12)$$
$$C(K_aC \vee K_a\neg C) \qquad (13)$$
$$C(K_bA \vee K_b\neg A) \qquad (14)$$
$$C(K_bC \vee K_b\neg C) \qquad (15)$$
$$C(K_cA \vee K_c\neg A) \qquad (16)$$
$$C(K_cB \vee K_c\neg B) \qquad (17)$$


Let $S$ be the formula asserting that someone knows the status of their forehead: 
$K_aA \vee K_a\neg A \vee K_bB \vee K_b\neg B \vee K_cC \vee K_c\neg C$. Also let $P \not\supset Q$ abbreviate $\neg(P \supset Q)$. Now, at 
the start it is announced that someone has a muddy forehead, $A \vee B \vee C$. Everybody 
hears the announcement and sees that everyone heard, and so common knowledge is 
obtained: $C(A \vee B \vee C)$. Then it is asked if anyone knows the status of their forehead, 
and they do not, so $C(A \vee B \vee C) \not\supset S$. Since everyone hears the answers, this is 
common knowledge for the next round, $C(C(A \vee B \vee C) \not\supset S)$. But still nobody knows, 
and so $C(C(A \vee B \vee C) \not\supset S) \not\supset S$, and this is common knowledge for the next round, 
$C(C(C(A \vee B \vee C) \not\supset S) \not\supset S)$. This time everybody knows their forehead is, in fact, 
muddy. This is expressed by the following. 


$$C(C(C(A \vee B \vee C) \not\supset S) \not\supset S) \supset (K_aA \wedge K_bB \wedge K_cC) \qquad (18)$$


Formally, (18) is a consequence of (12)–(17) as local premises, assuming no more than 
T knowledge for each knower. A tableau proof can be found in Figure 12 of 
$C(C(C(A \vee B \vee C) \not\supset S) \not\supset S) \supset K_aA$. In it some simple derived rules have been used. One is: 
conclude $\sigma\;T\;X$ and $\sigma\;F\;Y$ from $\sigma\;T\;X \not\supset Y$, which simply omits the step involving the 
definition of $\not\supset$. The other is: conclude $\sigma\sigma'\;T\;X$ from $\sigma\;T\;CX$, where $\sigma\sigma'$ is any prefix 
that extends $\sigma$ and occurs on the branch. This is a simple combination of the two rules 
given earlier for $C$. In the tableau: 2 and 3 are from 1 by $\alpha$; 4 is from 3 by $\pi^a$; 5 is from 
2 by the derived $C$ rule; 6 and 7 are from 5 by the derived $\not\supset$ rule; 8 is from 7 by $\alpha$ and 
the definition of $S$; 9 is a premise; 10 is from 9 by the derived $C$ rule; 11 and 12 are from 
10 by $\beta$; 13 is from 11 by $T^c$; 14 is from 8 by $\pi^c$; 15 is from 12 by $\nu^c$; 16 is from 15 by 
negation; 17 is from 6 by the derived $C$ rule; 18 and 19 are from 17 by the derived $\not\supset$ rule; 
20 is from 19 by $\alpha$ and the definition of $S$; 21 is a premise; 22 is from 21 by the derived 
$C$ rule; 23 and 24 are from 22 by $\beta$; 25 is from 23 by $T^b$; 26 is a premise; 27 is from 26 
by the derived $C$ rule; 28 and 29 are from 27 by $\beta$; 30 is from 28 by $T^b$; 31 is from 20 by 
$\pi^b$; 32 is from 24 by $\nu^b$; 33 is from 32 by negation; 34 is from 29 by $\nu^b$; 35 is from 34 by 
negation; and 32 is from 18 by the derived $C$ rule. Closure is by 4 and 13; 16 and 25; 14 
and 30; and 31, 32, 33, 35 and applications of the $\beta$ rule. 

In the version of the puzzle embodied in (18) the assumption was that everybody had 
a muddy forehead. If only two do, say a and b, those who have muddy foreheads know 
this on the second round. Here is an expression of this. 


$$\neg C \supset [C(C(A \vee B \vee C) \not\supset S) \supset (K_aA \wedge K_bB)] \qquad (19)$$


This, too, is provable using the tableau rules given above, but now we must assume the 
S5 rules for knowers $a$ and $b$. On the other hand, the two children $a$ and $b$ can see the 
forehead of $c$, know it is not muddy, and can see each other and so know that they both 
know it, and so on. That is, $\neg C$ is not just true, it is common knowledge between $a$ 
and $b$. If the antecedent $\neg C$ in (19) is replaced by this relativized common knowledge 
assumption, whose proper formulation I'll leave to you, S5 rules are not needed. 

The methods extend to n children with k muddy, but you doubtless get the general 
idea. 
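
The semantic side of the puzzle, for any number of children, can be checked mechanically. The following Python program is an added example, not part of the chapter: it computes $K_i$, $E$, $C$ and the formula $S$ as operations on sets of worlds, and it models each public answer "nobody knows" by deleting the worlds where $S$ holds. That model-update reading and all function names are assumptions of the example; it is not the tableau proof of Figure 12.

```python
from itertools import product

def worlds(n):
    """All muddy/clean assignments for n children (True = muddy)."""
    return set(product((False, True), repeat=n))

def alternatives(i, w, W):
    """Worlds of W that child i cannot tell apart from w: i sees every forehead but its own."""
    flipped = w[:i] + (not w[i],) + w[i + 1:]
    return {u for u in (w, flipped) if u in W}

def K(i, X, W):
    """Worlds of W where child i knows X (X is a set of worlds)."""
    return {w for w in W if alternatives(i, w, W) <= X}

def E(X, W, n):
    """'Everybody knows X': the conjunction of K_i X over all children."""
    result = set(W)
    for i in range(n):
        result &= K(i, X, W)
    return result

def C(X, W, n):
    """Worlds of W where X is common knowledge: X holds at every world reachable
    along any chain of the children's accessibility relations."""
    out = set()
    for w in W:
        seen, todo = {w}, [w]
        while todo:
            u = todo.pop()
            for i in range(n):
                for t in alternatives(i, u, W) - seen:
                    seen.add(t)
                    todo.append(t)
        if seen <= X:
            out.add(w)
    return out

def S(W, n):
    """The formula S: some child knows the status of its own forehead."""
    out = set()
    for i in range(n):
        muddy = {w for w in W if w[i]}
        out |= K(i, muddy, W) | K(i, W - muddy, W)
    return out

def muddy_children(actual):
    """Return (round, knowers): the first round of questioning in which some child
    knows its own status in the world `actual`, and which children know then."""
    if not any(actual):
        raise ValueError("the announcement requires at least one muddy child")
    n = len(actual)
    # The announcement makes 'someone is muddy' common knowledge: drop the all-clean world.
    W = {w for w in worlds(n) if any(w)}
    rounds = 0
    while True:
        rounds += 1
        knowers = set()
        for i in range(n):
            muddy = {w for w in W if w[i]}
            if actual in K(i, muddy, W) | K(i, W - muddy, W):
                knowers.add(i)
        if knowers:
            return rounds, knowers
        W -= S(W, n)   # everyone hears that nobody knows
```

With three muddy children the result is round 3 with all three knowing; with only $a$ and $b$ muddy it is round 2 with $a$ and $b$ knowing, matching (18) and (19).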


10 CONVERSE 


Suppose we have a model $\mathcal{M} = \langle G, R, V\rangle$ with a single accessibility relation, but two 
modal operators, say $\Box$ and $\Box^{-1}$. Let us say $\Box$ has its usual interpretation, $\mathcal{M}, w \Vdash \Box X$ if 
$\mathcal{M}, w' \Vdash X$ for all $w' \in G$ with $wRw'$, but suppose $\Box^{-1}$ is understood via $\mathcal{M}, w \Vdash \Box^{-1}X$ 
if $\mathcal{M}, w' \Vdash X$ for all $w' \in G$ with $w'Rw$. The difference is easy to miss: $\Box$ uses $R$, but 
$\Box^{-1}$ uses the relation converse to $R$, often written $R^{-1}$. This gives us a natural 
multi-modal logic, but with the modalities intimately connected. One place where such things 
come up is temporal logic—future and past are converse in this sense. Another place is 
CPDL, propositional dynamic logic with converse. I don’t want to get into these topics 
here (see [32, 35]) but if we assume a simple underlying modality, K, T, or something 
of this sort, a tableau system capable of dealing with converse is not complicated. I 
will discuss it briefly in this section—it is based on the treatment in [30]. See [6] for an 
axiomatic version. 

The simplest way to approach the subject is to build on earlier work. Suppose we use 
a logic of knowledge with two knowers, $a$ and $b$, and from now on identify $K_a$ with $\Box$ and 
$K_b$ with $\Box^{-1}$. Then, for starters, we want the tableau rules from Table 18, or perhaps 
from Table 19 too if more complex assumptions about $\Box$ are being made. Converseness 
is a relationship between our two knowers, of the sort discussed at the end of Section 9. 
It can be captured by the following tableau rules. 


$$\frac{\sigma.na\;\nu^b}{\sigma\;\nu^b_0} \qquad\qquad \frac{\sigma.nb\;\nu^a}{\sigma\;\nu^a_0}$$


Modal Proof Theory 127 


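$1\;F\;C(C(C(A \vee B \vee C) \not\supset S) \not\supset S) \supset K_aA$  1.
$1\;T\;C(C(C(A \vee B \vee C) \not\supset S) \not\supset S)$  2.
$1\;F\;K_aA$  3.
$1.1a\;F\;A$  4.
$1.1a\;T\;C(C(A \vee B \vee C) \not\supset S) \not\supset S$  5.
$1.1a\;T\;C(C(A \vee B \vee C) \not\supset S)$  6.
$1.1a\;F\;S$  7.
$1.1a\;F\;K_cC$  8.
$1\;T\;C(K_cA \vee K_c\neg A)$  9.
$1.1a\;T\;K_cA \vee K_c\neg A$  10.
  Left branch from 10:
    $1.1a\;T\;K_cA$  11.
    $1.1a\;T\;A$  13.
  Right branch from 10:
    $1.1a\;T\;K_c\neg A$  12.
    $1.1a.1c\;F\;C$  14.
    $1.1a.1c\;T\;\neg A$  15.
    $1.1a.1c\;F\;A$  16.
    $1.1a.1c\;T\;C(A \vee B \vee C) \not\supset S$  17.
    $1.1a.1c\;T\;C(A \vee B \vee C)$  18.
    $1.1a.1c\;F\;S$  19.
    $1.1a.1c\;F\;K_bB$  20.
    $1\;T\;C(K_bA \vee K_b\neg A)$  21.
    $1.1a.1c\;T\;K_bA \vee K_b\neg A$  22.
      Left branch from 22:
        $1.1a.1c\;T\;K_bA$  23.
        $1.1a.1c\;T\;A$  25.
      Right branch from 22:
        $1.1a.1c\;T\;K_b\neg A$  24.
        $1\;T\;C(K_bC \vee K_b\neg C)$  26.
        $1.1a.1c\;T\;K_bC \vee K_b\neg C$  27.
          Left branch from 27:
            $1.1a.1c\;T\;K_bC$  28.
            $1.1a.1c\;T\;C$  30.
          Right branch from 27:
            $1.1a.1c\;T\;K_b\neg C$  29.
            $1.1a.1c.1b\;F\;B$  31.
            $1.1a.1c.1b\;T\;\neg A$  32.
            $1.1a.1c.1b\;F\;A$  33.
            $1.1a.1c.1b\;T\;\neg C$  34.
            $1.1a.1c.1b\;F\;C$  35.
            $1.1a.1c.1b\;T\;A \vee B \vee C$  32.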

Figure 12. Muddy Children Puzzle 


I think we’re at a point where I can omit soundness and completeness arguments. 
Table 21 shows a simple proof in this system, of P > K,K,P. In it, 2 and 3 are from 1 
by $\alpha$, 4 is from 3 by a $\pi$ rule in Table 18; 5 is from 4 by a $\nu$ rule above. 


FP>K,KaP 1. 
TP 2. 


Table 21. Converse Modality Tableau Example 
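
The rules of Table 18 together with the two converse rules of this section are simple enough to run by machine. The following Python prover is an added example, not code from the chapter: it saturates a branch with the $\alpha$, $\nu$ and converse rules, branches on $\beta$ formulas, and applies each $\pi$ formula once with a new prefix. The formula constructors, the function names, the empty tuple standing for the prefix 1, and the use of $\neg K\neg$ as the possibility dual are assumptions of the example.

```python
def Atom(name): return ('atom', name)
def Not(x): return ('not', x)
def And(x, y): return ('and', x, y)
def Or(x, y): return ('or', x, y)
def Imp(x, y): return ('imp', x, y)
def K(agent, x): return ('K', agent, x)

def components(sign, f):
    """Classify a signed propositional compound as alpha or beta and return its
    signed components; None for atoms and K-formulas."""
    if f[0] == 'not':
        return 'alpha', [(not sign, f[1])]
    if f[0] in ('and', 'or', 'imp'):
        left_sign = (not sign) if f[0] == 'imp' else sign
        kind = 'alpha' if (f[0] == 'and') == sign else 'beta'
        return kind, [(left_sign, f[1]), (sign, f[2])]
    return None

def children(branch, p):
    """Prefixes p.(n, agent) that are used on the branch."""
    return {q for (q, _, _) in branch if len(q) == len(p) + 1 and q[:-1] == p}

def closes(branch, converse, used_pi=frozenset()):
    """True if every extension of the branch closes. A branch is a set of
    (prefix, sign, formula); a prefix is a tuple of (n, agent) steps."""
    branch = set(branch)
    while True:
        if any((p, not s, f) in branch for (p, s, f) in branch):
            return True
        new = set()
        for (p, s, f) in branch:
            comp = components(s, f)
            if comp and comp[0] == 'alpha':
                new |= {(p, cs, cf) for cs, cf in comp[1]}
            elif f[0] == 'K' and s:                      # a nu formula T K_agent body
                _, agent, body = f
                # Table 18 nu rule: every used prefix p.(n, agent)
                new |= {(q, True, body) for q in children(branch, p) if q[-1][1] == agent}
                # converse rule: p = q.(n, c) with agent the converse of c
                if p and converse.get(p[-1][1]) == agent:
                    new.add((p[:-1], True, body))
        if not new <= branch:
            branch |= new
            continue
        for (p, s, f) in branch:                         # beta rule: split the branch
            comp = components(s, f)
            if comp and comp[0] == 'beta':
                options = [(p, cs, cf) for cs, cf in comp[1]]
                if not any(o in branch for o in options):
                    return all(closes(branch | {o}, converse, used_pi) for o in options)
        pending = [it for it in branch
                   if it[2][0] == 'K' and not it[1] and it not in used_pi]
        if not pending:
            return False                                 # saturated and still open
        p, _, f = pending[0]                             # Table 18 pi rule: new prefix
        n = 1 + max((q[-1][0] for q in children(branch, p)), default=0)
        branch.add((p + ((n, f[1]),), False, f[2]))
        used_pi = used_pi | {pending[0]}

def provable(formula, converse=None):
    """Start a tableau with F formula at the root prefix and report whether it closes."""
    return closes({((), False, formula)}, converse or {})
```

Called with `converse={'a': 'b', 'b': 'a'}` it closes the tableau for `Imp(P, K('b', Not(K('a', Not(P)))))`; with no converse pairing the same tableau stays open.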


11 THE UNIVERSAL MODALITY AND THE DIFFERENCE MODALITY 


Logics of knowledge combine many ‘ordinary’ modal operators, but there has been con- 
siderable investigation of the effects of adding special, expressive, modal operators to a 
standard modal logic. Two of these that are especially powerful and interesting are the 
universal modality, also called the global modality in [6], and the difference modality. 
Discussion of, and axiomatization for both can be found in [6]. 

Suppose we have a multi-modal logic L of the kind considered in Section 9, in which 
the individual modal operators are among those of Table 15, or K of course. That is, we 
have a prefixed tableau system for L. The universal modal operator, written E, is a kind 
of possibility operator that can be read “somewhere.” That is, EX informally asserts 
that X holds at some possible world. Note that the accessibility relation plays no role 
in this. The dual necessity-like operator is written A. In a model M for L with these 
operators added, we want the following conditions. 


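$$\mathcal{M}, w \Vdash EX \iff \mathcal{M}, w' \Vdash X \text{ for some } w' \in \mathcal{M}$$
$$\mathcal{M}, w \Vdash AX \iff \mathcal{M}, w' \Vdash X \text{ for every } w' \in \mathcal{M}$$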


To provide prefixed tableau rules for these operators, we need a small extension of the 
system in Section 9. There a prefix was a sequence of the form $1.n_1a_1.n_2a_2.\ldots$, beginning 
with 1. From now on prefixes can begin with any positive integer. The nu/pi definition 
is extended in the obvious way, in Table 22. 


$\nu$ | $\nu_0$ | $\pi$ | $\pi_0$
$T\;AX$ | $T\;X$ | $T\;EX$ | $T\;X$
$F\;EX$ | $F\;X$ | $F\;AX$ | $F\;X$


Table 22. Universal Modality Nu and Pi Formulas 


The tableau rules for E and A are given in Table 23. These are to be added to the 
rules for the other modal operators of L. 

Soundness and completeness proofs are not difficult, and I omit them. I make one 
observation, however. It is easy to see that models produced by earlier completeness 

$$\frac{\sigma\;\nu}{\sigma'\;\nu_0}\quad\text{for } \sigma' \text{ used} \qquad\qquad \frac{\sigma\;\pi}{n\;\pi_0}\quad\text{for } n \text{ new}$$


Table 23. Universal Modality Tableau Rules 


proofs for prefixed tableau systems all have a tree structure, since that is the syntactical 
structure of prefixes. This is no longer the case when the universal modality is present. 
Instead models are more like forests—sets of trees. 


The difference modality, also read as elsewhere, is a possibility-like operator, too. The 
formula DX informally can be read as asserting that X holds somewhere else. There is, 
of course, a dual operator, but since the tableau rules take a somewhat more complex 
form, I won’t consider it. Once again, a discussion and axiomatization for this operator 
can be found in [6]. As to prefixed tableau rules, the addition to L given in Table 24 will 
do. 


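$$\frac{\sigma\;T\;DX}{n\;T\;X \mid \sigma_1\;T\;X \mid \sigma_2\;T\;X \mid \cdots \mid \sigma_k\;T\;X} \qquad\qquad \frac{\sigma\;F\;DX}{\sigma'\;F\;X}$$

In the T rule: $n$ is a new integer, and $\sigma_1, \ldots, \sigma_k$ are all prefixes used on the branch 
other than $\sigma$. In the F rule: $\sigma'$ is any prefix used on the branch other than $\sigma$. 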


Table 24. Difference Modality Tableau Rules 


Figure 13 displays a sample proof using these rules, of $DDP \supset (P \vee DP)$, which is 
one of the axioms for $D$ in [6]. In it, 2 and 3 are from 1 by $\alpha$; 4 and 5 are from 3 by $\alpha$; 
6 is from 2 by the $TD$ rule (note that at this point there are no prefixes on the branch 
other than 1, and 2 is new); 7 and 8 are from 6 by the $TD$ rule (3 is new, and 1 is the 
only prefix on the branch other than 2); 9 is from 5 by the $FD$ rule. 


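$1\;F\;DDP \supset (P \vee DP)$  1.
$1\;T\;DDP$  2.
$1\;F\;P \vee DP$  3.
$1\;F\;P$  4.
$1\;F\;DP$  5.
$2\;T\;DP$  6.
  Left branch from 6:
    $3\;T\;P$  7.
    $3\;F\;P$  9.
  Right branch from 6:
    $1\;T\;P$  8.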


Figure 13. Prefixed Difference Modality Tableau 


12 WHAT ARE THE LIMITATIONS 


Going beyond the logics we have looked at so far are those using a fixpoint construction. 
That is, in the semantics some modal operator is modeled by a device that involves 
minimizing (or maximizing) some monotone operator on the set of possible worlds. Such 
logics are very powerful, and very resistant to tableau methods. It is an area needing 
further research. Here is a brief rundown of the most common fixpoint logics. 

Propositional dynamic logic is, perhaps, the original example, see [35] for a thorough 
treatment. In this multi-modal logic, modal operators correspond to computer programs. 
The semantical treatment of the while operator requires a fixpoint construction. From 
early on there was a tableau system for the logic, [51]. It is, however, of a specialized 
nature that so far has not lent itself well to treatment by the general methodologies of 
this chapter. 

Propositional dynamic logic was extended to the propositional $\mu$-calculus in [41], with 
modal operators in the language corresponding directly to fixpoint constructions. I do 
not know how to bring tableau methods to bear. 

Finally, common knowledge was discussed above, in Section 9.2. It was made clear 
that the tableau rules given were only for using common knowledge, and could not handle 
its acquisition. Common knowledge is yet another example of a fixpoint modality, and 
another example of one for which satisfactory tableau rules do not exist. 


13 QUANTIFIED MODAL LOGIC 


As if propositional modal logic wasn’t complicated enough, each one can be extended 
to a first-order version in a multiplicity of ways [28, 37, 26]. For starters, domains of 
quantification can be different at different worlds, or the same at all worlds, or related 
in ways that depend on relative accessibility. When each possible world has its own 
domain of quantification, one can think of these domains as representing what exists 
at each world. In this case quantifiers are actualist—they quantify over what actually 
exists. When the domain of quantification is the same for all worlds, one can think of 
the common domain as the realm of possible existents. Then quantifiers are possibilist. 
These two versions correspond to well-established philosophical positions, but this is not 
the place to discuss them. As it happens, constant domain, possibilist quantification 
is the easiest to capture using prefixed tableaus. And, as it happens, varying domain 
semantics can be embedded into a constant domain version easily and naturally. So, in 
this section I'll briefly sketch prefixed tableau systems for constant domain, possibilist 
versions of the propositional modal logics that were treated earlier, and then say a little 
about other versions of quantified modal logic. 


13.1 Syntax and Semantics 


We need a first-order language. I'll assume we have relation symbols of arity 1, 2, .... 
In the interests of simplicity, there will be no constant or function symbols. I'll also 
assume there is an infinite list of variables. Atomic formulas are expressions of the form 
$P(v_1, \ldots, v_n)$ where $P$ is a relation symbol of arity $n$, and $v_1, \ldots, v_n$ are variables. 
Formulas are built up from atomic formulas in the usual way, using modal operators ($\Box$ 
and $\Diamond$ only, for the time being), propositional connectives, and quantifiers. I'll take both 
$\forall$ and $\exists$ as primitive in this section. I'll assume the notion of free and bound variable is 
understood, and so the notion of closed formula, or sentence. 

A constant domain model is a structure $\mathcal{M} = \langle G, R, D, \mathcal{I}\rangle$ where: $\langle G, R\rangle$ is a frame as 
before; $D$ is a non-empty set, the domain of quantification; and $\mathcal{I}$ is an interpretation, 
assigning to each $n$-ary relation symbol $P$ and each possible world $w$ an $n$-place relation 
$\mathcal{I}(P, w)$ on $D$. We are primarily interested in the behavior of sentences, but formulas with 
free variables come into things, so we need one more piece of machinery. A valuation in 
a model $\mathcal{M} = \langle G, R, D, \mathcal{I}\rangle$ is a mapping $v$ from the set of variables to the domain, $D$, of 
the model. 

The chief semantic notion is symbolized $\mathcal{M}, w \Vdash_v X$ and is read: formula $X$ is true 
at world $w$ of model $\mathcal{M}$ with respect to valuation $v$. The definition follows. In it, a 
valuation $v'$ is an $x$-variant of a valuation $v$ if the two valuations agree on all variables 
except possibly $x$. 


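Atomic $\mathcal{M}, w \Vdash_v P(x_1, \ldots, x_n)$ if and only if $\langle v(x_1), \ldots, v(x_n)\rangle \in \mathcal{I}(P, w)$ 

Negation $\mathcal{M}, w \Vdash_v \neg X$ if and only if not-$\mathcal{M}, w \Vdash_v X$ 

Propositional Connectives $\mathcal{M}, w \Vdash_v X \wedge Y$ if and only if $\mathcal{M}, w \Vdash_v X$ and $\mathcal{M}, w \Vdash_v Y$, 
and similarly for the other connectives. 

Necessity $\mathcal{M}, w \Vdash_v \Box X$ if and only if $\mathcal{M}, w' \Vdash_v X$ for every $w' \in G$ with $wRw'$. 

Possibility $\mathcal{M}, w \Vdash_v \Diamond X$ if and only if $\mathcal{M}, w' \Vdash_v X$ for some $w' \in G$ with $wRw'$. 

Universal Quantifier $\mathcal{M}, w \Vdash_v (\forall x)\varphi$ if and only if $\mathcal{M}, w \Vdash_{v'} \varphi$ for every valuation $v'$ 
that is an $x$-variant of $v$. 

Existential Quantifier $\mathcal{M}, w \Vdash_v (\exists x)\varphi$ if and only if $\mathcal{M}, w \Vdash_{v'} \varphi$ for some valuation 
$v'$ that is an $x$-variant of $v$. 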


As might be expected, if $X$ has no free variables, $\mathcal{M}, w \Vdash_v X$ for some valuation $v$ if 
and only if $\mathcal{M}, w \Vdash_v X$ for every valuation $v$. Consequently we can speak of the truth 
or falsity of a sentence at a world in a model without mentioning the valuation. I'll say 
a sentence $X$ is L valid, where L is some normal modal logic determined by a class of 
frames, if $X$ is true at every world of every model $\langle G, R, D, \mathcal{I}\rangle$ such that $\langle G, R\rangle$ is an L 
frame, for every non-empty domain $D$ and every interpretation $\mathcal{I}$. 


13.2 Constant Domain Tableaus 


The goal is to extend the tableau systems of Section 6 to take constant domain quan- 
tification into account. As it happens, this is accomplished easily by a combination of 
modal rules and standard tableau quantification rules, [22, 57]. 

Tableau proofs will be of sentences only. As usual in treatments of first-order logic, 
there will be a version of existential instantiation—if $(\exists x)P(x)$ is true then $P(x)$ is true 
for some value of x, so we introduce a symbol intended to designate such a value. For this 
purpose there is a second list of variables, disjoint from the first. These new variables 
are called parameters. Formulas with parameters as free variables play a role in proofs, 
but they have no part in what we are trying to prove. From now on, by sentence I mean 
a closed formula none of whose variables are parameters. 

Let L be one of the propositional modal logics for which a prefixed tableau system 
was given in Section 6. For a constant domain, first-order version of this we use the 
propositional rules for L from before, and add to them rules for quantifiers. To make it 
easier to state the new rules, two new formula classifications are introduced, following 
[57]. In giving them, I'll adopt the following convention. If I write $\varphi(x)$ it is intended 
to represent a formula in which at most $x$ may occur free; then a subsequent occurrence 
of $\varphi(p)$ represents the result of substituting the parameter $p$ for every free occurrence 
of $x$ in $\varphi(x)$. Note that since parameters cannot be quantified, we needn’t worry about 
‘accidental’ capture of $p$ in such a substitution. Now, Table 25 contains the new formula 
cases, and Table 26 gives the new tableau rules. The $\gamma$ rule allows any parameter to be 
used, while the $\delta$ rule requires a parameter that is new to the branch. 


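$\gamma$ | $\gamma(p)$ | $\delta$ | $\delta(p)$
$T\;(\forall x)\varphi(x)$ | $T\;\varphi(p)$ | $T\;(\exists x)\varphi(x)$ | $T\;\varphi(p)$
$F\;(\exists x)\varphi(x)$ | $F\;\varphi(p)$ | $F\;(\forall x)\varphi(x)$ | $F\;\varphi(p)$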


Table 25. Gamma and Delta Formulas 


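$$\frac{\sigma\;\gamma}{\sigma\;\gamma(p)}\quad\text{for any } p \qquad\qquad \frac{\sigma\;\delta}{\sigma\;\delta(p)}\quad\text{for } p \text{ new}$$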


Table 26. Quantifier Rules 


Figure 14 displays a proof of $(\forall x)\Box P(x) \supset \Box(\forall x)P(x)$, an instance of the Barcan 
formula, using the propositional K rules. In it, 2 and 3 are from 1 by $\alpha$; 4 is from 3 by 
$\pi$; 5 is from 4 by $\delta$ ($p$ is a new parameter); 6 is from 2 by $\gamma$; 7 is from 6 by $\nu$. 


> O(V2)P(x) 1. 


Figure 14. Prefixed K Barcan Formula Proof 


13.3 Soundness and Completeness 


By now several soundness and completeness arguments for tableau systems have been 
given. I think we are at the point where we can be somewhat more terse. A set $S$ of 
quantified formulas is satisfiable if there is a model $\mathcal{M} = \langle G, R, D, \mathcal{I}\rangle$, a valuation $v$, and 
a mapping $n$ from the prefixes in $S$ to possible worlds in $\mathcal{M}$, such that if $\sigma\;T\;X \in S$ then 
$\mathcal{M}, n(\sigma) \Vdash_v X$ and if $\sigma\;F\;X \in S$ then $\mathcal{M}, n(\sigma) \not\Vdash_v X$. A tableau branch is satisfiable if 
the set of formulas on it is, and a tableau is satisfiable if some branch is. A proof that 
tableau rule applications preserve satisfiability can be left to you. The new thing here 
is the quantifier rules, and they are handled exactly as with standard classical tableau 
arguments. Once this is established, soundness is by the usual argument. 

Completeness is a mix of modal and classical techniques. To keep the discussion 
uncluttered, I'll assume the underlying logic is K; adapting the argument to other logics 
that have prefixed tableau systems is straightforward. 

For starters, the Lindenbaum construction of (1) and (6) needs to be ‘doubly 
Henkinized,’ to take care of both prefixes and quantifiers. I'll work with formulas that can 
contain free variables, but they must all be parameters. Call a set $S$ of prefixed signed 
formulas $\delta$-complete provided, if $\sigma\;\delta \in S$ then for some parameter $p$, $\sigma\;\delta(p) \in S$. The 
notion of $\pi$-completeness was defined in Section 6.2, as was the notion of omitting infinitely 
many integers. $S$ omits infinitely many parameters if the set of parameters not occurring 
in formulas of $S$ is infinite. We still say a set $S$ is K-consistent if no K-tableau for a finite 
part of $S$ is closed (though now the tableau rules include those for quantifiers). Every 
K-consistent set $S$ of prefixed formulas that omits infinitely many integers and omits 
infinitely many parameters can be extended to a set that is maximally K-consistent, 
$\pi$-complete, and $\delta$-complete. This can be done via the following modification of the earlier 
construction, (6). 


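Double Lindenbaum-Henkin Construction Suppose $S$ is a K-consistent set of 
prefixed sentences. Enumerate the prefixed signed formulas of the language, $\sigma_1\;X_1$, 
$\sigma_2\;X_2$, ..., whose only free variables are parameters, and define the following 
sequence of sets. 


$$S_1 = S$$
$$S_{n+1} = \begin{cases} S_n \cup \{\sigma_n\;X_n\} & \text{if K-consistent and } X_n \text{ is not } \pi \text{ or } \delta \\ S_n \cup \{\sigma_n\;\pi,\ \sigma_n.k\;\pi_0\} & \text{if K-consistent, } X_n \text{ is } \pi, \text{ and } \sigma_n.k \text{ is new} \\ S_n \cup \{\sigma_n\;\delta,\ \sigma_n\;\delta(p)\} & \text{if K-consistent, } X_n \text{ is } \delta, \text{ and } p \text{ is a new parameter} \\ S_n & \text{otherwise} \end{cases} \qquad (20)$$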


I'll leave it to you to check that $\bigcup_n S_n$ is maximally K-consistent, and both $\pi$-complete 
and $\delta$-complete. Now tableau completeness follows easily. Suppose the sentence $X$ is not 
provable using the constant domain K-tableau rules. Then $\{1\;F\;X\}$ is K-consistent, omits 
infinitely many parameters (all of them), and omits infinitely many integers. Extend 
it to a maximally K-consistent, $\pi$-complete, $\delta$-complete set $S$. Define a model $\mathcal{M} = 
\langle G, R, D, \mathcal{I}\rangle$ as follows. $G$ is the set of prefixes in $S$. For $\sigma$ and $\tau$ in $G$ set $\sigma R\tau$ if $\tau = \sigma.n$ 
for some $n$. This much is exactly as in Section 6.2. Let $D$ be the set of parameters. For 
an $n$-place relation symbol $P$, $\mathcal{I}(P, \sigma) = \{\langle p_1, \ldots, p_n\rangle \mid \sigma\;T\;P(p_1, \ldots, p_n) \in S\}$. 

Now that we have a model, we need a version of the truth lemma, which for proposi- 
tional prefixed tableaus took the form of (7). The version we need now is the following. 


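$$\sigma\;T\;Z \in S \Longrightarrow \mathcal{M}, \sigma \Vdash_v Z \text{ for some } v$$
$$\sigma\;F\;Z \in S \Longrightarrow \mathcal{M}, \sigma \not\Vdash_v Z \text{ for some } v \qquad (21)$$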


This is proved by induction on Z. I leave the argument to you. But the consequence 
is that the unprovable sentence X is falsified in this model, at world 1. Thus we have 
completeness for quantified K. Extending the argument to other logics is an exercise. 


13.4 Variations 


In the previous section I presented, in some detail, prefixed tableaus for constant domain 
K, and in outline versions for other constant domain logics. The other extreme is to have 
a semantics with varying domains, with no special conditions imposed on these domains. 
Thus, domains from different possible worlds might be disjoint, overlap, coincide, what- 
ever. Recall, varying domain semantics is appropriate for actualist quantification, while 
constant domain semantics corresponds to possibilist quantification. 

One way of developing prefixed tableaus for varying domain semantics is to introduce 
a different set of parameters for each prefix. This approach is worked out in detail in 
[26]. There is, however, a much simpler approach, one that builds directly on what 
has already been done here. Let us introduce a special one-place relation symbol, $E$, and 
read $E(x)$ informally as $x$ actually exists. And let us also introduce relativized quantifiers: 
$(\forall^E x)\varphi$ abbreviates $(\forall x)[E(x) \supset \varphi]$, and $(\exists^E x)\varphi$ abbreviates $(\exists x)[E(x) \wedge \varphi]$. If we use these 
relativized quantifiers, with the prefixed tableau rules given above, the result corresponds 
exactly to varying domain semantics. Loosely speaking, it is the interpretation of the 
E predicate, which can change from world to world, that gives us the effect of varying 
domains. 

What was just said is not entirely accurate. One generally takes domains of quantifica- 
tion to be non-empty. The approach outlined above does not impose such a requirement, 
since the interpretation of E at a world might, in fact, be empty. But there is a simple 
way around this. Recall how local and global premises were used in propositional pre- 
fixed tableaus—see the end of Section 6.1. The same thing works even with quantifier 
rules added. So, if we want only non-empty domains, we just take $(\exists x)E(x)$ as a global 
premise, which means $\sigma\;T\;(\exists x)E(x)$ can be added to any tableau branch, for any prefix 
already present. 

Other conditions are sometimes imposed on varying domains. Monotonicity is a com- 
mon assumption: if wRw’ then the domain associated with world w is a subset of that 
associated with world w’. Anti-monotonicity is also used occasionally, if wRw’ then the 
domain associated with w’ is a subset of that associated with w. Both can easily be 
incorporated into the present approach. For monotonicity, take $(\forall x)[E(x) \supset \Box E(x)]$ as a 
global premise. For anti-monotonicity, use $(\forall x)[\Diamond E(x) \supset E(x)]$ as a global premise. 

As an example, in Figure 14 there is a proof of the Barcan formula, using 
possibilist quantification. Try and prove the corresponding actualist quantification version, 
$(\forall^E x)\Box P(x) \supset \Box(\forall^E x)P(x)$. You can’t, with or without $(\exists x)E(x)$ as a global premise. 
But it is provable if we assume anti-monotonicity, taking $(\forall x)[\Diamond E(x) \supset E(x)]$ as a global 
premise. A proof can be found in Figure 15. In this, 2 and 3 are from 1 by $\alpha$; 4 is 
from 3 by $\pi$; 4′ is 4 unabbreviated; 5 is from 4′ by $\delta$; 6 and 7 are from 5 by $\alpha$; 2′ is 2 
unabbreviated; 8 is from 2′ by $\gamma$; 9 and 10 are from 8 by $\beta$; 11 is a global premise; 12 is 
from 11 by $\gamma$; 13 and 14 are from 12 by $\beta$; 15 is from 13 by $\nu$; 16 is from 10 by $\nu$. Closure 
is by 6 and 15, 9 and 14, 7 and 16. 

In the same way that possibilist quantifiers and quantification rules were added to 
mono-modal logics, they can be added to a multi-modal logic such as one of the logics 
of knowledge discussed in Section 9. Indeed, one could even introduce an actually exists 
predicate for each knower, $E_a$, and give each modality its own domain of quantification 
at each world. But I think we have taken things far enough. 


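$1\;F\;(\forall^E x)\Box P(x) \supset \Box(\forall^E x)P(x)$  1.
$1\;T\;(\forall^E x)\Box P(x)$  2.
$1\;F\;\Box(\forall^E x)P(x)$  3.
  Left branch from 8:
    $1\;F\;E(p)$  9.
    $1\;T\;(\forall x)[\Diamond E(x) \supset E(x)]$  11.
    $1\;T\;\Diamond E(p) \supset E(p)$  12.
      Left branch from 12:
        $1\;F\;\Diamond E(p)$  13.
        $1.1\;F\;E(p)$  15.
      Right branch from 12:
        $1\;T\;E(p)$  14.
  Right branch from 8:
    $1\;T\;\Box P(p)$  10.
    $1.1\;T\;P(p)$  16.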

Figure 15. Anti-Monotonicity and Barcan Formula 
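
The claims about the actualist Barcan formula can be cross-checked semantically. The following Python program is an added example, not part of the chapter: it evaluates formulas by the truth definition of Section 13.1, with the relativized quantifiers written as abbreviations using $E$, and searches every constant domain model with two worlds and two domain elements for a world falsifying a formula while the given global premises hold everywhere. The tuple encoding of formulas, the restriction to unary predicates, and all function names are assumptions of the example; an empty search over these small models is a finite check, not a proof.

```python
from itertools import combinations, product

def holds(M, w, f, v):
    """M, w ||-_v f for a constant domain model M = (G, R, D, I)."""
    G, R, D, I = M
    op = f[0]
    if op == 'atom':                       # ('atom', 'P', 'x'): unary predicates only
        return v[f[2]] in I[(f[1], w)]
    if op == 'not':
        return not holds(M, w, f[1], v)
    if op == 'and':
        return holds(M, w, f[1], v) and holds(M, w, f[2], v)
    if op == 'imp':
        return (not holds(M, w, f[1], v)) or holds(M, w, f[2], v)
    if op == 'box':
        return all(holds(M, u, f[1], v) for u in G if (w, u) in R)
    if op == 'dia':
        return any(holds(M, u, f[1], v) for u in G if (w, u) in R)
    if op == 'all':                        # quantifiers range over the one shared domain D
        return all(holds(M, w, f[2], {**v, f[1]: d}) for d in D)
    if op == 'ex':
        return any(holds(M, w, f[2], {**v, f[1]: d}) for d in D)
    raise ValueError(op)

def P(x): return ('atom', 'P', x)
def E(x): return ('atom', 'E', x)          # "x actually exists"
def all_E(x, f): return ('all', x, ('imp', E(x), f))    # relativized universal quantifier
def ex_E(x, f): return ('ex', x, ('and', E(x), f))      # relativized existential quantifier

BARCAN = ('imp', ('all', 'x', ('box', P('x'))), ('box', ('all', 'x', P('x'))))
BARCAN_E = ('imp', all_E('x', ('box', P('x'))), ('box', all_E('x', P('x'))))
NONEMPTY = ('ex', 'x', E('x'))
ANTI_MONO = ('all', 'x', ('imp', ('dia', E('x')), E('x')))

def subsets(items):
    return [set(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def small_models(n_worlds=2, n_dom=2):
    """Every model with the given numbers of worlds and domain elements."""
    G, D = tuple(range(n_worlds)), tuple(range(n_dom))
    extensions = subsets(list(product(G, D)))            # sets of (world, element) pairs
    for R in subsets(list(product(G, G))):
        for P_ext, E_ext in product(extensions, extensions):
            I = {(name, w): {d for (u, d) in ext if u == w}
                 for name, ext in (('P', P_ext), ('E', E_ext)) for w in G}
            yield (G, R, D, I)

def counterexample(formula, premises=()):
    """Return (model, world) falsifying the sentence `formula` in a model where each
    premise is true at every world, or None if no small model does so."""
    for M in small_models():
        G = M[0]
        if all(holds(M, w, p, {}) for p in premises for w in G):
            for w in G:
                if not holds(M, w, formula, {}):
                    return M, w
    return None
```

`counterexample(BARCAN_E, [NONEMPTY])` returns a falsifying model, while `counterexample(BARCAN)` and `counterexample(BARCAN_E, [ANTI_MONO])` return `None`.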


14 CONCLUSION 


We have reached the end of the chapter, but not the end of the subject. The literature 
on modal proof theory is vast, and there are many different approaches besides what 
was covered here. Here is a select list of pointers (for which I thank the reader for 
this chapter, Heinrich Wansing). There are higher-arity sequent systems, [7]; higher- 
level sequent systems, [13]; higher-dimensional sequent systems, [45]. There are display 
sequent systems, [4, 12, 53, 58, 60], which are particularly appropriate for temporal 
systems. See [61] for the relationship between these and hypersequents. In addition, 
there are relational proof systems, [49]; and multiple-sequent systems, [38, 39]. And for 
general treatments, see [59, 62]. 

Quantified classical logic generally admits constant and function symbols, and equality. 
Adding these to quantified modal logic requires choices. Are constant and function 
symbols to be rigid—having the same designation at each world—or non-rigid? If non- 
rigidity is the choice, a device called predicate abstraction can be added to help sort out 
ambiguities that arise. How does one deal with the contingent equality of the number 
9 and the number of the planets, but not their synonymy? Such things can, in fact, be 
dealt with, and prefixed tableau systems exist that can help sort things out. See [26] for 
a thorough discussion, and [23] for an abbreviated one. Also [25] contains a presentation 
of a rich first-order system along these lines. 

After first-order comes second-order, and full type theory. This tends to get enor- 
mously complex. Tableau systems for a version of modal type theory can be found in 
[24]. 

To a certain extent I have followed my own interests in this chapter. I’ve tried to keep 
it in control, but I think my biases show. The reader should keep in mind that this is 
an enormous subject, and my tastes may not be that of others. Start here, don’t finish 
here. 


1 INTRODUCTION


This chapter is a basic introduction to the field of computational complexity in modal logic. We 
are mostly concerned with the following question: given a formula A and a set of formulas C, 
does there exist a model in which all of C is true at every world and A is true at some world?
In other words, is $C \models \neg A$ or $C \not\models \neg A$ the case? This is the complement of the (global)
consequence problem: $C \models A$ (is A true in every model in which all of C is true at every world).
The special case of the consequence problem in which C is the empty set is called the validity
problem, and its complement is the satisfiability problem. For finite C, the local consequence
problem reduces to the validity problem, because of the deduction theorem. 

For many modal logics, these problems are decidable. Here we look at the difficulty of
deciding them. This is the topic of the theory of computational complexity. As Wikipedia has
it:


Computational complexity theory is part of the theory of computation dealing with 
the resources required during computation to solve a given problem. The most com- 
mon resources are time (how many steps it takes to solve a problem) and space 
(how much memory it takes). Complexity theory differs from computability theory, 
which deals with whether a problem can be solved at all, regardless of the resources 
required. 


Standard references to this field are [27] and [32]. 


Organization. The current section introduces common decision problems in modal logic and 
derives three useful properties of modal logics. In Section 2 we discuss the basic methods of 
establishing decidability and complexity results for the satisfiability problem in modal logic. In 
Section 3 we review the basic notions of computational complexity theory and after that we re- 
duce several tiling problems to modal satisfiability problems in order to obtain lower complexity 
bounds. These say roughly that —up to a polynomial— one cannot give a better algorithm for the 
problem at hand. Throughout the text, we hardly give references. We end with some historical 
notes. 


Links to Wikipedia. This chapter contains a lot of terminology with which the average logician 
might not be familiar. We have used links to the relevant Wikipedia entries to facilitate the reader. 
When viewing this document in a PDF reader, clicking on the highlighted terms should open the 
relevant Wikipedia page in a browser. 


1.1 Examples of decision problems in modal logic 


This chapter is about solving problems in modal logic. What is a problem? A problem for us is 
a yes/no question. These problems are typically formalized as set-membership problems. Here 
are some examples. 

Suppose first that a logic L is presented as a set of wffs (well formed formulas), as in Chapter 2 
of this handbook. Then membership in L is the same as being valid. Thus the validity problem 
equals the L membership problem. 

Alternatively, we can define a modal logic as a triple (Wffs, Struc, $\models$), a set of wffs, a class
of models, and a relation between the two. (To be precise, $\models$ is a relation between a model M,
a world w and a wff A.) This is essentially the way logics are defined in abstract model theory; 
see Chapter 1 of this handbook for further discussion. 

In this richer setting, more natural decision problems show up: 


Model checking 


1. Given a finite model M, is M a member of Struc? 


2. Given a finite model M in Struc, a world w in M and a formula $A \in$ Wffs, does
$M, w \models A$ hold?


Satisfiability Given a formula $A \in$ Wffs, does there exist a model M in Struc and a world w
in M such that $M, w \models A$ holds?


Consequence Given a set of wffs C and a wff A, does $M \models C$ imply $M \models A$ for every
model M?


Model comparison problems Given two finite models, does there exist a bisimulation between
the two?


Definability Given a set of wffs T and a propositional variable p, does T define p? The lat- 
ter means that in any model of T, the interpretation of p is uniquely determined by the 
interpretation of the accessibility relations and the other propositional variables in T. 


Proof Given a sequence s of wffs ending in A, is s a Hilbert style proof of A in some given 
axiom system? 


Note that all these problems can be cast as set membership problems. There are also other
types of problems whose complexity can be studied, for example,


• Given that $A \to B$ is a validity, find a Craig interpolant C.


• Given a first order formula $\varphi(x)$ which is invariant for bisimulation, find the equivalent
modal formula.


In the next subsection we have a closer look at the satisfiability problem, the model checking 
problem and the consequence problem. The wish to compute with models and wffs leads to 
certain desirable properties for logics. We collect three of these and derive some basic results 
for logics satisfying these properties. We finish this introduction with an example showing how 
different the satisfiability problem and the consequence problem may behave. 


1.2 A simple and a hard problem 


Consider a logic L presented as a set of wffs, as in Chapter 2 of this handbook. Then (1) is a 
natural problem. 


(1) Given a string s, is s an element of L? 

On close inspection (1) consists of two rather different problems: 
(2) Given a string s, is s a wff? 

(3) Given a wff s, is s an element of L? 


Problem (1) is often called the validity problem, the set L being the set of valid wffs. Usually it 
is stated as (3). One can blur the distinction between (1) and (3) because logics are designed in a 
certain way. Namely it is assumed that problem (2) is much simpler than problem (3). In fact it 
is assumed that problem (2) can be solved in a practically feasible manner. Before we make this 
last notion precise let us look at an example. The wffs of the basic modal language were given 
by the grammar: 


$\varphi ::= p_i \mid \neg\varphi \mid (\varphi \wedge \psi) \mid \Diamond\varphi.$


We can see this as shorthand for the following recursive definition, given as a Prolog program: 


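% wff(+T): T is a wff of the basic modal language, written as a Prolog term.
wff(p(I))      :- integer(I).        % propositional variable p_I
wff(neg(F))    :- wff(F).            % negation of F
wff(and(F, G)) :- wff(F), wff(G).    % conjunction (F and G)
wff(dia(F))    :- wff(F).            % diamond F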

The set of wffs computed by this program is the least fixed point of this recursive definition.
In other words it is the smallest set of strings s such that wff(s) succeeds. Now suppose we run
a computer with this program and ask it to determine whether wff(s) is true, for an arbitrary 
string s. Does it always terminate? And if so, can we estimate beforehand —based solely on the 
input s— when it will terminate? The first question is answered positively, and we can prove it 
by induction on the length of the input string. From this proof follows also a positive answer to 
the second question: The number of recursive calls is bounded by the number of symbols in s. 
This number is closely connected to the amount of time. For our purposes, it is not really relevant 
to measure time in seconds. For one thing, computers are getting faster every day, so that would 
make the results quickly outdated. But however fast a machine, it still has to do a number of 
“basic computation steps”, given a program. Now, depending on the granularity of our analysis, 
we determine ourselves what a basic computation step is and what not. In the above example for 
instance, we may assume that for each string s it takes one computation step to match s with the 
argument of a head in one of the clauses. Then by induction on the length of s (notation |s|), 
we can show that the machine needs at most |s| steps to find the answer (exactly |s| in case s 
happens to be a wff). We say that the time required by the machine is linear in the length of the 
input, or more informally we say that the program is in linear time. The notation which is often 
used is O(|s|) (read this as “of the order |s|”). The big O notation is a way of stating bounds that 
ignores multiplicative constants and low order terms. This is an example of a computation which 
is practically feasible: the amount of time necessary grows proportionally with the length of the 
input. 

Now we look at a program which is not practically feasible. Suppose you are given a propo- 
sitional formula and the question is whether it is a tautology. This is a typical example of a task 
that one would like a computer to solve. From a theoretical point of view, the problem is clearly 
solvable. One can answer the question by writing out the truth table and checking whether the 
last column contains true in every row. This procedure just tries out all possible truth assign- 
ments to the propositional variables and checks whether each of them makes the formula true. 
The reader should convince him/herself that this check is easy: once a truth assignment is cho- 
sen, the check can be done using at most as many steps as the number of subformulas of the 
input formula. But unfortunately the number of checks grows exponentially with the number of 
propositional variables in the input. For a formula with n variables, $2^n$ checks have to be made.
With some patience (on our side) a computer can carry this out for us. But each time the input 
formula contains just one more propositional variable, the time we may have to wait doubles. 
Very rapidly patience alone is not sufficient anymore: even on the fastest computers now avail- 
able, we would need to wait longer than the lifetime of the universe for input strings containing 
as many variables as there are characters in this sentence. Thus the procedure is not practically 
feasible, as it takes time $2^{O(n)}$, for n the number of variables.

We have seen two examples, a linear and an exponential procedure. The practically feasible 
algorithms are commonly taken to be the procedures which on any input s terminate in at most 
p(|s|) steps, where p(x) is a polynomial function in x.

So, returning to the beginning, we wanted to solve problem (1) and showed that it splits into 
two subproblems (2) and (3). We really want to pay attention to problem (3). (In the case of 
propositional logic, we just saw that (3) seems much harder to solve than (2).) Now if a logic 
satisfies the following, we can safely ignore (2). 


Desirable property 1. There exists a practically feasible algorithm which decides for any string 
whether it is a wff of the logic. 

One can view the wffs as the data of the logician. In case of logics presented as a set of
strings, they are the only data he has. The property states that access to the data is easy. 


1.3 The model checking problem 


As discussed above, a modal logic can also be defined as a triple (Wffs, Struc, $\models$), a set of
wffs, a class of models, and a relation between the two. (To be precise, $\models$ is a relation between
a model M, a world w and a wff A.) Given these data, there is one obvious problem:


(4) Given a finite model M in Struc, a world w in M, and a wff A, does $M, w \models A$ hold?


This is often called the model checking problem. In Chapter 1, two procedures are presented 
which decide this problem for the basic modal language. It was assumed that wffs and models 
can be encoded as input to a computer program. But it was also assumed that the encodings were 
correct! That is, they really encoded models and wffs. But just as in the case of problem (1) 
deciding this is part of the problem. Let’s see in detail how this works. The input of problem (4) 
consists of three parts 


1. a string $s_M$ encoding the model M;
2. a string $s_w$ encoding the world w;
3. a string $s_A$ encoding the wff A.

To count as an admissible input to the problem (4) these strings have to satisfy certain properties:


(5) $s_M$ encodes a model M and M is an element of Struc;
(6) $s_w$ is the encoding of a world in M;
(7) $s_A$ is the encoding of a wff.


Problem (7) gave rise to our first desirable property. It sounds reasonable to ask the same for 
problem (5): thus we ask for a procedure which takes at most $p(|s_M|)$ steps, for some polynomial
function p to decide whether 1) the string encodes a model, and 2) whether the model belongs 
to Struc. The first part is not problematic; if we use reasonable encodings (cf. [1] or [10]) this 
step is practically feasible. The second part, checking whether the model belongs to Struc, is 
quite a different matter. Here we do not check a simple property, like whether a string is a wff, 
or encodes a model. Here we check whether the model belongs to a class of models. This is a 
problem for which it is not even clear that it is decidable in general. In fact [4] (exercise 6.2.4) 
asks the reader to create a logic for which this problem is undecidable (a simple cardinality 
argument suffices to show that there must be classes for which membership is undecidable). 

In modal logic it is common to define the class of models Struc as the class on which a finite 
set of modal formulas is valid. That means —if the truth definition is first-order— that the class 
is defined by a sentence from monadic second-order logic of the following shape: 


block of universal quantifiers ranging over sets followed by a first order formula in 
the signature of the accessibility relations of the logic. 


Intuitively, the language in which we define the class of models influences the complexity of
deciding membership in that class: the greater expressivity the language offers, the more difficult it
can be to decide membership. This intuition is made precise in the field of descriptive complexity
theory [23]. Starting with Fagin’s Theorem [12] it turned out that classes of models which
are defined by their complexity in deciding membership correspond exactly to classes defined in 
certain well-known logical formalisms. Fagin’s Theorem states that the following are equivalent, 
for C a class of finite structures, 


• membership in C can be decided in non-deterministic polynomial time in the size of the
input structure;


• C is definable by a sentence of existential second-order logic.


Problems which can be decided in non-deterministic polynomial time are said to be in NP. 
Boolean satisfiability is the most prominent example of a problem in NP. As stated above some 
NP problems are generally believed not to be practically feasible. For more about NP, see Sec- 
tion 3. A class of structures defined by a universal second-order sentence is the complement of 
a class of structures defined by an existential second-order sentence. The complexity class co- 
NP consists of all problems whose complement is in the complexity class NP. (In computational 
complexity theory, the complement of a decision problem is the decision problem resulting from 
reversing the yes and no answers.) Thus Fagin’s Theorem also connects the complexity class 
co-NP with universal second-order definability. It is also generally believed that co-NP-hard
problems cannot be solved in a practically feasible manner.


Desirable property 2. 
• The class of models of a logical system is definable by a universal second-order sentence.


• Equivalently, the class is defined such that checking membership for finite models is in
co-NP. 


The most natural way of defining classes of structures in modal logic —by giving a number 
of modal axioms— leads in general to an impractical decision procedure. But of course this 
is the general case. For instance, it is easily seen that checking whether a model satisfies the 
axiom $\Diamond\top$ is practically feasible. In fact, it turns out that most well-known modal logics have a
practically feasible model recognition problem, for instance all logics axiomatized by Sahlqvist 
axioms. This is because for first-order definable classes the membership problem is decidable in 
polynomial time. In fact this even holds for a powerful second-order extension of it [23]: 


THEOREM 1 (Immerman—Vardi). Let C be a class of finite structures. If C is defined by a 
sentence in first-order logic expanded with a least fixed point operator (in notation FO(LFP)), 
then checking membership in C can be done in polynomial time in the size of the input structure. 


Compared to Fagin’s Theorem, Theorem 1 only states one (the easy) direction, and not an 
equivalence. In fact it is still an open problem to find the language corresponding to polynomial 
time. (Though it is solved on ordered structures: i.e., models which come with a linear order 
on their domain. Restricted to classes of ordered structures the converse of Theorem 1 holds as 
well, which is the full Immerman-Vardi Theorem.) 

In the rest of this chapter we will only deal with modal systems whose class of models is 
definable in FO(LFP), which implies that membership is decidable in polynomial time. 


The complexity of $\models$.


Having settled the hairy details, we can finally look at the problem (4). What we really ask here
is the complexity of the relation $\models$. As models and formulas are the data of logic we must be
able to access the data, thus we insist that (4) is decidable. How difficult it is to decide (4) in a
particular case is a topic carefully studied in finite model theory and in database theory [1, 10].
Note that in the formulation of (4) the complexity is solely due to the expressive power of the
language. There is something particular about the design of many modal languages which causes
(4) to be practically feasible. We explain that now. As indicated in Chapter 1, the definition
of $\models$ is given in terms of first-order logic. As we can see from the standard translation, the
basic modal language corresponds to a fragment of first-order logic which contains only two
variables. Obviously this is also true when considering more than one modality, but fails when
considering polyadic modalities; see Chapter 5, Section 1.5. But still the meaning of an n-ary
modality is defined there using n + 1 variables. So each modal similarity type $\tau$ which has a
bound n on the arity of its operators corresponds to an n + 1 variable fragment of first-order logic.
Note that the definition of modal similarity type is general enough to allow a type with infinitely 
many modalities, each having a different arity. Such modal languages do not correspond to finite 
variable fragments. Being a bounded variable fragment seems to be a distinguishing feature of 
modal languages. There is also a nice complexity theoretic argument for requiring boundedness 
in terms of variables: the model checking problem for each bounded variable fragment of first 
order logic is practically feasible, while it is not for full first order logic [38]. 


THEOREM 2 (Immerman-Vardi). Given a first-order formula $\varphi(\bar{x})$ in a fixed bounded variable
fragment, a first-order model M and a sequence $\bar{a}$ of elements from the domain of M, it is
decidable in polynomial time in $|\varphi(\bar{x})|$ and $|M|$ whether $M \models \varphi(\bar{a})$.


This gives us the third desirable property: the definition of $\models$ must be given in terms of a
bounded variable fragment of first-order logic. Note that $\models$ could alternatively be defined as the
standard translation. 


Desirable property 3. The definition of |= is given as a polynomial time computable function 
from the set of wffs to a bounded variable fragment of first order logic. 


We immediately obtain that in favorable cases the model checking problem is practically 
feasible. 


THEOREM 3. Let L be a logical system satisfying the desirable properties 1 and 3. Let its class
of models be defined by a FO(LFP) sentence. Then the model checking problem is decidable in 
polynomial time. 


1.4 The consequence problem 


The consequence problem $C \models A$ is the central problem in logic. Here we restrict to finite C
and study its complement:


(8) Given wffs C and A, can A be satisfied on a model $M \in$ Struc which globally satisfies
C?

Recall that M globally satisfies C if $M, w \models C$ holds for all worlds w in M. We call this
problem satisfiability under constraints. Without C we call it simply the satisfiability or local
satisfiability problem.

There is no reason to believe a priori that this problem is decidable for a given modal system,
even if it satisfies all design criteria. However there exists a sufficient condition which yields 
decidability in a straightforward manner. 


DEFINITION 4. Let f be some computable function. A logical system (Wff, Struc, $\models$) is
said to have the f-bounded model property if for all wffs C, A, it holds that whenever A is
satisfiable in a C model (in Struc) it is satisfiable in a C model (in Struc) whose size is bounded
by $f(|C|, |A|)$.

THEOREM 5. For any logical system having all three desirable properties, and having the f- 
bounded model property, problem (8) is decidable. 


Proof. Consider arbitrary wffs C and A. Then by the bounded model property the answer to (8)
is yes if and only if there exists a model M in Struc whose size is bounded by $f(|C|, |A|)$ which
globally satisfies C and locally satisfies A. Up to isomorphism there are finitely many structures
of that size, so we can write a procedure which lists all of them (using some representation).
By property 2 we can decide whether a structure is in Struc. By Theorem 2 we can check in
polynomial time in $f(|C|, |A|)$, $|C|$ and $|A|$ whether a structure globally satisfies C and locally
satisfies A. So we have to make a finite number of such checks, which yields the theorem. □


The procedure sketched in the last proof highlights a particular feature of algorithms designed 
to solve a problem in which one asks for the existence of a certain object. Note that this is the 
distinguishing feature between problems (4) and (8). In problem (4) we are given three objects, 
a model, a world and a wff and we have to determine whether they stand in the $\models$ relation. In
problem (8) we are just given the constraint C and the wff A and we are asked for the existence of
a model. The algorithm for problem (8) uses the algorithm for problems (4) and (5) every time 
it “tries” a model from its long list of candidates. So the algorithm for (8) naturally divides into 
two parts: 


• a (difficult) search for the right candidate model;


• an (easy) check that the candidate is correct (i.e., the model is in Struc, it globally satisfies
C, and locally satisfies A).


For this kind of problem a special computational model has been designed which reflects
the sketched division of labor. These are called non-deterministic computations. For a non- 
deterministic computation, the search for the right candidate takes no more time than required 
to write it down plus the time it takes to check whether a potential candidate is a real candidate. 
This discussion is captured in the next theorem: 


THEOREM 6. Let the logical system (Wff, Struc, $\models$) satisfy all desirable properties. If Struc
is defined by an FO(LFP) sentence and the system has the f-bounded model property, then there
is some polynomial p such that (8) is decidable by a non-deterministic algorithm taking time


$p(f(|C|, |A|), |C|, |A|)$.


The proof of Theorem 18 in Chapter 1 can be extended to show that the basic modal logic has
the $2^{(|C|+|A|)}$ bounded model property; see Proposition 10 below. Thus (8) can be decided by
a non-deterministic algorithm which takes exponential time in the length of the input. Later on 
we see that we can do better, the non-determinism is not necessary. We finish the introduction 
by giving an example of a logic for which (8) is undecidable in general but decidable in non- 
deterministic polynomial time in the special case when the set of constraints is empty. 


1.5 A tiling logic


We present an undecidable problem which is particularly well-suited for modal logics. Moreover 
finite variants of it exist which are useful in proving complexity results as we will see later on. 
These are the tiling problems. A tile is a one-by-one square which has a ‘color’ on each of its
sides; these colors are given by four functions ‘right’, ‘left’, ‘up’ and ‘down’. Given a set T of
tiles containing one special tile $T_0$, a tiling of the grid N x N by T is a map t from N x N to T
satisfying, for all $n, m \in N$:


$t(0,0) = T_0$,
$\mathrm{right}(t(n,m)) = \mathrm{left}(t(n+1,m))$,
$\mathrm{up}(t(n,m)) = \mathrm{down}(t(n,m+1))$.


Tiles are assumed to be fixed in orientation, so the above conditions say that colors of adjacent
tiles match. (We note that it is not required to use all tiles of T in a tiling of N x N.) If such a
tiling exists, we say that T can tile N x N.

The following problem is undecidable. 


N x N tiling: Given a finite set T of tiles, can T tile N x N? 


We will now define a modal system Tile which is tailored to encode the above tiling problem. 
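The language of Tile contains two unary modalities $\langle right \rangle$ and $\langle up \rangle$. In a model of the form
$(W, R_r, R_u, V)$, these modalities receive their meaning in the usual way:


$M, s \models \langle right \rangle \varphi \iff M, t \models \varphi$ for some t with $R_r s t$,
$M, s \models \langle up \rangle \varphi \iff M, t \models \varphi$ for some t with $R_u s t$.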


The class Struc of models of Tile consists of all models $(W, R_r, R_u, V)$ in which $R_r$ and $R_u$ are
(the graphs of) two commuting total functions. In particular, grid models satisfy the following
condition:


(9) $\forall x y z\,((R_r x y \wedge R_u x z) \to \exists w\,(R_r z w \wedge R_u y w))$.


THEOREM 7. Problem (8) is undecidable for the logic Tile.


Proof. We reduce the N x N-tiling problem to the satisfiability problem for Tile. We present a 
procedure that outputs for every instance T of the tiling problem, wffs $C_T$ and $A_T$ such that the
following are equivalent


• T can tile N x N;
• there exists a model M in Struc which globally satisfies $C_T$ and locally satisfies $A_T$.


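Take for any set $T = \{T_0, T_1, \ldots, T_k\}$ of tiles a corresponding set $\{t_0, t_1, \ldots, t_k\}$ of propositional
variables. Let $A_T$ be $t_0$. Define $C_T$ as the conjunction of the following formulas (where i
ranges over 0,...,k):

A1 $\bigvee_{0 \le i \le k} t_i$

A2 $\bigwedge_{0 \le i \le k} [t_i \to \bigwedge_{j \ne i} \neg t_j]$

A3 $\bigwedge_{0 \le i \le k} [t_i \to \langle right \rangle \bigvee \{t_j \mid \mathrm{right}(T_i) = \mathrm{left}(T_j)\}]$

A4 $\bigwedge_{0 \le i \le k} [t_i \to \langle up \rangle \bigvee \{t_j \mid \mathrm{up}(T_i) = \mathrm{down}(T_j)\}]$.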

It is almost immediate that T tiles N x N if and only if there exists a Tile model where $C_T$ holds
throughout and $t_0$ is satisfied at some world. (The reader should verify that in the hard direction of
the proof property (9) of grid models is crucial.) Thus we have reduced the undecidable tiling
problem to problem (8) for the logic Tile. □

We hasten to remark that the undecidability of this system has nothing to do with the fact that
we are dealing with more than one modality here; one can easily transform this example into an 
undecidable modal system in the basic modal language. 
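
The following Python code is an added example, not code from the handbook, covering the model checking problem (4), the search-and-check procedure for problem (8), and the encoding used in the proof of Theorem 7: extension is a model checker, tile_constraints builds $C_T$ and $A_T$ from A1-A4, and find_tile_model tries every finite Tile model up to a size bound. The tuple encoding of formulas, the dictionary encoding of tiles and the two sample tile sets are constructed for the example; a model that is found witnesses that T can tile N x N, while a bounded search that finds nothing is inconclusive, in line with Theorem 7.

```python
from itertools import product

# Formulas as tuples (an encoding chosen for this example):
#   ("var", i)  ("bot",)  ("not", f)  ("and", f, g)  ("dia", m, f), m in {"right", "up"}
BOT = ("bot",)


def big_and(formulas):
    out = ("not", BOT)                      # the empty conjunction is true
    for f in formulas:
        out = ("and", out, f)
    return out


def big_or(formulas):                       # disjunction via De Morgan
    return ("not", big_and(("not", f) for f in formulas))


def implies(f, g):
    return ("not", ("and", f, ("not", g)))


def extension(model, f):
    """Problem (4): the set of worlds where f holds, one pass per subformula occurrence."""
    worlds, rel, val = model
    kind = f[0]
    if kind == "var":
        return set(val.get(f[1], ()))
    if kind == "bot":
        return set()
    if kind == "not":
        return set(worlds) - extension(model, f[1])
    if kind == "and":
        return extension(model, f[1]) & extension(model, f[2])
    if kind == "dia":
        target = extension(model, f[2])
        return {w for (w, v) in rel[f[1]] if v in target}
    raise ValueError(f"unknown connective {kind!r}")


def tile_constraints(tiles):
    """Build (C_T, A_T) from A1-A4; tiles[i] has keys left/right/up/down, tiles[0] is T_0."""
    idx = range(len(tiles))
    t = [("var", i) for i in idx]

    def matching(i, side, opposite):        # disjunction of tiles allowed next to T_i
        return big_or(t[j] for j in idx if tiles[i][side] == tiles[j][opposite])

    a1 = big_or(t)
    a2 = big_and(implies(t[i], big_and(("not", t[j]) for j in idx if j != i)) for i in idx)
    a3 = big_and(implies(t[i], ("dia", "right", matching(i, "right", "left"))) for i in idx)
    a4 = big_and(implies(t[i], ("dia", "up", matching(i, "up", "down"))) for i in idx)
    return big_and([a1, a2, a3, a4]), t[0]


def tile_models(n, k):
    """Every Tile model on worlds 0..n-1: R_r, R_u commuting total functions, V arbitrary."""
    worlds = range(n)
    for f_r, f_u in product(product(worlds, repeat=n), repeat=2):
        if any(f_u[f_r[w]] != f_r[f_u[w]] for w in worlds):
            continue                        # condition (9) fails
        rel = {"right": {(w, f_r[w]) for w in worlds},
               "up": {(w, f_u[w]) for w in worlds}}
        for masks in product(range(2 ** k), repeat=n):
            val = {i: {w for w in worlds if (masks[w] >> i) & 1} for i in range(k)}
            yield worlds, rel, val


def find_tile_model(tiles, max_size):
    """Problem (8) by search and check. None only means: no model up to max_size."""
    c_t, a_t = tile_constraints(tiles)
    for n in range(1, max_size + 1):
        for model in tile_models(n, len(tiles)):
            if extension(model, a_t) and extension(model, c_t) == set(model[0]):
                return model
    return None


# Constructed tile sets: CHECKER forces a checkerboard, STUCK can never continue to the right.
CHECKER = [{"left": 1, "right": 2, "down": 1, "up": 2},
           {"left": 2, "right": 1, "down": 2, "up": 1}]
STUCK = [{"left": "a", "right": "b", "down": "c", "up": "c"}]

if __name__ == "__main__":
    print(find_tile_model(CHECKER, 2))
    print(find_tile_model(STUCK, 3))
```

The number of candidates grows exponentially with the size bound, while each individual check stays cheap; this is the division of labor described in Section 1.4.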

It is interesting to note that without constraints which hold globally these grid logics become
quite harmless. In fact, the grid-like nature of their models ensures that every locally satisfiable
formula A is satisfiable in a model whose size is at most $(|A| + 1)^2 + 1$.


THEOREM 8. Every locally Tile satisfiable formula A is satisfiable in a Tile model of size at
most $(|A| + 1)^2 + 1$. As a corollary, Tile has a local satisfiability problem which is decidable in
non-deterministic polynomial time.


Proof. Let M satisfy A at s. Let k be the modal depth of A. Thus $k < |A|$. Let $M'$ be
the smallest substructure of M which contains s together with all states reachable in at most k
($R_r$- or $R_u$-) steps from s and which satisfies property (9). By Lemma 21 in Chapter 1, A is still
satisfied in the model $M'$. The size of the universe of $M'$ is at most $(k + 1)^2$. Unfortunately
$M'$ is not yet a Tile model, because not every state has an $R_r$ and $R_u$ successor. In order to
mend this, add one dummy state x to the universe of $M'$ and put a link from w to x for all
states w (including x itself) that do not have a successor yet. That is, define $W^+ = W' \cup \{x\}$,
$R_r^+ = R_r' \cup \{(w, x) \mid R_r' w y \text{ for no } y \text{ in } M'\}$, and likewise for $R_u^+$. Let the valuation stay the
same, i.e., define $V^+(p) = V'(p)$ for all p.

The resulting model $M^+$ is a Tile model. Clearly A is still satisfied at s in this new model,
since x is ‘too far away’ to have any effect on the truth of A. (The k-bisimulation between M
and $M'$ is also a k-bisimulation between M and $M^+$.) This proves the first part of the theorem.
The complexity result follows from Theorem 6. □


2 DECISION ALGORITHMS 


We have seen some very general results and some very basic desirable properties. Now we 
look at actual algorithms for deciding the satisfiability problem under constraints and the local 
satisfiability problem for a number of typical cases. 

All presented decision algorithms are based on the following idea: show that for each wff A, 
the following are equivalent: 


(10) A is satisfiable on a Struc model.
(11) There exists a finite structure $M_A$ satisfying


• a finite number of decidable properties, and
• the size of $M_A$ is bounded by some function $f(|A|)$.


From the discussion in the previous section it should be clear that decidability of the local
satisfiability and the validity problems follows from this. A similar reduction will be given for the
satisfiability problem under constraints. Note that an upper bound on the time used by the
algorithm follows from 1) the function f and 2) the difficulty of checking the properties on $M_A$.

First let’s look at the kind of structures $M_A$ we are after and what kind of properties we can
expect. In the simplest case we just ask that $M_A$ belongs to Struc and $M_A, w \models A$ for some
world w. Often this is either not possible (for instance, if the logic does not have the finite model
property) or $M_A$ gets unnecessarily large.

For the first case, consider the basic modal language interpreted on models $(\omega, \mathrm{succ}, V)$, hence


$n \models \Diamond A \iff n+1 \models A$.


Obviously this logic does not have the finite model property as Struc consists of infinite models 
only. Still using the technique from the proof of Theorem 8 we can show that each satisfiable 
A is satisfiable at world 0 in a model ({0,1,..., modal_depth(A), dummy}, succ’, V), which is 
linear in |A|. Here succ’ is the set {(n,n + 1) | n < modal_depth(A)} U {(modal_depth(A), 
dummy), (dummy, dummy) }. 

For the second case consider the same language but interpreted on finite binary trees. Let
$\Diamond$ be interpreted by the first_child relation. By the same reasoning as above any satisfiable A
can be satisfied at the root of a tree of depth modal_depth(A). But a binary tree of this depth
contains $2^{\mathrm{modal\_depth}(A)}$ many leaves! This model contains a lot of useless information. The
only important part for the satisfiability of A at the root is its leftmost branch.

So in both cases we could do with a pseudo-model and that is what $M_A$ is in general. The
relation with some real model can be the identity, it can be a modal_depth(A) bounded
bisimulation or a more intricate or ad hoc relationship. In principle everything is fine as long as the
equivalence between (10) and (11) holds.

We will now review the most popular techniques to create structures $M_A$. We interleave the
analysis with examples of formulas enforcing large models.


2.1 Selection of points 


Let A be a satisfiable basic modal wff. Then, by Theorem 22 in Chapter 1, A is satisfiable at the 
root of a tree of depth at most modal_depth(A). This looks like a good candidate for a finite 
model, the only problem is that it can be infinitely branching. Here selection of points comes in. 
We first need an important concept: the set of A relevant formulas. 

All relevant formulas will be subformulas of A; we need a bit extra though. Given a formula
B, let $\sim B$ denote the formula C if B is of the form $\neg C$; otherwise, $\sim B$ is the formula $\neg B$; we
say that a set $\Sigma$ of formulas is closed under taking single negations if $\sim B \in \Sigma$ whenever $B \in \Sigma$.
This notion enables us to pretend that a finite set is closed under taking negations by treating $\sim B$
as if it were the real negation of B. Now given a set of formulas $\Sigma$, let Cl($\Sigma$) be the smallest set
of formulas that extends $\Sigma$ and is closed under taking subformulas and single negations. When
A is a formula, we denote the set Cl({A}) of relevant A formulas by Cl(A); it is easy to see that
the cardinality of Cl(A) is linear in the length of A. We call Cl(A) the closure of A.

Now let M be the chopped tree of finite depth which satisfies A at the root. For any world w
in M define the A theory of w (notation: $\theta^A_M(w)$) as the set $\{B \in Cl(A) \mid M, w \models B\}$. Now
if we can create a model $M_A \subseteq M$ such that

root   the root of M is still in $M_A$, and
succ   for each w in $M_A$, $\theta^A_{M_A}(w) = \theta^A_M(w)$,

then A is still satisfied at the root of $M_A$. We create $M_A$ by selecting for each world w just
enough successors in order to ensure that $\theta^A_{M_A}(w) = \theta^A_M(w)$. Starting at the root, choose, for
every subformula of A of the form $\Diamond\varphi$, a successor of the root at which $\varphi$ is true (if such a
successor exists at all). Obviously, at most b successors need to be chosen, where b is the number
of diamond subformulas of A. Hence, by deleting all successors that were not chosen and their
descendants from the model, we obtain a tree model whose branching degree at the root is at
most b. A simple verification shows that A still holds at the root. Now repeat this process at
each of the chosen successors of the root and continue until the leaves of the tree are reached.
Obviously A is still satisfied at the root. The result is our desired $M_A$. Clearly conditions root
and succ are satisfied and we have shown


PROPOSITION 9. Any satisfiable modal formula A can be satisfied at the root of a finite tree
model with the following properties:

• the depth is bounded by the modal depth of A, and

• the branching degree is bounded by the number of diamond subformulas of A.


The number of worlds in this model is exponential in the modal depth of the formula A. It seems 
that in the worst case such a size is unavoidable. We now show a formula which exemplifies this 
worst case behavior. We define, for each natural number n, a satisfiable formula A(n) with the 
following two properties 


• the size of A(n) is quadratic in n, and

• when A(n) is satisfied in any model M at state s, then M contains as a substructure an
isomorphic copy of the binary tree of depth n whose root is s.


Thus the size of the smallest model satisfying A(n) is exponential in |A(n)|. The idea underlying
the definition of A(n) is very simple: take n propositional variables $p_0, \ldots, p_{n-1}$ and write a
formula which when satisfied forces a binary branching tree in which every possible valuation
on $\{p_0, \ldots, p_{n-1}\}$ occurs at some leaf. Thus the model certainly contains $2^n$ different states.
The formula is constructed using two macros: $\mathit{branch}(p_i)$ and $\mathit{store}(p_i)$ defined as follows:

$$\mathit{branch}(p_i) := \Diamond p_i \wedge \Diamond\neg p_i$$
$$\mathit{store}(p_i) := (p_i \to \Box p_i) \wedge (\neg p_i \to \Box\neg p_i).$$


The formula A(n) then is given as

$$\mathit{branch}(p_0) \wedge \bigwedge_{1 \le i < n} \Box^i \Big( \mathit{branch}(p_i) \wedge \bigwedge_{0 \le j < i} \mathit{store}(p_j) \Big), \tag{12}$$

in which $\Box^i$ abbreviates a sequence of i many boxes. The formula works as follows. Suppose
$M, s \models A(n)$. Then the branch part of A(n) states that every node t reachable in i R-steps
from s has two different successors, one forcing $p_i$ and another forcing $\neg p_i$. The store part
of the formula states that successors of t created by the branch part satisfy precisely the same
proposition letters $p_0, \ldots, p_{i-1}$ as does t. We leave it to the reader to verify that the interplay of
the branch and store macros forces a binary tree of depth n, as desired.


2.2 Filtration 


Let C, A be wffs. Assume that there exists a model M and a world $w_0$ such that $M \models C$ and
$M, w_0 \models A$. Now if C contains for instance the formula $\Diamond\top$, then M cannot be a finite tree. So
the selection of points method does not work in the presence of global constraints. Instead we
will choose enough worlds from the model M to create a new small model.

We will show that there exists a model M’ containing $2^{O(|C|+|A|)}$ many worlds such that
$M' \models C$ and $M', w \models A$. The model M’ is defined from the theories $\theta^{A,C}_M(w)$, for worlds w
in M. Thus the domain of M’ is the set

$$\{\theta^{A,C}_M(w) \mid w \text{ in } M\}.$$


Note that the worlds in M’ are sets of formulas. We want to create a model such that each world
describes which relevant wffs are true in it. I.e., we want a

Truth Lemma   For all wffs $B \in Cl(A, C)$, for all worlds $\theta^{A,C}_M(w)$,

$$B \in \theta^{A,C}_M(w) \text{ if and only if } M', \theta^{A,C}_M(w) \models B.$$

The desire to have this truth lemma puts three constraints on the model M’:

valuation   V’ is defined such that for all propositional variables $p_i$,
$p_i \in \theta^{A,C}_M(w)$ if and only if $\theta^{A,C}_M(w) \in V'(p_i)$.

Relation R’ is defined such that

min   For all worlds x, if $\Diamond B \in x$, then there exists a world y such that R’(x, y) and $B \in y$.

max   For all worlds x, y in M’, for all $\Diamond B \in Cl(A,C)$, if R’(x, y) then $B \in y$ only if
$\Diamond B \in x$.


The truth lemma can be shown by induction on the length of the wff. It holds for every model M’
satisfying these three constraints. The first constraint determines the definition of V’. For R’, we
have more freedom. Any relation satisfying both min and max will do. For instance, R’ can be
defined as follows: R’(x, y) if and only if for all $\Diamond B \in Cl(A,C)$, $B \in y$ only if $\Diamond B \in x$. Note
that when proving the truth lemma we use two properties of the sets $\theta^{A,C}_M(w)$ which together
state that these sets of formulas do not contain blatant propositional inconsistencies:

and   For $B \wedge D \in Cl(A,C)$, $B \wedge D \in \theta^{A,C}_M(w) \iff B \in \theta^{A,C}_M(w)$ and $D \in \theta^{A,C}_M(w)$.
not   For $B \in Cl(A,C)$, $\sim B \in \theta^{A,C}_M(w) \iff B \notin \theta^{A,C}_M(w)$.

The model M’ thus obtained is called the filtration of the model M through the set of formulas
Cl(A, C). Note that, by the truth lemma, $M' \models C$, and, because $\theta^{A,C}_M(w_0)$ is a world in
M’, $M', \theta^{A,C}_M(w_0) \models A$. Thus we have shown

PROPOSITION 10. If A is satisfiable in a model which globally satisfies C, then A is satisfiable
in a model which globally satisfies C and whose set of worlds is bounded by $2^{O(|C|+|A|)}$.


2.3 Hintikka set elimination 


We now give an algorithm which constructs the model whose existence was just shown. The idea 
comes straight from the proof of the truth lemma. That inductive proof shows that if we can find 
a set G of subsets of Cl(A, C) such that 


HS1 every element of G contains C; 


HS2 there is an element of G which contains A; 




HS3 every element of G satisfies the properties and and not;

HS4 for every element X of G, for every formula $\Diamond B \in Cl(A,C)$, if $\Diamond B \in X$, then there
exists a $Y \in G$ such that

1. $B \in Y$, and
2. for all $\Diamond D \in Cl(A,C)$, if $D \in Y$ then $\Diamond D \in X$,


then we can prove the truth lemma, and A is satisfiable in a model which globally satisfies C.
The filtration described above shows the other direction: if A is satisfiable in a model which
globally satisfies C, then a set G satisfying HS1-HS4 exists. So we describe a procedure which
tries to create that set G.

Let $S_0$ consist of all sets $\Delta \subseteq Cl(A,C)$ which contain C and which satisfy properties and
and not. Thus conditions HS1 and HS3 hold for $S_0$. Clearly $S_0$ can be effectively computed
and $|S_0| \le 2^{O(|A|+|C|)}$. We now inductively construct a sequence of sets of sets of formulas
$S_0 \supseteq S_1 \supseteq S_2 \supseteq S_3 \cdots$. During this construction we try to find witnesses for diamond formulas.
We say that a set $X \in S_i$ is ready if, for the set X alone, condition HS4 holds with G replaced
by $S_i$. In other words, the set $S_i$ contains witnesses for all diamond formulas in X. If every set
in $S_i$ is ready and $S_i$ satisfies HS2, then return ‘A is satisfiable in a global C model’. If there
is no set in $S_i$ containing A, then return the negation of the last statement. Otherwise, let $S_{i+1}$
consist of all ready sets in $S_i$ and continue the construction. Since $S_i \supseteq S_{i+1}$, the construction
is guaranteed to terminate in at most $2^{O(|A|+|C|)}$ stages.

Why is this algorithm correct? If the algorithm answers ‘satisfiable’, then it has found a set
of subsets of Cl(A, C) satisfying the four HS conditions. But then we can create a model out
of them, just as we did in the filtration. For instance, we can define R to be minimal. Now we
use the conditions to show that the truth lemma holds. Conversely, suppose that A is locally
satisfiable in a C model M. Let G be the set $\{\theta^{A,C}_M(w) \mid w \text{ in } M\}$. It is easy to show that G
satisfies the four HS conditions, and that the algorithm will never delete any element in G in any
of its stages. Thus it will return ‘satisfiable’.

How many computation steps does this procedure take? It lasts at most $2^{O(|A|+|C|)}$ stages.
At every stage we check whether $S_i$ satisfies properties HS2 and HS4. How can we find out
how long each check takes? The simplest way is to formalize the whole procedure in terms of
first-order logic and use the results about first-order model checking. We can view the power set
of Cl(A, C) as the domain of a first-order model, which has unary predicates for each formula in
Cl(A, C). Then the conditions HS1-HS4 become just first-order conditions on that model. For
instance, we have

$$\forall x\,(P_{\neg B}(x) \leftrightarrow \neg P_B(x)),$$

with $P_B$ the unary predicate corresponding to the modal formula B. We have to write as many
of such first-order conditions as there are subformulas of A and C. Also note that they can all
be written using just two first-order variables. But we know that given a model and a first-order
formula in a fixed number of variables, checking whether that formula is true in that model can
be done in time polynomial in the size of the model and the formula. But the size of each model
corresponding to a set $S_i$ is bounded by $2^{O(|A|+|C|)}$. So each check can be done in a polynomial
number of steps in $2^{O(|A|+|C|)}$, which is just $2^{O(|A|+|C|)}$ many steps. We must make at most
$2^{O(|A|+|C|)}$ many such checks, so the whole algorithm takes $2^{O(|A|+|C|)}$ many steps.

Subsets of Cl(A, C) satisfying HS3 are called Hintikka Sets after Jaakko Hintikka who first 
employed them. 
2.4 Hintikka set elimination without constraints


The last algorithm is very impractical: it takes exponentially many steps for every input. This is
because in the first step it already creates all possible candidates for worlds in the model. When
the set of constraints is empty we can do better using a non-deterministic algorithm. The idea is
the following. Let A be the formula for which we want to decide whether it is locally satisfiable.
Guess a set $X \subseteq Cl(A)$ and check whether it satisfies HS2 and HS3. Suppose it does. Then it
is a candidate for the root of a model for A. Now we must check HS4 for X. Instead of finding
the witnesses Y in some set of candidates, we create them on the fly. Now the important point
is what the structure of these Y should be. As the Y will be placed in a model one step away
from the root, it is wasteful to prove the truth lemma for Y for all formulas in Cl(A). In order
to prove the truth lemma at the root X, we only need that it holds at Y for the set of formulas
$Cl(\{B \mid \Diamond B \in Cl(A)\})$. And so forth for every next level. (We urge the reader to verify this.) This
is the idea behind the next algorithm: the further we are away from the root, the fewer diamond
formulas we have to find witnesses for. In fact, the recursion depth of the algorithm is bounded by
exactly the modal depth of the input formula A. What the algorithm is really doing is searching
for the tree model that we constructed in the selection of points proof given above.

The algorithm presented in Figure 1 implements this search for a tree model. We claim that for
sets of formulas $\Delta$ and $\Sigma$ such that $\Sigma$ is closed under taking subformulas and single negations,
K-World($\Delta$, $\Sigma$) will be true iff there exists a tree model M such that at the root s, for all $B \in \Sigma$,
($M, s \models B \iff B \in \Delta$). This function can be used to solve satisfiability for the basic
modal system, since A is satisfiable iff there exists a set $\Delta \subseteq Cl(A)$ such that $A \in \Delta$ and
K-World($\Delta$, $Cl(A)$) is true.

Note that with each recursive call of K-World, the size of the set $\Sigma$ decreases, since we include
formulas of smaller modal depth only. Thus the recursion depth is bounded by the modal depth
of the input formula A. That the function is correct can be shown by induction on the size of
$\Sigma$; we leave this to the reader. Now what about the complexity of this algorithm? Obviously, if
we feed it the binary-branching tree formula given below Proposition 9 it needs as many steps as
there are nodes in the tree, $2^n$, for n the number of propositional variables in the formula. But
besides the number of steps, we also measure the amount of memory space a machine needs for
a specific algorithm. In the Hintikka set elimination algorithm the space used was exponential
in the input formula, as the set of all candidates had to be stored. At first sight, the K-World
algorithm needs just as much space, as it will create a complete tree model, if it can. But K-World
can be implemented in such a way that it only needs to store at most one complete branch
of the tree model plus a little storage for administration. The idea is that once it has checked that
it can create certain desired witnesses, it can remove those witnesses from memory. It just needs
to remember not to do that check again, which is easily implemented. As the length of each
branch is bounded by the modal depth of A, the whole algorithm needs a polynomial amount in
|A| of memory space. This argument is made precise in Chapter 4.
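
The following Python sketch is an added example, not code from the handbook: it implements the K-World function of Figure 1 deterministically, enumerating the candidate sets instead of guessing them, and runs it on the formula A(n) given below Proposition 9. The tuple encoding of formulas and all function names are assumptions of this example; it memoizes results and returns the whole witness tree, so it does not realise the one-branch-at-a-time space bound described above.

```python
from functools import lru_cache
from itertools import product

# Formulas are nested tuples (an encoding assumed for this example):
# ("var", name), ("not", f), ("and", f, g), ("dia", f).
def var(name): return ("var", name)
def sneg(f): return f[1] if f[0] == "not" else ("not", f)  # single negation ~B
def dia(f): return ("dia", f)
def box(f): return sneg(dia(sneg(f)))
def imp(a, b): return sneg(("and", a, sneg(b)))
def conj(first, *rest):
    for f in rest:
        first = ("and", first, f)
    return first

def closure(formulas):
    """Cl: smallest superset closed under subformulas and single negations."""
    todo, seen = list(formulas), set()
    while todo:
        f = todo.pop()
        if f not in seen:
            seen.add(f)
            todo.append(sneg(f))
            if f[0] != "var":
                todo.extend(f[1:])
    return frozenset(seen)

def is_hintikka(delta, sigma):
    """Properties 'not' and 'and' of Figure 1, for delta relative to sigma."""
    return (delta <= sigma
            and all((b in delta) != (sneg(b) in delta) for b in sigma)
            and all((f in delta) == (f[1] in delta and f[2] in delta)
                    for f in sigma if f[0] == "and"))

@lru_cache(maxsize=None)
def hintikka_sets(sigma):
    """All such delta: one per truth assignment to variables and diamonds."""
    basis = sorted((f for f in sigma if f[0] in ("var", "dia")), key=repr)
    def holds(f, val):
        if f[0] == "not":
            return not holds(f[1], val)
        if f[0] == "and":
            return holds(f[1], val) and holds(f[2], val)
        return val[f]
    found = []
    for bits in product((True, False), repeat=len(basis)):
        val = dict(zip(basis, bits))
        found.append(frozenset(f for f in sigma if holds(f, val)))
    return tuple(found)

@lru_cache(maxsize=None)
def k_world(delta, sigma):
    """K-World(delta, sigma): a witness tree (delta, children), or None."""
    if not is_hintikka(delta, sigma):
        return None
    diamonds = [f for f in sigma if f[0] == "dia"]
    sub_sigma = closure(f[1] for f in diamonds)    # Cl({D | <>D in sigma})
    children = []
    for d in sorted((f for f in delta if f[0] == "dia"), key=repr):
        for y in hintikka_sets(sub_sigma):         # candidate Delta_B
            if (d[1] in y and all(e in delta for e in diamonds if e[1] in y)
                    and k_world(y, sub_sigma) is not None):
                children.append(k_world(y, sub_sigma))
                break
        else:
            return None                            # <>B in delta has no witness
    return (delta, tuple(children))

def satisfying_tree(a):
    """Tree model for formula a, or None if a is unsatisfiable in K."""
    sigma = closure([a])
    for delta in hintikka_sets(sigma):
        tree = k_world(delta, sigma) if a in delta else None
        if tree is not None:
            return tree
    return None

def branch(p): return conj(dia(p), dia(sneg(p)))
def store(p): return conj(imp(p, box(p)), imp(sneg(p), box(sneg(p))))
def forcing_formula(n):
    """A(n): branch(p0), and under i boxes branch(p_i) plus store(p_j), j < i."""
    ps = [var(f"p{i}") for i in range(n)]
    parts = [branch(ps[0])]
    for i in range(1, n):
        body = conj(branch(ps[i]), *(store(ps[j]) for j in range(i)))
        for _ in range(i):
            body = box(body)
        parts.append(body)
    return conj(*parts)

def valuations_at_depth(tree, depth, names):
    """Distinct truth assignments to names found depth steps below the root."""
    delta, children = tree
    if depth == 0:
        return {tuple(var(x) in delta for x in names)}
    return set().union(*(valuations_at_depth(c, depth - 1, names) for c in children))

if __name__ == "__main__":
    t = satisfying_tree(forcing_formula(3))
    print(len(valuations_at_depth(t, 3, ["p0", "p1", "p2"])))
```

For n = 3 the tree found carries all 8 valuations of p0, p1, p2 at depth 3, which is the exponential blow-up the text argues A(n) forces.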


2.5 Forcing exponentially deep paths 


Now we will see that global constraints destroy the polynomially bounded depth of paths of the 
satisfying models for the basic modal system. In particular, we create a globally satisfiable con- 
straint which, when satisfied, forces a branch in the model containing an exponential number of 
different Hintikka sets. The algorithm sketched in the previous subsection used only polynomial 
space because the paths in the satisfying model could be kept “short”. 
Assume that $\Delta$ and $\Sigma$ are finite sets of formulas such that $\Delta \subseteq \Sigma$ and
$\Sigma$ is closed under taking subformulas and single negations.

K-World($\Delta$, $\Sigma$) if and only if
• $\Delta$ satisfies properties and and not with respect to $\Sigma$, that is,
  not   For $B \in \Sigma$, either $\sim B \in \Delta$ or $B \in \Delta$.
  and   For $B \wedge D \in \Sigma$, $B \wedge D \in \Delta \iff B \in \Delta$ and $D \in \Delta$.
• for each formula $\Diamond B \in \Delta$ there is a set $\Delta_B \subseteq \Sigma$ such that
  - $B \in \Delta_B$,
  - $(\forall \Diamond D \in \Sigma)$: $D \in \Delta_B \Rightarrow \Diamond D \in \Delta$, and
  - K-World($\Delta_B$, $Cl(\{D \mid \Diamond D \in \Sigma\})$).

Figure 1. The function K-World decides K satisfiability.


A simple way of forcing the existence of exponentially deep R-paths is to employ binary
counters. By a binary counter we will understand a device that can have natural numbers as
values, represented as binary strings of 0s and 1s; one should also be able to increment this
value by one. We will use a set $\{p_0, \ldots, p_{n-1}\}$ of propositional variables to implement an n-ary
binary counter (n-ary means that the counter is reset to zero after reaching $2^n - 1$). We use
these variables to encode the n bits of the counter, with $p_0$ encoding the least significant and
$p_{n-1}$ the most significant bit. The variable $p_i$ being true in a given state encodes the fact that
the ith bit of the counter is 1 in that state. The key idea to an encoding into the modal language
lies in the following characterization of adding 1 to a binary counter. If $a = a_{n-1} \ldots a_0$ and
$b = b_{n-1} \ldots b_0$ are two n-bit counters, then $b = a + 1 \pmod{2^n}$ precisely when the following
holds: either $b_i = 0$ and $a_i = 1$ for all i (this is when we start counting at 0 again), or, for some
$k \le n - 1$ we have that

(1) $a_k = 0$ and $b_k = 1$,

(2) $a_j = 1$ and $b_j = 0$ for all $j < k$, and

(3) $a_i = b_i$ for all $i > k$.

In a picture:

    10110 0 1111      a
    00000 0 0001
    10110 1 0000      b = a + 1.
          k


We want to write wffs A(n) and C(n) which force a counter to take on all values from 0 to
$2^n - 1$, in consecutive states. In particular, we want that if $M \models C(n)$ and $M, s_0 \models A(n)$, then
M contains an R-path of length $2^n - 1$ starting at $s_0$. Moreover all sets $\theta^{A(n),C(n)}_M(s_i)$, for
$s_i$ lying on this path, are different. We take care that the formulas have length only $O(n^2)$. The
formula A(n) expresses the fact that the counter is initially set to 0:

$$\neg p_0 \wedge \ldots \wedge \neg p_{n-1}.$$
The formula C(n) will be a conjunction of three wffs which should hold globally in a model.
The first conjunct expresses that every state has a successor:

$$\Diamond\top.$$

The next two conjuncts take care of addition. They express that whenever an R-transition is
made in the model the binary counter is increased by one. First the simple case of resetting the
counter:

$$(p_0 \wedge \ldots \wedge p_{n-1}) \to \Box(\neg p_0 \wedge \ldots \wedge \neg p_{n-1}).$$

Finally, the last conjunct of C(n) covers the case when we have to ‘carry one’. This conjunct will
itself be a conjunction, having a conjunct of the following form for every k such that $0 \le k < n$:

$$\Big(\neg p_k \wedge \bigwedge_{j<k} p_j\Big) \to \Box\Big(p_k \wedge \bigwedge_{j<k} \neg p_j\Big) \wedge \bigwedge_{i>k} \mathit{store}(p_i),$$

with $\mathit{store}(p_i)$ as defined above and the empty conjunction set to true.

We leave it to the reader to check the correctness of this formula. Note that Proposition 9
states that a wff in the basic modal language can only force models with R-paths at most its
modal depth. Now the modal depth of C(n) is just two for every n, while the minimal R-depth
of models satisfying C(n) is $2^n - 1$. The difference is that C(n) is a constraint which should
hold globally.


2.6 Tree automata 


The simplest way to see if a formula is satisfiable is to try to construct a model for it. This is 
what the K-World algorithm does. In fact it constructs a tree model if it can. Having constraints, 
constructing a tree model has to be done with care as it can become infinite (e.g., if the constraint
is $\Diamond\top$). In effect one has to detect looping. Looping will occur as the tree is labeled with sets
of relevant wffs (the Hintikka Sets) and there are just finitely many of them. We can see the
Hintikka Set elimination algorithm as a particular way to implement this. Tree automata (in
particular Büchi tree automata) are yet another way of dealing with infinite models. We describe
those here and relate them to the other approaches. But before we go into them, we briefly look 
at a related problem: satisfiability on finite trees. Suppose we ask, given A and C, is A locally 
satisfiable in a finite tree that globally satisfies C? It seems not easy to adjust the Hintikka set 
elimination algorithm. We can use a tableaux approach (because we can compute a bound on the 
depth of the trees) but the complexity of it seems horrendous. As it turns out, a tree automaton 
approach has the right level of abstraction to deal with both infinite and finite trees in a unified 
manner. Chapter 17 describes the automata-theoretic approach to temporal reasoning. 

A finite state automaton is a device to recognize (finite or infinite) strings in a given finite 
alphabet. Every automaton defines a language (a set of strings). The key result about these 
automata is a characterization theorem: a language L can be defined by a finite state automaton 
if and only if it can be defined by a regular expression. Recall the model $(\omega, \mathit{succ}, V)$ of the
logical system from the introduction of this section. Let V be restricted to X, a finite set of
propositional variables. Then we can view this model as an infinite string in the alphabet $\mathcal{P}(X)$,
indicating which variables are true at which worlds. The idea of model checking by automata is
that for every formula A one creates an automaton $\mathcal{A}_A$ which accepts exactly those “models as
strings” in which A is true at the origin.

But we can do more with $\mathcal{A}_A$. We could try to check if $\mathcal{A}_A$ can accept any string at all. In
other words, if A is locally satisfiable. This is called the emptiness problem of an automaton and
for Büchi automata this problem is practically feasible.

Now finite state automata are fine for linear models, but in general models in modal logic 
are graphs. A number of interesting modal systems though have the tree model property. Tree 
automata generalize sequential automata in that they recognize ranked trees. So we can use 
the same idea as sketched above to decide satisfiability for the basic modal system using tree 
automata. In fact, tree automata might be used in any situation in which the models have a 
tree like property. Arguably the most powerful complexity results in modal logic —in particular 
for systems in which = has a second-order definition— have been obtained by employing tree 
automata. 

We sketch the idea in a simple situation, satisfiability under constraints for the basic modal
system. First come the technical notions. Let [n] denote the set {1,...,n}. An n-ary $\Sigma$-tree T
is a labeling of the set $[n]^*$ by letters from an alphabet $\Sigma$. That is, $T : [n]^* \to \Sigma$. The empty
sequence $\epsilon$ is called the root of the tree.

A (non-deterministic) Büchi automaton on n-ary trees is a tuple $\mathcal{A} = (\Sigma, S, \rho, S_0, F)$ where

• $\Sigma$ is a finite alphabet.

• S is a finite set of states.

• $\rho : S \times \Sigma \to \mathcal{P}(S^n)$ is the transition function. For each state $s \in S$ and letter $\sigma \in \Sigma$, it
yields the set of possible S labellings of the n successors of state s.

• $S_0 \subseteq S$ is the set of initial states.

• $F \subseteq S$ is the set of final states.


A run of an automaton $\mathcal{A}$ on a tree T is a labeling of the nodes of T (notation $r : T \to S$) by
states in S such that

• the root is labeled by an initial state (that is, $r(\epsilon) \in S_0$), and

• the transitions obey the transition function $\rho$. That is, for each node x we have
$(r(x \cdot 1), \ldots, r(x \cdot n)) \in \rho(r(x), T(x))$.

A run $r : T \to S$ is accepting if every branch of r visits F infinitely often. That is, for every
branch root, $x_1, x_2, \ldots$ of T there are infinitely many i’s such that $r(x_i) \in F$.

We will now show how Büchi automata relate to our earlier notions and how they are used to
decide satisfiability. Let A, C be basic modal wffs. We have seen the following equivalences:

1. A is locally satisfiable in a model which globally satisfies C.

2. There exists a set $G \subseteq \mathcal{P}(Cl(A, C))$ satisfying conditions HS1-HS4.

3. A is satisfiable at the root of an n-ary tree which globally satisfies C. Here n is determined
by the number of $\Diamond$ subformulas in A and C.

We can think of the tree in the last item as being labeled by elements of G (telling us immediately
which subformulas of A and C are true in which worlds, without having to apply the truth
definition). We call this tree model with the extra labels a Hintikka tree for A, C, if the root is
labeled with a Hintikka set containing A. So we can add a fourth equivalent statement:

(iv) There exists a Hintikka tree for A, C.

Now our strategy must be clear. Given A and C we must build an automaton $\mathcal{A}_{A,C}$ which takes
n-ary trees labeled by subsets of Cl(A, C) as input and accepts if and only if the input is a
Hintikka tree for A, C. Then we have a fifth equivalent statement:

(v) The set of trees accepted by $\mathcal{A}_{A,C}$ is not empty.

As checking emptiness can be done in polynomial time (in the size of the automaton), the
complexity of the algorithm based on (v) depends on the complexity of the function creating $\mathcal{A}_{A,C}$
from A and C. As we will see this takes time bounded by an exponential in |A| and |C|. Thus
the size of $\mathcal{A}_{A,C}$ is similarly bounded and we obtain an exponential time decision algorithm.

We create $\mathcal{A}_{A,C}$ as follows. Let G be the set of subsets of Cl(A, C) satisfying HS1 and HS3.
For simplicity we assume that C implies $\Diamond\top$, so that every model is infinite. This is easily lifted.
Let the number of $\Diamond$ subformulas in A and C be n. $\mathcal{A}_{A,C}$ is a Büchi automaton $(\Sigma, S, \rho, S_0, F)$
on n-ary trees with

• $\Sigma = S = F = G$.

• $S_0 = \{x \in G \mid A \in x\}$.

• $\rho$ is defined as follows. $\rho(X, X)$ is the set of all sequences $(X_1, \ldots, X_n)$ such that

  1. for all $\Diamond B \in X$, there is an $X_i$ such that $B \in X_i$, and
  2. for all $\Diamond D \in Cl(A, C)$, for all $X_i$, if $D \in X_i$, then $\Diamond D \in X$.

  On all other inputs, $\rho$ returns the empty set.

With all machinery developed so far it is straightforward to show that

$\mathcal{A}_{A,C}$ accepts a tree T if and only if T is a Hintikka tree for A, C.

Thus the decision algorithm based on checking emptiness of $\mathcal{A}_{A,C}$ is correct.

Now we show how we can check for finite tree satisfiability. Clearly we do not assume that
C implies $\Diamond\top$, otherwise the problem is already solved. But we do add $\Diamond\top$ to the set Cl(A, C).
Then we create $\mathcal{A}_{A,C}$ as follows:

• $\Sigma = S = G$.

• $S_0$ is as before.

• $F = \{x \in G \mid \neg\Diamond\top \in x\}$.

• $\rho$ is defined for X containing $\Diamond\top$ as before and for $X \in F$ as $\rho(X, X) = (X, \ldots, X)$.
That is, the automaton gets into a self-loop once it reaches a state which should not have
successors.

Now, this automaton accepts a tree T if and only if T is a Hintikka tree for A, C and every node
has a descendant which is the root of a subtree all of whose nodes are labeled by one and the same
set from F. In a real model we just cut off these subtrees leaving only their roots (which after all
say that they do not have successors).


Vardi [39] has argued that the tree model property of modal logic is the reason for its robust
decidability. Robust means here that expansions of the basic modal language with powerful,
possibly second-order, operators do not destroy decidability. One way to show this is to show that
the language is a fragment of the monadic second-order logic of trees, and use the decidability
of the latter, which is proved using automata.
2.7 Pseudo-models


The models we constructed so far were not really pseudo-models, in fact they could all be con- 
sidered as ordinary models. Now we look at two examples in which we shall be working with 
structures which look very much different from the intended models of the logics. 


Two dimensional modal logic 


The first logic that we consider here is, just as the tiling logic, also based on grid-like
structures, but here we only require that the models are two-dimensional in nature, there will be no
functions around. The language has two diamonds, $\Diamond_0$ and $\Diamond_1$, with the standard truth definition.
The models are of the form $M = (W, \equiv_0, \equiv_1, V)$, where we require that $(W, \equiv_0, \equiv_1)$ is in fact
a square over some set U. That is, W consists of the set $U \times U$ of all pairs over U, while $s \equiv_i t$
holds if $s_i = t_i$: the i-th coordinate of s and the i-th coordinate of t should be the same. Denote
the resulting system as $S5^2$.

As a modal system, $S5^2$ might look rather obscure, but as a logic it is well-known. In fact
it is the exact modal counterpart of a restricted fragment of first-order logic with two variables
in a signature having a binary relation symbol R for every propositional variable r. This is
seen as follows. First observe that the $S5^2$ model $M = (W, \equiv_0, \equiv_1, V)$ with $W = U \times U$ is
uniquely determined by the set U and the valuation V. Note that for any propositional variable r,
$V(r) \subseteq U \times U$, i.e., a binary relation. Thus V can also be seen as an interpretation of the set of
binary relation symbols R corresponding to each propositional variable, and we can view (U, V)
as an ordinary first-order model. Also observe that we may identify assignments s mapping
the two variables $x_0$ and $x_1$ to U with pairs $(s(x_0), s(x_1)) \in W$. Thus viewing the states of the
modal models as assignments, we may read the statement ‘$\varphi$ holds in (U, V) under assignment s’
modally as ‘in model $(U \times U, \equiv_0, \equiv_1, V)$, $\varphi$ is true at state s’. Because $S5^2$ models are squares,
the truth definition of the diamonds can be rewritten exactly as the definition of the first-order
existential quantifiers:

$$M, (a,b) \models \Diamond_0\varphi \iff \text{there exists } a' \text{ such that } M, (a',b) \models \varphi.$$

Thus $\Diamond_i$ is another way of writing $\exists x_i$. In a related way, one can define modal systems $S5^n$
corresponding to first-order logic with n variables for any n. This is done in the field of cylindric
modal logic, see [42, 29, 15].


Note that in this modal system, the local satisfiability and the satisfiability problem under
constraints collapse. This is because A is locally satisfiable in a C model if and only if $A \wedge \Box_0\Box_1 C$
is locally satisfiable. Thus we consider the local satisfiability problem only. That problem is
decidable, and a proof for this uses some kind of finite model property as well.

Here, instead of defining a finite model for A by selecting points out of the old model, we will
identify points in the big model and define the finite model as a sort of quotient structure which
we call, as before, a filtration of the original model. It will turn out that this filtration will not be
a square itself but a square-like structure that we here dub a pseudo-square. This is a model with
an underlying frame $(W, R_0, R_1)$ in which both $R_0$ and $R_1$ are equivalence relations, and their
composition should be the universal relation. That is, $(W, R_0, R_1)$ has to validate

(13) $R_0$ and $R_1$ are equivalence relations and $\forall xy \exists z (R_0 xz \wedge R_1 zy)$.

For this kind of structure, we can prove the following proposition. (The system also has
the bounded finite model property with respect to squares, but this is much harder to establish
[31, 18].) As we saw before, decidability follows immediately, because it is decidable whether a
finite structure is a pseudo-square (this is a first-order property).


PROPOSITION 11. Any $S5^2$-formula A is satisfiable in a square iff it is satisfiable in a
pseudo-square of size not exceeding $2^{|A|}$.


Proof. We concentrate on the left to right direction of this proof since we are only interested
in explaining the notion of filtration to a pseudomodel at the moment. (For the other direction
of the proof, one shows that given a pseudo-square model, one can always find a square that is
bisimilar to it, in fact bisimilar through a functional bisimulation, see [29].)

Suppose that A is satisfied somewhere in the square model $M = (W, \equiv_0, \equiv_1, V)$. From this
we will prove that A is true somewhere in a filtration $M^f$ of M. As before, as the domain of
$M^f$ we take the set of theories:

$$W^f = \{\theta^A_M(w) \mid w \text{ in } M\}.$$


Again we want to prove a truth lemma, so the valuation is now also fixed. What would be a good
definition for the relations $R_0$ and $R_1$ on $W^f$? In general, this is where the filtration method
needs some creative input. Now, if the only requirement were that A is to be true somewhere
in the resulting model, there is a whole family of definitions that work (in the sense that they
ensure that the conditions min and max are satisfied). But the extra constraint, viz., that the
resulting model should be a pseudo-square, puts some extra restrictions. In any case, the following
definition works:

$$R_i(\theta^A_M(s), \theta^A_M(t)) \text{ if for all } \Diamond_i\varphi \in Cl(A):\; M, s \models \Diamond_i\varphi \text{ iff } M, t \models \Diamond_i\varphi.$$

(The reader should check that this is well-defined.)
We can now prove the main claim concerning filtrations, the truth lemma:

(14) for all formulas $\varphi \in Cl(A)$, for all $\theta^A_M(s)$: $M^f, \theta^A_M(s) \models \varphi$ iff $\varphi \in \theta^A_M(s)$.

This claim is proved by a formula induction as before. For the diamond cases, one should check
that min and max indeed hold for the given definition of the relations. For min, use the fact that
$\varphi \to \Diamond_i\varphi$ is valid for every $\varphi$ in this logic (because $\equiv_i$ is a reflexive relation). For max, use the
fact that $s \equiv_i t$ implies that $M, s \models \Diamond_i\varphi$ iff $M, t \models \Diamond_i\varphi$.

This proves (14), so in order to prove the left to right direction of the Proposition we only
have to show that $M^f$ is a pseudo-square. We leave it to the reader to verify that both $R_0$
and $R_1$ are equivalence relations. In order to check the other condition, consider sets $\theta^A_M(s)$
and $\theta^A_M(t)$. Now the fact that M is a square and that s and t are pairs comes in handy.
Let $z = (s_0, t_1)$. Then $s \equiv_0 z \equiv_1 t$. But then it follows that $R_0(\theta^A_M(s), \theta^A_M(z))$ and
$R_1(\theta^A_M(z), \theta^A_M(t))$, which shows that indeed, the composition of $R_0$ and $R_1$ is the universal
relation on $M^f$. ∎


The reader might wonder whether we can construct the pseudosquare by a Hintikka Set elim- 
ination procedure as well, just as we did with the basic modal system. The only difference is 
that we have to end up in a pseudosquare, whereas with the basic modal system any model was 
allowed. But how to implement the check for the condition $\forall xy\,\exists z\,(R_0xz \wedge R_1zy)$? Suppose
it fails for some Hintikka sets, x, y. Which one should we remove from the set of candidates? 
It seems we have to consider both possibilities. But then we get an algorithm which takes far 
longer than the original Hintikka set elimination procedure. Instead of $2^{|A|}$ many stages we have
$2^{2^{|A|}}$ many. In section 3.5 we will show that indeed this is a harder problem than the satisfiability
problem under constraints for the basic modal system. 

The until operator


We now consider the modal system given by the propositional language expanded with the binary
until operator U, the class of all models of the form (W, R, V) and an interpretation of U as in the
chapter on temporal logic (recalled below). Note that this is not a modal system in the strict sense
of Chapter 5 of this handbook, as U has a dual existential-universal definition: $M, s \models U(\varphi, \psi)$
if and only if there exists u such that R(s, u) and $M, u \models \varphi$ and for all t such that R(s, t) and
R(t, u) it holds that $M, t \models \psi$.

Our previous methods do not work for this language as they were based on reasoning on 
trees. It is not hard to see that the formula $U(p, \top) \wedge \neg U(p, p)$ is satisfiable but not in a tree.
Nevertheless, we will show that this system does have a finite pseudo-model property, and we 
use this property for showing that it has a decidable satisfiability problem. 

To start with, let $\mathcal{L}_U$ be the language obtained by expanding the classical propositional
language with the binary connective U. It is convenient to use the following notation: for s and u
elements of the domain of some model M,

(15) $M, su \models \varphi$ iff for all t satisfying Rst and Rtu, $M, t \models \varphi$,

because we can now rephrase the truth definition of the until operator as follows:

(16) $M, s \models U(\varphi, \psi)$ iff for some u such that Rsu, $M, u \models \varphi$ and $M, su \models \psi$.


Let $\mathsf{M}$ denote the class of all models (W, R, V). We call the resulting modal system $(\mathcal{L}_U, \mathsf{M}, \models)$
the until system. Note that $\mathcal{L}_U$ is normally interpreted on models in which R is a linear order, but
here we disregard this extra complicating factor. 

Different from our earlier proofs, we will not use any kind of finite model property in order to 
prove decidability for the until system. This is not because the system does not have the bounded 
finite model property (it does); our proof method is for didactic purposes. The idea behind the 
mosaic method is that we construct a finite pseudo-model that we will call a linked set of mosaics. 
One then has to show that a formula is satisfiable if and only if there exists such a linked set of 
mosaics for it. 

What then are mosaics? One could best describe them as little pieces of a model that, if linked 
together in a nice way, contain sufficient information to construct a real model. 

Concerning the notion of a mosaic then, the first question is what information we are interested 
in. This question is easy to answer: as in all previous proofs we are only interested in the truth 
of subformulas of A. The second question then should be: how large should the little pieces of 
model be? In all previous proofs, the parts we worked with consisted of just one world. The 
definition of the until operator makes that this is not enough. We need to define a new concept. 
Call a subset of the domain of a model M = (W, R, V) packed if every two distinct elements 
s and t of the subset are R-related (that is, we require that Rst or Rts). Our patchwork pieces 
then will be packed sets of size at most three. 

The number three here derives from the fact that the truth definition of $U(\varphi, \psi)$ employs three
variables. In fact, if one would try to devise a standard translation or a bisimulation game for
the $\mathcal{L}_U$-language, the number three would show up as the minimal number of variables needed
and as the minimal size of the windows that cover the models during the game. During a game 
one would see that these windows will only be placed on packed sets of the models. Note that 
in a tree model there are no packed sets of size three, only of size two. Also note that in the two 
dimensional logic the packed sets in a model are exactly the rows and the columns. 

Abstracting from the origin of these pieces, we arrive at the following definition. From now 
on we let A be an arbitrary but fixed $\mathcal{L}_U$ formula. A is the formula whose satisfiability needs
to be decided. As usual, we let Cl(A) denote the closure under single negations of the set of
subformulas of A.


DEFINITION 12. An A-type mosaic is a quadruple $\mu = (X, R, A_\varphi, B_\varphi)_{\varphi \in Cl(A)}$ such that X
is a set of size at most three; R and every $B_\varphi$ are binary relations on X; and every $A_\varphi$ is a unary
relation on X. When A is clear from the context, we just use “mosaic”.


The basic idea underlying this definition is that $A_\varphi$ holds of a point if we ‘want’ $\varphi$ to be true
at it, while $B_\varphi$ holds of a pair of points if we ‘want’ $\varphi$ to be true at each point between them.
Obviously, not every such structure is part of some model — we need some further constraints 
for that. Call a mosaic coherent if it satisfies the following conditions (phrased in first-order logic 
and to be read universally): 

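(C0) $Rxy \vee Ryx \vee x = y$
(C1) $A_{\neg\varphi}x \leftrightarrow \neg A_\varphi x$
(C2) $A_{\varphi\wedge\psi}x \leftrightarrow A_\varphi x \wedge A_\psi x$
(C3) $B_{\varphi\wedge\psi}xy \leftrightarrow B_\varphi xy \wedge B_\psi xy$
(C4) $(Rxy \wedge Ryz \wedge B_\varphi xz) \to A_\varphi y$
(C5) $(Rxy \wedge A_\varphi y \wedge B_\psi xy) \to A_{U(\varphi,\psi)}x$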

A few words of explanation: C0 reflects the fact that we only took packed subsets of the
model as the domain of our mosaic mini-models. C1-C3 are self-explanatory; note that there is
no analog of C1 for the B-predicates since there is a hidden universal quantifier in the meaning
of a predicate $B_\varphi$, cf. (15). Finally, C4 and C5 are rather obvious consequences of our intuitive
meaning of the A- and B-predicates and the truth definition of the until operator.

How difficult is it to check whether an A-type mosaic is coherent, measured as a function of 
|A|? The size of an A-type mosaic is bounded by a polynomial in |A|. The length of the first- 
order formula formalizing coherence is bounded by a polynomial in |A|, and is written using just
three (again!) variables. So this check can be made using p(|A|) steps for some polynomial p. 

The conditions C0-C5 take care of all universal constraints on the A- and B-predicates; but of 
course there are existential demands as well which we will call requirements. A requirement of 
a mosaic $\mu = (X, R, A_\varphi, B_\varphi)_{\varphi \in Cl(A)}$ is one of the two following types of object: for $s, t \in X$

(a) $(A_{U(\varphi,\psi)}, s)$ such that $A_{U(\varphi,\psi)}s$

(b) $(\text{not } B_\varphi, s, t)$ such that Rst and not $B_\varphi st$.

In order to explain requirements of type (a), suppose that we want the formula $U(\varphi, \psi)$ to be true
at a point s; if there is a point t in the mosaic such that Rst, $A_\varphi t$ and $B_\psi st$, then the mosaic
itself directly fulfills the requirement (by (C5)). This will rarely be the case however; the whole
point of the mosaic method is that requirements can be fulfilled by distinct mosaics as well, as
follows. A link between two mosaics $\mu$ and $\mu'$ is simply a partial isomorphism between the two
structures. We say that a link $f : \mu \to \mu'$ fulfills the requirement $(A_{U(\varphi,\psi)}, s)$ of $\mu$ if there is
some t in $\mu'$ with Rf(s)t, $A_\varphi t$ and $B_\psi f(s)t$. Likewise, a link $f : \mu \to \mu'$ fulfills the requirement
$(\text{not } B_\varphi, s, t)$ if there is some u in $\mu'$ with Rf(s)u, Ruf(t) and $\neg A_\varphi u$.

A collection L of mosaics is called a linked set of mosaics if every requirement of every mosaic
$\mu \in L$ is fulfilled via some link $f : \mu \to \mu'$ to some $\mu'$ also in L. It is a linked set of mosaics for
A if it contains a mosaic with non-empty $A_A$.

Given a collection L of A-type mosaics, how difficult is it to check that it is a linked set 
of mosaics for A? We can view such a collection L as one first-order structure in the same 
signature as A-type mosaics in which all the mosaics are pairwise disjoint. Then the universe 
of L is bounded by three times the number of mosaics. Checking coherence of all mosaics can 
be done using |L| checks each taking p(|A|) computation steps, for a polynomial p. That L is a
linked set of mosaics for A is a simple first-order statement: $\exists x\, A_A(x)$. But also the existence of
partial isomorphisms can be expressed in first-order logic, by a formula in five variables whose
length is polynomially bounded by |A|. So the check can be made using a polynomial number
of steps in |L| and |A|.

Now the main result concerning mosaics is the following. 

PROPOSITION 13. An $\mathcal{L}_U$-formula A is satisfiable if and only if there is a linked set of mosaics
for A.


THEOREM 14. It is decidable in $2^{O(|A|)}$ steps whether an $\mathcal{L}_U$-formula A is satisfiable.


Proof. We can adjust the Hintikka set elimination algorithm given for the system K in order
to deal with mosaics. This is done as follows. Let S be the set of all A-type mosaics (up to
isomorphism). It is not hard to show that $|S| \le 2^{O(|A|)}$. Let $S_0 \subseteq S$ be the subset containing all
coherent mosaics. Thus $S_0$ can be computed in polynomial time in $|S| \le 2^{O(|A|)}$ and |A|. We
now inductively construct a sequence of sets of mosaics $S_0 \supseteq S_1 \supseteq S_2 \supseteq S_3 \cdots$, just as in the
proof for the system K*. The idea is that we delete mosaics from $S_i$ if they have a requirement
which cannot be fulfilled inside $S_i$. We already showed that the checks to be made at each stage
of the algorithm take time polynomial in the size of $S_i$ and |A|. As $|S| \le 2^{O(|A|)}$, there are at
most $2^{O(|A|)}$ stages, thus the whole algorithm can be performed in $2^{O(|A|)}$ steps. ∎


We end with the rather involved proof of the correctness of the algorithm. 


Proof of Proposition 13. The left to right direction of the proof is easy: suppose that M =
(W, R, V) is a model for A. Out of this model we will cut a linked set of mosaics for A, as
follows. Let P be the collection of all packed subsets of W of size at most three. Associate with
any set $X \in P$ a mosaic $\mu_X$ based on the set X, with R as in M and with every $A_\varphi$ and $B_\varphi$
defined as given by the truth of $\varphi$ in M. We leave it as an exercise for the reader to verify that
the collection of all these mosaics forms indeed a linked set of mosaics.
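
The cutting of mosaics out of a model described above, together with the coherence conditions C0-C5, the requirements and links, and the elimination loop from the proof of Theorem 14, as an added Python example that is not part of the handbook. It runs the elimination on the mosaics cut from one constructed three-point model of $U(p, \top) \wedge \neg U(p, p)$ rather than on the set of all A-type mosaics; the tuple encoding of formulas, the dictionary layout of a mosaic and all function names are assumptions of this example.

```python
from itertools import combinations, permutations

# Constructed encoding: ("var", p), ("top",), ("not", f), ("and", f, g), ("U", f, g).
TOP, P = ("top",), ("var", "p")
FORMULA = ("and", ("U", P, TOP), ("not", ("U", P, P)))  # U(p, T) and not U(p, p)
# Constructed model (W, R, V): 0 -> 1 -> 2 plus 0 -> 2, with p true only at 2.
MODEL = ({0, 1, 2}, {(0, 1), (1, 2), (0, 2)}, {"p": {2}})

def closure(a):
    """Cl(A): the subformulas of A, closed under single negations."""
    subs = {a}.union(*(closure(x) for x in a[1:] if isinstance(x, tuple)))
    return subs | {f[1] if f[0] == "not" else ("not", f) for f in subs}

def holds(M, s, f):
    """M, s |= f; the last case is the truth definition (16) of U."""
    W, R, V = M
    if f[0] == "var": return s in V[f[1]]
    if f[0] == "top": return True
    if f[0] == "not": return not holds(M, s, f[1])
    if f[0] == "and": return holds(M, s, f[1]) and holds(M, s, f[2])
    return any((s, u) in R and holds(M, u, f[1]) and between(M, s, u, f[2]) for u in W)

def between(M, s, u, f):
    """M, su |= f as in (15): f holds at every t with Rst and Rtu."""
    W, R, _ = M
    return all(holds(M, t, f) for t in W if (s, t) in R and (t, u) in R)

def cut_mosaics(M, CL):
    """One mosaic per non-empty packed subset of W of size at most three."""
    W, R, _ = M
    packed = [X for k in (1, 2, 3) for X in combinations(sorted(W), k)
              if all((x, y) in R or (y, x) in R for x, y in combinations(X, 2))]
    return [{"X": X,
             "R": {(x, y) for x in X for y in X if (x, y) in R},
             "A": {f: {x for x in X if holds(M, x, f)} for f in CL},
             "B": {f: {(x, y) for x in X for y in X if between(M, x, y, f)} for f in CL}}
            for X in packed]

def coherent(m, CL):
    """Conditions C0-C5, read universally over the points of the mosaic."""
    X, R, A, B = m["X"], m["R"], m["A"], m["B"]
    pairs = [(x, y) for x in X for y in X]
    ok = all(x == y or (x, y) in R or (y, x) in R for x, y in pairs)            # C0
    for f in CL:
        if f[0] == "not":                                                        # C1
            ok &= all((x in A[f]) != (x in A[f[1]]) for x in X)
        if f[0] == "and":                                                        # C2, C3
            ok &= all((x in A[f]) == (x in A[f[1]] and x in A[f[2]]) for x in X)
            ok &= all((p in B[f]) == (p in B[f[1]] and p in B[f[2]]) for p in pairs)
        ok &= all(y in A[f] for x in X for y in X for z in X                     # C4
                  if (x, y) in R and (y, z) in R and (x, z) in B[f])
        if f[0] == "U":                                                          # C5
            ok &= all(x in A[f] for x, y in pairs
                      if (x, y) in R and y in A[f[1]] and (x, y) in B[f[2]])
    return ok

def requirements(m, CL):
    """Type (a): (A_U(phi,psi), s); type (b): (not B_phi, s, t) with Rst."""
    reqs = [("a", f, (s,)) for f in CL if f[0] == "U" for s in m["A"][f]]
    return reqs + [("b", f, st) for f in CL for st in m["R"] if st not in m["B"][f]]

def partial_iso(m, n, f, CL):
    """The injective map f preserves and reflects R, A_phi and B_phi on its domain."""
    return all(((x, y) in m["R"]) == ((f[x], f[y]) in n["R"])
               and all((x in m["A"][g]) == (f[x] in n["A"][g])
                       and ((x, y) in m["B"][g]) == ((f[x], f[y]) in n["B"][g]) for g in CL)
               for x in f for y in f)

def fulfilled(req, m, L, CL):
    """Is there a link from m into some mosaic of L that fulfills req?"""
    kind, g, pts = req
    dom = tuple(dict.fromkeys(pts))          # s and t may coincide
    def witness(n, s, t):
        if kind == "a":                      # some y with R f(s) y, A_phi y, B_psi f(s) y
            return any((s, y) in n["R"] and y in n["A"][g[1]] and (s, y) in n["B"][g[2]]
                       for y in n["X"])
        return any((s, u) in n["R"] and (u, t) in n["R"] and u not in n["A"][g]
                   for u in n["X"])          # some u between f(s) and f(t) with not A_phi u
    return any(partial_iso(m, n, f, CL) and witness(n, f[pts[0]], f[pts[-1]])
               for n in L for img in permutations(n["X"], len(dom))
               for f in [dict(zip(dom, img))])

def eliminate(S, CL):
    """Keep coherent mosaics, then delete those with an unfulfillable requirement."""
    S = [m for m in S if coherent(m, CL)]
    while True:
        keep = [m for m in S if all(fulfilled(r, m, S, CL) for r in requirements(m, CL))]
        if len(keep) == len(S):
            return keep
        S = keep

def demo():
    """Domains that survive elimination: all cut mosaics, then without the triple."""
    CL = closure(FORMULA)
    full = cut_mosaics(MODEL, CL)
    pruned = [m for m in full if len(m["X"]) < 3]
    return [sorted(m["X"] for m in eliminate(S, CL)) for S in (full, pruned)]
```

Calling `demo()` shows that all seven cut mosaics survive, so they form a linked set of mosaics for the formula. Without the three-point mosaic the deletion cascades until only the mosaics on {1}, {1, 2} and {2} remain, none of which has a non-empty $A_A$.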

The direction from right to left in the Proposition is the hard one, although the key idea 
underlying its proof is quite intuitive. We will construct a model for A step by step; that is, 
we will approximate our model via a series of finite structures that we call networks. A network 
is a structure $N = (W, R, A_\varphi, B_\varphi)_{\varphi \in Cl(A)}$ of the same type as a mosaic but not bounded in size.
A network is called coherent if it satisfies the conditions C1-C5 above. To ask for C0 would be
too much; instead we require coherent networks N to satisfy the following:


(liveness) every packed set X of size at most three comes from a mosaic; that is, for each such
set $X \subseteq W$ there is a partial isomorphism $f : N \to \mu$ such that f is defined on X.


Liveness means that — through the mosaics — we are in control of certain small parts of the 
model: the packed sets of size at most three. Why only these sets? The truth definition of U 
provides the answer. The meaning of $U(\varphi, \psi)$ depends only on these small packed sets in the
model. 

A defect of a network is a requirement that is not directly fulfilled in the network itself, and 
a network is called saturated if it has no defects. A network is perfect if it is both coherent and 
saturated. 

This name is well-chosen, since perfect networks are the ones that we are after. The reason for 
this is that with every network $N = (W, R, A_\varphi, B_\varphi)_{\varphi \in Cl(A)}$ we can associate a modal model
in an obvious way: it is defined as the structure $N^\circ = (W, R, V^\circ)$ with $V^\circ(p) = A_p$ for all
variables p occurring in A. But only for perfect networks can we prove the following truth
lemma.

CLAIM 15. If N is a perfect network, then for all formulas $\varphi \in Cl(A)$ and all points s, t in N:

1. $s \in A_\varphi$ iff $N^\circ, s \models \varphi$,

2. if Rst, then $(s,t) \in B_\varphi$ iff $N^\circ, st \models \varphi$.


PROOF OF CLAIM. The proof of this claim is by induction on the complexity of $\varphi$. We only
consider the case where $\varphi$ is of the form $U(\psi, \chi)$, and only prove part (ii) of the Claim (the first
part is simpler).

By the induction hypothesis and the truth definition of U, in order to prove (ii) it suffices to
show that for all pairs of points s and t such that Rst, we have that $(s,t) \notin B_\varphi$ iff $u \notin A_\varphi$ for
some u with Rsu and Rut. The left to right direction immediately follows from the fact that N
is perfect and thus all requirements of type (b) are fulfilled. For the other direction, suppose that
s, t and u are points satisfying Rst, Rsu, Rtu and $u \notin A_\varphi$. Observe that {s, t, u} is a packed
set of size at most three, whence we may use the (liveness) condition. This yields a partial
isomorphism f from N to some mosaic $\mu$ such that f is defined for each of s, t and u. It follows
that Rf(s)f(t), Rf(s)f(u), Rf(t)f(u) and $f(u) \notin A_\varphi$; but then it follows from condition C4
that $(f(s), f(t)) \notin B_\varphi$. Returning to N this shows that $(s, t) \notin B_\varphi$, which is what we needed to
prove. ∎


From the previous claim it follows that in order to show that A is satisfiable, it suffices to show 
that there is a perfect network for it, that is, a perfect network such that $A_A$ is not empty.


CLAIM 16. There is a perfect network for A. 


PROOF OF CLAIM. The proof of this claim consists of three parts. First we show that there is
some network for A (not necessarily perfect). This is easy, since we are given a linked set of
mosaics for A: as our network we simply take any mosaic with non-empty $A_A$.

The second and main part of the proof consists in showing that any defect of any network can 
be repaired; that is, we can find a bigger network in which the defect no longer occurs. Without 
going too much into technical detail, let us see how to repair a defect of type (b) (defects of type 
(a) are repaired in a similar way). 

Suppose that s and t are points of the network N such that Rst and not $B_\varphi st$ for some
subformula $\varphi$ of A, while there is no point u between s and t such that $\neg A_\varphi u$. The idea now is
simply to repair this defect by adding a new point to the network. What kind of point? Well, since
we have Rst we know that s and t come from a mosaic; that is, there is a partial isomorphism
f from N to some mosaic $\mu$. Obviously, $(\text{not } B_\varphi, f(s), f(t))$ is a requirement of this mosaic.
But since we are working in a linked set of mosaics, there must be some link g between $\mu$ and $\mu'$
and some u in $\mu'$ such that Rg(f(s))u, Rug(f(t)) and $\neg A_\varphi u$. Now simply add an entirely new
point r to the network; make sure that the relations between s, t and r are such that this part of
the model is isomorphic to $\mu'$. It is thus obvious that we have repaired the defect, and that the
new structure is a network. In order to keep the liveness condition it is essential not to relate r to 
any other point besides s and t: in this way the only new packed sets are {r, s, t} and its subsets. 

Finally, these two parts provide the material and the tools for constructing the desired perfect 
network for A. Starting from the mosaic for A (which is of course a network), we repair defects, 
one by one, step by step, thus constructing a sequence $N_0, N_1, \ldots$ of networks. Using some
standard combinatorics we can ensure that the limit of the chain of networks is a network without
defects. In particular, if we always take new points from a fixed set, say $\omega$, we can enumerate the
set of all (potential) defects of any network of the chain; if at each step of the construction we
repair the current network’s defect with the lowest number in this enumeration, we can create a
perfect network. ∎


3 COMPLEXITY 


[27] lists the following as the basic questions of computer science: What is an algorithm? What 
can and what cannot be computed? When should an algorithm be considered practically feasible? 
In the previous sections we have —sometimes between the lines— used the available answers to 
these questions. Before we go back to modal logic we catch a brief glimpse of the theories of 
computability and computational complexity. Readers familiar with this can jump immediately
to subsection 3.5. 


3.1 Computability 


What is an algorithm? It is much easier to decide that a certain procedure can be labeled an 
algorithm than to give a definition. But a definition is needed when we want to prove that no 
algorithm exists to decide a certain problem. Recall that is what we did with the tiling logic in 
Section 1.3. Such a definition should be very robust. We would not like that later someone comes 
up with a procedure for deciding satisfiability under constraints for the tiling logic which we have 
to accept as an algorithm. As it turned out, the first proposal, now called Turing machine, named 
after its inventor Alan Turing, was immediately right. For a definition of Turing machines see 
any complexity or finite model theory textbook or Wikipedia. Every other model of computation 
that has been defined up to now has been shown to be equivalent to the Turing machine model. 
The so-called Church-Turing thesis turns these empirical facts into a principle:


Church-Turing Thesis. The Turing machine that terminates on all inputs is the precise formal 
notion corresponding to the intuitive notion of an algorithm. 


More precisely, for X a finite alphabet and $S \subseteq X^*$ a set of X-strings, there exists an algorithm
for deciding membership of X-strings in S if and only if there exists a Turing machine which
terminates on all input strings $s \in X^*$ and correctly outputs the answer to the question whether
$s \in S$.


The reader may substitute his preferred sufficiently powerful programming language for Tur- 
ing machine in the thesis (as each sufficiently powerful language is equivalent in computation 
power to the Turing machine model). Note that the thesis speaks about all inputs. That is the 
reason why we had to be so careful in Section 1 when we spoke about the desirable properties of 
a logic. 

Everyone with a limited amount of programming experience has created programs which do 
not terminate on some inputs. Such programs are not useful for deciding a yes/no problem, 
simply because for the particular input on which it does not terminate we do not get an answer. 
This is a good place to discuss the notion of semi-decision. A yes/no problem is said to be semi- 
decidable if a program (a Turing machine) exists which terminates on all yes instances and on all 
no instances it does not terminate. The set of valid first-order sentences is the prime example of 
such a set. It is semi-decidable but not decidable. Note that if both the yes and the no instances 
(that is, both “halves” of the problem) are semi-decidable, we can decide the whole language. 
The reason is that on any input we can start both programs, one which terminates on the yes, and
the other which terminates on the no-instances. Whatever instance we have, one program must 
terminate, so we have a decision procedure. Thus a problem is decidable iff both halves of it are 
semi-decidable. See [27] for a detailed argument. 

This is all we want to say about computability. The Church-Turing thesis yields an exact 
measure between the computable and the non computable problems. There is theory about the 
difficulty of a problem regardless whether it is a computable or a non computable problem. For 
instance, we just saw that first-order validity is not computable but still semi-decidable. A natural 
question is whether there exist even harder problems: those that cannot even be semi-decided. 
Indeed they do exist, and tiling problems have been developed for these cases as well. For 
instance, add to the tiling problem an extra special tile T* and ask whether a tiling exists such 
that T* occurs infinitely often on the first row. The complement of our original tiling problem is 
semi-decidable (Why? Because we can formalize it in terms of first-order logic!), but this is not 
true anymore for this extended version. Cf., [22] for further reading. 

As this chapter is about complexity we now take a closer look at the computable problems. 


3.2 Computational complexity 


In Section 1 we spoke about practically feasible algorithms, and defined them to be those which 
take at most p(n) computation steps, for p a polynomial function in n with n representing the 
length of the input. We were rather vague on what constitutes a computation step, but we can 
now make that precise using the Turing machine model: it is a step taken by a Turing machine. 
Even inside the practically feasible and inside the not practically feasible algorithms it makes 
sense to try to distinguish problems of different complexity. As we are mostly concerned with 
non practically feasible problems we take a closer look there. Let us first give a formal enough 
definition of the class P of problems solvable in polynomial time. 


DEFINITION 17. A Turing machine is polynomially time bounded if there is a polynomial p(n) 
such that the machine always halts after at most p(n) steps, where n is the length of the input. 
A problem is solvable in polynomial time (a function is computable in polynomial time) if there 
is a polynomially time bounded Turing machine that solves it (that computes it). The class of all 
problems solvable in polynomial time is called P. 


Within the class of non practically feasible algorithms we have those which take exponential 
time. We define the class EXPTIME of problems solvable in exponential time by requiring that 
there is some polynomial p such that the Turing machine must halt on all inputs after at most
$2^{p(n)}$ steps. Similarly we can define the class of 2EXPTIME problems, solvable in at most
$2^{2^{p(n)}}$ steps, and so on. These classes form a hierarchy and it is known that all inclusions are
strict. Consider the class EXPTIME. Can we find interesting and natural subclasses here? We 
can look at the amount of working memory a Turing machine needs in its computation. At our 
level of discussion it is enough to know that in every computation step of a Turing machine, the 
machine can read and write a symbol of a specified finite alphabet in a cell of a tape. The tape 
corresponds to the memory of the Turing machine. Clearly machines are conceivable which take 
a long time before they reach their decision but which use only a limited amount of memory. A 
good example is the “bad way of doing model checking” described in Chapter 1. We can define 
space classes similarly to time classes: 


DEFINITION 18. A Turing machine is polynomially space bounded if there is a polynomial 
p(n) such that no computation of the machine scans more than p(n) tape cells. The class of all 
problems solvable by a polynomially space bounded Turing machine is called PSPACE.


It should be clear that P is contained in PSPACE. Note that there is no bound on the amount 
of time for polynomially space bounded computations. Still we have 


PSPACE is contained in EXPTIME. 


To see this, consider the number of ways a tape containing p(n) cells can be written, in an 
alphabet containing two symbols. That is $2^{p(n)}$. This bounds the number of configurations of a
Turing machine. If a PSPACE machine takes more than exponential time, then it has repeated 
some configuration so it must be in an infinite loop. This is not possible because it must terminate 
on each input. 


Non-determinism. The Turing machine model we had in mind was the deterministic Turing 
machine. This is what we typically think of when we think of a computer program: the output 
state of a computer program is uniquely determined by its input state (that is, by its input). 
Moreover, for every intermediate state there is exactly one state in which the program can be at 
the next computation step. In essence, a program is a function from input states to output states. 

One of the more difficult abstractions made of a Turing machine is a non-deterministic Turing 
machine. Non-deterministic programs are very useful when the problem consists of a (difficult) 
search for a solution and an (easy) check whether the solution is correct. The prime example 
of such a problem is boolean satisfiability: given a propositional formula, does there exist a
valuation of the proposition letters such that the formula evaluates to true? For a formula with
n letters there are $2^n$ many possible valuations, an enormous search space. To check whether
a given valuation evaluates to true is very easy (the number of steps is polynomially bounded 
by the number of connectives in the formula). We can write a non-deterministic program which 
scans the formula from left to right, and has the following non-deterministic rule 


if you read $p_i$ for the first time, then either replace all occurrences of $p_i$ by
true or replace all occurrences of $p_i$ by false.


Consider the application of this rule as one computation step. After scanning the complete for- 
mula the program can simply check whether the result evaluates to true. Thus if a formula is 
satisfiable the program can answer fast and correctly. If the formula is not satisfiable, then none 
of the choices will lead to a state in which the program will answer that it is. So this program 
decides the satisfiability problem. 

We say that a non-deterministic Turing machine decides a problem if 


• for every yes instance of the problem, there is at least one computation that accepts the
input, and


• for every no instance, every computation rejects the input.


Note the asymmetry in this definition. Deterministic Turing machines have just one computation 
on each given input: this is exactly what determinism requires. But the above non-deterministic 
program has $2^n$ many different computations on a formula with n variables. Each of them leads
to an accepting or rejecting state in p(n) steps, for p a polynomial. This is the time we measure. 


DEFINITION 19. NP is the class of problems decided by a polynomially time bounded non- 
deterministic Turing machine. NEXPTIME is the class of problems decided by an exponentially 
time bounded non-deterministic Turing machine. 
Still the reader might ask how long a non-deterministic polynomially time bounded computation
really takes, where “really” means implemented on a deterministic Turing machine. This is
one of the greatest puzzles in computer science. The answer is simply:


At present we can only do it using an exponentially time bounded deterministic Tur- 
ing machine. We do not know if we can do better, but we consider it unlikely. 


In other words, the question whether $P \neq NP$ is wide open, though it is generally believed that the
two classes are different. Thus we have the following inclusions


$$P \subseteq NP \subseteq PSPACE \subseteq EXPTIME \subseteq NEXPTIME,$$


and all we know at present is that $(N)P \subsetneq (N)EXPTIME$.


3.3 The complexity of modal decision problems


In Section 2 we gave several decision algorithms and analyzed their complexity in rather loose 
terms. In fact these arguments can be made rigorous without too much ado. Thus we can use 
them to argue that the problems discussed earlier are in certain complexity classes. We briefly 
list the results: 


1. Propositional satisfiability is in NP. 

2. Local satisfiability of the logical system tile is in NP. 

3. Local satisfiability of the basic modal system K is in PSPACE. 

4. Satisfiability under constraints of the basic modal system K is in EXPTIME.

5. Local satisfiability of two dimensional modal logic is in NEXPTIME.


These are nice results but they do not tell us very much, except that for none of them we have 
found a practically feasible algorithm. Surely that does not mean that no such algorithm exists. 
We would like to have a similar situation as with decidability: either we show a problem is 
decidable or we show it is undecidable. Thus we would like to be able to show that a problem 
is not in P, or it is in PSPACE, but not in NP, etc. Unfortunately, except for some problems in
EXPTIME, we cannot show that a problem is not in P. At present we just do not know how to 
do that. As a second best to showing that a problem in NP is not in P we can show that it is a 
core problem in NP. A really desirable property of a core problem Q in NP would be that 


if Q happens to be in P, then every problem in NP is also in P. 


In other words, if you are able to find a polynomial time algorithm for Q, you have found one for 
all problems in NP. Even though this property sounds extremely strong, we now have hundreds 
of core problems in NP (cf., [16]). These are called NP complete problems and the crucial notion 
in their definition is that of a polynomial time reduction. 


3.4 Reductions


We have used a reduction from an undecidable problem (tiling) to another problem to show that 
the latter is also undecidable. The reduction used in the proof of Theorem 7 took an instance of 
the tiling problem and produced two formulas A and C. The crucial point of the reduction was 
that it was a computable function. Computability was all we needed to transfer undecidability. 

In the case at hand we want to transfer a similar negative property: most likely not in P. But 
then we should not ask for mere computability, but for computability in polynomial time. Note 
that the given reduction of the tiling problem is polynomial time computable. It is an example 
of a polynomial reduction of one problem into another. This simple and intuitive notion is very 
powerful. To recapitulate: if there is a polynomial reduction from problem A to problem B, then 
B is at least as hard as A. If we can solve B efficiently (that is, if $B \in P$), then the same holds
for A. But if A requires exponential time, then so does B. 


DEFINITION 20. A problem Q is said to be NP complete if Q is in NP and for every problem 
Q’ in NP there is a polynomial reduction from Q’ to Q. 


We invite the reader to show that NP complete problems have the desired property of core 
problems discussed above. We define complete problems for the other complexity classes in 
exactly the same way, all the time using polynomial reductions. 

From the definition it looks very difficult to show that a given problem which is in NP is also 
NP complete, because of the universal quantifier. But that is just appearance, as any problem in 
NP can be decided by a non deterministic polynomially time bounded Turing machine. Thus we 
need to reduce the acceptance problem of such machines. The first problem shown NP complete
was boolean satisfiability (this is known as Cook’s Theorem). Once you have one NP complete
problem it is much easier to get more. Because the composition of two polynomial reductions is 
a polynomial reduction all one needs to do to establish NP completeness of a problem Q in NP 
is to reduce a known NP complete problem to it. Similarly for the other complexity classes. 

Thus when doing a complexity analysis of a problem one should try to establish a matching 
upper and lower complexity bound: that is, establish that the problem is complete for some 
complexity class. The upper bound indicates the amount of time and space needed by the best 
known algorithm. The matching lower bound indicates that, with the present state of knowledge in 
computer science, one cannot do better. Note that “cannot do better” is a rather relative notion. 
For one thing, both $10 \cdot n$ and $n^{10}$ are polynomial functions. As none of the problems we look at 
is solvable by a practically feasible algorithm anyway, it is at this stage of the discussion enough 
to use the rather broad but robust complexity classes we discussed. 

We will now establish those required lower bounds for the problems listed in the beginning 
of Section 3.3. When we have reduced a known NP complete problem to a problem Q we say 
that Q is NP hard, and so on. Such reductions yield good insight into the expressive power and the 
design of the modal system. 


3.5 Tiling 


We will establish matching lower bounds by reductions to finite versions of the tiling problem 
discussed in Section 1.3. 

We start with the simplest finite version, square tiling. The problem is as before: we are given 
a set of tiles T, containing a special tile $T_0$, and a natural number n. Note that n is part of the 
input. The problem is whether the n × n square can be tiled using the tiles T with the constraint 
that $T_0$ is placed at the four borders of the square. Interestingly, the complexity of this problem 
depends on how the size n is given. 


FACT 21. 


1. The n × n tiling problem with n given in unary is NP complete. 


2. When n is given in binary it is NEXPTIME complete. 


To get in the mood let us show that propositional satisfiability is NP hard, by reducing the 
tiling problem to it. So consider an instance of the problem consisting of an n and a set of tiles 
$T = \{T_0, T_1, \ldots, T_k\}$. We want to create a propositional formula $A^n_T$ which is satisfiable iff 
there exists a T tiling of the n × n square. Moreover the formula $A^n_T$ must be computable in 
polynomial time from T and n. $A^n_T$ will be constructed from the set of propositional variables 


$\{p^t_{xy} \mid 0 \le t \le k,\ 0 \le x, y < n\}$. 


The intended meaning of $p^t_{xy}$ is “Tile $T_t$ is placed on position (x, y)”. Note that there are 
$n^2 \cdot (k + 1)$ variables $p^t_{xy}$. $A^n_T$ is a conjunction of clauses. It consists of the following parts: 


• At each point in the square, exactly one tile is placed: 


(at least one) $\bigwedge_{0 \le x,y \le n-1} (p^0_{xy} \lor p^1_{xy} \lor \ldots \lor p^k_{xy})$ 


(at most one) $\bigwedge_{0 \le x,y \le n-1,\ 0 \le t \ne t' \le k} \neg(p^t_{xy} \land p^{t'}_{xy})$ 

• The special tile $T_0$ is placed all along the edges of the square: 


(border) $\bigwedge_{0 \le i \le n-1} (p^0_{0i} \land p^0_{n-1\,i} \land p^0_{i0} \land p^0_{i\,n-1})$. 


• Colors must match horizontally and vertically: 


(horizontal) $\bigwedge_{0 \le x,y \le n-1} (p^t_{xy} \to \bigvee_{right(t)=left(t')} p^{t'}_{x+1\,y})$ 


(vertical) $\bigwedge_{0 \le x,y \le n-1} (p^t_{xy} \to \bigvee_{up(t)=down(t')} p^{t'}_{x\,y+1})$. 

Clearly this formula is computable from the instance. It is also not hard to show that it is a correct 
reduction: the formula is satisfiable if and only if the instance can tile the given square. But in 
order to show that we have given a polynomial reduction, we need to argue that the formula is 
polynomially computable from the given tiling instance. What is the size of the formula? Look 
at the last conjunct (vertical). It consists of $n^2 \cdot (k + 1)$ conjunctions each containing at most 
k + 2 variables and k + 1 connectives. What is the size of a propositional variable? Naively we 
think of propositional variables as letters p, q, r, ... so it is tempting to assume that they have size 
1. But if we encode variables in some standard way, e.g. as strings of zeroes and ones, then the 
more we have of them the more bits we need. We always assume that we use a binary encoding, 
so for our $n^2 \cdot (k + 1)$ many variables we need $\log(n)^2 \cdot \log(k + 1)$ bits for each variable. Thus 
the total size of (vertical) is $O(n^2 \cdot \log(n)^2 \cdot k^2 \cdot \log(k))$. We obtain similar bounds for the other 
conjuncts. Note how lucky we are that n was given in unary. Otherwise, had n been given 
in binary, we would already have had $2^n \cdot 2^n \cdot (k + 1)$ many propositional variables, so our reduction would 
never have been polynomial. 
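
The reduction above, carried out in code as an added example (it is not part of the original text). The function names, the tile representation as (up, right, down, left) colour tuples, the small DPLL solver and both sample tile sets are assumptions made for this illustration; for positions on the last column or row no matching clause is emitted, since the neighbour lies outside the square.

```python
from itertools import combinations

# Constructed sample instances; a tile is (up, right, down, left), index 0 is T_0.
TILES_OK = [("w", "w", "w", "w"), ("r", "w", "r", "w")]
TILES_BAD = [("a", "w", "b", "w"), ("w", "w", "a", "w")]  # T_0 cannot sit above itself


def var(n, k, t, x, y):
    """1-based index of the variable p^t_{xy} ("tile T_t is on position (x, y)")."""
    return (y * n + x) * (k + 1) + t + 1


def tiling_to_cnf(tiles, n):
    """Return the clauses of the tiling formula as lists of signed variable indices."""
    k = len(tiles) - 1
    cnf = []
    for x in range(n):
        for y in range(n):
            here = [var(n, k, t, x, y) for t in range(k + 1)]
            cnf.append(here)                                        # (at least one)
            cnf.extend([-a, -b] for a, b in combinations(here, 2))  # (at most one)
            for t, (up, right, _down, _left) in enumerate(tiles):
                if x + 1 < n:                                       # (horizontal)
                    cnf.append([-here[t]] + [var(n, k, u, x + 1, y)
                               for u, other in enumerate(tiles) if other[3] == right])
                if y + 1 < n:                                       # (vertical)
                    cnf.append([-here[t]] + [var(n, k, u, x, y + 1)
                               for u, other in enumerate(tiles) if other[2] == up])
    for i in range(n):                                              # (border)
        for x, y in ((0, i), (n - 1, i), (i, 0), (i, n - 1)):
            cnf.append([var(n, k, 0, x, y)])
    return cnf


def dpll(cnf, assignment=None):
    """Tiny DPLL: unit propagation plus branching. Returns a (partial) model or None."""
    assignment = dict(assignment or {})
    while True:
        simplified, unit = [], None
        for clause in cnf:
            open_lits, satisfied = [], False
            for lit in clause:
                value = assignment.get(abs(lit))
                if value is None:
                    open_lits.append(lit)
                elif value == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not open_lits:
                return None                      # clause falsified
            if len(open_lits) == 1 and unit is None:
                unit = open_lits[0]
            simplified.append(open_lits)
        cnf = simplified
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not cnf:
        return assignment
    lit = cnf[0][0]
    for value in (lit > 0, not (lit > 0)):
        model = dpll(cnf, {**assignment, abs(lit): value})
        if model is not None:
            return model
    return None


def solve_tiling(tiles, n):
    """Decide the instance via SAT; return rows (bottom row first) of tile indices, or None."""
    model = dpll(tiling_to_cnf(tiles, n))
    if model is None:
        return None
    k = len(tiles) - 1
    return [[next(t for t in range(k + 1) if model.get(var(n, k, t, x, y)))
             for x in range(n)] for y in range(n)]


if __name__ == "__main__":
    print(solve_tiling(TILES_OK, 3))
    print(solve_tiling(TILES_BAD, 2))
```

The number of variables grows as $n^2 \cdot (k + 1)$, so the clause list stays polynomial only because n is the side length itself (unary), not the number of bits of the side length.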


We will use the binary version of square tiling later on. First we look at a variant called corridor 
tiling. 

Corridor tiling. Given a set of tiles T, a special tile $T_0$ and an integer n in unary. The problem 
is whether there exists a height m such that the rectangle n × m can be tiled by T, with all borders 
tiled by $T_0$. 


FACT 22. Corridor tiling is PSPACE complete. 


Corridor tiling is very well-suited to obtain results for linear structures. Consider the logical 
system succ consisting of the basic modal language; its models are all initial segments of the 
natural numbers with successor, and ◇ is interpreted by the successor function. 


PROPOSITION 23. The problem whether A is (locally) satisfiable in a model which globally 
satisfies C is PSPACE hard for the system succ. 


Proof. Of course we reduce corridor tiling. Let $T = \{T_0, \ldots, T_k\}$ and n determine an instance. 
We use variables $p^t_x$ for $0 \le x \le n-1$ and $0 \le t \le k$. We view an initial segment of the natural 
numbers as the corridor. Then $p^t_x$ gets a familiar meaning: $M, i \models p^t_x$ means that “Tile $T_t$ is 
placed at position (x, i)”. 

Having this interpretation it seems straightforward to write down the constraints: 


• The side edges are tiled by $T_0$: 
$p^0_0 \land p^0_{n-1}$ 
• Every position is tiled by exactly one tile: 


$\bigwedge_{0 \le x \le n-1} (p^0_x \lor \ldots \lor p^k_x)$ 


$\bigwedge_{0 \le x \le n-1,\ 0 \le t \ne t' \le k} \neg(p^t_x \land p^{t'}_x)$. 


• Colors match horizontally by 


$\bigwedge_{0 \le x \le n-1,\ 0 \le t,t' \le k} (p^t_x \to \bigvee_{\{t' \mid right(T_t) = left(T_{t'})\}} p^{t'}_{x+1})$ 


• Colors match vertically by 


$\bigwedge_{0 \le x \le n-1,\ 0 \le t,t' \le k} (p^t_x \to \Box \bigvee_{\{t' \mid up(T_t) = down(T_{t'})\}} p^{t'}_x)$ 


• Every row either has a successor or it is the last one: 
$\Diamond\top \lor (p^0_0 \land \ldots \land p^0_{n-1})$. 


These are all the universal constraints. Now we need worlds in which the formula $(p^0_0 \land \ldots \land p^0_{n-1})$ 
is true, one for the bottom row and one for the top. It is natural to use the locally satisfiable 
formula for the bottom row. Thus let 


$A ::= (p^0_0 \land \ldots \land p^0_{n-1}) \land \Diamond\top$. 
$\Diamond\top$ is there to ensure that the real tiling starts. But how are we to ensure that the corridor ends? 
It is conceivable that A is satisfiable in an infinite model making all constraints true in which 
never another world containing $(p^0_0 \land \ldots \land p^0_{n-1})$ exists. This encoding seems hopeless but a 
closer inspection of the problem helps us out. 

Suppose an instance is a yes instance. Then there exists some m such that n × m can be tiled. 
We have placed no maximum on m but a little combinatorics shows that we can. If a yes instance 
exists, there exists one in which no row is repeated in the corridor. (Because if there is, we can 
cut the whole intermediate part out and still have a yes instance.) How many rows of length n 
can we make with k + 1 tiles? At most $(k + 1)^n$. That gives an upper bound on m. If a tiling 
exists there exists one with at most $1 + (k + 1)^n$ many rows. Now we can use the counter formula 
from Section 2.5 to create a binary counter starting at 0 at the world in which A is true and we 
just add a constraint stating that the world with counter value $(k + 1)^n$ is the last but one world 
in the model. The counter formula has size polynomial in k and n and the complete formula is 
polynomial in the size of the input. We leave the details of checking correctness to the reader. □ 


Corridor tiling is highly suited for linear structures but it does not seem easy to use it for 
establishing the PSPACE lower bound for local K satisfiability. For one thing we cannot en- 
force such deep models without constraints. On the other hand, we can enforce models with an 
exponential number of leaves. Luckily there are also two person game versions of square and 
corridor tiling, which are PSPACE and EXPTIME complete, respectively. One play of a game is 
naturally represented by a sequence of game-positions, representing the moves made by the two 
players. All plays on a specific board can then be represented by a tree, such that each play is 
a complete branch in the tree. (For instance, think of chess. Each node represents the board at 
that stage of the game. The root represents the start position. It has exactly as many successors 
as there are possible opening moves for white. From each successor there is again one successor 
for each legal move of black, and so on.) When working with games we are often not interested 
if a player can win some play, rather we want to know if she can win every play. If so, we say 
she has a winning strategy. 

As modal logic and trees are closely related, it seems a good idea to encode game trees. That 
is just what we will do. Tiling games are played as follows. There are two players, a male and 
a female who alternate in placing tiles. She starts at the origin and they work their way up from 
left to right, and at the end of a row they start again at the left most position of the next row. 
Players must obey the matching color rules. She wins a play if she can establish a complete 
tiling. Otherwise he wins. She has a winning strategy if she can win every play. Clearly she can 
win some play iff a tiling exists. But the question whether she can win every play seems harder. 
And indeed 


FACT 24. 


1. The problem whether she has a winning strategy in the square tiling game (n given in 
unary) is PSPACE complete. 


2. The same problem for corridor tiling is EXPTIME complete. 


We use the square tiling game to show PSPACE hardness of local K satisfiability. The corridor 
game can be used to show EXPTIME hardness for the satisfiability problem under constraints. 
This is a fairly straightforward extension of the square game, using the same type of variables as 
in corridor tiling and also using a counter formula. Complete proofs are given in [6, 37, 4]. 


PROPOSITION 25. The local satisfiability problem for the basic modal system is PSPACE hard. 
Proof. Let $T = \{T_0, \ldots, T_k\}$, n be an instance of the square tiling game. Use the same 
propositional variables as in square tiling. Use the branch and store macros of Section 2.1 to 
create an at most $n^2 - 1$ deep tree containing all possible legal plays. (Add the required extra 
constraints about matching colors and the uniqueness of tiles from square tiling where needed.) It 
might be convenient to use an extra variable encoding whose turn it is. Let that be she, indicating 
that she is to move. Now there exists a tiling if there is an $n^2 - 1$ deep path in the tree. The 
female player has a winning strategy if she can win every game. We can formalize this using the 
notion of a winning position. Let wp be a variable denoting whether a position is winning for the 
female player. All leaves at depth $n^2 - 1$ are winning, and only those leaves. Now we inductively 
define winning positions for the intermediate nodes in the tree. If she is to move, then a position 
is winning iff she can move to a winning position: 


$she \to (wp \leftrightarrow \Diamond wp)$. 


If he is to move, then a position is winning for her iff he can move at all, and all his moves lead 
to winning positions for her: 


$\neg she \to (wp \leftrightarrow (\Diamond\top \land \Box wp))$. 


Of course these formulas must be true everywhere in the game tree. But, because the tree is of 
depth only $n^2 - 1$, this can be enforced by a formula of polynomial size in n. Now she has a 
winning strategy iff the root of the game tree is a winning position for her. Further details are left 
to the reader. □ 
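
The inductive definition of winning positions used in this proof can be evaluated directly on the game tree. The following is an added example, not part of the original text: the function name, the (up, right, down, left) tile tuples and the two constructed tile sets are assumptions, and only the colour-matching rule from the description of play is enforced.

```python
from functools import lru_cache

# Constructed sample tiles, each given as (up, right, down, left).
W = ("w", "w", "w", "w")
TRAP = ("b", "b", "w", "w")   # fits next to W, but nothing fits to its right or above it


def game_value(tiles, n, he_cooperates=False):
    """True iff the root of the n x n tiling game tree is a winning position for her.

    Positions are tuples of tile indices placed so far, row by row from the origin.
    She moves at even depth, he at odd depth. With he_cooperates=True every node is
    treated as hers, which answers "can she win some play", i.e. "does a tiling exist".
    """
    def legal(board, t):
        x, y = len(board) % n, len(board) // n
        _up, _right, down, left = tiles[t]
        if x > 0 and tiles[board[-1]][1] != left:    # right(left neighbour) = left(t)
            return False
        if y > 0 and tiles[board[-n]][0] != down:    # up(lower neighbour) = down(t)
            return False
        return True

    @lru_cache(maxsize=None)
    def wp(board):
        if len(board) == n * n:                      # complete tiling: winning leaf
            return True
        moves = [board + (t,) for t in range(len(tiles)) if legal(board, t)]
        she = len(board) % 2 == 0
        if she or he_cooperates:
            return any(wp(m) for m in moves)         # she -> (wp <-> <>wp)
        # not she -> (wp <-> (<>T and []wp)): he must be able to move,
        # and every one of his moves must lead to a winning position for her.
        return bool(moves) and all(wp(m) for m in moves)

    return wp(())


if __name__ == "__main__":
    print(game_value([W], 2))                            # only one tile: she wins
    print(game_value([W, TRAP], 2, he_cooperates=True))  # a tiling exists
    print(game_value([W, TRAP], 2))                      # but he can block every play
```

With the tile set [W, TRAP] a tiling exists, yet she has no winning strategy: this is the gap between winning some play and winning every play that the alternating ◇/□ pattern in the two wp formulas captures.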


To end this section we give a more involved reduction, based on ideas from Lewis [26]. As it 
is the most difficult one, we spell it out completely. We show NEXPTIME hardness for a number 
of modal systems of which the two-dimensional modal logic from Section 2.7 is a special case. 
All have the same language and the models are of the same shape, with two accessibility relations 
H and V. Let Grid be the class of models satisfying 


(17) $\forall xy(\exists z(xVz \land zHy) \leftrightarrow \exists z(xHz \land zVy))$ 
(18) $\forall xyz((xHy \land xVz) \to \exists w(yVw \land zHw))$. 


These frame conditions make the models have a grid like nature. (17) states that V–H and 
H–V paths commute, while (18) states a Church–Rosser like condition. They are both Sahlqvist 
definable by respectively O,O,p © O,Ony and O,Onyp —> Opry, respectively. These 
conditions play an important role in the study of products of modal logic [15]. Note that all two 
dimensional models are in Grid. 


PROPOSITION 26. Let Grid’ be any subclass of Grid containing all finite two dimensional 
frames. The local satisfiability problem for the modal system with class of models Grid’ is 
NEXPTIME hard. 


Proof. Let Grid’ be as in the proposition. We will reduce the square tiling problem with n given 
in binary to the satisfiability problem of the modal system with class of models Grid’. Without 
loss we may assume that we have to tile the $2^n \times 2^n$ square. Let an instance $(2^n, T)$, with 
$T = \{T_0, \ldots, T_t\}$, be fixed. 

We will define a formula $A_{n,T}$ which describes this instance. In order to obtain the lower 
bound we show that 


(A) $A_{n,T}$ is computable in polynomial time in n and |T|. 
(B) if T tiles $2^n \times 2^n$, then $A_{n,T}$ is satisfiable in a finite two dimensional model, and 
(C) if $A_{n,T}$ is Grid’-satisfiable, then T tiles $2^n \times 2^n$. 


Given (A), (B) and (C) we have an effective reduction from the NEXPTIME-complete tiling 
problem to Grid’-satisfiability, and the result follows. 

We first describe how we represent a T-tiling of $2^n \times 2^n$ in an $S5^2$ model. Let (N, E) be a 
binary tree of depth 2n with nodes N and edges E. The elements of N are 2n-long strings in the 
alphabet {0, 1, ©}, placed in the tree as in Figure 2. (We use the symbol O to make all nodes a 
string of the same length). 


Figure 2. Binary tree of depth 2 


Let $F = (N \times N, \equiv_0, \equiv_1)$ be the two dimensional frame with base N. Our formula $A_{n,T}$ 
will contain the following propositional variables: 


d: denotes the nodes in the tree, located on the diagonal 

e: denotes the daughter relation in the tree 

$p_1, \ldots, p_{2n}$: $p_i$ stands for the i-th bit of the strings encoding the nodes 

$t_0, \ldots, t_t$: one variable for each tile, 


and variables $p^h_1 \ldots p^h_{2n}$, $t^h_0 \ldots t^h_t$, $p^v_1 \ldots p^v_{2n}$, $t^v_0 \ldots t^v_t$, whose meaning will become clear later on. 
We now describe a valuation v on F of these variables. (Because we use V for one of the 
accessibility relations, we denote the valuation of a model by v in this proof.) 

$v(d) = \{(x,y) \in N^2 \mid x = y\}$ 

$v(e) = \{(x,y) \in N^2 \mid xEy\}$ 

$v(p_i) = \{(x,x) \in N^2 \mid x(i) = 1\}$ 

$v(p^h_i) = \{(x,y) \in N^2 \mid (x,x) \in v(p_i)\}$ 

$v(p^v_i) = \{(x,y) \in N^2 \mid (y,y) \in v(p_i)\}$. 

Let T be a tiling of the $2^n \times 2^n$-grid. A pair $(k,l) \in 2^n \times 2^n$ can be represented by a binary 
number of length 2n; the first n places for k and the second n for l. We now make a tile variable 
$t_i$ true at a leaf x in the tree (N, E) precisely if the tile $T_i$ tiles the pair (k, l) whose representation 
is x, that is 

$(x,x) \in v(t_i) \iff T_i$ tiles $(k,l)$ and $(\forall i \le n)\, x(i) = k(i)$ and 
$(\forall n < i \le 2n)\, x(i) = l(i - n)$. 

The $t^h_i$ and $t^v_i$ variables obtain their valuation just as the $p^h_i$ and $p^v_i$. 


We now describe $A_{n,T}$ and show that it is satisfied at the pair (a, a) in (F, v), where a is the root 
of the tree (N, E). 

We first describe a binary tree of depth 2n, using the propositional variables $p_1, \ldots, p_{2n}$. This 
will provide us with $(2^n)^2$ leaves each encoding an element in the $2^n \times 2^n$ grid. We use here the 
“branch and store” formula from Section 2.1 again. 
Let $\langle E\rangle A$ be an abbreviation for $\Diamond_1(e \land \Diamond_0(d \land A))$, and define $[E]A = \neg\langle E\rangle\neg A$. We use $\langle E\rangle$ as 
an ordinary K-modality. $[E]^n$ is an abbreviation defined as: $[E]^0 A = A$ and $[E]^{n+1} A = [E][E]^n A$. 


d^ [El IE L Arcon (E)* | (CE) pega A (E)=Pk+1) A 


(19) Nica (pi > [E]p:) A (~p: > [E]>p:)) ]. 


Note that the leaves in such a tree make $d \land [E]\bot$ true. Clearly (19) is satisfied at (a, a). The 
other formulas have a rather redundant formulation if we think about two-dimensional models. 
Since we want to prove the proposition for a wide class of logics, we have to use this particular 
formulation. The next two formulas say that on any leaf, precisely one tile variable $t_i$ holds. 
Clearly they are satisfied at (a, a). 


(20) Dorida) > V ti 


1<i<t 
eD) PoP, A t > Nt) 
1<i<t jżi 


The following formula ensures that the tile $T_0$ is placed along the edges. 


o” Oy" [a A [E]L A 


(22) ((a=p1 A... A 7pPn) V (p1 A... A Pn) V (Pn+1 A... A Pan) V 


(Pn+1 ^- - -A P2n)) > to] 


The next set of formulas capture the behavior of the variables indexed by h and v. First we 
write formulas which take care of the proper inheritance of information. Let $x_i$ stand for any of 
$\{p_i, t_i, \neg p_i, \neg t_i\}$. 

(23) OPOP (as) > zi] 

A D9"[O7"(ai) > xi] 


a 


Then we propagate the new variables in the right direction. Obviously $(F, v) \models$ (23)–(26). 


05) Offa} > oga} 


i 


(26) og [et > O7" xt] 


Now we can express that colors match: 


QD DRON | Ep =£ AY =Y HLA AV | TS gS 
V{t} | up(T;) = down(T;)} ] 


(28) DOROP [yn = yy AEn = £y +1 AWAY {th |1<j<t}— 
V {tr | right(T;) = left(T;)} ]. 


Here we use the following abbreviations: 


Lh = Ly abbreviates /\,-,,(p! > p?) 
Zp = £y +1 abbreviates Vien [Nae = pr) A p? Aap? A au A pr)], 


and similar for the y coordinates, where we use the $p_i$’s between $p_{n+1}$ and $p_{2n}$. 

We show that (27) holds everywhere in the model (F,v). Let (k,l) =| a, = £y A yn = 
Ytl Ate A Vit} | 1 < j < t}. Then both k and l are leaves in (N, E) by the valuation 
of the t;. Then k encodes a pair (x,y) and l a pair (x, y+1) in the grid. Because (k,l) H t?, 
(k, k) H ti, and T; tiles (x, y). But since colors match (x, y+1) must be tiled by a Tj such that 
top(T;) = down(T;). Then (1,1) | tj and indeed (k, 1) | t}, as desired. 

So we have provided the formula $A_{n,T}$ and shown (B). Clearly the length of this formula is 
polynomial in |T| and n, and it can effectively be obtained given n and T. This proves (A). 
Finally we show that the given formula is indeed powerful enough to describe a tiling. So let 
$A_{n,T}$ be Grid’ satisfiable. Then $A_{n,T}$ is satisfied in a model $M = (W, H, V, v)$ which satisfies 
(17) and (18). Now suppose that $M, w \models A_{n,T}$. Then formula (19) forces a binary tree of depth 
2n starting at w, in which the leaves encode all possible valuations of the $p_i$-variables. By (17), 
every leaf in that tree can be reached from w by making 2n horizontal, followed by 2n vertical 
steps. So (20) and (21) ensure that at each leaf precisely one tile variable holds. Choose such 
a tree starting at w and define a tiling of the grid, using the encoding given above. By (20) and 
(21) this is a well-defined tiling. By (22), the tile $T_0$ is placed along the edges. Now we check 
that colors match. Suppose that $T_i$ tiles (x, y) and $T_j$ tiles (x, y + 1). Then by (17) we have the 
following situation in our model: 


$wV^{2n}aH^{2n}l$ and $wH^{2n}bV^{2n}k$ for some worlds a and b, 


where k is a leaf encoding (x, y) and $M, k \models t_i$ and l a leaf encoding (x, y+1) and $M, l \models t_j$. 
By the inheritance formulas (23) and (24) we have $M, a \models (x, y+1)^h \land t^h_j$ and $M, b \models 
(x, y)^v \land t^v_i$, where $(x, y+1)^h$ abbreviates the conjunction of $p^h_i$ and $\neg p^h_i$ such that $p_i$ and $\neg p_i$ 
are true at l, etcetera. Now by (18) we have a world c such that $aH^{2n}c$ and $bV^{2n}c$, so $M, c \models 
(x, y+1)^h \land t^h_j \land (x, y)^v \land t^v_i$ by the propagation formulas (25) and (26). But then by (27) the 
colors must indeed match. The same argument with (28) shows that colors match horizontally. 
This proves (C), hence the proposition. □ 


3.6 Language design and complexity 


We briefly look at the effect of the design of the modal language on the complexity of the satis- 
fiability problem. We restrict ourselves to the basic modal language. Modal languages all come 
with an infinite number of propositional variables. What happens if we fix them to some arbitrary 
finite number n? That is, all formulas are built from propositional variables $p_1, \ldots, p_n$ only. Let 
us first look at propositional logic. For the full language the satisfiability problem is NP hard. 
Note that we crucially used the fact that we have an unbounded number of proposition letters in 
the lower bound proof. If we restrict the number of variables to some fixed n, the problem 
becomes solvable in linear time: write out the truth table, it contains at most $2^n$ rows, and make all 
(at most $2^n$) checks. Each check can be done using linear time in the length of the input wff. Of 
course we must still make a lot of checks but the number is fixed by the design of the language, 
and not dependent on the input. 

Does this also hold for the satisfiability problem of the basic modal system? Halpern [19] 
showed that it does not. With one propositional variable the satisfiability problem is still PSPACE 
hard. Here we will explain the idea and give a more efficient encoding as well. What we need 
is a polynomial time computable translation from arbitrary modal formulas to modal formulas in 
just one propositional variable, say q, which preserves satisfiability. Then PSPACE hardness of 
the full modal language is inherited by the small language. This is Halpern’s translation: 


$(p_i)^t = \Diamond(\neg q \land \Diamond^i q)$ 
$(\cdot)^t$ commutes with all connectives 


Again $\Diamond^i$ abbreviates a string of i diamonds, thus the translation is only linear if the i in $p_i$ is 
given in unary. If i is given in binary, the translation is exponential. We now show that for 
each wff A, A is satisfiable iff $A^t$ is satisfiable. The right to left direction is easy and left to the 
reader. For the other direction, let M = (W, R, V) and let $M, w_0 \models A$. Create a new model 
M’ = (W’, R’, V’) such that W’ consists of W plus a suitable supply of new worlds, $R'|_W = R$, 
$W \subseteq V'(q)$ and for all $w \in W$ add a path $w R w_0 R \ldots R w_i$ to M’ iff $M, w \models p_i$. The $w_j$ are all 
different and not yet in W. Of these new worlds only set $w_i \in V'(q)$. Use new worlds for every 
$w \in W$ and every propositional variable $p_i$. An induction on the length of the formula shows 
that for all $w \in W$, for all subformulas B of A, $M, w \models B$ iff $M', w \models B^t$. As $M, w_0 \models A$, 
that means that $A^t$ is satisfied in M’. 

This idea can be used to get a linear translation if the indices of the p’s are given in binary. 
Instead of coding $p_i$ by an i long string of worlds, we encode it by a string of worlds which 
mimics the binary encoding of i. For instance, the encoding of $p_{101}$ would be 


$\Diamond(\neg q \land \Diamond(q \land \Diamond(\neg q \land \Diamond q)))$, 


in which the leading ~q is as before to separate “coding” worlds from “real” worlds and the rest 
of the world sequence is a replica of the string 101. The length of the string of worlds is fixed for 
all $p_i$ and depends only on the number of variables in the input formula to be translated. Clearly 
the translation is linear. Details are left to the reader. 


Note that we need formulas of unbounded modal depth to encode as many propositional 
variables as we like. What if we fix the modal depth of our formulas? Then the problem becomes 
NP complete, which is an immediate consequence of the tree model property. Recall that each 
satisfiable formula A is satisfiable in a tree of depth d, the modal depth of A, and branching factor 
b bounded by the number of diamond formulas in A, hence by |A|. The number of worlds in 
such a tree is bounded by $b^{d+1}$, which (since d is now considered fixed) is simply linear in 
|A|. 

If we fix both the number of propositional variables and the modal depth we are rapidly leaving 
the realm of logic, as then there are only a finite number of wffs up to logical equivalence. A 
straightforward argument shows that the satisfiability problem then can be decided in linear time. 
See [19] for further details. 


4 HISTORICAL NOTES 


We give pointers to further literature and try to sketch a little of the historical development by 
mentioning some of the milestones. This is not intended to be exhaustive. The chapters 4, 13 and 
17 on computational modal logic, description logic and automata for temporal logic, respectively 
contain useful pointers as well. A detailed set of historical notes together with references to the 
relevant literature can be found in the notes ending Chapter 6 of [4]. 

For background, one can consult textbooks on computational complexity [27, 32] and finite 
model theory [10, 28]. The chapter on computability and complexity in [4] contains detailed 
arguments of most proofs which are just sketched here and an extended annotated bibliography. 

One might say that Cook’s Theorem bootstrapped the field of complexity of modal logics 
[9]. Ladner [25] established the first completeness results for the best known modal logics, 
focusing on local satisfiability: NP-completeness for S5 and PSPACE-completeness for K, T 
and S4. The K-World algorithm is from that paper, but using the abstract tableaux developed by 
Hemaspaandra [36]. The branch and store formula from section 2.1 originates also from [25]. 
The field took off with Fischer–Ladner [14] and Pratt [33], showing the EXPTIME lower and 
upper bound for Propositional Dynamic Logic PDL, respectively. This was a large generalization 
from earlier work: PDL is a multi modal language and the definition of ⊨ is second-order. 
Moreover within PDL the satisfiability problem under constraints can be reduced to the local 
satisfiability problem. Pratt introduced the technique of elimination of Hintikka Sets. 

In the eighties the field exploded: results for ever more complex modal systems were ob- 
tained. Halpern and Moses [20] (the original is from 1985) researched epistemic logic with 
multiple modalities and transitive closure operators in the tradition of Ladner and Pratt. PSPACE 
completeness of linear temporal logic with until was settled by Sistla and Clarke [35]. Vardi and 
Wolper [41] showed how Büchi tree automata can be used for powerful modal logics. A little 
later, the complexity of the satisfiability problem of one of the most expressive modal logics, 
the modal μ-calculus, was settled (still EXPTIME-complete) by Emerson and Jutla [11]. More 
recently, Vardi and co-authors have shown that this result is robust under a number of expansions 
of the language [40, 34, 24]. 

There are a number of motivations for studying the complexity of modal satisfiability prob- 
lems. Description logic is concerned with building knowledge bases and the main computational 
question is whether a knowledge base is consistent. This field contains a wealth of complexity 
results, for an enormous variety of modal systems, cf., the handbook [3]. Temporal logic model 
checking is used in automated program verification, see [7, 8]. Epistemic logic and combinations 
of epistemic and temporal logics play a role in the analysis of distributed computer programs. 
Cf., [13] and numerous articles by the authors of that book. 

Several attempts have been made to explain why so many modal logics are decidable and 
why so often their satisfiability problem under constraints is complete for EXPTIME. Vardi [39] 
emphasizes the tree model property, Andréka, van Benthem, Németi [2] the fact that ⊨ is defined 
in a guarded fragment of first (or second) order logic, which are really two sides of the same coin, 
as shown by Grädel [17]. This explanation focuses on the definition of ⊨ and works if the class 
of structures of a modal system is large enough to allow tree models. Hemaspaandra [36] looks at 
the frame conditions and their influence, and also at the effect of joining several modal systems. 
Marx, Venema [30] indicate the importance of “locality” principles (like being in a fixed variable 
fragment) and the “looseness” principle given by the tree model property. The use of tiling to 
establish lower bounds has a number of —usually very enthusiastic— advocates, cf., for instance 
[37, 27, 5, 21]. 


1 INTRODUCTION 


As we have seen in preceding chapters, the worst case complexity of basic reasoning tasks, 
such as deciding the satisfiability of a modal formula, is at least NP-complete for almost all 
modal logics. Moreover, for logics extended with features that are useful in practice, the worst 
case complexity can be much higher, e.g., ExpTime-complete for $K_n$ extended with non-logical 
axioms (background theories), and NExpTime-complete for $K_n$ extended with converse 
modalities, graded modalities and nominals. 

Some may regard these results as discouraging and the question arises whether automated 
computation with such logics can be feasible in practice. Fortunately, the kinds of pathologi- 
cal formulae/theories that give rise to these worst case results seem to be rarely encountered in 
realistic applications, and this has allowed for the successful development and deployment of 
automated reasoning systems for modal logics and their notational variant, description logics; 
see Chapter 13 of this handbook. Applications of such systems include, e.g., multi-agent sys- 
tems [53, 60, 196], configuration [137], conceptual modelling [73], information integration [32], 
and ontology tools and applications [125, 131, 167, 189, 138, 197]. 

Even for application derived formulae/theories, however, naive implementations of theoretical 
proof systems, such as the tableau calculi presented in Chapter 2 of this handbook, are unlikely to 
be of practical utility. As pointed out in [40], without the use of an analytic cut rule, the minimal 
length of proofs using these calculi can exceed that of proofs using the truth table method for 
certain propositional (and modal) formulae. Further, not only is it important that short proofs 
exist, but also how we go about finding a proof or a counter-model. Much of the work presented 
in this chapter deals with techniques that reduce the size of the search space or help to traverse the 
search space more efficiently. Successful modern reasoning systems crucially employ specialised 
reasoning techniques along with optimisations to dramatically improve typical case performance; 
cf. for example [85, 90, 97, 115, 116, 158, 159]. In this chapter, we focus on reasoning and 
optimisation techniques used in tableau-based algorithms and translation-based methods. 

Translation-based methods make use of the fact that a wide variety of modal logics can be 
translated into first-order logic; in fact, they can be considered as characterising certain frag- 
ments of first-order logic as explained in Section 2 of Chapter 1 of this handbook. To the trans- 
lated modal formulae, we can apply first-order reasoning methods, in particular, refinements of 
resolution [16]. Using this combination of a translation method and resolution has some obvious 
advantages. Any modal logic which can be embedded into first-order logic can be treated. The 
translations are straightforward, and can be performed in time O(n log n), so the engineering 
effort is minimal. For the resolution part, standard resolution provers can be used, or otherwise 
they can be used with small adaptations. Modern resolution provers [169, 183, 194] are among 
the most sophisticated and fastest first-order logic theorem provers currently available. The trans- 
lation method is generic, it can handle first-order modal logics, undecidable modal logics, and 
combinations of modal and non-modal logics. In all cases, soundness and completeness of the 
method is immediate from results showing that the translation is satisfiability equivalence pre- 
serving and the soundness and completeness of the resolution calculus for first-order logic. The 
semi-decidability of first-order logic and the behaviour of first-order resolution on first-order for- 
mulae does not give us, however, any immediate insight into the modal fragment of first-order 
logic, which certainly is decidable, or the behaviour of first-order resolution on translated modal 
formulae. While termination of a resolution derivation from a translated modal formula is not 
always guaranteed, there are various ways, using different translations and different refinements 
of resolution, of obtaining translation-based decision procedures. In Section 3, we discuss some 
of these approaches and illustrate them using the modal logics $K_n$, $K4_n$, $KB_n$, $K_n^{\smile}$ ($K_n$ with 
converse modalities), and $KB4_n$. Also, using the modal logic $K_n$, we want to provide some 
fundamental understanding of how modern resolution provers work in general, what kind of op- 
timisations are available, and how they can be used to provide effective and practical decision 
procedures for modal logics. 

Tableau-based algorithms are closely related to the prefixed tableau systems presented in 
Section 6 of Chapter 2 of this handbook. In Section 4, we first explain the exact relationship between 
the two before describing a tableau algorithm which decides the satisfiability of formulae in the 
basic multi-modal logic $K_n$. We then discuss implementation and optimisation techniques which 
can be used to turn this tableau algorithm into an effective and practical decision procedure for 
$K_n$. Following the same structure, we also describe tableau-based algorithms for the modal 
logics $K4_n$, $K_n$ with non-logical axioms, $K_n^{\smile}$, and their combinations and discuss 
implementation issues of those algorithms. Whereas the $K_n$ tableau algorithm terminates “automatically”, 
we use certain cycle detection mechanisms to ensure termination for other modal logics. It can 
be easily seen that these mechanisms must be chosen carefully to preserve correctness of the 
algorithm and, at the same time, to enable termination as soon as possible so as to avoid an 
unnecessarily long search. Interestingly, it has been shown by state of the art description logic 
reasoners [159, 90, 160] that such tableau algorithms are amenable to optimisation, and that they 
behave better than their worst-case complexity or that of the corresponding reasoning problem 
suggest: they implement non-deterministic double exponential decision procedures for logics 
that are ExpTime-complete. 

In Section 5, we give an overview of alternative computational approaches to the satisfiability 
problem in modal logics. These include automata-based algorithms, direct resolution, the inverse 
method, and sequent-based approaches. In Section 6, we survey reasoning problems other than 
satisfiability and provability which are relevant for applications of modal logics, namely, model 
checking, proof checking, and computing correspondence properties for modal axiom schemata. 
Finally, we conclude the chapter with a brief review and discussion of current and future research. 


2 SYNTAX, SEMANTICS, AND REASONING PROBLEMS OF MODAL LOGICS 


Throughout this chapter, we use a notation that is compatible with the one presented in Chapter 1 
of this handbook. We will use the symbols $p, q, p_i, q_i, \ldots$ for propositional variables. Here, we 
will be concerned with extensions and variants of the multi-modal logic $K_n$. The set of $K_n$ 
formulae is the smallest set that contains all propositional variables, is closed under Boolean 
operators, and contains $[i]\varphi$ and $\langle i\rangle\varphi$ for each $1 \le i \le n$ and each $K_n$ formula $\varphi$. Formulae of 
the form $[i]\varphi$ and $\langle i\rangle\varphi$ are called box formulae and diamond formulae, respectively. In different 
sections, we will consider different normal forms of $K_n$ formulae, and thus we are generous 
here and allow all kinds of Boolean operators and abbreviations, e.g. $\wedge$, $\vee$, $\neg$, $\to$, $\top$ (for any 
tautology), $\bot$ (for $\neg\top$), etc. 

As usual, the semantics of $K_n$ is defined in terms of relational Kripke structures or frames. 
A frame is a tuple $(W, R)$ of a non-empty set $W$ (of worlds) and a mapping $R$ from natural 
numbers $i$, $1 \le i \le n$, to binary relations over $W$, thus $R(i) \subseteq W \times W$. Here and in the rest 
of the chapter, we use $R_i$ as an abbreviation of $R(i)$, and we say that $w$ is $i$-accessible from $v$ 
if $R_i(v,w)$. A model is given by a triple $\mathfrak{M} = (W, R, V)$, where $(W, R)$ is a frame and $V$ is a 
mapping from propositional variables to subsets of $W$. The notion of a formula $\varphi$ being true in 
a model $\mathfrak{M}$ at a world $w \in W$ is inductively defined as follows (we omit the definition for most 
Boolean operators). 
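
$$
\begin{array}{lll}
\mathfrak{M}, w \models p & \text{iff} & w \in V(p) \\
\mathfrak{M}, w \models \neg\varphi & \text{iff} & \text{not } \mathfrak{M}, w \models \varphi \\
\mathfrak{M}, w \models \varphi \wedge \psi & \text{iff} & \mathfrak{M}, w \models \varphi \text{ and } \mathfrak{M}, w \models \psi \\
\mathfrak{M}, w \models \varphi \vee \psi & \text{iff} & \mathfrak{M}, w \models \varphi \text{ or } \mathfrak{M}, w \models \psi \\
\mathfrak{M}, w \models [i]\varphi & \text{iff} & \mathfrak{M}, v \models \varphi \text{ for all } v \text{ with } R_i(w, v) \\
\mathfrak{M}, w \models \langle i\rangle\varphi & \text{iff} & \mathfrak{M}, v \models \varphi \text{ for some } v \text{ with } R_i(w, v)
\end{array}
$$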


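A modal formula $\varphi$ is satisfiable in $K_n$ if there exists some $\mathfrak{M} = (W, R, V)$ such that, for some 
$w \in W$, $\mathfrak{M}, w \models \varphi$. In this case, we say that $\varphi$ is satisfied in $\mathfrak{M}$. $\varphi$ is valid in $K_n$ if, for every 
$\mathfrak{M} = (W, R, V)$ and every $w \in W$, $\mathfrak{M}, w \models \varphi$; $\varphi$ and $\psi$ are equivalent if $\varphi \leftrightarrow \psi$ is valid. 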

As usual, satisfiability and validity are inter-reducible, i.e., $\varphi$ is satisfiable iff $\neg\varphi$ is not valid, 
and $\varphi$ is valid iff $\neg\varphi$ is unsatisfiable. Thus, in what follows, we will mostly concentrate on a single 
inference problem, namely satisfiability testing. It is well-known that the satisfiability problem 
(and thus validity) in $K_n$ is PSpace-complete [93, 129] (see also Chapter 3 of this handbook), 
and there are various decision procedures for this problem [49, 93, 129] and implementations 
thereof [87, 90, 120, 159]. Many of these procedures exploit the fact that any satisfiable $K_n$ 
formula is satisfied in a finite tree model (i.e., one where the relational structure of the frame 
forms a finite tree) of depth linear in the size of the input formula. In this chapter, we will discuss 
in depth a resolution-based algorithm (in Section 3) and a tableau-based algorithm (in Section 4) 
for the satisfiability of $K_n$, and then explain how these two basic algorithms can be modified to 
also decide more expressive modal logics. 

We will often restrict our attention to formulae in negation normal form (NNF). In formulae 
in NNF, $\wedge$, $\vee$, and $\neg$ are the only Boolean connectives used, and negation occurs only in front of 
propositional variables. Each formula of $K_n$ and all extensions of $K_n$ discussed in this chapter 
can be easily transformed into an equivalent formula in NNF in linear time, by pushing negation 
inwards, using a combination of de Morgan’s laws and the duality between box and diamond 
formulae. 


In this chapter we refer to a number of extensions of $K_n$ which we define in the following. 


$K4_n$, $KB_n$, and $KB4_n$. We will discuss decision procedures for $K4_n$, the multi-modal logic of 
transitive frames, $KB_n$, the multi-modal logic of symmetric frames, and $KB4_n$, the multi-modal 
logic of symmetric and transitive frames. All these logics share the same language with $K_n$, 
but their semantics is based on different classes of frames. As $K4_n$ models, we only consider 
those models that are based on frames $(W, R)$ in which each $R_i$ is transitive, i.e., where for 
any $u, v, w \in W$, $R_i(u,v)$ and $R_i(v,w)$ imply $R_i(u,w)$. For example, $\langle i\rangle\langle i\rangle p \wedge [i]\neg p$ is 
$K_n$ satisfiable, whereas the same formula is $K4_n$ unsatisfiable. As $KB_n$ models, we only 
consider models that are based on frames $(W, R)$ in which each $R_i$ is symmetric, i.e., where 
for any $u, v \in W$, $R_i(u,v)$ implies $R_i(v,u)$. An example of a formula which is $K_n$ and $K4_n$ 
satisfiable, but $KB_n$ unsatisfiable, is $\neg p \wedge \langle i\rangle[i]p$. Finally, $KB4_n$ models are based on frames 
$(W, R)$ where each $R_i$ is symmetric and transitive. The formula $\langle i\rangle\neg p \wedge \langle i\rangle[i]p$, for example, is 
$KB4_n$ unsatisfiable, but satisfiable in $K_n$, $K4_n$, and $KB_n$. 
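
The three example formulae above can be checked mechanically. The following Python sketch is an added example, not code from the handbook: it evaluates formulae over explicit Kripke models with one modal parameter and searches all models with at most three worlds in each frame class. A model that is found proves satisfiability; finding none within the bound only illustrates the unsatisfiability claims and is not a decision procedure. The tuple encoding of formulae and all function names are assumptions of this example.

```python
from itertools import product

# Formulae are nested tuples (an encoding chosen for this example):
#   ("var", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", i, f), ("dia", i, f)

def holds(f, w, rel, val):
    """M, w |= f, where rel[i] is a set of pairs and val[p] a set of worlds."""
    op = f[0]
    if op == "var":
        return w in val[f[1]]
    if op == "not":
        return not holds(f[1], w, rel, val)
    if op == "and":
        return holds(f[1], w, rel, val) and holds(f[2], w, rel, val)
    if op == "or":
        return holds(f[1], w, rel, val) or holds(f[2], w, rel, val)
    successors = [v for (u, v) in rel[f[1]] if u == w]
    if op == "box":
        return all(holds(f[2], v, rel, val) for v in successors)
    if op == "dia":
        return any(holds(f[2], v, rel, val) for v in successors)
    raise ValueError(f"unknown operator {op!r}")

def variables(f):
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:] if isinstance(g, tuple)))

def transitive(r):
    return all((u, x) in r for (u, v) in r for (w, x) in r if v == w)

def symmetric(r):
    return all((v, u) in r for (u, v) in r)

FRAME_CLASSES = {
    "K": lambda r: True,
    "K4": transitive,
    "KB": symmetric,
    "KB4": lambda r: transitive(r) and symmetric(r),
}

def find_model(f, logic, max_worlds=3):
    """Return (n, R_1, V, w) with f true at w in a model of the frame class, else None."""
    admissible = FRAME_CLASSES[logic]
    props = sorted(variables(f))
    for n in range(1, max_worlds + 1):
        worlds = range(n)
        pairs = list(product(worlds, repeat=2))
        for bits in product([False, True], repeat=len(pairs)):
            r = {pair for pair, bit in zip(pairs, bits) if bit}
            if not admissible(r):
                continue
            for vbits in product([False, True], repeat=n * len(props)):
                val = {q: {w for w in worlds if vbits[k * n + w]}
                       for k, q in enumerate(props)}
                for w in worlds:
                    if holds(f, w, {1: r}, val):
                        return n, r, val, w
    return None

p = ("var", "p")
dia = lambda f: ("dia", 1, f)
box = lambda f: ("box", 1, f)
F1 = ("and", dia(dia(p)), box(("not", p)))    # <i><i>p and [i](not p)
F2 = ("and", ("not", p), dia(box(p)))         # (not p) and <i>[i]p
F3 = ("and", dia(("not", p)), dia(box(p)))    # <i>(not p) and <i>[i]p

def table(max_worlds=3):
    """Map (formula name, logic) to whether a model with few worlds exists."""
    return {(name, logic): find_model(f, logic, max_worlds) is not None
            for name, f in (("F1", F1), ("F2", F2), ("F3", F3))
            for logic in FRAME_CLASSES}
```
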

The modal logic $K4_n$ is axiomatised by the axioms of the modal logic $K_n$ (see, for example, 
Chapter 2 of this handbook), plus the axiom schema 4 below. Similarly, $KB_n$ is axiomatised 
by adding the axiom schema B to the axiomatisation of $K_n$. Finally, for $KB4_n$, we add both 
axiom schemas B and 4. 


Axiom 4: $[i]\varphi \to [i][i]\varphi$ 
Axiom B: $\varphi \to [i]\langle i\rangle\varphi$ 

The modal logic $K4_n$ is of interest since both tableau-based algorithms and translation-based 
methods require additional techniques to ensure termination. The modal logic $KB_n$ only requires 
a rather straightforward modification of the reasoning procedures we present for $K_n$, but 
raises some implementation issues for tableau systems. It is also worthwhile to remember that, 
in classical tableau systems, the treatment of $KB_n$ requires some form of cut rule. Finally, the 
procedures we present for $KB4_n$ combine the techniques we introduce for $K4_n$ and $KB_n$. 


Non-logical axioms. We consider background theories, i.e., finite sets $\Gamma = \{\psi_1, \ldots, \psi_n\}$ of 
non-logical axioms $\psi_i$. A model $\mathfrak{M}$ satisfies a background theory $\Gamma$ if, for each $w \in W$ and each 
$\psi \in \Gamma$, $\mathfrak{M}, w \models \psi$. As a reasoning problem, we are interested in the satisfiability of a formula 
w.r.t. a background theory $\Gamma$, i.e., whether there exists a model $\mathfrak{M}$ that satisfies both $\varphi$ and a 
background theory $\Gamma$. Note that, in such a model, $\varphi$ has to be true in at least one world, whereas 
all formulae in $\Gamma$ have to be true in all worlds. 

Next, we explain why we discuss algorithms that reason w.r.t. background theories. Firstly, 
considering background theories makes reasoning more difficult, i.e., satisfiability w.r.t. 
background theories is ExpTime-complete [173], and thus they present a considerable challenge for 
automated reasoning tools. As with $K4_n$, tableau algorithms for reasoning w.r.t. background 
theories no longer terminate on all inputs. However, in contrast to $K4_n$, background theories allow 
us to enforce models with paths of exponential length using the standard encoding of 
incrementation modulo $2^n$ on $n$ propositional variables representing a binary counter (see, for example, 
page 14 of [133] for such a formula). The latter can be viewed as a symptom of the increased 
complexity since we might have to consider and search models with paths of exponential length. 
Secondly, background theories can be viewed as a weak form of the universal modality, i.e., $\varphi$ is 
satisfiable w.r.t. $\Gamma$ iff 

$$\varphi \wedge \bigwedge_{\psi \in \Gamma} [0]\psi$$

is satisfied in a model based on a frame $(W, R)$ with $R_0 = W \times W$. In such a model, $[0]$ is 
called the universal modality because it can be used to access all worlds. In [4], it was shown 
how to reduce satisfiability in $K_n$ with the universal modality (i.e., where the universal modality 
might also occur at a deeper modal level) to satisfiability w.r.t. background theories. Thirdly, 
background theories can be used to “internalise” axioms or “circumscribe” frame conditions. To 
do this, we first restrict our attention to formulae in negation normal form. As an example, let 
us consider $K4_n$ as discussed above and a $K4_n$ formula $\varphi$ in NNF. It can be shown that $\varphi$ is 
satisfiable iff $\varphi$ is $K_n$ satisfiable w.r.t. the background theory 

$$\{[i]\psi \to [i][i]\psi \mid [i]\psi \text{ is a subformula of } \varphi \text{ and } 1 \le i \le n\}.$$


Finally, background theories are notational variants of description logic TBoxes or terminologies, 
which are used in applications to hold the intensional domain knowledge [44, 173]; see also 
Chapter 13 of this handbook. A TBox is (the description logic variant of) a background theory 
of the form $\{\varphi_i \to \psi_i \mid 1 \le i \le m\}$. Restricting non-logical axioms to implications is (i) not 
a real restriction: we can transform each background theory $\Gamma$ into a single implication of the 
form $\top \to \bigwedge_{\psi \in \Gamma} \psi$; (ii) quite natural in various applications, and (iii) enables the use of efficient 
optimisation techniques in tableau systems [109], which we will discuss in Section 4.4. 


Converse modalities. We discuss modifications of our algorithms to decide satisfiability of $K_n^{\smile}$ 
formulae w.r.t. background theories, where $K_n^{\smile}$ is the extension of $K_n$ that allows the use of 
converse modal parameters $i^{\smile}$ in modalities. That is, $[i^{\smile}]\varphi$ and $\langle i^{\smile}\rangle\varphi$ are also well-formed 
formulae. The mapping $R$ is extended to converse modal parameters as follows: $R_{i^{\smile}} = \{(w,v) \mid 
R_i(v, w)\}$. Converse modalities are of interest because they occur naturally in applications, e.g., 
in description logics [105, 171] and temporal logics [163, 187], and because they require 
reasoning techniques that are able to reason in both directions over relations. For example, to detect the 
unsatisfiability of the formula $q \wedge \langle i\rangle(p \wedge [i^{\smile}]\neg q)$, one has to reason both ways over $R_i$. This is 
similar to the kind of reasoning required for $KB_n$ but slightly more tricky since, in $K_n^{\smile}$, 
reasoning in “both ways” over a relation depends also on the worlds related by $R_i$. For example, the 
$KB_n$ formula $[i]\varphi$ is equivalent to the $K_n^{\smile}$ formula $[i]\varphi \wedge [i^{\smile}]\varphi$. 


Graded/deterministic modalities. We discuss modifications of the tableau algorithm to handle 
deterministic and graded modalities. The former have (atomic) modal parameters $i$ whose 
interpretation $R_i$ has to be a functional relation. To understand graded modalities, note that a diamond 
formula $\langle i\rangle\varphi$ can be read as “in at least one $i$-related world, $\varphi$ is true”, and a box formula $[i]\varphi$ can 
be read as “in at most zero $i$-related worlds, $\varphi$ is not true”. Graded modalities generalise these 
formulae: $K_n^{g}$ (resp. $K_n^{\smile,g}$) is the extension of $K_n$ (resp. $K_n^{\smile}$) where we also allow for formulae 
of the form $\langle i\rangle_m\varphi$ and $[i]_m\varphi$. We read $\langle i\rangle_m\varphi$ as “in at least $(m + 1)$ $i$-related worlds, $\varphi$ is true” 
and $[i]_m\varphi$ as “in at most $m$ $i$-related worlds, $\varphi$ is true”. The semantics is extended in the obvious 
way. 

$$
\begin{array}{lll}
\mathfrak{M}, w \models \langle i\rangle_m\varphi & \text{iff} & \text{there are at least } m + 1 \text{ worlds } v \in W \text{ with } R_i(w,v) \text{ and } \mathfrak{M}, v \models \varphi \\
\mathfrak{M}, w \models [i]_m\varphi & \text{iff} & \text{there are at most } m \text{ worlds } v \in W \text{ with } R_i(w,v) \text{ and } \mathfrak{M}, v \models \varphi
\end{array}
$$

Please note that $\neg[i]_m\varphi$ is equivalent to $\langle i\rangle_m\neg\varphi$ and that, by adding $\top \to [i]_1\top$ to our background 
theory, we restrict models to those in which $R_i$ is a functional relation. Thus algorithms that can 
handle both graded modalities and background theories can also handle deterministic 
modalities. From a complexity point of view, adding graded/deterministic modalities rarely affects 
the worst case complexity, e.g., $K_n^{g}$ and $K_n^{\smile,g}$ are both PSpace-complete without background 
theories [93, 186] and ExpTime-complete w.r.t. background theories [173, 184, 186]. From a 
practical reasoning perspective, graded modalities add quite some difficulty: consider, e.g., the 
formulae $[i]_1\top \wedge \langle i\rangle(p \vee q) \wedge \langle i\rangle(\neg p \vee q)$ and $[i]_1 p \wedge [i]_1\neg p \wedge \langle i\rangle_2 q$. The former is satisfiable, but 
we have to find that the two diamond formulae can be satisfied via a “common” $i$-related world. 
The latter is unsatisfiable, but we have to find that a third $i$-related world in which neither $p$ nor 
$\neg p$ holds cannot exist. 


Nominals. In their simplest form, nominals [5, 163] are propositional variables that are true in 
exactly one world; we use $o_1, o_2, \ldots$ for these variables and indicate the availability of nominals 
in a logic by the superscript $\cdot^{o}$ as, e.g., in $K_n^{o}$. Nominals are of interest for automated reasoning 
since they destroy the tree model property (TMP) (see Chapter 1 of this handbook) of a logic. 
For example, the formula $o_2 \wedge \langle i\rangle(o_1 \wedge \langle i\rangle o_2)$ has only models with a cycle of length two. 
We mentioned above that $K_n$ enjoys this property (and so do its extensions with converse and 
graded modalities and background theories), and that this property is exploited by tableau- and 
some resolution-based algorithms. Interestingly, adding nominals to $K_n^{\smile}$ takes the complexity 
from PSpace- to ExpTime-completeness [5], and adding nominals to $K_n^{\smile,g}$ takes the complexity 
to NExpTime-completeness [186]. Here, we will consider $K_n^{\smile,g,o}$ with background theories. 


3 TRANSLATION-BASED METHODS 


3.1 Local satisfiability in multi-modal $K_n$ 


As outlined in Chapter 1 of this handbook, using the standard translation, formulae of the basic 
modal logic K can be embedded into first-order logic. This translation is also called the relational 
translation, since it is based on the relational Kripke semantics for modal logic. In the following 
we denote this translation by $\pi_r$, and present here its straightforward generalisation to 
multi-modal $K_n$. 

$$
\begin{array}{ll}
\pi_r(\top, x) = \top & \pi_r(\bot, x) = \bot \\
\pi_r(p, x) = P_p(x) & \pi_r(\neg\varphi, x) = \neg\pi_r(\varphi, x) \\
\multicolumn{2}{l}{\pi_r(\varphi \star \psi, x) = \pi_r(\varphi, x) \star \pi_r(\psi, x) \quad \text{for } \star \in \{\wedge, \vee, \to, \leftrightarrow\}} \\
\pi_r([i]\varphi, x) = \forall y\,(R_i(x,y) \to \pi_r(\varphi, y)) & \pi_r(\langle i\rangle\varphi, x) = \exists y\,(R_i(x,y) \wedge \pi_r(\varphi, y))
\end{array}
$$

In the translation, each propositional variable $p$ is uniquely associated with a unary predicate 
symbol $P_p$, while each modal parameter $i$, $1 \le i \le n$, is uniquely associated with a binary 
predicate symbol $R_i$. In addition, $x$ is an arbitrary first-order variable while $y$ is an arbitrary 
first-order variable distinct from $x$. 

This translation is satisfiability equivalence preserving, that is, for every modal formula $\varphi$, 
$\varphi$ is $K_n$ satisfiable iff $\pi_r(\varphi, x)$ is first-order satisfiable. The free variable $x$ is assumed to be 
existentially quantified. 

The currently predominant method for reasoning about first-order formulae is resolution [170]. 
The method requires that a first-order formula or set of first-order formulae $\varphi$ is first transformed 
into a satisfiability equivalent set of clauses $N_0$. This set of clauses is then saturated using the 
resolution rule and factoring rule shown in Figure 1. That is, given a clause set $N_i$, $i \ge 0$, these 
inference rules are applied (top-down) to clauses already in the set and the conclusion $C$ of such 
an application is added to $N_i$ to give us the clause set $N_{i+1}$. This process continues until either 
(i) the current clause set $N_i$ contains the empty clause (i.e. $\bot$) or (ii) no new clauses can be 
derived, that is, any conclusion of an application of the resolution and factoring rules to clauses in 
$N_i$ is already contained in $N_i$. Any clause set containing the empty clause is unsatisfiable. Thus, 
in the case (i), $N_i$ is unsatisfiable and by the soundness of the resolution calculus, so is $N_0$. This 
implies that $\varphi$ is unsatisfiable, since $N_0$ is satisfiable iff $\varphi$ is satisfiable. In the case (ii), if $N_i$ 
does not contain the empty clause, $N_i$ is satisfiable and it is possible to construct a model for $N_i$. 
By the completeness of the resolution calculus, $N_0$ is satisfiable. It follows that $\varphi$ is satisfiable. 
Due to the undecidability of first-order logic, there is in general no guarantee that, after a finite 
number of steps, we either always encounter case (i) or (ii). If we apply the inference rules of 
the resolution calculus in a fair way, then the completeness of the resolution calculus ensures 
that, eventually, the empty clause is derived. However, if the formula $\varphi$ and the clause set $N_0$ 
are satisfiable, then the saturation process may continue indefinitely (unless suitable resolution 
refinements and/or translation methods are used, see below). 

The last observation is also true if the formula $\varphi$ we are considering belongs to a decidable 
fragment of first-order logic or is the result of translating a formula belonging to a decidable 
modal logic like $K_n$. However, starting with [123], a large number of fragments of first-order 
logic have been shown to be decidable by resolution or refinements of resolution [48, 65, 76, 82, 
117, 179]. 


Resolution: $\dfrac{C \vee A_1 \qquad \neg A_2 \vee D}{(C \vee D)\sigma}$ where $\sigma$ is the most general unifier of atoms $A_1$ and $A_2$ 

Factoring: $\dfrac{C \vee L_1 \vee L_2}{(C \vee L_1)\sigma}$ where $\sigma$ is the most general unifier of literals $L_1$ and $L_2$ 


Figure 1. The resolution calculus R 

Let us start by considering what happens if we apply the basic unrefined resolution calculus 
to the relational translation of modal formulae. Consider, for example, the modal formula 
$\varphi_1 = [2](p \to \langle 1\rangle p)$. Its translation $\pi_r(\varphi_1, x)$ is the first-order formula $\varphi_1^r = \forall y\,(R_2(x, y) \to 
(P_p(y) \to \exists z\,(R_1(y,z) \wedge P_p(z))))$. The corresponding set of clauses $N_1^r$ consists of the two 
clauses 


(1) $\neg R_2(a, x) \vee \neg P_p(x) \vee R_1(x, f(x))$ 
(2) $\neg R_2(a, y) \vee \neg P_p(y) \vee P_p(f(y))$ 


where $a$ is a constant introduced during the clause form transformation (for the free variable $x$ 
in $\varphi_1^r$). We assume that the variables in two clauses to which we want to apply the resolution rule 
are renamed so that they are variable disjoint, and we consider such variant clauses to be equal. 
There are several possibilities to apply the resolution rule to clauses (1) and (2). For example, we 
can resolve clause (1) on its second literal, $\neg P_p(x)$, with clause (2) on its third literal, $P_p(f(z))$. 
The conclusion is 


[(1)2,R,(2)3] (3) $\neg R_2(a, f(z)) \vee R_1(f(z), f(f(z))) \vee \neg R_2(a, z) \vee \neg P_p(z)$ 


Clause (3) resolves with clause (2) and yields 


[(3)4,R,(2)3] (4) $\neg R_2(a, f(y)) \vee \neg R_2(a, f(f(y))) \vee R_1(f(f(y)), f(f(f(y)))) 
\vee \neg R_2(a, y) \vee \neg P_p(y)$ 

This clause also resolves with clause (2), and again, the conclusion resolves with (2), and so 
forth. Repeatedly resolving the newly derived clauses with (2) yields clauses with increasingly 
more literals and increasingly more complex terms. All these clauses are new, that is, none is the 
same as an input clause or a clause derived earlier. As the formula $\varphi_1$ and its translation $\varphi_1^r$ are 
satisfiable, we are not able to derive the empty clause. So, the saturation process will continue 
indefinitely. 

There are three approaches that we can take to solve this termination problem: 


1. We can develop and use alternative translations of modal formulae to first-order (clause) 
logic, and try to find a translation for which resolution is a decision procedure. 


2. We can develop and use refinements of resolution which restrict the application of the in- 
ference rules of the resolution calculus and use powerful redundancy elimination methods. 


3. We can develop and use alternative inference methods for first-order logic. 


These three approaches are not mutually exclusive, in particular, alternative translations can be 
combined with both refinements of resolution and alternative calculi. 

Investigations following the first approach have resulted in the introduction of the optimised 
functional translation of $K_n$ to sorted first-order logic, more precisely, to a monadic fragment of 
sorted first-order logic called basic path logic [149, 177]. Basic path logic has a sort $S_W$ for the 
set of worlds $W$ and a sort $S_i$ for each modal parameter $i$, $1 \le i \le n$, in a modal logic. It has $n$ 
binary functions $[\cdot\;\cdot]_i$ of sort $S_W \times S_i \to S_W$. Also there are special unary predicates $\mathit{def}_i$ of 
sort $S_W$ representing subsets of $W$. Each propositional variable $p$ is uniquely associated with a 
unary predicate symbol $P_p$ of sort $S_W$. Commonly, the optimised functional translation $\pi_{of}$ is 
defined as a two step process: (i) the application of the functional translation to a modal formula 
which translates it to basic path logic, followed by (ii) the application of a quantifier exchange 
operation which converts the first-order formula obtained from the functional translation into 
prenex normal form and moves all existential quantifiers inwards as far as possible. Since we 
focus here only on the satisfiability problem, we can give a simplified presentation of the optimised 
functional translation obtained in just one step. 

$$
\begin{array}{ll}
\pi_{of}(\top, s) = \top & \pi_{of}(\bot, s) = \bot \\
\pi_{of}(p, s) = P_p(s) & \pi_{of}(\neg\varphi, s) = \neg\pi_{of}(\varphi, s) \\
\multicolumn{2}{l}{\pi_{of}(\varphi \star \psi, s) = \pi_{of}(\varphi, s) \star \pi_{of}(\psi, s) \quad \text{for } \star \in \{\wedge, \vee, \to, \leftrightarrow\}} \\
\multicolumn{2}{l}{\pi_{of}([i]\varphi, s) = \forall y{:}S_i\,(\mathit{def}_i(s) \to \pi_{of}(\varphi, [s\; y{:}S_i]_i))} \\
\multicolumn{2}{l}{\pi_{of}(\langle i\rangle\varphi, s) = \mathit{def}_i(s) \wedge \pi_{of}(\varphi, [s\; y{:}S_i]_i)}
\end{array}
$$


where $s$ denotes a (world) path and $y{:}S_i$ denotes a variable of sort $S_i$. The omission of the 
quantifiers in the definition for $\langle i\rangle\varphi$ is intentional. The optimised functional translation of a 
modal formula $\varphi$ in negation normal form is now given by $\pi_{of}(\varphi, x{:}S_W)$, where $x{:}S_W$ is an 
arbitrary variable of sort $S_W$, and $x{:}S_W$ as well as the $y{:}S_i$ from $\pi_{of}(\langle i\rangle\varphi, s)$ are free variables 
which are implicitly existentially quantified. 

As an example, consider again the modal formula $\varphi_1 = [2](p \to \langle 1\rangle p)$. Its optimised 
functional translation is $\varphi_1^{of} = \pi_{of}(\varphi_1, x{:}S_W) = \forall y{:}S_2\,(\mathit{def}_2(x{:}S_W) \to (P_p([x{:}S_W\; y{:}S_2]_2) \to 
(\mathit{def}_1([x{:}S_W\; y{:}S_2]_2) \wedge P_p([[x{:}S_W\; y{:}S_2]_2\; z{:}S_1]_1))))$. 

In the representation of paths we often remove all occurrences of the binary functions $[\cdot\;\cdot]_i$ 
except for the outermost occurrence and also leave out the index of that remaining occurrence, 
e.g. $[[x{:}S_W\; y{:}S_2]_2\; z{:}S_1]_1$ is written as $[x{:}S_W\; y{:}S_2\; z{:}S_1]$. It is straightforward to restore the 
original path based on the remaining information. Intuitively, a path term like $[x{:}S_W\; y{:}S_2\; z{:}S_1]$ 
represents a path from a world $x$ to another, possibly identical, world in a Kripke frame via a 
series of ‘steps’ along the accessibility relations of the frame. Here an $R_2$-step is followed by an 
$R_1$-step, which is indicated by the sorts $S_2$ and $S_1$ associated with the variables $y$ and $z$, 
respectively. The $\mathit{def}_i$ predicates express ‘definability’ for a world in the sense that $\mathit{def}_i(s)$ is true iff 
the world $s$ has an $R_i$-successor. 

The standard translation $\pi_r$ accommodates axiom schemas like 4 and B by adding first-order 
formulae 


($R_B$) $\forall x\,y\,(R_i(x,y) \to R_i(y,x))$ 
($R_4$) $\forall x\,y\,z\,((R_i(x,y) \wedge R_i(y,z)) \to R_i(x,z))$ 

representing the relational frame properties corresponding to these axiom schemas. By contrast, 
in the case of the optimised functional translation, we add so-called functional frame properties 
in the form of (conditional) equations between path terms, for example 


($F_B$) $\forall x{:}S_W\, \forall y{:}S_i\, \exists z{:}S_i\, (\mathit{def}_i(x{:}S_W) \to \mathit{def}_i([x{:}S_W\; y{:}S_i]) \wedge 
\mathit{def}_i(x{:}S_W) \to x{:}S_W = [[x{:}S_W\; y{:}S_i]\; z{:}S_i])$ 
($F_4$) $\forall x{:}S_W\, \forall y{:}S_i\, \forall z{:}S_i\, \exists u{:}S_i\, ((\mathit{def}_i(x{:}S_W) \wedge \mathit{def}_i([x{:}S_W\; y{:}S_i])) \to 
[[x{:}S_W\; y{:}S_i]\; z{:}S_i] = [x{:}S_W\; u{:}S_i])$ 


Functional frame properties corresponding to axiom schemas 5, D, T, G, as well as functional 
frame properties corresponding to weak density, irreflexivity, and McKinsey’s axiom can be 
found in [177]. 


THEOREM 1 ([149]). Let $K_n\Sigma$ be a complete modal logic such that the functional frame 
properties corresponding to the axiom schemas in $\Sigma$ are a set of first-order formulae $F_\Sigma$. Then $\varphi$ is 
satisfiable in $K_n\Sigma$ iff $F_\Sigma \wedge \pi_{of}(\varphi, x{:}S_W)$ is first-order satisfiable. 
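
If we are only interested in establishing the satisfiability of formulae in the basic modal 
logic $K_n$ or extensions of $K_n$ by the axiom schema D for some or all modalities, then the 
use of sorted first-order logic and binary function symbols can be avoided by using $k$-ary 
predicates where the sort information is coded into the predicate names [95, 116]. The $k$-ary predicate 
symbols are $P_{p,\sigma}$ and $\mathit{def}_{i,\sigma}$ where $p$ denotes a propositional symbol, $\sigma$ is a $k$-sequence of 
natural numbers and $1 \le i \le n$, $n > 0$. We use $\overline{x}$ to denote a sequence of variables $x_1, \ldots, x_k$, 
and we use ‘$\epsilon$’ and ‘.’ for the empty sequence and the concatenation operation on sequences, 
respectively. 

$$
\begin{array}{l}
\pi_{of}(\top, \overline{x}, k, \sigma) = \top \qquad \pi_{of}(\bot, \overline{x}, k, \sigma) = \bot \\
\pi_{of}(p, \overline{x}, k, \sigma) = \begin{cases} P_p & \text{if } \sigma = \epsilon \text{ and } k = 0 \\ P_{p,\sigma}(x_1, \ldots, x_k) & \text{otherwise} \end{cases} \\
\pi_{of}(\neg\varphi, \overline{x}, k, \sigma) = \neg\pi_{of}(\varphi, \overline{x}, k, \sigma) \\
\pi_{of}(\varphi \star \psi, \overline{x}, k, \sigma) = \pi_{of}(\varphi, \overline{x}, k, \sigma) \star \pi_{of}(\psi, \overline{x}, k, \sigma) \quad \text{for } \star \in \{\wedge, \vee\} \\
\pi_{of}([i]\varphi, \overline{x}, k, \sigma) = \forall x_{k+1}\,(\mathit{def}_{i,\sigma}(\overline{x}) \to \pi_{of}(\varphi, \overline{x}.x_{k+1}, k+1, \sigma.i)) \\
\pi_{of}(\langle i\rangle\varphi, \overline{x}, k, \sigma) = \mathit{def}_{i,\sigma}(\overline{x}) \wedge \pi_{of}(\varphi, \overline{x}.x_{k+1}, k+1, \sigma.i)
\end{array}
$$

The translation of a modal formula $\varphi$ in negation normal form is given by $\pi_{of}(\varphi, \epsilon, 0, \epsilon)$. In the 
case of the modal logic $KD_n$, and in fact for any modal logic where an accessibility relation $R_i$ 
is serial, all occurrences of $\mathit{def}_{i,\sigma}$ can be replaced with the logical constant $\top$. 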

The translation $\pi_{of}$, called the polyadic optimised functional translation, takes advantage of 
two observations: 


1. All paths in $\pi_{of}(\varphi, x{:}S_W)$ start with $x{:}S_W$ and since this variable is free, it is implicitly 
existentially quantified, and is interpreted as a constant. Therefore, removing $x{:}S_W$ from 
all paths is a satisfiability equivalence preserving transformation. 


2. The variables in the paths occurring in $\pi_{of}(\varphi, x{:}S_W)$ are prefix stable, that is, for any 
variable $x_{i+1}{:}S_{j_{i+1}}$ there exists a unique prefix $[x{:}S_W\; x_0{:}S_{j_0} \ldots x_i{:}S_{j_i}]$ such that every path 
containing $x_{i+1}{:}S_{j_{i+1}}$ has the form $[x{:}S_W\; x_0{:}S_{j_0} \ldots x_i{:}S_{j_i}\; x_{i+1}{:}S_{j_{i+1}} \ldots x_k{:}S_{j_k}]$. Thus, 
if a variable occurs at position $i$ in one path, then it occurs at position $i$ in all paths. 
This property is due to a characteristic ordering of variables in the path terms 
determined by the structure of modal formulae and is a reflection of the tree model property. 
Also, since variables do not ‘move’, the sort information can be associated with the 
position at which a variable occurs instead of with the variable itself. Thus, we can code 
the sort information into predicate names. Replacing $P_p([x{:}S_W\; x_0{:}S_{j_0} \ldots x_k{:}S_{j_k}])$ by 
$P_{p, S_W S_{j_0} \ldots S_{j_k}}(x, x_0, \ldots, x_k)$ is therefore a satisfiability equivalence preserving 
transformation. 


Taking both observations together, and also taking advantage of the assumption that each sort $S_i$ 
is uniquely identified by its index $i$, we see that we can replace $P_p([x{:}S_W\; x_0{:}S_{j_0} \ldots x_k{:}S_{j_k}])$ 
with $P_{p, j_0 \ldots j_k}(x_0, \ldots, x_k)$. 

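For the modal formula $\varphi_1 = [2](p \to \langle 1\rangle p)$ the translation using $\pi_{of}$ is $\varphi_1^{of} = \forall y\,(\mathit{def}_{2,\epsilon} \to 
(P_{p,2}(y) \to (\mathit{def}_{1,2}(y) \wedge P_{p,21}(y, z))))$. The corresponding set $N_1^{of}$ of clauses again consists 
of two clauses. 


(5) $\neg\mathit{def}_{2,\epsilon} \vee \neg P_{p,2}(y) \vee \mathit{def}_{1,2}(y)$ 
(6) $\neg\mathit{def}_{2,\epsilon} \vee \neg P_{p,2}(y) \vee P_{p,21}(y, z)$ 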

Unlike for the clausal form of the relational translation of $\varphi_1$, for these two clauses there is no 
possibility to apply either the resolution rule or the factoring rule. For, we see that $P_{p,21}(y, z)$ in 
clause (6) is not unifiable with $P_{p,2}(y)$ in clause (5), nor is it unifiable with $P_{p,2}(y)$ in clause (6). 
So, for this particular example we are able to conclude that $N_1^{of}$ and $\varphi_1$ are satisfiable 
without the need to perform a single inference step. 

With this translation, is termination of the saturation process guaranteed? Consider the modal 
formula $\varphi_2 = [2](\neg p \vee [1]q) \vee [2]p$. Its optimised functional translation is 

$$\varphi_2^{of} = \forall y\,(\mathit{def}_{2,\epsilon} \to (\neg P_{p,2}(y) \vee \forall z\,(\mathit{def}_{1,2}(y) \to P_{q,21}(y,z)))) \vee \forall u\,(\mathit{def}_{2,\epsilon} \to P_{p,2}(u)).$$

The corresponding set $N_2^{of}$ of clauses consists of just one clause 


(7) $\neg\mathit{def}_{2,\epsilon} \vee \neg P_{p,2}(y) \vee \neg\mathit{def}_{1,2}(y) \vee P_{q,21}(y, z) \vee \neg\mathit{def}_{2,\epsilon} \vee P_{p,2}(u)$. 


We consider clauses to be multisets of literals, that is, a literal can occur more than once in a 
clause, as is the case with the literal $\neg\mathit{def}_{2,\epsilon}$ in clause (7). It is sometimes convenient to 
consider clauses as sets of literals. However, this complicates the completeness proof for resolution 
calculi which commonly proceeds by lifting ground level derivations to the non-ground level. 
This lifting is easier if clauses are considered to be multisets on both the ground and the non- 
ground level. Furthermore, multisets make the computational effort explicit which has to go into 
removing duplicate literals from clauses. 

We can resolve clause (7) with itself on the second literal and the last literal. Remember that 
this means that we first have to generate a variable-disjoint copy of clause (7) to serve as second 
premise of a resolution step. The conclusion is 


[(7)2,R,(7)6] (8) defo. V =Pp,2(y1) V adef1 2(y1) V Po21(y1, 21) V adef 1 2(y2) 
V Py ailye, 22) V adefs Vv P, 2(u2) V def» e V ~def z e 


We observe that the number of occurrences of ~def > has doubled, to four, and also that we 
now have two subclauses —def; 9(yi1) V Py,21(y1; z) and —def; 9(y2) V P},21 (Y2, 22) which 
are variants of each other.! Note that these two subclauses are not simply duplicates, so in a 
clauses-as-sets setting they would still remain, while all the duplicates of ~def ə, would not 
occur. Clause (8) can again be resolved with itself or with clause (7). A possible resolvent is: 


[(7)2,R,(8)8] (9) defo. V 7Pp,2(y3) V adef 1 2(y3) V Pq,21 (ys, 23) 
V ~defı 2(y1) v P21 (41, z1) V defy 2(y2) v Py 2i(ye, z2) 
V adef e V Pp, 2(u2) V adef e V adef e V adef e V adef a e 


We can continue this process indefinitely, producing bigger and bigger clauses. This shows that 
the saturation process does not terminate. 

We observe, however, that resolution is not the only inference rule that can be applied to 
clause (8): we can also apply the factoring rule. Indeed, there are several possibilities to do so, 
for example, we can apply the factoring rule to P},21(y1, 21) and P},21 (Y2, z2). The resulting 
factor is: 


[(8)4,F,(8)6] (10) ¬def_{2,ε} ∨ ¬P_{p,2}(y_1) ∨ ¬def_{1,2}(y_1) ∨ ¬def_{1,2}(y_1) ∨ P_{q,21}(y_1, z_1)
∨ ¬def_{2,ε} ∨ P_{p,2}(u_2) ∨ ¬def_{2,ε} ∨ ¬def_{2,ε}.


¹ We consider two formulae or clauses to be equal iff they are variants of each other, that is, they are syntactically
equal modulo variable renaming.

We see that the clause (10) is a subclause of the clause (8) from which it was derived. Clause (10)
thus subsumes clause (8). In general, a clause C subsumes a clause D iff there is a substitution
σ such that Cσ is a subclause of D. Subsumed clauses are redundant and can be removed from
a clause set without losing completeness. 

Further factoring steps are possible on clause (10), for example, on the two occurrences of
¬def_{1,2}(y_1). It turns out that the final clause that we can derive by a series of factoring steps is
a condensation of clause (8). By definition, a condensation Cond(C) of a clause C is a minimal
subclause of C which is also an instance of C. A clause C is condensed iff there exists no
condensation of C which is a strict subclause of C. For any clause C, Cond(C) subsumes C, 
and hence C is redundant in the presence of Cond(C) and can be removed. This justifies that 
we can systematically replace clauses with their condensation. 

The condensations of clauses (7) and (8) are the clauses


(7') ¬def_{2,ε} ∨ ¬P_{p,2}(y) ∨ ¬def_{1,2}(y) ∨ P_{q,21}(y, z) ∨ P_{p,2}(u)
(8') ¬def_{2,ε} ∨ ¬P_{p,2}(y_1) ∨ ¬def_{1,2}(y_1) ∨ P_{q,21}(y_1, z_1) ∨ P_{p,2}(u_2).


These two clauses are variants of each other, that is, we regard them as equal. So, the only clause 
derivable from (7’) is identical to (7'), which means the saturation process terminates. 
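The subsumption and condensation steps described above can be checked mechanically. The following Python code is an added example, not code from the Handbook or from any prover it cites: it treats clauses as sets of literals, writes the predicate symbols of clauses (7), (8) and (10) as the assumed ASCII names def_2e, def_12, P_p2 and P_q21, and all function names are hypothetical.

```python
# Added example: clauses as sets of literals. A variable is a str; an atom is a
# tuple (symbol, arg1, ...); a literal is (sign, atom) with sign "+" or "-".
# Predicate names are ASCII stand-ins chosen for this example.

def match(pat, tgt, s):
    """Extend substitution s so that pat under s equals tgt (one-way matching)."""
    if isinstance(pat, str):                      # pattern variable
        if pat in s:
            return s if s[pat] == tgt else None
        return {**s, pat: tgt}
    if isinstance(tgt, str) or pat[0] != tgt[0] or len(pat) != len(tgt):
        return None
    for p, t in zip(pat[1:], tgt[1:]):
        s = match(p, t, s)
        if s is None:
            return None
    return s

def apply(t, s):
    """Apply substitution s (simultaneously) to a term or atom."""
    if isinstance(t, str):
        return s.get(t, t)
    return (t[0],) + tuple(apply(a, s) for a in t[1:])

def subsuming_subst(C, D, s=None):
    """Return a substitution σ with Cσ ⊆ D (set inclusion), or None.
    Variables of D are treated as constants; backtracks over literal choices."""
    s = {} if s is None else s
    if not C:
        return s
    (sign, atom), rest = C[0], C[1:]
    for dsign, datom in D:
        if dsign == sign:
            s2 = match(atom, datom, s)
            if s2 is not None:
                found = subsuming_subst(rest, D, s2)
                if found is not None:
                    return found
    return None

def condense(C):
    """Condensation: while some σ maps C into C minus one literal, replace C by Cσ."""
    C = list(dict.fromkeys(C))                    # drop duplicate literals
    changed = True
    while changed:
        changed = False
        for L in C:
            s = subsuming_subst(C, [M for M in C if M != L])
            if s is not None:
                C = list(dict.fromkeys((sg, apply(a, s)) for sg, a in C))
                changed = True                    # C is strictly smaller now
                break
    return C

def variants(C, D):
    """Equality modulo renaming; mutual subsumption suffices for condensed clauses."""
    return (len(C) == len(D) and subsuming_subst(C, D) is not None
            and subsuming_subst(D, C) is not None)

NDEF = ("-", ("def_2e",))

def clause7(y, z, u):
    """Clause (7) with the given variable names."""
    return [NDEF, ("-", ("P_p2", y)), ("-", ("def_12", y)),
            ("+", ("P_q21", y, z)), NDEF, ("+", ("P_p2", u))]

C7 = clause7("y", "z", "u")
# Clause (8) as printed: ten literals, four of them ¬def_2e.
C8 = [NDEF, ("-", ("P_p2", "y1")), ("-", ("def_12", "y1")),
      ("+", ("P_q21", "y1", "z1")), ("-", ("def_12", "y2")),
      ("+", ("P_q21", "y2", "z2")), NDEF, ("+", ("P_p2", "u2")), NDEF, NDEF]
# Clause (10): the factor of (8) on its two P_q21 literals.
C10 = [NDEF, ("-", ("P_p2", "y1")), ("-", ("def_12", "y1")),
       ("-", ("def_12", "y1")), ("+", ("P_q21", "y1", "z1")),
       NDEF, ("+", ("P_p2", "u2")), NDEF, NDEF]

if __name__ == "__main__":
    print("(10) subsumes (8):", subsuming_subst(C10, C8) is not None)
    print("Cond(7):", condense(C7))
    print("Cond(8):", condense(C8))
    print("variants:", variants(condense(C7), condense(C8)))
```

Because every successful step strictly shrinks the clause, `condense` terminates, and on clause (8) it needs a single step with the substitution y2 ↦ y1, z2 ↦ z1.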

It turns out that systematically replacing clauses by their condensation is sufficient to guarantee
termination not only for this particular example formula, but for any modal formula in K_n
or KD_n.


THEOREM 2 ([175]). Let p be a modal formula and No = Top (P, €,0,€). Then the saturation 
process from No by the resolution calculus R defined in Figure 1 in which clauses are systemati- 
cally and eagerly replaced with their condensation always terminates with a clause set Nn, and 
y is K(D),, unsatisfiable iff N, contains the empty clause. 


It is important to understand how Theorem 2 is to be interpreted. The theorem says that 
R plus condensing is a decision procedure for this translation of modal satisfiability problems. 
It does not stipulate that we must use R plus condensing. Rather, the theorem sets out the 
minimal requirement or weakest condition we have to impose on a saturation process by R to 
ensure that it terminates. It states that, as long as we keep clauses condensed, we can use any 
refinement of the calculus R, we can perform inference steps on any literals in a clause and can 
perform inference steps in any order, and the saturation process is still guaranteed to terminate. 
Condensing can be simulated by factoring and subsumption deletion. Consequently, any first-order
theorem prover which implements some refinement of R (and subsumption deletion, which
is standardly available) can serve as a decision procedure for K_n and KD_n.

The question as to which particular refinement of resolution to use (determining which infer- 
ence steps are required for completeness) and which particular strategies and heuristics to use 
(determining the order in which inference steps are performed) is then subject to both theoretical 
and empirical investigation. We leave empirical aspects aside for the moment and instead focus 
on refinements of resolution. 

A wide range of refinements of resolution can be formulated in the general resolution calculus
of Bachmair and Ganzinger; full details can be found in [16]. In the general resolution calculus,
here denoted by R_S^≻, inference rules are parameterised by an admissible ordering ≻ on literals
and a selection function S. Essentially, an admissible ordering is a total (well-founded) strict
ordering on the ground level such that for literals: ... ≻ ¬A_n ≻ A_n ≻ ... ≻ ¬A_1 ≻ A_1.
This is extended to the non-ground level in a canonical manner. A selection function S assigns
to each clause a possibly empty set of occurrences of negative literals. If C is a clause, then the
Deduction:   N / (N ∪ {Cond(C)})
    if C is either a resolvent or a factor of clauses in N.

Deletion:   (N ∪ {C}) / N
    if C is redundant in N.

Splitting:   (N ∪ {C ∨ D}) / (N ∪ {C} | N ∪ {D})
    if C and D are variable-disjoint.

Resolution:   (C ∨ A_1    ¬A_2 ∨ D) / (C ∨ D)σ
    where (i) σ is the most general unifier of atoms A_1 and A_2, (ii) no literal is selected in C, and
    A_1σ is strictly ≻-maximal with respect to Cσ, and (iii) ¬A_2 is either selected, or ¬A_2σ is maximal
    with respect to Dσ and no literal is selected in D.

Positive Factoring:   (C ∨ A_1 ∨ A_2) / (C ∨ A_1)σ
    where (i) σ is the most general unifier of atoms A_1 and A_2, and (ii) no literal is selected in C and A_1σ
    is ≻-maximal with respect to Cσ.


Figure 2. Expansion and inference rules of R_S^≻


literal occurrences in S(C) are selected. No restrictions are imposed on the selection function. 
The calculus comprises expansion rules of the general form 


N / (N_1 | ... | N_n)


where both the numerator N and the denominators N1, ..., Nn (n > 1) are finite sets of clauses. 
Expansion rules are applied top-down. There are three kinds of expansion rules: Deduction, 
Deletion and Splitting which are defined in Figure 2. The inference rules consist of the resolution
and the factoring rule also defined in Figure 2. The left premise of the resolution rule is called
the positive premise and the right premise is called the negative premise. The implicit assumption 
is that the premises have no common variables. Resolvents are conclusions of resolution steps, 
while factors are conclusions of factoring steps. 

A derivation in R_S^≻ from a set of clauses N is a finitely branching, ordered tree T with root N
and nodes which are sets of clauses. The tree is constructed by applications of the expansion
rules to the leaves. We assume that no resolution or factoring inference (on the same premises)
is performed twice on the same branch of the derivation. A branch N(= N_0), N_1, ... in a
derivation T is called a closed branch in T iff the clause set ⋃_{j≥0} N_j contains the empty clause,
otherwise it is called an open branch. We call a branch B in a derivation tree complete (with
respect to R_S^≻) iff no new successor nodes can be added with R_S^≻ to the endpoint of B, otherwise
it is called an incomplete branch. A derivation T is a refutation iff every path N(= N_0), N_1, ...
in it is a closed branch, otherwise it is called an open derivation.

In general, the calculus R_S^≻ can be enhanced with standard simplification rules such as tautology
deletion and subsumption deletion. In fact, it can be enhanced by all simplification rules
which are compatible with a general notion of redundancy [16, 18]. For example, C is redundant
in N ∪ {Cond(C)}. A set N of clauses is saturated up to redundancy with respect to a particular
refinement of resolution if the conclusion of every inference from non-redundant premises in N
is either contained in N, or else is redundant in N. A derivation T from N is called fair if,
for any path N(= N_0), N_1, ... in T with limit N_∞ = ⋃_{j≥0} ⋂_{k≥j} N_k, it is the case that each
clause C which can be deduced from non-redundant premises in N_∞ is contained in some N_j.
Intuitively, fairness means that no non-redundant inferences are delayed indefinitely. For a finite


194 Ian Horrocks, Ullrich Hustadt, Ulrike Sattler, and Renate Schmidt 


complete branch N(= N_0), N_1, ..., N_n, the limit N_∞ is equal to N_n.

THEOREM 3 ([18]). Let T be a fair R_S^≻ derivation from a set N of clauses. Then


1. if N(= N_0), N_1, ... is a path with limit N_∞, then N_∞ is saturated (up to redundancy),
2. N is satisfiable iff there exists a path in T with limit N_∞ such that N_∞ is satisfiable, and


3. N is unsatisfiable iff for every path N(= N_0), N_1, ... the clause set ⋃_{j≥0} N_j contains the
empty clause.


As an aside, we note that it follows from the decidability result for the optimised functional 
translation (Theorem 2) that we can use any instance of R_S^≻ for the clause sets obtained by
applying Topf to modal formulae in K, or KD,,. In particular, this gives us full flexibility with 
respect to orderings and selection functions. Furthermore, by Theorem 2, even instances of R_S^≻
without splitting will terminate.

The purpose of the ordering > and the selection function S is to restrict the set of literals in a 
clause to which resolution and factoring can be applied. This limits the number of inferences per- 
formed and consequently reduces the search space. For example, reconsider the clause set N f 
consisting of just the clause 


(7) ¬def_{2,ε} ∨ ¬P_{p,2}(y) ∨ ¬def_{1,2}(y) ∨ P_{q,21}(y, z) ∨ ¬def_{2,ε} ∨ P_{p,2}(u).


Using an ordering we could restrict inference steps to the literals P_{q,21}(y, z) and P_{p,2}(u). Now
¬P_{p,2}(y) can no longer be resolved with P_{p,2}(u), since ¬P_{p,2}(y) is neither maximal nor selected.
Alternatively, using a selection function we could restrict inference steps to the negative literals
¬def_{2,ε} or ¬P_{p,2}(y). Again, no inference steps are possible.

Let us reconsider our very first example, the set of clauses N_1 obtained via the relational
translation of φ_1 = [2](p → ⟨1⟩p):


(1) ¬R_2(a, x) ∨ ¬P_p(x) ∨ R_1(x, f(x))
(2) ¬R_2(a, y) ∨ ¬P_p(y) ∨ P_p(f(y))


If we use an ordering ≻ such that R_1(x, f(x)) is maximal in clause (1) and P_p(f(y)) is maximal
in clause (2), then no inference steps are possible on N_1. Likewise, if we select the literals
¬R_2(a, x) and ¬R_2(a, y) in their respective clauses, then again no inference steps are possible.

This raises the question whether it is possible to obtain decision procedures for K_n satisfiability
based on the relational translation π_r and the calculus R_S^≻ by using particular ordering
or selection functions. To simplify matters, we use a technique called structural transformation.
The purpose of the structural transformation is to convert the first-order translation into a more
manageable form. Before we describe it formally, we need to define some basic notions.

The polarity of (occurrences of) modal or first-order subformulae is defined as usual. Any
occurrence of a proper subformula of an equivalence has zero polarity. For occurrences of subformulae
not below a ‘↔’ symbol, an occurrence of a subformula has positive polarity if it is
inside the scope of an even number of (explicit or implicit) negations, and it has negative polarity
if it is inside the scope of an odd number of negations. For any first-order formula φ, if λ is the
position of a subformula in φ, then φ|_λ denotes the subformula of φ at position λ and φ[ψ ↦ λ]
is the result of replacing φ|_λ at position λ by ψ. The set of all the positions of subformulae of φ
is denoted by Λ(φ).

Structural transformation, also referred to as renaming, associates a predicate symbol Q_λ and
a literal Q_λ(x̄) with each element λ of Λ ⊆ Λ(φ), where x̄ = x_1, ..., x_n are the free variables
of φ|_λ, the symbol Q_λ does not occur in φ and two symbols Q_λ and Q_λ' are equal only if φ|_λ
and φ|_λ' are equivalent formulae. In practice, one may want to use the same symbols for variant
subformulae, or subformulae which are obviously equivalent, for example, φ ∨ ψ and ψ ∨ φ.
Let Def⁺_λ(φ) = ∀x̄ (Q_λ(x̄) → φ|_λ) and Def⁻_λ(φ) = ∀x̄ (φ|_λ → Q_λ(x̄)). The definition of Q_λ
is the formula


Def_λ(φ) = Def⁺_λ(φ)               if φ|_λ has positive polarity,
           Def⁻_λ(φ)               if φ|_λ has negative polarity,
           Def⁺_λ(φ) ∧ Def⁻_λ(φ)   otherwise.


The corresponding clauses are called definitional clauses. Now, assume that Λ is a set of positions
in a formula φ and that we want to systematically replace subformulae at positions in Λ while
adding definitions for the newly introduced predicate symbols. A convenient way to do so is
to start by renaming the innermost subformulae, and then to proceed up towards the root of φ.
Formally, define Def_Λ(φ) inductively by:


Def_∅(φ) = φ and Def_{Λ∪{λ}}(φ) = Def_Λ(φ[Q_λ(x̄) ↦ λ]) ∧ Def_λ(φ),


where λ is maximal in Λ ∪ {λ} with respect to the prefix ordering on positions. A definitional
form of φ is Def_Λ(φ), where Λ is a subset of all positions of subformulae of φ (usually, non-atomic
or non-literal subformulae).


THEOREM 4 (e.g. [29, 161]). Let φ be a first-order formula. Then

1. φ is satisfiable iff Def_Λ(φ) is satisfiable, for any Λ ⊆ Λ(φ), and


2. Def_Λ(φ) can be computed in polynomial time (or linear time if new symbols are introduced
for all formulae occurring in Λ).


By Λ_m(φ) we denote the set of positions in π_r(φ, x) corresponding to non-atomic subexpressions
of the modal formula φ.

Structural transformation allows us to keep the structure of the clauses we have to deal with
very simple. This in turn simplifies the characterisation of classes of clause sets that can be
derived from some initial clause set using R_S^≻. For example, assume that, in the relational translation
of the modal formula φ_3 = [2]⟨1⟩p, we apply structural transformation to all positions
that correspond to non-atomic subexpressions of the original modal formula φ_3. The result is the
set of formulae on the left of Figure 3, while the clausal form is given on the right. In general,
the formulae we obtain in this way from the relational translation of modal formulae (as well as
the corresponding sets of clauses) belong to quite a number of decidable fragments of first-order
logic, for example, the two-variable fragment, the guarded fragment [3], Maslov’s class K [135],
and fluted logic [165, 166]. Resolution decision procedures have been developed for the guarded


Q_{[2]⟨1⟩p}(a)                                             Q_{[2]⟨1⟩p}(a)*
∧ ∀x (Q_{[2]⟨1⟩p}(x) → ∀y (R_2(x, y) → Q_{⟨1⟩p}(y)))       ¬Q_{[2]⟨1⟩p}(x) ∨ ¬R_2(x, y)* ∨ Q_{⟨1⟩p}(y)
∧ ∀x (Q_{⟨1⟩p}(x) → ∃y (R_1(x, y) ∧ P_p(y)))               ¬Q_{⟨1⟩p}(x) ∨ R_1(x, f(x))*
                                                           ¬Q_{⟨1⟩p}(x) ∨ P_p(f(x))*


Figure 3. The structural transformation and the clausal form of [2]⟨1⟩p
fragment [48, 76], for Maslov’s class K [111, 117], for fluted logic [179] and various other classes
related to modal logics, see e.g. [65, 82, 83, 111]. Here we use the results for the clausal class 
DL* defined in [49]. DL* is a variation of the class of DL-clauses, that was introduced in [119] 
for the purpose of deciding expressive description logics. 

In order to simplify the definition of DL*, all clauses are assumed to be maximally split. The 
components in the variable partition of a clause are called variable-disjoint or split components, 
that is, split components do not share variables. If C1, ..., Cy are the split components of C, 
then we say C can be decomposed into C1, ..., Cn. A clause which cannot be split further is 
called a maximally split clause or an indecomposable clause. Now, a maximally split clause C
is a DL*-clause iff the following conditions are satisfied: (i) all literals are unary, or binary; (ii) 
there is no nesting of function symbols; (iii) every functional term in C contains all the variables 
of C (this condition implies that, if C contains a functional ground term, then C is ground); (iv) 
every binary literal (even if it has no functional terms) contains all the variables of C. It can be 
shown that all clauses in structural form obtained from Def_{Λ_m(φ)}(π_r(φ, x)) for a modal formula φ
belong to DL* [49]. 

In order to decide the class DL*, we use the following ordering. First we define an order ≻_d
on terms: s ≻_d t if s is deeper than t, and every variable that occurs in t, occurs deeper in s. Then
we define P(s_1, ..., s_n) ≻ Q(t_1, ..., t_m) as {s_1, ..., s_n} ≻_d^{mul} {t_1, ..., t_m}. Here ≻_d^{mul} is the
multiset extension of ≻_d [16]. So we have P(f(x)) ≻ P(a), P(x) and P(x, y) ≻ Q(x), but not
P(f(x)) ≻ P(f(a)). The selection function S is empty. We denote this particular instance of
the resolution calculus R_S^≻ by R^{ord}.

In the example in Figure 3, the maximal literals (with respect to >) are marked with *. These 
are the literals that we may apply resolution or factoring to. 
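The ordering just defined can be computed directly. The following Python code is an added example, not taken from the Handbook: it assumes that "deeper" refers to nesting depth (a variable or constant has depth 1), compares literals by their atoms only, and uses hypothetical function and predicate names; it reproduces the four comparisons stated above and the starred literals of Figure 3.

```python
from collections import Counter

# Added example. A variable is a str; a constant or function application is a
# tuple (symbol, arg1, ...), so the constant a is ("a",) and f(x) is ("f", "x").
# An atom is (predicate, arg1, ...); a literal is (sign, atom).

def depth(t):
    """Nesting depth of a term; variables and constants have depth 1."""
    if isinstance(t, str) or len(t) == 1:
        return 1
    return 1 + max(depth(a) for a in t[1:])

def var_depths(t, d=1, out=None):
    """Map every variable of t to the depth of its deepest occurrence."""
    out = {} if out is None else out
    if isinstance(t, str):
        out[t] = max(out.get(t, 0), d)
    else:
        for a in t[1:]:
            var_depths(a, d + 1, out)
    return out

def gt_d(s, t):
    """s is deeper than t and every variable of t occurs deeper in s."""
    vs, vt = var_depths(s), var_depths(t)
    return depth(s) > depth(t) and all(vs.get(x, 0) > dt for x, dt in vt.items())

def gt_mul(M, N):
    """Multiset extension: M and N differ, and every element of N - M is
    dominated by some element of M - N."""
    M, N = Counter(M), Counter(N)
    only_m, only_n = M - N, N - M
    return bool(only_m) and all(any(gt_d(m, n) for m in only_m) for n in only_n)

def gt_atom(A, B):
    """P(s_1..s_n) is greater than Q(t_1..t_m) iff the argument multisets compare."""
    return gt_mul(A[1:], B[1:])

def maximal(clause):
    """Literals of the clause that no other literal of the clause dominates."""
    return [L for L in clause if not any(gt_atom(M[1], L[1]) for M in clause)]

# Clausal form of [2]<1>p from Figure 3 (predicate names are ASCII stand-ins).
FIG3 = [
    [("+", ("Q_box", ("a",)))],
    [("-", ("Q_box", "x")), ("-", ("R_2", "x", "y")), ("+", ("Q_dia", "y"))],
    [("-", ("Q_dia", "x")), ("+", ("R_1", "x", ("f", "x")))],
    [("-", ("Q_dia", "x")), ("+", ("P_p", ("f", "x")))],
]
# Clauses (1) and (2) of N_1, the relational translation of [2](p -> <1>p).
N1 = [
    [("-", ("R_2", ("a",), "x")), ("-", ("P_p", "x")), ("+", ("R_1", "x", ("f", "x")))],
    [("-", ("R_2", ("a",), "y")), ("-", ("P_p", "y")), ("+", ("P_p", ("f", "y")))],
]

if __name__ == "__main__":
    for clause in FIG3 + N1:
        print(maximal(clause))
```

On N_1 the only maximal literals are R_1(x, f(x)) and P_p(f(y)), both positive, which is why no inference step is possible there under this ordering.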

In order to prove that the procedure R^{ord} is indeed a decision procedure we have to show
that it is complete and terminating. Completeness follows immediately from the completeness
of R_S^≻. Termination follows from the fact that, over a finite signature, there are only finitely many
maximally split DL*-clauses (modulo variable renaming), and the fact that, from DL*-clauses,
R^{ord} produces only clauses that are again in DL*, or are splittable into components in DL*
(cf. [111, 119]).


THEOREM 5 ([49, 180]). Let Σ be an arbitrary set of axiom schemas such that K_nΣ is complete
and the clausal form of the relational frame properties F_Σ corresponding to the axiom
schemas in Σ are expressible in DL*. Let φ be a K_n formula and let N be the clausal form of
F_{Σ,φ} = F_Σ ∧ Def_{Λ_m(φ)}(π_r(φ, x)). Then


1. φ is unsatisfiable in K_nΣ iff F_{Σ,φ} is first-order unsatisfiable iff there is a refutation of N
by R^{ord},


2. N is a set of DL* clauses, and


3. any derivation from N in R^{ord} (up to redundancy) terminates in double exponential time;
if Σ is empty, then any derivation from N in R^{ord} (up to redundancy) terminates in exponential
time, and


Here, and in subsequent theorems, we assume that the complexity of redundancy elimination is
at most exponential in the size of a clause set. The theorem remains true for R^{ord} without the
splitting rule, but condensing is key for decidability.

It is usually the case that, when studying modal decidability problems by analysing the de- 
cidability of related clausal classes, one comes to realise that stronger results are possible than 
initially anticipated. In [49], extensions of K_n with PDL-like relational operations have been
studied. Relational operations expressible in DL* include intersection, union, complementation, 
and converse, as are non-logical axioms. 

In R^{ord}, the inferences performed are determined by a refinement based on an ordering and
the empty selection function. We now consider results from [49, 119, 121, 180] for a different
refinement which is based solely on a selection function and an optional ordering. More precisely,
the calculus is based on maximal selection of negative literals. This means the selection
function S selects exactly the set of all negative literals in any non-positive clause. When no
ordering refinement ≻ is used, the resolution rule of R_S^≻ can be replaced with the following rule.


Resolution with maximal selection:

    C_1 ∨ A_1   ...   C_n ∨ A_n    ¬A_{n+1} ∨ ... ∨ ¬A_{2n} ∨ D
    ─────────────────────────────────────────────────────────────
                     (C_1 ∨ ... ∨ C_n ∨ D)σ


provided that for every i, 1 ≤ i ≤ n, (i) σ is the most general unifier of A_i and A_{n+i}, (ii) C_i ∨ A_i
and D are positive clauses, (iii) no A_i occurs in C_i, and (iv) the ¬A_{n+i} are selected. The negative
premise is ¬A_{n+1} ∨ ... ∨ ¬A_{2n} ∨ D and the other premises are the positive premises. The
literals A_i and A_{n+i} are the eligible literals.

Let R^{hyp} be the instance of R_S^≻ based on maximal selection and no ordering. This means that
the rules are the above resolution rule, positive unordered factoring and splitting. This refinement
of resolution is also referred to as hyperresolution plus splitting. Condensation is not needed,
but could of course be added without losing completeness and will improve the performance
of the procedure. Tautology deletion is used as a simplification rule. All derivations in R^{hyp}
are generated by strategies in which no application of the resolution or factoring with identical
premises and identical consequence may occur twice on the same path in any derivation. In
addition, deletion rules, splitting, and the deduction rules are applied in this order, except that
splitting is not applied to clauses which contain a selected literal.

All clauses occurring in the clausal form of Def_{Λ_m(φ)}(π_r(φ, x)) for a modal formula φ in K_n
have one of the forms described in Figure 4 [49, 119]. The literals marked with + are selected in
the clauses by the maximal selection function S. The notation P(s) in the figure represents some
literal with a unary predicate symbol and argument term s, and R(s, t) represents some literal
with a binary predicate symbol and argument terms s and t (not necessarily in this order). Two
occurrences of P(s) or R(s, t) need not be identical, for example, -Qy,(x) V P(x) V Q(x) 
is an instance of =Q,,(x) V P(x) V P(x), while =Qy (£) V “R;(y, £) V Q,(y) is an instance 
of “Qy(x) V “R(x, y) V P(Y). 

As all non-unit clauses of a typical input set contain a selected literal, all definitional clauses 


Pla) 

Qy (a) V =P, (x) t if Y = ap 

“Qy(e)* VPC) V PCa] iE = by Ada = 41 V ol 
~Qo(2)* V>Rzu)* VP) ify = li W= ig 
-Qe N PUE) ate 

=O o(0)* V R(x, fa) Spe 


Figure 4. Schematic clausal forms for Kn 
can only be used as negative premises of resolution steps. To begin with, there is only one
candidate for a positive premise, namely, the ground unit clause Q_φ(a) (which represents
the input formula φ). Inferences with such ground unary unit clauses produce ground clauses
consisting of positive literals only, which are split into ground unit clauses. It can be shown 
that maximally split (non-empty) inferred clauses have one of two forms: P(s), or R(s, f(s)), 
where s is a ground term [119]. In general, s is a nested non-constant functional ground term, 
which is typically avoided in resolution decision procedures based on an ordering refinement 
because, in most situations, nesting causes unbounded computations. For the class of clauses 
under consideration, however, any derived clause is smaller than its positive parent clauses with 
respect to a well-founded ordering which reflects the structure of the formula. 


THEOREM 6 ([119, 121]). Let φ be a K_n formula and let N be the clausal form of the formula
Def_{Λ_m(φ)}(π_r(φ, x)). Then


1. φ is unsatisfiable in K_n iff there is a refutation of N by R^{hyp}, and


2. any R^{hyp} derivation from N terminates.


THEOREM 7 ([49]). Let φ be a K_n formula. The space complexity for testing the satisfiability
of a modal formula φ with R^{hyp} is bounded by O(nd^m), where n is the number of symbols in φ,
d is the number of different diamond subformulae in φ, and m is the modal depth of φ.²


Formulae in K_n translate by the relational translation into the guarded fragment, in particular,
into the two-variable guarded fragment GF². It is not difficult to see that formulae in K_n are
in fact translated into the subfragment GF⁻, introduced in [134]. Under the assumption that
either (i) there is a bound on the arity of predicate symbols in GF⁻ formulae, or (ii) that each
subformula of a GF⁻ formula has a bounded number of free variables, the satisfiability problem
of GF⁻ is PSpace-complete, the same as for the satisfiability problem of K_n. Obviously, there
is a bound of two on the arity of predicate symbols occurring in the relational translation of
modal formulae in K_n. From these observations a well-known result follows.


THEOREM 8. The computational complexity of the satisfiability problem of K_n is PSpace-complete.


In [81] it is shown that R^{hyp} can be implemented as a modification of the main procedure of
a standard (saturation based) first-order theorem prover with splitting (e.g. (M)SPASS [120, 174,
192, 194]) to provide a space optimal decision procedure for GF⁻. A direct consequence is the
following.


THEOREM 9 ([81, 180]). R^{hyp} can be turned into a polynomial space resolution decision procedure
for K_n.


A more detailed description of how this can be done is given in Section 3.4. 

Another interesting aspect of R^{hyp} is that it can polynomially simulate tableau algorithms [118,
119, 121]. In general, a proof system A polynomially simulates (p-simulates) a proof system B
iff there is a function g, computable in polynomial time, mapping proofs of any given formula
φ in B to proofs of φ in A [38]. To establish a correspondence between tableau proofs and
derivations in R^{hyp} we make use of the fact that each subformula ψ of a given modal formula φ
corresponds to a predicate symbol Q_ψ in Def_{Λ_m(φ)}(π_r(φ, x)). Every node w occurring in a
tableau completion tree corresponds to a term t_w occurring in a R^{hyp} derivation. A formula ψ


² The modal depth of a formula φ is the maximal nesting of modal operators ⟨i⟩ or [i] in φ.
occurring in a set labelling a node w corresponds to a unit clause Q_ψ(t_w) and any edge between
nodes w and v with label i in a completion tree corresponds to a unit clause R_i(t_w, f(t_w)) in
a R^{hyp} derivation, where t_w is the term corresponding to node w and f(t_w) is the term corresponding
to node v, for some function symbol f. Given these correspondences, each application
of a tableau expansion rule to a completion tree can be simulated by at most two applications of
expansion rules in a R^{hyp} derivation.

This p-simulation result extends to tableau algorithms for many extensions of K_n, for example
extensions by the modal axiom schemas T, D, B, 4, and 5 [121]. It also extends to other forms 
of tableau and sequent-style calculi. 

The notion of p-simulation leaves open the possibility that an algorithm based on the proof 
system A which p-simulates a proof system B would have to search a much larger search space 
to find a proof for a given formula than an algorithm based on B. For R^{hyp}, however, it is possible
to show that the search space corresponds to that of the tableau algorithm for K_n presented in
Section 4.2 [121]. Related simulation results of tableau procedures for description logics can be
found in [118, 119], see also [65]. All these simulation results provide valuable insights into the
similarities and differences between tableau methods and resolution. On the one hand, the view
presented is that many tableau algorithms are essentially hyperresolution with lazy translation to 
first-order logic. On the other hand, because of the generality of the setting (first-order logic) it is 
even possible to exploit the close link with hyperresolution and use it as a basis for systematically 
developing new tableau procedures. Using this approach, a new tableau decision procedure was 
essentially ‘read off’ in [49] from a translation-based hyperresolution decision procedure for an 
expressive PDL-style modal logic. 

For the modal logic K_n, an improved version of the relational translation is presented in [9]. In
the original presentation, this translation consists of two steps, first mapping a formula from one
multi-modal logic into another, and then applying the relational translation to it. Our presentation
merges both steps into one. We uniquely associate a unary predicate symbol P_{p,σ} with every
propositional variable p and sequence σ of modalities. Similarly, we uniquely associate a binary
predicate symbol R_σ with every sequence σ of modalities. Then the tree(-based) relational
translation π_tr is defined as follows.


π_tr(⊤, x, σ) = ⊤                 π_tr(⊥, x, σ) = ⊥
π_tr(p, x, σ) = P_{p,σ}(x)         π_tr(¬φ, x, σ) = ¬π_tr(φ, x, σ)
π_tr(φ ⋆ ψ, x, σ) = π_tr(φ, x, σ) ⋆ π_tr(ψ, x, σ)    for ⋆ ∈ {∧, ∨, →, ↔}
π_tr([i]φ, x, σ) = ∀y (R_{σ.i}(x, y) → π_tr(φ, y, σ.i))
π_tr(⟨i⟩φ, x, σ) = ∃y (R_{σ.i}(x, y) ∧ π_tr(φ, y, σ.i))

The translation of a modal formula is given by π_tr(φ, x, ε). The tree relational translation can
be viewed as incorporating a feature of the (optimised) functional translation into the relational
translation. Whereas the relational translation uses a family of binary predicate symbols R_i,
where i is a modal parameter, the tree relational translation uses a larger family of binary predicate
symbols R_σ, where σ is a sequence of modal parameters representing a path from the
initial world, to encode transitions between worlds. Another difference is that in the tree-based
translation the σ are also encoded into the unary predicates.


THEOREM 10. A modal formula φ is satisfiable in K_n iff π_tr(φ, x, ε) is first-order satisfiable.


If we restrict ourselves to K, that is, our logic has only one modality, then the sequence σ in
the definition of π_tr only serves as a unary coding of the natural numbers. Thus, we can further
simplify the translation by using π_tr(φ, x, 0) as translation of a modal formula and modifying
the translation π_tr as follows.


π_tr([i]φ, x, σ) = ∀y (R_{σ+1}(x, y) → π_tr(φ, y, σ+1))
π_tr(⟨i⟩φ, x, σ) = ∃y (R_{σ+1}(x, y) ∧ π_tr(φ, y, σ+1))


All other cases in the definition of π_tr remain unchanged. In [8] it is shown that we can use
the following ordering to ensure that derivations in R_S^≻ from the clausal form of π_tr(φ, x, 0)
of a K formula φ terminate: P_σ(s_1, ..., s_n) ≻ Q_δ(t_1, ..., t_m) if either σ < δ, or σ = δ and
n > m. This result can easily be extended to K_n by defining the ordering ≻ as P_σ(s_1, ..., s_n) ≻
Q_δ(t_1, ..., t_m) if either length(σ) < length(δ) or length(σ) = length(δ) and n > m. This
ordering restriction can be seen to force a kind of top-down approach.


THEOREM 11. Let φ be a modal formula in K_n and let N be the clausal form of π_tr(φ, x, ε).
Then any derivation from N in R^{ord} (up to redundancy) without splitting terminates.


One of the interesting aspects of this result is that it does not require the use of structural 
transformation (nor does it require the use of the splitting rule, but condensing is crucial). 


3.2 Global satisfiability, non-logical axioms, transitive modalities, and K4_n


So far we have focused on local satisfiability, that is, the problem whether for a given modal
formula φ, there exists a model M = (W, R, V) and a world w ∈ W such that M, w ⊨ φ.
Now we turn to the problem of determining whether there is a model M such that for all worlds
w ∈ W, M, w ⊨ φ, i.e. whether φ is globally true in some model. The modifications necessary to
allow us to determine the global satisfiability of a modal formula in K_n based on the relational
translation are minimal: φ is globally satisfiable in K_n iff ∀x π_r(φ, x) is first-order satisfiable.
It is straightforward to see that the clausal form N of Def_{Λ_m(φ)}(∀x π_r(φ, x)) still consists only
of DL* clauses. Consequently, R^{ord} can decide the satisfiability of the clause set N.


THEOREM 12. Let Σ be an arbitrary set of axiom schemas such that K_nΣ is complete and
the clausal form of the relational frame properties F_Σ corresponding to the axiom schemas in Σ
is in DL*. Let φ be a modal formula in K_n and let N be the clausal form of F_{Σ,φ} = F_Σ ∧
Def_{Λ_m(φ)}(∀x π_r(φ, x)). Then


1. φ is not globally satisfiable in K_nΣ iff F_{Σ,φ} is not first-order satisfiable iff there is a
refutation of N by R^{ord},


2. N is a set of DL* clauses, and


3. any derivation from N in R^{ord} (up to redundancy) terminates in double exponential time
and in exponential time, if Σ is empty.


For local and global K_n-satisfiability w.r.t. a background theory of non-logical axioms the
same result is true. Furthermore the complexity of ordered resolution is optimal.


THEOREM 13. Let Γ = {γ_1, ..., γ_n} be a finite set of modal formulae and let φ be a modal
formula. Let F_{Γ,φ} be the first-order formula ∃x π_r(φ, x) ∧ ⋀_{i=1,...,n} ∀x π_r(γ_i, x) and let N be
the clausal form of Def_{Λ_{Γ,φ}}(F_{Γ,φ}) where Λ_{Γ,φ} contains all non-atomic positions of F_{Γ,φ}. Then


1. φ is unsatisfiable in K_n w.r.t. Γ iff F_{Γ,φ} is first-order unsatisfiable iff there is a refutation
of N by R^{ord},

2. N is a set of DL* clauses, and


3. any derivation from N in R^{ord} (up to redundancy) terminates in exponential time.


In contrast to R^{ord}, derivations in R^{hyp} from the clausal form of Def_{Λ_{Γ,φ}}(F_{Γ,φ}), as defined in
Theorem 13, are not guaranteed to terminate. Tableau algorithms face the same problem, and
the solution typically used is a technique called blocking. See Sections 4.3 and 4.4 for details.
This technique can be transferred to the context of first-order clausal logic and R^{hyp} derivations
as described in [118]. It involves the addition of a blocking rule which at certain points during
a derivation adds equations t_1 ≈ t_2 between ground terms t_1 and t_2 to the clause set, rendering
inferences on literals involving the greater of the two terms redundant. One of the interesting
properties of this approach is that completeness follows immediately from the general completeness
result for R^{hyp} [18], only soundness needs to be established. Another way of combining
blocking with R^{hyp} is presented in [27]. In addition, optimisation techniques like lazy unfolding
and absorption, which will be discussed in detail in Section 4.4, are in-built and therefore free in
R^{hyp}.


However, for $K_{(m)}$ extended with axiom schemas sometimes quite different approaches are required.
For example, the formula $\forall xyz\, ((R_i(x, y) \wedge R_i(y, z)) \rightarrow R_i(x, z))$ stating the transitivity
of $R_i$ is not a formula in any of the relevant decidable first-order fragments. The corresponding
clause does not belong to DL* either. To handle transitive modal logics one possibility is to
use the ordered chaining calculus introduced in [15] for binary relations satisfying the general
schema $R_i \circ R_j \subseteq R_k$. A decision procedure for a first-order fragment covering the modal logics
K4, KD4, and KT4, and their multi-modal variants, which is based on ordered chaining,
is presented in [77]. Recent work in [124] presents an extension of $R_{sp}$ which can decide the
guarded fragment with transitive guards. This provides a decision procedure for all modal logics
translatable into this fragment.

In the following we present another approach, the axiomatic translation approach [181], which 
allows a variety of modal logics with transitive modalities to be embedded in DL*. Consequently 
this allows the use of $R^{\mathrm{ord}}_{sp}$ to decide these logics. This method is not restricted to transitive modal
logics and applies to a large class of modal logics. 

Remember that structural transformation introduces for each modal subformula $[i]\psi$ of a
modal formula $\varphi$ a predicate symbol $Q_{[i]\psi}$ in $\pi_r(\varphi, x)$. The general principle of the axiomatic
translation approach for $K4_{(m)}$ is the following. For every transitive modality $[i]$ and every
subformula $[i]\psi$ of the formula $\varphi$, add the first-order formula


(A4) $\forall xy\, ((Q_{[i]\psi}(x) \wedge R_i(x, y)) \rightarrow Q_{[i]\psi}(y))$


to the translation. The main technical question with the axiomatic translation principle is to
know how many instances of such a ‘schema formula’ need to be added to the translation. In the
Hilbert axiomatisation, axioms such as 4 are valid for all substitution instances. Since we do not
have access to a substitution rule, we need to make sure from the outset that enough instances of
the schema formulae are present in the translation of $\varphi$. (Of course, this does not preclude a lazy
implementation which delays the translation of subformulae and the inclusion of instances of
schema formulae until absolutely necessary.) The clausal form of A4 is $\neg Q_{[i]\psi}(x) \vee \neg R_i(x, y) \vee
Q_{[i]\psi}(y)$, which is a DL* clause (and a guarded clause).


THEOREM 14. Let $\varphi$ be a modal formula and $\Xi$ the set of all subformulae of the form $[i]\psi$ of $\varphi$.
Let $F_4$ be the first-order formula $\bigwedge_{[i]\psi \in \Xi} \forall xy\, ((Q_{[i]\psi}(x) \wedge R_i(x, y)) \rightarrow Q_{[i]\psi}(y))$. Let $N$ be the
clausal form of Fap = Fa ^ Defa „n (o) (Tr(p, £)). Then 

1. $\varphi$ is unsatisfiable in $K4_{(m)}$ iff $F_{4,\varphi}$ is first-order unsatisfiable iff there is a refutation of $N$
by $R^{\mathrm{ord}}_{sp}$,


2. $N$ is a set of DL* clauses, and


3. any derivation from $N$ in $R^{\mathrm{ord}}_{sp}$ (up to redundancy) terminates in exponential time.


The same result is true for global satisfiability in $K4_{(m)}$ and also reasoning with respect to
non-logical axioms. Theorem 14 reduces reasoning in $K4_{(m)}$ to reasoning in $K_{(m)}$ with background
theories. Consequently, R combined with a blocking rule provides an alternative decision
procedure for $K4_{(m)}$.


3.3 Converse modalities and the modal logics $KB_{(m)}$ and $KB4_{(m)}$


Extending the results of Section 3.1 to modal logics with converse modalities or to the modal logics
$KB_{(m)}$ and $KB4_{(m)}$ is straightforward. For converse modalities we have to extend our definition
of the relational translation $\pi_r$ as follows:


$\pi_r([i^{\smile}]\varphi, x) = \forall y\, (R_i(y, x) \rightarrow \pi_r(\varphi, y))$
$\pi_r(\langle i^{\smile}\rangle\varphi, x) = \exists y\, (R_i(y, x) \wedge \pi_r(\varphi, y))$


Then, Theorem 13 extends to the following. 


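THEOREM 15. Let $\Gamma = \{\gamma_1, \ldots, \gamma_n\}$ be a finite set of $K^{\smile}_{(m)}$ formulae and let $\varphi$ be a $K^{\smile}_{(m)}$
formula. Let $F_{\Gamma,\varphi}$ be the first-order formula $\exists x\, \pi_r(\varphi, x) \wedge \bigwedge_{i=1,\ldots,n} \forall x\, \pi_r(\gamma_i, x)$. Let $N$ be the
clausal form of $\mathrm{Def}_{\Lambda_{\Gamma,\varphi}}(F_{\Gamma,\varphi})$ where $\Lambda_{\Gamma,\varphi}$ contains all non-atomic positions of $F_{\Gamma,\varphi}$. Then


1. $\varphi$ is unsatisfiable in $K^{\smile}_{(m)}$ w.r.t. $\Gamma$ iff $F_{\Gamma,\varphi}$ is first-order unsatisfiable iff there is a refutation
of $N$ by $R^{\mathrm{ord}}_{sp}$,


2. $N$ is a set of DL* clauses, and


3. any derivation from $N$ in $R^{\mathrm{ord}}_{sp}$ (up to redundancy) terminates in exponential time.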


In the case of the modal logic $KB_{(m)}$ we extend the relational translation (or the axiomatic translation)
by adding the relational frame property $F_B$ corresponding to B, namely $\forall xy\, (R_i(x, y) \rightarrow R_i(y, x))$,
to the translation of $\varphi$. Finally, in the case of $KB4_{(m)}$ we restrict ourselves to the
axiomatic translation and again add the relational frame property $F_B$ to the translation of $\varphi$.

In all these cases, the clausal form $N$ of the translated modal formulae as well as that of $F_B$
consists only of DL* clauses. Consequently, $R^{\mathrm{ord}}_{sp}$ provides us with a decision procedure for the
satisfiability of $N$.


THEOREM 16. Let $\varphi$ be a $KB_{(m)}$ formula and let $N$ be the clausal form of the first-order formula
Fg, = Yzy (Ri(x, y) > Rily, £)) A Defa,, (o) (Tr(p, £)). Then 


1. $\varphi$ is unsatisfiable in $KB_{(m)}$ iff $F_{B,\varphi}$ is first-order unsatisfiable iff there is a refutation of $N$
by $R^{\mathrm{ord}}_{sp}$,


2. $N$ is a set of DL* clauses, and


3. any derivation from $N$ in $R^{\mathrm{ord}}_{sp}$ (up to redundancy) terminates in exponential time.


Computational Modal Logic 203 


The result extends easily to global satisfiability and non-logical axioms. So, the axiomatic translation
for KB is another reduction into DL*, but also $GF^2$, and $R^{\mathrm{ord}}_{sp}$ is an exponential time
decision procedure [181]. Besides $R^{\mathrm{ord}}_{sp}$ we can also use $R^{\mathrm{hyp}}_{sp}$ to decide the satisfiability of $N$
(this is a consequence of the main results in [82, 83]).


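THEOREM 17. Let $\varphi$ be a $KB4_{(m)}$ formula and let $\Xi$ be the set of all subformulae of the form
$[i]\psi$ of $\varphi$. Let $F_{B4}$ be the first-order formula


$\forall xy\, (R_i(x, y) \rightarrow R_i(y, x)) \wedge \bigwedge_{[i]\psi \in \Xi} \forall xy\, ((Q_{[i]\psi}(x) \wedge R_i(x, y)) \rightarrow Q_{[i]\psi}(y))$.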
Let N be the clausal form of Fga,p = Fea ^ Def An (o) (Tr(p, £)). Then 


1. $\varphi$ is unsatisfiable in $KB4_{(m)}$ iff $F_{B4,\varphi}$ is first-order unsatisfiable iff there is a refutation of
$N$ by $R^{\mathrm{ord}}_{sp}$,


2. $N$ is a set of DL* clauses, and


3. any derivation from $N$ in $R^{\mathrm{ord}}_{sp}$ (up to redundancy) terminates in exponential time.


As described in Section 3.1, in the case of the optimised functional translation, we add so-called 
functional frame properties in the form of (conditional) equations between path terms to ac- 
commodate additional axiom schemas like 4 and 5. Alternatively, one can replace syntactic 
unification in the inference rules of R with theory unification [175, 176]. The resulting calculus 
is called theory resolution. So far, the only decision procedures for modal logics like $K4_{(m)}$ or
$KB_{(m)}$ based on theory resolution make use of a term depth bound, that is, any derived clause
involving terms of depth greater than a pre-computed bound dependent on the modal formula 
whose satisfiability is tested will be removed [175, 178]. 

This section is an incomplete discussion of the different uses of first-order resolution. Due to 
space restrictions we have only been able to present a few of the translations that are available 
and have omitted a lot of details. Other translation methods are surveyed in [64, 148]. See also 
the surveys [65, 49, 122, 180, 182]. 


3.4 Implementation and optimisation 


In this section, we give a brief overview of the implementation of the resolution calculus pre- 
sented in Section 3.1 and discuss some of the issues involved in using such an implementation 
for theorem proving in modal logic. For further details on the implementation of first-order 
theorem provers see e.g. [193, 169, 183]. 

The procedure ResolutionProver presented in Figure 5 is the main procedure implementing
the calculus $R_{sp}$. The input is a set N of clauses. The output on termination is a proof of
unsatisfiability or a saturated clause set. The procedure operates on two sets of clauses, US and
WO (the set of usable clauses and the set of worked-off clauses). The set WO contains all
the clauses that have already been used as premises in inference steps (or can never be used as
premises) and the set US contains all the clauses that still need to be considered as premises. In
our particular case, the input set N is the clausal form of the translation of some modal formula.

The procedure proceeds as follows. First, the input set N is simplified by the function ired,
that is, all tautologies and strictly subsumed clauses are deleted from N (this is achieved by the
two-argument ired function). The set N is then divided into two sets: the usable clauses US
and the worked-off clauses WO. The set US contains all the clauses which are candidates for

Procedure ResolutionProver(N)
local WO, US, NEW, Given;
begin
  WO := ∅;
  US := ired(N, N);
  Stack := emptystack();
  while (US ≠ ∅) and (⊥ ∉ US or not stackempty(Stack))
  do
    if (⊥ ∈ US) then
      (Stack, US, WO) := backtrack(Stack, US, WO);
    else
    begin
      (Given, US) := choose(US);
      if (splittable(Given)) then
      begin
        NEW := firstsplitcase(Given);
        Stack := push(Stack, secondsplitcase(Given))
      end
      else
      begin
        WO := WO ∪ {Given};
        NEW := inf(Given, WO);
      end
    end
    (NEW, WO, US) := ired(NEW, WO, US);
  return(US)
end


Figure 5. Standard inference loop in a saturation theorem prover 


inferences and the set WO contains all the clauses that have already been selected for inferences.
Initially, the set WO is the empty set, while US contains all clauses of N remaining after application
of ired. Next the procedure enters the main inference loop in which it remains while
the set US is not empty and the empty clause ⊥ has not been derived or there are still alternative
branches of the derivation tree that need to be considered. Within the main loop it is first checked
whether the set US contains the empty clause. If so, the current branch of the derivation is a
closed branch and backtracking takes the computation to a different branch of the derivation.
Otherwise the function choose selects a clause from US. This clause is called the given clause.
If the splitting rule can be applied to the given clause, one of its two split components is taken to
be the newly derived clause, which is stored in NEW, and the other split component is pushed
onto a stack. Basically, this creates a new branch in the derivation tree that is explored later, if
it turns out that the current branch can be closed. This corresponds to a depth-first construction
of the derivation tree. If the splitting rule cannot be applied, we add the given clause to the set
WO and compute all conclusions of inferences by resolution and factoring between the given
clause and clauses in WO using the function inf. After removing redundant clauses from the
sets US, WO, as well as the newly derived clauses (this is achieved by the three-argument ired
function), the remaining new clauses are added to the set US, and a new iteration of the main
loop is entered.

Important points to note about the ResolutionProver procedure are the following. First, in the
main inference loop, the function inf computes all conclusions derivable from the given clause
and clauses in WO. For example, suppose we use the $R^{\mathrm{hyp}}_{sp}$ instance of $R_{sp}$. Let the set US contain
the clauses $Q_{\langle 1\rangle\psi}(t)$, $D_0 = \neg Q_{\langle 1\rangle\psi}(x) \vee R_1(x, f(x))$, and $D_1 = \neg Q_{\langle 1\rangle\psi}(x) \vee Q_\psi(f(x))$, as
well as $n$ clauses of the form $C_{i+1} = Q_{[1]\psi_i}(t)$ and $D_{i+1} = \neg Q_{[1]\psi_i}(x) \vee \neg R_1(x, y) \vee Q_{\psi_i}(y)$,
for $1 \le i \le n$. If we first choose each $D_i$, $0 \le i \le n+1$, they are simply moved to WO,
without any new clause being inferred from them. The same is true if we continue by choosing
each $C_{i+1}$ in turn. Finally, when we choose $Q_{\langle 1\rangle\psi}(t)$, the clauses $R_1(t, f(t))$ and $Q_\psi(f(t))$ are
computed by inf and moved to US. When $R_1(t, f(t))$ becomes the given clause, inf computes in
one step the clauses $Q_{\psi_i}(f(t))$, for $1 \le i \le n$. This corresponds to the application of the tableau
inference rule

$$\frac{w : \langle i\rangle\varphi \qquad w : [i]\psi_1 \;\cdots\; w : [i]\psi_n}{v : \varphi \qquad v : \psi_1 \;\cdots\; v : \psi_n}$$


where $v$ is an $i$-successor of $w$. However, if we choose clauses starting with $D_0$, followed by
$D_1$, and then $Q_{\langle 1\rangle\psi}(t)$, inf infers $R_1(t, f(t))$ and $Q_\psi(f(t))$, corresponding to an application of
the $\Diamond$-rule in the tableau algorithm defined in Figure 8. If we proceed by choosing $R_1(t, f(t))$,
then each $C_{i+1}$ directly followed by $D_{i+1}$, inf infers $Q_{\psi_i}(f(t))$, corresponding to a series of
applications of the $\Box$-rule in Figure 8. This shows that the way in which clauses are selected by
choose gives us added flexibility in how the search for a refutation is directed.

Second, the ordering $\succ$ and the selection function $S$ only influence the function inf without
changing what has just been said. Concerning the selection function $S$ the user is able to select
among a fixed set of pre-defined selection functions. The selection function which selects
every negative literal in any clause is usually included in that set. Concerning the ordering $\succ$,
state-of-the-art first-order theorem provers standardly contain implementations of recursive path
orderings, lexicographic path orderings or Knuth-Bendix orderings, which are parameterised by
an ordering on the signature of the input clause set N, which the user can specify. Refinements
of the particular ordering $\succ$ defined in Section 3.1 can be obtained by either recursive path orderings
or Knuth-Bendix orderings (definitions of orderings and ordering extensions can be found
in [52]).

Third, the remaining functions in ResolutionProver are firstsplitcase and secondsplitcase
which basically determine the order in which branches of a derivation tree are investigated. 
Again, it is possible to exercise control on this order by using some heuristic. 

Fourth, the implementation of backtrack has significant influence on the performance of the 
prover. On the stack we only store the second split component that may need to be considered 
at a later point, but not the current state of WO and US. The information required to return 
WO and US to the correct state on backtracking is stored in each clause, allowing us to remove 
clauses which are no longer derivable and restoring clauses which are no longer redundant after 
backtracking. When we derive a contradiction it is not necessary to backtrack to the state as- 
sociated with the split component currently on top of the stack. Instead more intelligent forms 
of backtracking are possible. For example, the theorem prover SPASS [194] implements branch 
condensing. Here, on backtracking, all first components not used to derive a contradiction are 
removed from the set US as well as all the corresponding second split components on the stack. 
The prover then backtracks to the second split component which is now on top of the stack, 
removing clauses which are no longer derivable and restoring clauses which are no longer redun- 
dant. For further details see [193]. This form of intelligent backtracking is closely related but 
not identical to conflict-directed backjumping [78, 164]. See also Section 4.2. 
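
The loop of Figure 5, restricted to ground clauses, as an added Python example (not the handbook's code and not SPASS's implementation). Assumptions of the example: clauses are sets of integer literals, every non-unit ground clause is split, choose prefers the smallest clause, and backtracking restores a snapshot of US and WO saved on the stack instead of the per-clause bookkeeping described above.

```python
"""Ground-clause version of the ResolutionProver loop of Figure 5 (added example)."""

EMPTY = frozenset()                      # the empty clause


def tautology(c):
    return any(-lit in c for lit in c)


def ired(new, wo, us):
    """Three-argument ired: delete tautologies and subsumed clauses, add NEW to US."""
    new = {c for c in new if not tautology(c)}
    new = {c for c in new if not any(d <= c for d in wo | us)}   # forward subsumption
    new = {c for c in new if not any(d < c for d in new)}
    wo = {c for c in wo if not any(d < c for d in new)}          # backward subsumption
    us = {c for c in us if not any(d < c for d in new)}
    return set(), wo, us | new


def inf(given, wo):
    """All binary resolvents of the given clause with clauses in WO."""
    return {(given - {lit}) | (other - {-lit})
            for other in wo for lit in given if -lit in other}


def choose(us):
    """Select the smallest clause (ties broken by its sorted literals)."""
    given = min(us, key=lambda c: (len(c), sorted(c)))
    return given, us - {given}


def resolution_prover(n):
    """Return (US, WO): US == {EMPTY} means refuted, US == set() means saturated."""
    wo = set()
    _, _, us = ired({frozenset(c) for c in n}, set(), set())   # two-argument ired(N, N)
    stack = []
    while us and (EMPTY not in us or stack):
        if EMPTY in us:
            # Closed branch: restore the state saved at the last split and
            # continue with the second split component.
            second, us, wo = stack.pop()
            new = {second}
        else:
            given, us = choose(us)
            if len(given) > 1:
                # Ground literals share no variables, so every non-unit clause splits.
                first = frozenset([min(given, key=abs)])
                stack.append((given - first, set(us), set(wo)))
                new = {first}
            else:
                wo = wo | {given}
                new = inf(given, wo)
        new, wo, us = ired(new, wo, us)
    return us, wo


# Constructed input: ground instances (x := t, y := f(t)) of the clause shapes
# used in this section's example, with n = 1.  The atom numbering is an
# assumption of this example:
#   1 = Q_<1>psi(t)    2 = R_1(t, f(t))    3 = Q_psi(f(t))
#   4 = Q_[1]psi1(t)   5 = Q_psi1(f(t))
TRANSLATED = [(1,), (-1, 2), (-1, 3), (4,), (-4, -2, 5)]

if __name__ == "__main__":
    us, wo = resolution_prover(TRANSLATED)
    print("saturated, units:", sorted(next(iter(c)) for c in wo))
    us, _ = resolution_prover(TRANSLATED + [(-3, -5)])   # psi and psi1 now clash
    print("refuted:", us == {EMPTY})
```

On a saturated run the unit clauses left in WO describe a model; on a refuted run US contains only the empty clause and the split stack is empty.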


206 Ian Horrocks, Ullrich Hustadt, Ulrike Sattler, and Renate Schmidt 


An alternative to explicit splitting is splitting through new propositional variables [168] implemented
in the theorem prover VAMPIRE [169] or the generalisation called separation in [179].
In the splitting through propositional variables approach, a clause $C \vee D$ with variable-disjoint
components $C$ and $D$ is replaced with two clauses $C \vee p$ and $D \vee \neg p$, where $p$ is a new propositional
variable called a split propositional variable. The ordering $\succ$ and the selection function $S$
are extended to ensure that $p$ is minimal in $D \vee \neg p$ and $\neg p$ is selected in $D$. This makes it impossible
for the clause $C \vee D$ to be derived from the two new clauses and also blocks $D \vee \neg p$ for
inferences until we derive a clause in which $p$ is maximal. The derivation of a contradiction from
the split component $C$ in explicit splitting then corresponds to the derivation of a clause $E \vee p$
where $E$ consists solely of split propositional variables. If $p$ is maximal in $E \vee p$ we can derive
$E \vee D$ which corresponds to backtracking to the branch of the derivation in which $D$ is true. Note
that this again is a form of intelligent backtracking since $E \vee p$ is a representation of all the split
components involved in deriving a ‘contradiction’. Thus, in backtracking we ignore all other
splits not represented by a split propositional variable in $E \vee p$. Unlike branch condensing and
(conflict-driven) backjumping, however, those splits are still present. A disadvantage of splitting
through new propositional symbols is that subsumption and reductions such as unit propagation
are not as effective as for explicit splitting. De Nivelle [47] has suggested modifications of the
standard inference and redundancy elimination rules which take account of split propositional
variables.


Both explicit splitting and splitting through new propositional variables split a clause $C \vee D$
into split components $C$ and $D$. The two branches of the derivation do not necessarily investigate
disjoint sets of Kripke/first-order models. For variants of splitting we have the option to add the
negation of $C$, $\neg C$, to the branch on which $D$ is true. However, in contrast to propositional logic,
the benefit is less obvious. For example, assume that $C$ is $Q_{[i]p}(a)$ and that the clause set to which
we add $\neg C = \neg Q_{[i]p}(a)$ contains already the unit clause $Q_{[i](p \wedge q)}(a)$. We can propagate the unit
clause $\neg C$ to all clauses in the clause set which removes all occurrences of $Q_{[i]p}(a)$ from those
clauses. However, the contradiction between $\neg Q_{[i]p}(a)$ and $Q_{[i](p \wedge q)}(a)$ is not detected. This
is true even if the clause set contains the definitional clauses $Q_{[i]p}(x) \vee R(x, f(x))$, $Q_{[i]p}(x) \vee
\neg P_p(f(x))$, which we can use to derive $R(a, f(a))$ and $\neg P_p(f(a))$. Only when $R(a, f(a))$
and $Q_{[i](p \wedge q)}(a)$ together with the definition clauses $\neg Q_{[i](p \wedge q)}(x) \vee \neg R(x, y) \vee P_p(y)$ (and
$\neg Q_{[i](p \wedge q)}(x) \vee \neg R(x, y) \vee P_q(y)$) are used to derive $P_p(f(a))$, is a contradiction detected.
Note also that the clause $R(a, f(a))$ might trigger the derivation of a large number of additional
clauses which would not be derived in the absence of $\neg Q_{[i]p}(a)$ or its definitional clauses. In
general, the computational effort expended to this point might be great without a guarantee that
there is a payoff. Termination is however not compromised.


Used as a procedure to test the satisfiability of a $K_{(m)}$ formula $\varphi$ with any refinement of $R_{sp}$ and
any of the translations presented in this section, ResolutionProver requires exponential space in
the size of $\varphi$. In [81] we have shown how ResolutionProver can be turned into a space optimal
decision procedure for the class GF ~. This modified procedure provides also a polynomial 
space decision procedure for the relational translation of $K_{(m)}$ and $KB_{(m)}$ formulae. If we focus
on $K_{(m)}$, then a simple modification of ResolutionProver as described in Figure 6 is sufficient.
The procedure uses an additional local variable $t$ which stores the term we currently focus on.
Initially it is the only ground term in N, and is returned by groundTerm. The procedure choose
selects the given clauses in a particular order. It starts by choosing non-ground clauses. This
transfers all definitional clauses from US to WO without any inference steps being performed.
Then it selects ground clauses in an order which ensures that the derivation corresponds to a
depth-first exploration of the completion tree in a tableau derivation. Finally, ired is modified so

Procedure ResolutionProver(N)
local WO, US, NEW, Given, t;
begin
  t := groundTerm(N);
  ...
  (Given, US, t) := choose(US, t);
  ...
  (NEW, WO, US) :=
      ired(NEW, WO, US, t);
  ...
end

Procedure choose(US, t)
begin
  if (C ∈ US where C is non-ground) then
    return(C, US − {C}, t)
  else if (Q(t) ∨ C ∈ US) then
    return(Q(t) ∨ C, US − {Q(t) ∨ C}, t)
  else if (R_i(t, s) ∈ US) then
    return(R_i(t, s), US − {R_i(t, s)}, s)
  else if (R_i(u, v) ∈ US with v having greatest
           depth in US) then
    return(R_i(u, v), US − {R_i(u, v)}, v)
end


Figure 6. Modified procedures for a polynomial space decision procedure for K, 


that it removes from WO all clauses containing argument terms which are not subterms of the
term $t$. This modification ensures that the information on terms which have been fully explored
and do not contribute to a refutation is removed, bringing the space requirements down to
polynomial space.


3.5 Other extensions (counting, nominals) 


The modal logics KS and Ky% with graded modalities and the modal logic K? with nominals 
can be translated to first-order logic using a number of different embeddings. The simplest one 
is an extension of the relational translation as follows (the symbol $o_i$ denotes a nominal).


Tr({i)mY; £) = Jyı -Ym (Ri (a, y1) A... A Ri(a, Ym) ANY x yo A... A Ym—1 £ Ym) 


Tr (limp, £) = Vyr--- Ymti ((Rilx, yi) A- A Ri(2,Ym4i)) > 
(y1 © Y2 V... V Yn © Ym41)) 


$\pi_r(o_i, x) = (x \approx o_i)$


The superposition calculus [14] and the basic superposition calculus [17] are extensions of $R_{sp}$
with rules for equality reasoning. In [113, 112] it is shown that the basic superposition calculus
can be used to decide the satisfiability of knowledge bases in the $\mathcal{SHIQ}$ description logic. It
follows that it can also be used to decide the satisfiability of formulae in K$ and K>’°. 

An extension of the optimised functional translation to K$ is presented and shown to be sound 
and complete in [150]. 


4 TABLEAU-BASED ALGORITHMS 


In this section, we describe tableau-based decision procedures for modal logics and discuss their
complexity and implementation issues. First, we discuss various choices for presenting tableau
algorithms in general, and then present the basic tableau algorithm for $K_{(m)}$ together with a detailed
discussion of implementation and optimisation issues. Next, we modify this algorithm to
handle $K4_{(m)}$, background theories, converse modalities, and their combinations, and point out
relevant modifications concerning the implementation and optimisation.

Intuitively, a tableau algorithm tries to construct, for an input formula $\varphi$, a model of $\varphi$; i.e.,
to decide the validity of a formula $\varphi$, the tableau algorithm is started with $\neg\varphi$. Depending on
the modal logic, it is often convenient to consider an abstraction of models rather than models,
namely a so-called tableau.


4.1 Tableau algorithms in general 


We start with a description of a tableau algorithm for multi modal $K_{(m)}$. Roughly speaking, this
algorithm takes the input formula $\varphi$ and deduces constraints on the model it is going to build
by breaking it down into its sub-formulae. We will first describe different styles in which this
attempt at a model construction has been described and relate them to each other.

The “breaking down” is realized through tableau expansion rules; quite often, we find one
such expansion rule per logical constructor. For example, if we know that $\psi_1 \wedge \psi_2$ should
be true in world $w$ of the model we are constructing, then we break the conjunction down and
explicitly add the constraints that each $\psi_i$ has to be true in $w$. Next, we discuss the rules that
handle box- and diamond formulae. Intuitively, if we know that $\langle i\rangle\psi$ should be true in world $w$,
then we “generate” a witness world $w'$, which is $i$-accessible from $w$ and in which $\psi$ is true. This
can be formalised in different ways:


• for certain modal logics such as $K_{(m)}$, one can first handle all formulae talking about a single
world, then collect all constraints concerning another world and process these, and so on
[129]. This approach is sometimes called “destructive” [92] (see also Chapter 2) because
we can forget the constraints concerning an “old” world once we proceed to the next one.


• labelled tableaux are closely related to propositional tableaux: they are sets of labelled
formulae that partially describe a model: each formula is labelled with the world it should
be true in (see Chapter 2 of this handbook). For example, the case where $\langle 1\rangle\psi$ is true
in world $w$ would translate to finding the labelled formula $w : \langle 1\rangle\psi$ in our tableau, and
the $\Diamond$-rule adds labelled formulae $w' : \psi$ and $w\,1\,w'$, where the latter encodes that $w'$ is
1-accessible from $w$. This information is required if we find, additionally, a formula of the
form $w : [1]\psi'$: in this case, the $\Box$-rule adds $w' : \psi'$.


Alternatively, one can store the information that $w'$ is $i$-accessible from $w$ in the labels by
using appropriate sequences instead of atomic “names” $w$, $w'$. We start with the empty
sequence labelling the input concept, and then append these labels, e.g., as follows: if a
world is generated for a labelled formula $s : \langle i\rangle\psi$, we name this world $s(i, \psi)$ and simply
introduce the new labelled formula $s(i, \psi) : \psi$. Please note that $si : \psi$ does not suffice
because $\langle 1\rangle\psi \wedge \langle 1\rangle\neg\psi$ is satisfiable, but only in a world that has two distinguished
1-accessible worlds.


• other tableau algorithms explicitly store the relational structure of the model (or tableau)
they are building. More precisely, they work on labelled graphs (often trees) where nodes
represent worlds and labelled edges represent $i$-accessibility. Moreover, nodes are labelled
with the set of formulae that should be true in the corresponding world. Thus, instead
of finding two labelled formulae $w' : \psi'$ and $w' : \psi''$ in a tableau, we would find both
formulae in the label of the node $w'$, written $\{\psi', \psi''\} \subseteq \mathcal{L}(w')$.


An advantage of this approach is that all information concerning a single world is kept in
the same place. For example, it allows for the detection of obvious inconsistencies such as
$w : p$ and $w : \neg p$ by a test that is local to $\mathcal{L}(w)$. When considering logics with converse




or graded modalities, the advantages of this “one node per world” approach become even 
more pronounced. State-of-the-art implementations of modal tableau algorithms adopt this 
approach [159, 90], which is why we have chosen it for this section. 


Similarly, the $\vee$-rule is often formulated using either branching or non-determinism in the
model construction. For example, if we know that $\psi_1 \vee \psi_2$ should be true in $w$, then the $\vee$-rule
can be formalised in the following two ways:


• we branch our model construction into two, one in which $\psi_1$ is true in $w$ and one in which
$\psi_2$ is true in $w$, and then continue with the construction of each branch independently.


This is how non-deterministic constructors are handled in standard first order and modal
logic tableau: the tableau rules expand a tree where each branching represents a
non-deterministic choice, and thus where each path stands for a possible model.


• we non-deterministically choose one $\psi_i$ to be true in $w$. This yields a non-deterministic
algorithm which, when implemented, requires back-tracking to be complete.


From a computational perspective, this approach is preferable since, in contrast to the
above “branching” alternative, it preserves the useful “one node per world” property.
Additionally, it can easily be adapted to exploit techniques developed for solving SAT problems,
such as Davis-Putnam and related heuristics [41, 87]. State-of-the-art implementations of
modal tableau algorithms handle disjunctions (and possibly other non-deterministic
operators) in this way, and are combined with intelligent back-tracking (or back-jumping) and
heuristics to make the “good” choice first, see Section 4.2.


The algorithms described in this chapter will use the latter, non-deterministic formulation, and 
will work on a single model/tableau at any world in time, where all information concerning each 
world is stored in a single node. 

Figure 7 shows two example applications of different tableau algorithms to decide the satisfiability
of the K formula $\varphi = \langle 1\rangle p \wedge \langle 1\rangle q \wedge [1](\neg p \vee \neg q)$. On the left hand side, we show the
result of a standard labelled tableau, where we use sequences as labels. First, we have broken
down the conjunctions, then generated two new labels $(1, p)$ and $(1, q)$ for the two diamond formulae.
Next, we have expanded the box formula for both new worlds, and finally branched for
the disjunctions. The resulting tree stands for four different attempts to construct a model, one
for each path from a leaf node to the root. Only the one ending in the filled node corresponds to
a model since all other branches contain obvious inconsistencies: e.g., the first one contains both
$(1, p) : p$ and $(1, p) : \neg p$.

On the right hand side, we show a (successful) application of the non-deterministic version
of a tableau algorithm working on trees. It has generated three nodes $w_i$ with labels that are
completely expanded sets of formulae. Here, the edges stand for the accessibility relations, i.e.,
w and wz are l-accessible from w. In contrast, on the left hand side, (the formulae along) one 
path in the tree represents a model, i.e., edges relate formulae that are true in the same model. 


4.2 Local satisfiability for multi modal $K_{(m)}$


Before we describe the algorithm, we introduce an appropriate data structure in which to represent
models (and later tableaux). Firstly, it will be convenient to assume that all formulae
descriptions are in negation normal form (see Section 2). The tableau algorithms presented in
this section work on completion trees: a completion tree is a finite tree where each node $x$ is

Figure 7. Two applications of tableau algorithms to the same formula.


labelled with a set $\mathcal{L}(x)$ of formulae, and edges are labelled with modal parameters. A node $y$
is called an $i$-successor of a node $x$ if $y$ is a successor of $x$ and the edge from $x$ to $y$ is labelled
with $i$. A completion tree is said to be closed if it contains a node $x$ with $\{p, \neg p\} \subseteq \mathcal{L}(x)$; a
completion tree that is not closed is open, and it is complete if no expansion rule applies—the
expansion rules are given in Figure 8. Please note that they are formulated in such a way that, if
a rule is applicable (i.e., the corresponding condition is satisfied by the current completion tree),
then its application indeed changes the tree.

To decide the satisfiability of $\varphi$ (in NNF), the tableau algorithm is started with a completion
tree consisting of the root node $x_0$ only, with $\mathcal{L}(x_0) = \{\varphi\}$. It applies the expansion rules until
the completion tree becomes closed or complete, and returns “$\varphi$ is satisfiable” if the expansion
rules can be applied such that they yield a complete and open tableau, and “$\varphi$ is unsatisfiable”
otherwise. The “can be applied” formulation is due to the non-deterministic $\vee$-rule, as discussed
in Section 4.1. Also, the algorithm does not fix any order in which the rules are to be applied,
which means that an implementation has to/can choose a “good” one.


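$\wedge$-rule: If there is a node $x$ with $\psi_1 \wedge \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \not\subseteq \mathcal{L}(x)$,
then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_1, \psi_2\}$.
$\vee$-rule: If there is a node $x$ with $\psi_1 \vee \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \cap \mathcal{L}(x) = \emptyset$,
then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_i\}$ for some $i \in \{1, 2\}$.
$\Diamond$-rule: If there is a node $x$ with $\langle i\rangle\psi \in \mathcal{L}(x)$ and $x$ has no $i$-successor $y$ with $\psi \in \mathcal{L}(y)$,
then create a new $i$-successor $y$ of $x$ with $\mathcal{L}(y) := \{\psi\}$.
$\Box$-rule: If there is a node $x$ with $[i]\psi \in \mathcal{L}(x)$ and $x$ has an $i$-successor $y$ with $\psi \notin \mathcal{L}(y)$,
then $\mathcal{L}(y) := \mathcal{L}(y) \cup \{\psi\}$.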


Figure 8. The expansion rules for K,,. 


Before discussing the properties of this algorithm, we would like to point out that the tableau
rule

$$\frac{w : \langle i\rangle\varphi \qquad w : [i]\psi_1 \;\cdots\; w : [i]\psi_n}{v : \varphi \qquad v : \psi_1 \;\cdots\; v : \psi_n}$$

mentioned in Section 3.4 of this chapter corresponds, in our notation, to
If there is a node $x$ with $\{\langle i\rangle\varphi, [i]\psi_1, \ldots, [i]\psi_n\} \subseteq \mathcal{L}(x)$,
then create a new $i$-successor $y$ of $x$ with $\mathcal{L}(y) := \{\varphi, \psi_1, \ldots, \psi_n\}$.

The fact that our algorithm decides satisfiability of Kₙ formulae is an immediate consequence
of the following lemma, for which we first need to define the semantics of completion trees. Let
T be a completion tree, 𝔐 = ⟨W, R, V⟩ a model, and π a (total) mapping from the nodes of T
to W. Then 𝔐 is said to satisfy T via π if, for each node x in T,


1. for each ψ ∈ L(x), we have 𝔐, π(x) ⊨ ψ and


2. for each i-successor y of x, we have Rᵢ(π(x), π(y)).


LEMMA 18. Let φ be a Kₙ formula and T a completion tree generated by the tableau algorithm
for φ.


1. When applied to φ, the tableau algorithm terminates.


2. If 𝔐 satisfies T via π and one of the expansion rules is applicable to T, then this rule can
be applied in such a way that it yields a T′ satisfied by 𝔐 via π or an extension of π.


3. If T is complete, then there exists a model 𝔐 and a mapping π such that 𝔐 satisfies T via
π iff T is open.


Lemma 18.1 is due to the fact that (i) the breadth and depth of the completion tree are bounded
linearly by the length of φ, (ii) node labels are sets of subformulae of φ, and (iii) the completion
tree is built in a monotonic way, i.e., each rule strictly increases node labels or adds new nodes.
Property (i) is due to the fact that there are at most |φ| diamond modalities in φ and that the
maximal modal depth of formulae in node labels strictly decreases from a node to its (i-)successors.
Lemma 18.2 is an immediate consequence of the semantics of Kₙ and completion trees. For
example, let the ◇-rule be applicable to some T with ⟨i⟩ψ ∈ L(x), and let 𝔐 satisfy T via π.
Hence 𝔐, π(x) ⊨ ⟨i⟩ψ, and thus there exists some w ∈ W with Rᵢ(π(x), w) and 𝔐, w ⊨ ψ.

As a consequence, we can extend π to π(y) = w for y the newly introduced node, and 𝔐 satisfies
the result of this rule application via (the extended) π. The “if” direction of Lemma 18.3 is easy
since each open completion tree can be viewed as a model with W the set of nodes, x ∈ V(p) if
p ∈ L(x), and Rᵢ(x, y) if y is an i-successor of x. The only-if direction of Lemma 18.3 is trivial.


THEOREM 19. The Kₙ tableau algorithm decides Kₙ satisfiability and can be implemented in
polynomial space.


As an immediate consequence of Lemma 18 and the fact that each model 𝔐 satisfying φ
is one that satisfies the initial completion tree (and vice versa), we thus have the first point of
Theorem 19. The second part follows from the following observations. As a consequence of (i)
and (ii) in the proof sketch of Lemma 18.1, we can store each branch of a completion tree in space
bounded polynomially in the length of φ. Next, we observe that we can consider each branch
independently, and thus we can build the completion tree in a depth first manner, keeping only
a single branch in memory at each point in time. Finally, our ∨-rule is non-deterministic, but it
is known how to transform a non-deterministic polynomial space algorithm into a deterministic
one that also runs in polynomial space [172].


Implementation Issues


Even this “simplest” modal logic Kₙ extends propositional logic, and thus the complexity is
rather discouraging from an implementational perspective: we may have to consider a number
of models (or completion trees) that is exponential in the size of the input formula. Moreover,
because the completion tree is usually built in a depth first manner, with the ∧- and ∨-rules being
exhaustively applied to a given node before creating any modal successors with the ◇-rule, it is
easy to find formulae with unsatisfiability “hidden” in the leaves of the tree for which a naive
implementation will always exhibit pathological worst case behaviour. Consider, for example,
the formula:


(11) φ = (p₁ ∨ q₁) ∧ ... ∧ (pₙ ∨ qₙ) ∧ ⟨i⟩ψ ∧ [i]¬ψ.


There are 2ⁿ different ways in which the combination of the ∧- and ∨-rules can be applied to a
node whose label is initialised with {φ}, but in each case subsequent applications of the ◇- and
the □-rules will eventually lead to a closed completion tree. A naive implementation of the trace
technique with “chronological” backtracking search would consider all 2ⁿ possible expansions
before concluding that the input formula is unsatisfiable; this kind of unproductive backtracking
search is often referred to as thrashing.


Fortunately, a wide range of optimisation techniques has been developed in order to improve
the efficiency with which the algorithm explores the space of possible models [104, 103].
Although these optimisations may lead to a situation in which the worst case behaviour would
actually be much worse than the theoretical worst case, empirical studies have shown that such
optimised algorithms are very effective with typical formulae, i.e., formulae derived from
applications. These techniques include normalisation and simplification, dependency directed
backtracking, SAT based search techniques, simplification of node labels, heuristics and caching.


Normalisation and Simplification As usual, our description of the Kₙ tableau algorithm
assumes that the input formula is in negation normal form (NNF); this simplifies the (description of
the) algorithm, but it means that a completion tree will only be closed when a propositional
variable and its negation occur in the same node label. For example, when testing the satisfiability of
the formula (p ∧ q) ∧ ¬(p ∧ q), the transformation into NNF would give (p ∧ q) ∧ (¬p ∨ ¬q);
in practice this means that, in spite of the “obvious” contradiction, backtracking search will be
performed in order to determine that the formula is unsatisfiable.

For this reason, practical algorithms do not transform the input concept into NNF, but include
a ¬-rule that performs a single (negation) normalisation step (e.g., applying the ¬-rule to
¬(p ∧ q) ∈ L(x) would cause ¬p ∨ ¬q to be added to L(x)), and a completion tree is closed if it
contains a node x with {ψ, ¬ψ} ⊆ L(x) for an arbitrary formula ψ. Moreover, in order to
facilitate the detection of such closure conditions, the input formula is normalised and simplified
so that logically equivalent formulae are more often syntactically equivalent. This is achieved by
(recursively) applying a set of rewrite rules to the input formula, and by ordering conjuncts w.r.t.
some total ordering. For example, we re-write ∨ and ◇ formulae as negated ∧ and □ formulae,
respectively; we remove redundant parentheses between conjunctions; we order conjuncts; and
we simplify formulae using the following equivalences: (ψ ∧ ψ) ≡ ψ, ¬¬ψ ≡ ψ,
(ψ ∧ ¬ψ ∧ ...) ≡ ¬⊤, (ψ ∧ ⊤) ≡ ψ, (ψ ∧ ¬⊤) ≡ ¬⊤, and [i]⊤ ≡ ⊤.

If the above transformations are applied to the formula φ from the above example (11), then
⟨i⟩ψ would be rewritten as ¬[i]¬ψ, ¬[i]¬ψ ∧ [i]¬ψ would be rewritten as ¬⊤ and
(p₁ ∨ q₁) ∧ ... ∧ (pₙ ∨ qₙ) ∧ ¬⊤ would be rewritten as ¬⊤, a formula that is trivially unsatisfiable.


If ψⱼ was added to L(x) by the
∧-rule for ψ₁ ∧ ψ₂ ∈ L(x), then dep(ψⱼ, x) := dep(ψ₁ ∧ ψ₂, x) for each j ∈ {1,2}
∨-rule for ψ₁ ∨ ψ₂ ∈ L(x), then dep(ψⱼ, x) := dep(ψ₁ ∨ ψ₂, x) ∪ {b} for each j ∈ {1,2}
◇-rule for ⟨i⟩ψ₁ ∈ L(x′), then dep(ψ₁, x) := dep(⟨i⟩ψ₁, x′)
□-rule for [i]ψ₁ ∈ L(x′), then dep(ψ₁, x) := dep([i]ψ₁, x′) ∪ dep(⟨i⟩ψ₂, x′)
        where x was generated by the ◇-rule for ⟨i⟩ψ₂ ∈ L(x′)


Figure 9. Inductive definition of dep(ψ, x)


Dependency Directed Backtracking As we saw in the above example (11), inherent
unsatisfiability concealed in sub-formulae can lead to large amounts of unproductive backtracking search
known as thrashing. Although the normalisation and simplification technique described above
solved the problem for this example, this might not have been the case if the unsatisfiability
caused by the modal sub-formulae had been slightly less trivial. Consider, e.g., the following,
only slightly modified formula φ′:


(12) φ′ = (p₁ ∨ q₁) ∧ ... ∧ (pₙ ∨ qₙ) ∧ ⟨i⟩(ψ ∧ p) ∧ [i]¬ψ.


To avoid an exponential search in the case of φ′, a more sophisticated solution is required, and can
be found by adapting a form of dependency directed backtracking called backjumping, which has
also been used, e.g., in solving constraint satisfiability problems [19] and (in a slightly different
form) in the HARP theorem prover [153].

Intuitively, backjumping works by labelling each formula ψ in the label of a node x with
a dependency set dep(ψ, x) indicating the branching points (i.e., applications of the ∨-rule)
on which it depends. In case the completion tree is closed because it contains some node x
with {ψ, ¬ψ} ⊆ L(x), we use dep(ψ, x) and dep(¬ψ, x) to identify the most recent branching
point b on which ψ or ¬ψ depends. The algorithm can then jump back to b over intervening
branching points without exploring any alternative branches (non-deterministic choices), and
make a different non-deterministic choice which might not lead to the same closure condition
being encountered. In case no such b exists, the closure did not depend on any non-deterministic
choice, and the algorithm stops.

To be more precise, a branching point is simply a non-negative integer b indicating the b-th
∨-rule application in the run of the tableau algorithm. Initially, for x₀ the root node and φ the
input formula, dep(φ, x₀) := ∅. The sets dep(ψ, x) are then defined inductively as shown in
Figure 9. In this way, each formula in each node label is associated with a dependency set. If
the completion tree is closed because it contains some node x with {ψ, ¬ψ} ⊆ L(x), the closure
dependency set is S := dep(ψ, x) ∪ dep(¬ψ, x), and the algorithm backtracks to the b-th ∨-rule
application (or exits if b = 0).

The procedure for expanding a completion tree T is given in Figure 10. For an input
formula φ, T is initialised to contain a single node x₀ with L(x₀) = {φ} and dep(φ, x₀) := ∅;
φ is satisfiable if Satisfiable(T,0) returns {−1} and unsatisfiable otherwise. For example, when
expanding the formula φ′ from (12) above, the ∧-rule might first be applied exhaustively via
recursive calls to Satisfiable, resulting in {p₁ ∨ q₁, ..., pₙ ∨ qₙ, ⟨i⟩(ψ ∧ p), [i]¬ψ} ⊆ L(x₀) and
dep(ψⱼ, x₀) = ∅ for each formula ψⱼ ∈ L(x₀). These dependencies reflect the fact that, so far,
no non-deterministic choices have been made. A top-down and “left to right” strategy might
then cause Branch to be called n times, with, for the j-th call, b = j, f₁ = pⱼ, f₂ = qⱼ and


Procedure Satisfiable(T,b)
local f;
begin
  if for some node x in T, {ψ, ¬ψ} ⊆ L(x)
  then
    return(dep(ψ, x) ∪ dep(¬ψ, x))
  else if T is complete then
    return({−1})
  else
  begin
    f := some unexpanded formula in node x in T
    if f is of the form ψ₁ ∨ ψ₂ then
      return(Branch(T, b + 1, x, ψ₁, ψ₂, dep(f, x)))
    else
    begin
      expand f (as per Fig. 8 and 9)
      return(Satisfiable(T,b))
    end
  end
end

Procedure Branch(T,b,x,f₁,f₂,D)
local S, T-saved;
begin
  T-saved := T
  add f₁ to L(x) with dep(f₁, x) = {b} ∪ D
  S := Satisfiable(T,b)
  if b ∉ S then
    return(S)
  else
  begin
    T := T-saved
    add f₂ to L(x) with dep(f₂, x) = {b} ∪ D
    return(S ∪ Satisfiable(T,b))
  end
end


Figure 10. Procedure for tableau expansion with backjumping 


D = ∅, so that p₁, ..., pₙ are added to L(x₀) with dep(pⱼ, x₀) = {j}. Next, recursive calls to
Satisfiable would expand: ⟨i⟩(ψ ∧ p) ∈ L(x₀), causing the generation of an i-successor x₁ of
x₀ with L(x₁) = {ψ ∧ p} and dep(ψ ∧ p, x₁) = ∅; [i]¬ψ ∈ L(x₀), causing ¬ψ to be added to
L(x₁), with dep(¬ψ, x₁) = ∅; and ψ ∧ p ∈ L(x₁), causing ψ and p to be added to L(x₁), with
dep(ψ, x₁) = dep(p, x₁) = ∅. The completion tree would then be closed, as {ψ, ¬ψ} ⊆ L(x₁),
and Satisfiable would return dep(ψ, x₁) ∪ dep(¬ψ, x₁) = ∅.

If we were using chronological backtracking, the recursion would return to the n-th branching
point, i.e., the one where Branch was called with b = n, f₁ = pₙ and f₂ = qₙ. T would be
restored to its state prior to adding pₙ to L(x₀), and the rule would be applied again such that qₙ
was added to L(x₀). Using backjumping, however, we return from Branch immediately because
b ∉ S. This is obviously true for all of the preceding branching points, so all calls to Branch will
return without expanding the completion trees obtained by adding the various qⱼ to L(x₀), and
Satisfiable will eventually return ∅, allowing us to conclude that φ′ is unsatisfiable.
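
The run on φ′ described above can be reproduced with the following added example, which is not code from the handbook. It assumes formulae in NNF encoded as nested tuples with strings as atoms, instantiates ψ as the atom r, explores one node at a time (the trace technique), returns None instead of {−1} for "satisfiable", and drops b from the set returned when both alternatives of a branching point close.

```python
def kind(f):
    """Atoms are strings; compound NNF formulae are tuples (assumed encoding)."""
    return f[0] if isinstance(f, tuple) else 'atom'

def expand(label, b, stats, backjump):
    """label maps each formula of L(x) to dep(formula, x); b is the current
    branching point. Returns None if a complete and open tree exists,
    otherwise the dependency set of the closure that was found."""
    for f, d in label.items():                       # closure: {psi, not psi} in L(x)
        if kind(f) == 'not' and f[1] in label:
            stats['closed'] += 1
            return d | label[f[1]]
    for f, d in label.items():                       # and-rule, deps as in Figure 9
        if kind(f) == 'and' and not (f[1] in label and f[2] in label):
            new = dict(label)
            new.setdefault(f[1], d)
            new.setdefault(f[2], d)
            return expand(new, b, stats, backjump)
    for f, d in label.items():                       # or-rule: a new branching point
        if kind(f) == 'or' and f[1] not in label and f[2] not in label:
            b += 1
            clash = frozenset()
            for g in (f[1], f[2]):
                s = expand({**label, g: d | {b}}, b, stats, backjump)
                if s is None:
                    return None                      # this alternative is open
                if backjump and b not in s:
                    return s                         # closure independent of b: jump back
                clash |= s
            return clash - {b}                       # both alternatives closed
    for f, d in label.items():                       # diamond-rule, then box-rule
        if kind(f) == 'dia':
            succ = {f[2]: d}
            for g, dg in label.items():
                if kind(g) == 'box' and g[1] == f[1]:
                    succ.setdefault(g[2], dg | d)
            s = expand(succ, b, stats, backjump)
            if s is not None:
                return s
    return None

def decide(formula, backjump=True):
    """Return (satisfiable, number of closed trees encountered)."""
    stats = {'closed': 0}
    result = expand({formula: frozenset()}, 0, stats, backjump)
    return result is None, stats['closed']

def phi_prime(n, i='i'):
    """Formula (12) with psi instantiated as the atom 'r' (constructed input)."""
    f = ('and', ('dia', i, ('and', 'r', 'p')), ('box', i, ('not', 'r')))
    for j in range(n, 0, -1):
        f = ('and', ('or', f'p{j}', f'q{j}'), f)
    return f

if __name__ == '__main__':
    print('backjumping:  ', decide(phi_prime(10)))
    print('chronological:', decide(phi_prime(10), backjump=False))
```

With backjump=False the same procedure degrades to chronological backtracking, so the two calls in the demo compare the number of closed trees explored for n = 10.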


SAT Based Search Techniques Even with the addition of dependency directed backtracking, a
naive implementation of the ∨-rule is inherently inefficient as it can lead to the repetition of parts
of the expansion. For example, given an input formula


(13) φ″ = (p ∨ ψ₁) ∧ ... ∧ (p ∨ ψₙ),


where ψ₁ ∧ ... ∧ ψₙ is satisfiable but p is not, the procedure described above would lead to
the construction of n (possibly large) closed completion trees, each with p ∈ L(x₀), before a
complete and open completion tree is constructed.

This problem can be avoided by using more sophisticated search techniques. One of the best
known of these is the Davis-Putnam algorithm, originally designed for solving propositional
satisfiability (SAT) problems [42]. The basic idea behind Davis-Putnam is that, instead of branching
on unexpanded disjunctions, we branch on a formula ψ such that ψ occurs in an unexpanded
disjunction in a node x of the completion tree and {ψ, ¬ψ} ∩ L(x) = ∅; the algorithm then searches
the two possible trees obtained by adding ψ or ¬ψ to L(x). This basic technique is usually
enhanced with heuristics and simplification rules (which we will discuss in more detail below); in
particular, we usually branch first on formulae that occur in many unexpanded disjunctions and,
if {ψ ∨ p, ¬ψ} ⊆ L(x), then ψ ∨ p is deterministically expanded by adding p to L(x). It is
easy to see that if this strategy is applied to φ″ above, we would branch first on p (as it occurs in
n unexpanded disjunctions), and at most one closed completion tree (if p is tried first) would be
constructed before finding a complete and open one.

This technique has been shown to be very effective with formulae generated at random
using generators adapted from those used to generate SAT problems [87, 114]. Such problems
typically include a relatively small number of propositional variables (so there is likely to be
significant repetition of the sub-formulae occurring in disjunctions), and have a very low modal
depth (so the importance of propositional reasoning is emphasised); this is because large
numbers of propositional variables and/or a high modal depth would result in almost all problems
of reasonable size being trivially satisfiable. Formulae from applications, however, typically do
not exhibit these characteristics, and Davis-Putnam is much less effective—in fact it can even be
counter-productive if the negated formulae that Davis-Putnam introduces are large and/or
complex [103].

An alternative technique used in [56] is to enhance the standard chronological backtracking
method with a no-good list for each node, i.e., a set of formulae, each of which has already been
shown to lead to a closed completion tree when it is added to the node label by an application
of the ∨-rule. Formulae in the no-good list are not considered when applying the ∨-rule. Using
this technique with φ″ above, p would be added to the no-good list after the first application
of the ∨-rule leads to a closed completion tree. In subsequent applications of the ∨-rule, p
would not be considered, and ψᵢ would always be selected. This technique has the advantage
that wasted search is avoided without adding negated formulae that could themselves lead to
additional (possibly non-deterministic) expansion.

Note that, when using these (and other) optimisations in addition to backjumping, care must
be taken to ensure that all dependencies are being taken into consideration. For example, when
using a no-good list to restrict the possible choices made by the ∨-rule, it is important to also
consider the dependencies associated with the relevant formulae in the no-good list.


Simplification of Node Labels As well as the standard tableau expansion rules described in
Figure 8, additional inference rules can be applied to the formulae occurring in a node label,
usually with the objective of simplifying them and reducing the number of ∨-rule applications.
The most commonly used simplification, often called Boolean Constraint Propagation (BCP)
[74], is again derived from SAT solvers, where it is usually used in conjunction with the
Davis-Putnam procedure. The basic idea is to identify a disjunction ψ₁ ∨ ... ∨ ψₙ ∈ L(x) such that
the negations of all but one of the ψᵢ are already elements of L(x); when this is the case, the
formula can be deterministically expanded by adding the relevant ψᵢ to L(x). This amounts to
applying the following inference rule


    ¬ψ₁, ..., ¬ψₙ     ψ₁ ∨ ... ∨ ψₙ ∨ ψ
    ─────────────────────────────────────
                     ψ


to the formulae in a node label, which is a restricted variant of hyper resolution, see 3.1.
As we have already seen, when ¬p is added to L(x₀) during the expansion of φ″ above,
the BCP rule can be applied to all the remaining p ∨ ψᵢ formulae, leading to a complete and
open completion tree without any further applications of the ∨-rule. Note that, as with the more
sophisticated search techniques described above, careful consideration needs to be given to the
dependencies of formulae added by such inference rules if they are to be used together with
backjumping.


Heuristics As mentioned in Section 4.1, one advantage of the non-deterministic formulation of
the ∨-rule is that an algorithm can try to choose a “good” order in which to try the different
possible expansions. In practice, this usually means using heuristics to select the way in which
the ∨-rule is applied to the disjunctions in a node label, and the order in which the successor
nodes created by ◇-rule applications are expanded; in either case, a heuristic function is used to
compute the relative “goodness” of candidate formulae/nodes.

When using the Davis-Putnam technique, the well known MOMS heuristic [74] is often used 
to select the formulae on which to branch; it tries to select formulae that will maximise the effect 
of BCP and so minimise the number of non-deterministic choices needed in order to complete 
the completion tree [103]. There is little evidence, however, that (a suitably adapted form of) this 
heuristic is effective with modal formulae, and even some evidence to suggest that interference 
with the backjumping optimisation makes it counter productive [103]. 

An alternative heuristic, whose design was prompted by this observation, tries to maximise 
the effect of backjumping by preferentially selecting formulae with low valued dependencies 
[103, 99]. This heuristic has the added advantage that it can also be used to select the order in 
which successor nodes are expanded. 


Caching When using the top-down construction strategy, all information from predecessors is
added to a node label before it is processed. This means that, when a given node has been fully
expanded (i.e., the expansion rules have been exhaustively applied to it), a successor node y
with L(y) = {ψ₁, ..., ψₙ} can be treated as an independent problem, equivalent to testing the
satisfiability of ψ₁ ∧ ... ∧ ψₙ.

A completion tree may contain many such nodes, and the labels of nodes tend to be quite
similar, particularly as the labels of i-successors of a node x each contain the same formulae
resulting from □-rule applications to [i]ψ-formulae in L(x). For some formulae, this may result
in the same sub-problem being solved again and again. In order to avoid this, it is possible to
cache and re-use the results of such sub-problems. The usual technique is to use a hash table
to store the satisfiability status of node labels (i.e., sets of formulae treated as a conjunction).
Before applying any expansion rules to a new node x, the cache is interrogated to determine if the
satisfiability status of L(x) is already known. If it is known, then the result can be used without
further expansion, i.e., L(x) can be treated as though it were either {⊥} (for unsatisfiable) or
{⊤} (for satisfiable). If the satisfiability status of L(x) is not known, then L(x) is added to the
cache, and its status set to satisfiable if a complete and open completion tree rooted in x can be
constructed, and to unsatisfiable otherwise.

Since the satisfiability of a set of formulae L implies the satisfiability of each subset of L, and 
the unsatisfiability of a set of formulae L implies the unsatisfiability of each superset of L, this 
basic idea can be extended to check for satisfiable supersets of L(x) and unsatisfiable subsets of 
L(x). However, this requires a considerably more sophisticated data structure if cache operations 
are to be efficient [100, 86]. 

Apart from the problem of the storage required for the cache, another more subtle
disadvantage of caching is that, in the case where the cache returns “unsatisfiable” for L(x), there is
no information about the cause of the unsatisfiability that can be used to derive the dependency
information required for backjumping. Backjumping can still be performed by combining the
dependency sets of all of the formulae in L(x), but this is likely to overestimate the set of branching
points on which the unsatisfiability depends.


Another useful form of caching is a technique known as model merging [103, 91]. The idea
here is to prove the satisfiability of a node label L(x) by showing that open and complete
completion trees for L₁, ..., Lₖ with L₁ ∪ ... ∪ Lₖ = L(x) can be combined into an open and
complete completion tree for L(x) by simply “gluing” their root nodes together. This is
possible if there are no “interactions” between the various completion trees, e.g., if there are no j, k
such that either ψ ∈ Lⱼ and ¬ψ ∈ Lₖ or ⟨i⟩ψ ∈ Lⱼ and [i]p ∈ Lₖ for some i, ψ and p. Thus
model merging involves (a) caching satisfiable sets of formulae that occur as root labels of open
and complete completion trees, and (b) trying to prove the satisfiability of some L(x) by finding
cached sets Lⱼ that do not interact in the above sense.


4.3 Transitive modalities and K4ₙ


The main problem one has to overcome when modifying the Kₙ tableau algorithm presented
in Section 4.2 to K4ₙ is termination. Please recall that the Kₙ tableau algorithm terminates
“automatically” since it builds a tree of bounded depth and breadth in a monotonic way. As
we will see, this is not the case for K4ₙ. Consider, e.g., the K4ₙ formula ⟨i⟩ψ ∧ [i]⟨i⟩ψ. A
K4ₙ tableau algorithm would start with a root node x₀ labelled with this formula, then apply
the ∧-rule, and then generate an i-successor x₁. Next, the □-rule would be applicable and it
would add ⟨i⟩ψ to L(x₁). Thus the ◇-rule would generate an i-successor x₂ of x₁. At this point,
the difference between Kₙ and K4ₙ becomes apparent: in K4ₙ models, Rᵢ has to be transitive,
and thus x₂ should be i-accessible from x₀, i.e., ⟨i⟩ψ would also need to be true in (the world
represented by) x₂. Hence, we would need a (new) rule that adds ⟨i⟩ψ to L(x₂). However, this
would trigger the applicability of the ◇-rule, which would generate an i-successor x₃ of x₂. Now
we can use Rᵢ’s transitivity again to argue that ⟨i⟩ψ needs to be added to L(x₃), and continue the
whole pattern to construct an infinite i-chain. Thus the tableau algorithm would not terminate:
in contrast to the Kₙ tableau algorithm, the maximal modal depth of formulae in node labels no
longer decreases from a node to its successors.

To regain termination, we observe that, creating this infinite path, we keep repeating the same
actions. More precisely, the node labels of the nodes x₁, x₂, ... are all identical. In the
following, we show how we can prevent this “looping” using a cycle detection mechanism called
“blocking”. Intuitively, after the creation of x₂ and the application of the □-rule, we could have
noticed that L(x₂) = {ψ, ⟨i⟩ψ} = L(x₁), and decided to not apply the ◇-rule to x₂ because (i)
we would continue repeating ourselves and (ii) it is not necessary since L(x₁) = L(x₂) implies
that we can use (the world represented by) x₁ for the world represented by x₂. The latter means
that we can build a model 𝔐 with (x₁, x₁) ∈ Rᵢ in which 𝔐, x₁ ⊨ ψ and, from the semantics,
𝔐, x₁ ⊨ ⟨i⟩ψ.

The other problem we have to overcome is how we are going to take care of Rᵢ’s transitivity.
Consider an i-successor y of a node x. Now if y has in turn an i-successor z, then this situation
represents a model in which (x, z) ∈ Rᵢ, i.e., z “should” also be an i-successor of x. That is, if
[i]ψ ∈ L(x), then ψ should be in L(z). One possible way to achieve this would be to give up
on working on completion trees, and instead work on graphs where we would add the additional
i-edge between x and z. For implementation purposes, however, trees are clearly advantageous,
and thus we choose to employ an alternative technique: the same effect as adding the additional
i-edge between x and z can be obtained by adding [i]ψ to L(y) for each [i]ψ ∈ L(x). This will
be realized in a modified □-rule.

Now we formalise this in our tableau algorithm. First, we define the notion of a blocked node.
We use ancestors and offsprings in the usual way; a node x is directly blocked if it has an ancestor
x′ with L(x) ⊆ L(x′); a node is blocked if it is directly blocked or if it has an ancestor that is
directly blocked. Next, we take this notion into account in the K4ₙ expansion rules, which are
given in Figure 11. Compared to the Kₙ expansion rules, these expansion rules only apply to
nodes that are not blocked (however, the □-rule can add formulae to the label of a directly blocked
node), and the □-rule “pushes” box formulae in the way discussed above.


∧-rule: If there is a node x that is not blocked with ψ₁ ∧ ψ₂ ∈ L(x) and {ψ₁, ψ₂} ⊈ L(x),
        then L(x) := L(x) ∪ {ψ₁, ψ₂}.
∨-rule: If there is a node x that is not blocked with ψ₁ ∨ ψ₂ ∈ L(x) and {ψ₁, ψ₂} ∩ L(x) = ∅,
        then L(x) := L(x) ∪ {ψᵢ} for some i ∈ {1,2}.
◇-rule: If there is a node x that is not blocked with ⟨i⟩ψ ∈ L(x) and x has no i-successor y
        with ψ ∈ L(y),
        then create a new i-successor y of x with L(y) := {ψ}.
□-rule: If there is a node x that is not blocked with [i]ψ ∈ L(x) and x has an i-successor y
        with ψ ∉ L(y),
        then L(y) := L(y) ∪ {ψ, [i]ψ}.


Figure 11. The expansion rules for K4ₙ.


To convince ourselves that this algorithm indeed decides satisfiability of K4ₙ formulae, we
sketch the same technical lemma as for Kₙ.


LEMMA 20. Let φ be a K4ₙ formula and T a completion tree generated by the tableau
algorithm for φ.


1. When applied to φ, the tableau algorithm terminates.


2. If 𝔐 satisfies T via π and one of the expansion rules is applicable to T, then this rule can
be applied in such a way that it yields a T′ satisfied by 𝔐 via (possibly an extension of) π.


3. If T is complete, then there exists a model 𝔐 and a mapping π such that 𝔐 satisfies T via
π iff T is open.


Again, we only sketch the proof. Termination is due to the same three observations as in the
sketch of Lemma 18, but the reason for the bound of the depth of the tree is more involved (and
the bound is now quadratic). Consider three nodes x, y, and z where y is an i-successor of x
and z a j-successor of y. If i ≠ j, then the maximal modal depth of formulae in the label of
z is strictly smaller than the one in the label of y. If i = j, then either L(z) ⊆ L(y) or y was
generated for a different diamond formula in L(x) than z in L(y). In the former case,
z is blocked. The latter case can only occur linearly often in the length of the input formula. As
a consequence, paths in the completion tree are of length at most quadratic in the length of the
input formula. Lemma 20 (ii) is similar to the Kₙ case, but we have to exploit the transitivity of
Rᵢ to explain why pushing [i]ψ from a node to its i-successor preserves 𝔐 being a model via π.
Finally, the construction of a model from an open, complete completion tree in Lemma 20 (iii)
is slightly modified: firstly, only un-blocked nodes represent worlds in the model. Secondly, we
also add (x, y′) to Rᵢ if x has an i-successor y which is blocked and y′ is an ancestor of y with
L(y) ⊆ L(y′). Thirdly, we extend Rᵢ so that it is transitively closed, i.e., if {(x, y), (y, z)} ⊆ Rᵢ,
then we also have (x, z) ∈ Rᵢ.
The same reasons as for Kₙ then yield the following theorem.


THEOREM 21. The K4ₙ tableau algorithm decides K4ₙ satisfiability and can be implemented
in polynomial space.


Implementation Issues 


As we have seen, the main difference between the tableau algorithms for Kₙ and K4ₙ is the
introduction of blocking. In fact the blocking condition described above, which specifies a subset
relationship between the labels of blocked and blocking nodes, is already optimised w.r.t. the one
originally described in [93], which specified label equality. The subset condition means that
blocking can occur sooner, thus avoiding possibly costly expansion.

Consider, for example, a node x labelled as follows:


(14) L(x) = {p, ψ, ⟨i⟩ψ, [i]⟨i⟩ψ},


With subset blocking, an i-successor y of x with L(y) = {ψ, ⟨i⟩ψ, [i]⟨i⟩ψ} would be blocked
by x; with equality blocking, a block would not be established until an i-successor z of y is
constructed, with L(z) = L(y). This may lead to significant additional work if ψ is itself a large
and/or complex formula.
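
The non-termination example ⟨i⟩ψ ∧ [i]⟨i⟩ψ from the start of Section 4.3 and the label (14) can both be run through the following added example, which is not code from the handbook. It assumes NNF formulae encoded as nested tuples with strings as atoms, instantiates ψ as the atom r, builds each successor label with the K4ₙ □-rule already applied, and uses a hypothetical depth cap (max_depth) only to make the run without blocking stop.

```python
class DepthExceeded(Exception):
    """Raised when a path grows past max_depth (only happens without blocking)."""

def kind(f):
    """Atoms are strings; compound NNF formulae are tuples (assumed encoding)."""
    return f[0] if isinstance(f, tuple) else 'atom'

def k4_sat(root_label, blocking='subset', max_depth=40):
    """Return (result, nodes_created). result is True/False, or None if the
    depth cap was hit. blocking is 'subset', 'equality' or 'none'."""
    stats = {'nodes': 0}

    def blocked(label, ancestors):
        if blocking == 'subset':
            return any(label <= a for a in ancestors)    # L(x) is a subset of L(x')
        if blocking == 'equality':
            return any(label == a for a in ancestors)    # L(x) = L(x')
        return False

    def saturate(label, ancestors):
        if any(kind(f) == 'not' and f[1] in label for f in label):
            return False                                 # closed
        if blocked(label, ancestors):
            return True                                  # no rule applies to a blocked node
        for f in label:                                  # and-rule
            if kind(f) == 'and' and not {f[1], f[2]} <= label:
                return saturate(label | {f[1], f[2]}, ancestors)
        for f in label:                                  # or-rule with backtracking
            if kind(f) == 'or' and not {f[1], f[2]} & label:
                return any(saturate(label | {g}, ancestors) for g in f[1:])
        for f in label:                                  # diamond-rule
            if kind(f) == 'dia':
                succ = {f[2]}
                for g in label:                          # K4 box-rule: push psi and [i]psi
                    if kind(g) == 'box' and g[1] == f[1]:
                        succ |= {g[2], g}
                if not new_node(frozenset(succ), ancestors + (label,)):
                    return False
        return True

    def new_node(label, ancestors):
        if len(ancestors) > max_depth:
            raise DepthExceeded
        stats['nodes'] += 1
        return saturate(label, ancestors)

    try:
        result = new_node(frozenset(root_label), ())
    except DepthExceeded:
        result = None
    return result, stats['nodes']

# Constructed inputs, with psi instantiated as the atom 'r'.
DIA = ('dia', 'i', 'r')                                  # <i>psi
BOX_DIA = ('box', 'i', DIA)                              # [i]<i>psi
LOOPING = {('and', DIA, BOX_DIA)}                        # <i>psi and [i]<i>psi
LABEL_14 = {'p', 'r', DIA, BOX_DIA}                      # the label (14)

if __name__ == '__main__':
    for mode in ('none', 'equality', 'subset'):
        print(mode, k4_sat(LOOPING, mode), k4_sat(LABEL_14, mode))
```

On the label (14), subset blocking stops after creating y, while equality blocking also creates z before a block is established.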

Apart from blocking, the algorithm is very similar to the Kₙ case, and most of the
optimisation techniques described in Section 4.2 can be applied without modification. Blocking does,
however, mean that additional care is required when caching and re-using the satisfiability of a
set of formulae, because the satisfiability of the set of formulae in the label of a blocked node is
contingent on the satisfiability of the set of formulae in the label of the blocking node [103]. This
dependency also extends to the satisfiability of the sets of formulae in the labels of any nodes on
the path between the blocking node and the blocked node.

Consider, for example, a node x labelled as in (14) above, where ψ is unsatisfiable. As we
have seen, an application of the ◇-rule to ⟨i⟩ψ ∈ L(x), followed by applications of the
□-rule to [i]⟨i⟩ψ ∈ L(x), would lead to the creation of an i-successor y of x with L(y) =
{ψ, ⟨i⟩ψ, [i]⟨i⟩ψ}, and no expansion rule would be applicable to y as it would be blocked by
x. Updating the cache to indicate that the set of formulae L(y) is satisfiable would, however,
clearly be an error, as ψ is unsatisfiable.


4.4 Non-logical axioms and background theories 


Now that we have understood how to handle transitivity in K4ₙ, understanding how to handle
background theories is easy. Consider the satisfiability of a formula φ w.r.t. the background
theory Γ = {γ₁, ..., γₙ}, and remember that the nodes of our completion tree represent worlds
of the model we are trying to build, which has to be a common model of φ and Γ. Moreover,
ψ ∈ L(x) stands for the fact that ψ is true in the world (represented by) x. As before, at least one
node (the root node) will carry φ in its label. Additionally, we will make sure that all nodes will
carry each γᵢ in their label. As a consequence, we will have a similar problem with termination as
we have seen for K4ₙ, i.e., the maximal modal depth of formulae in node labels no longer
decreases from a node to its successor. Fortunately, we can use the same blocking technique as for
K4ₙ: a node x is directly blocked if it has an ancestor x′ with L(x) ⊆ L(x′), and it is blocked
if it is directly blocked or if it has an ancestor that is directly blocked. The expansion rules for
Kₙ w.r.t. background theories are given in Figure 12: they contain the Kₙ □-rule, an additional
Γ-rule that adds Γ to each node label, and the K4ₙ restriction to blocked nodes. We call the
resulting algorithm the extended Kₙ tableau algorithm.


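$\wedge$-rule: If there is a node $x$ that is not blocked with $\psi_1 \wedge \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \not\subseteq \mathcal{L}(x)$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_1, \psi_2\}$.
$\vee$-rule: If there is a node $x$ that is not blocked with $\psi_1 \vee \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \cap \mathcal{L}(x) = \emptyset$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_i\}$ for some $i \in \{1, 2\}$.
$\Diamond$-rule: If there is a node $x$ that is not blocked with $\langle i\rangle\psi \in \mathcal{L}(x)$ and $x$ has no $i$-successor $y$
    with $\psi \in \mathcal{L}(y)$,
    then create a new $i$-successor $y$ of $x$ with $\mathcal{L}(y) := \{\psi\}$.
$\Box$-rule: If there is a node $x$ that is not blocked with $[i]\psi \in \mathcal{L}(x)$ and $x$ has an $i$-successor $y$
    with $\psi \notin \mathcal{L}(y)$,
    then $\mathcal{L}(y) := \mathcal{L}(y) \cup \{\psi\}$.
$\Gamma$-rule: If there is a node $x$ that is not blocked with $\Gamma \not\subseteq \mathcal{L}(x)$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \Gamma$.


Figure 12. The expansion rules for $K_n$ with background theories.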


We can state and prove an analogous technical lemma as for $K_n$ and $K4_n$, and then use the
same reasons to conclude the following theorem.


THEOREM 22. The extended $K_n$ tableau algorithm decides satisfiability w.r.t. background theories.
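
The rules of Figure 12 written as a runnable depth-first procedure. This is an added illustration, not code from the handbook or from any prover it cites. It assumes input in negation normal form, a tuple encoding of formulae, and the strategy of saturating a node with the ∧-, ∨- and Γ-rules before testing subset blocking and creating successors; all function names are this example's own.

```python
"""Depth-first tableau for K_n with a background theory and subset blocking.

Formulae are in negation normal form, written as nested tuples:
  ("var", "p")   ("not", "p")   ("and", a, b)   ("or", a, b)
  ("dia", i, a) for <i>a        ("box", i, a) for [i]a
"""


def neg(f):
    """Negation normal form of the negation of f."""
    tag = f[0]
    if tag == "var":
        return ("not", f[1])
    if tag == "not":
        return ("var", f[1])
    if tag in ("and", "or"):
        return ("or" if tag == "and" else "and", neg(f[1]), neg(f[2]))
    return ("box" if tag == "dia" else "dia", f[1], neg(f[2]))


def implies(a, b):
    """a -> b, already in negation normal form."""
    return ("or", neg(a), b)


def expand(label, gamma, ancestors, stats):
    """True if a node with this label can be completed without a clash."""
    label = set(label) | set(gamma)                  # Gamma-rule
    todo = [f for f in label if f[0] == "and"]
    while todo:                                      # and-rule, to saturation
        for g in todo.pop()[1:]:
            if g not in label:
                label.add(g)
                if g[0] == "and":
                    todo.append(g)
    if any(f[0] == "var" and ("not", f[1]) in label for f in label):
        return False                                 # clash: p and not-p
    for f in label:                                  # or-rule: try each disjunct
        if f[0] == "or" and f[1] not in label and f[2] not in label:
            return any(expand(label | {d}, gamma, ancestors, stats)
                       for d in f[1:])
    stats["nodes"] += 1                              # label is locally complete
    frozen = frozenset(label)
    if any(frozen <= a for a in ancestors):          # subset blocking
        stats["blocked"] += 1
        return True
    for f in label:                                  # diamond-rule with box-rule
        if f[0] == "dia":
            succ = {f[2]} | {g[2] for g in label
                             if g[0] == "box" and g[1] == f[1]}
            if not expand(succ, gamma, ancestors + [frozen], stats):
                return False
    return True


def satisfiable(phi, gamma=()):
    """Decide satisfiability of phi w.r.t. gamma; also report node counts."""
    stats = {"nodes": 0, "blocked": 0}
    return expand({phi}, gamma, [], stats), stats


if __name__ == "__main__":
    p = ("var", "p")
    # Constructed input: Gamma = {p -> <1>p} forces an infinite 1-path of
    # p-worlds, so the procedure terminates only because of blocking.
    print(satisfiable(p, [implies(p, ("dia", 1, p))]))
```

A blocked node returns True without being cached, which is the point of the caching caveat for blocked nodes: its status is contingent on the ancestor that blocks it.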


However, in contrast, we can no longer implement our tableau algorithm in polynomial space:
firstly, it is known that satisfiability of $K_n$ formulae w.r.t. background theories is ExpTime-complete
(we can adapt the proofs in [68, 162]). Secondly, we can easily construct a formula
and a background theory such that each of their models contains a path of length exponential
in the input formulae: we can use propositional variables $p_1, \ldots, p_\ell$ as a “binary counter” for
numbers between 0 and $2^\ell - 1$, and non-logical axioms to enforce that, if the $p_i$ at a world $w$
represent a number $k$, then the $p_i$ at a world $w'$ with $(w, w') \in R_i$ represent the number $k + 1 \bmod \ell$.
Thirdly, in the worst case, our algorithm indeed constructs completion trees that are of
depth exponential in the length of the input formulae: for $K4_n$, we could argue that the maximal
modal depth decreases from a node to a $j$-successor of its $i$-successor (if $i \neq j$). For $K_n$ with
background theories, this is no longer true. As a consequence of this exponential length and
the non-deterministic $\vee$-rule, our tableau algorithm runs, in the worst case, in non-deterministic
double exponential time—which is clearly sub-optimal. In [56], an optimal tableau algorithm for
(the description logic) variant of $K_n$ with background theories was presented; however, to the
best of our knowledge, this algorithm has never been implemented, whereas the sub-optimal one
described here has proven to work surprisingly well in practice [159, 90].


Implementation Issues 


One obvious consequence of the above algorithm is that expansion of the formulae in $\Gamma$ occurs
in every node in the completion tree, and this can easily lead to an explosion in the size
of the completion tree or in the number of different possible completion trees that can be
(non-deterministically) constructed for a given input formula. For example, if $\Gamma = \{\langle i\rangle\psi_1, \ldots, \langle i\rangle\psi_n\}$,
a completion tree containing nn! + 1 nodes will be constructed. Similarly, if $\gamma \in \Gamma$, with
$\gamma = ((p_1 \vee q_1) \wedge \ldots \wedge (p_n \vee q_n))$, and the input formula leads to the construction of a
completion tree containing $k$ nodes, then there are $2^{kn}$ different ways to apply the $\wedge$- and $\vee$-rules
to the resulting $k$ copies of $\gamma$. This explosion in the size of the search space can easily lead to
a catastrophic degradation in performance, even when optimisations such as backjumping and
caching are employed [102].

Fortunately, optimisations known as lazy unfolding and absorption have proved to be very 
effective in reducing the size of the search space, particularly for background theories derived, 
e.g., from class based knowledge representation formalisms. 


Lazy Unfolding  In background theories, formulae are often (restricted to be) of the form $p \to \psi$
or $p \leftrightarrow \psi$ for some propositional variable $p$. A theory


$$\Gamma = \{p_1 \leftrightarrow \psi_1, \ldots, p_\ell \leftrightarrow \psi_\ell,\ p_{\ell+1} \to \psi_{\ell+1}, \ldots, p_{\ell+m} \to \psi_{\ell+m}\}$$

is said to be unfoldable, if it satisfies the following conditions.


• Formulae in $\Gamma$ are unique. I.e., for each propositional variable $p$, $\Gamma$ contains at most one
formula of the form $p \to \psi$ (i.e., $p_i \neq p_j$ for $1 \le i < j \le \ell$), and if it contains a formula
of the form $p \leftrightarrow \psi$, then it does not contain any formulae of the form $p \to \psi$. (Note that an
arbitrary set of formulae $\{p \to \psi_1, \ldots, p \to \psi_n\}$ can be combined into a single formula
$p \to (\psi_1 \wedge \ldots \wedge \psi_n)$.)


• $\Gamma$ is acyclic. I.e., there is no formula $p_i \to \psi_i \in \Gamma$ such that $p_i$ occurs either directly or
indirectly in $\psi_i$.³ A propositional variable $p$ occurs indirectly in a formula $\psi$ if there is a
propositional variable $p'$ such that $p'$ occurs directly in $\psi$, and there is a formula
$p' \to \psi' \in \Gamma$ such that $p$ occurs either directly or indirectly in $\psi'$.


Instead of being dealt with using the $\Gamma$-rule, such a set of formulae can be lazily unfolded
during the tableau expansion. I.e., for a formula $p_i \to \psi_i \in \Gamma$, if $p_i$ is added to $\mathcal{L}(x)$ for some
node $x$, then $\psi_i$ is also added to $\mathcal{L}(x)$, and for a formula $p_i \leftrightarrow \psi_i \in \Gamma$, if $p_i$ ($\neg p_i$) is added to
$\mathcal{L}(x)$ for some node $x$, then $\psi_i$ (resp. $\neg\psi_i$) is also added to $\mathcal{L}(x)$.

It is obvious that an arbitrary background theory $\Gamma$ can be divided into an unfoldable part $\Gamma_u$
and a general part $\Gamma_g$ such that $\Gamma_u \cup \Gamma_g = \Gamma$ and $\Gamma_u \cap \Gamma_g = \emptyset$. The unfoldable part $\Gamma_u$ can then
be dealt with using lazy unfolding while the general part $\Gamma_g$ is dealt with using the $\Gamma$-rule.
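
One way to compute such a division and the formulae that lazy unfolding adds, as an added example that is not taken from the handbook or from an existing reasoner. It assumes a tuple encoding of axioms and a greedy pass in input order, so which of two conflicting axioms ends up in the general part depends on that order; all names are this example's own.

```python
"""Split a background theory into an unfoldable part and a general part.

Axioms (constructed encoding, an assumption of this example):
  ("imp", "p", psi)   p -> psi
  ("iff", "p", psi)   p <-> psi
  ("gen", phi)        any other formula
Formulae use ("var", "p"), ("not", "p"), ("and", a, b), ("or", a, b),
("dia", i, a) and ("box", i, a).
"""


def variables(f):
    """Propositional variables that occur directly in formula f."""
    if f[0] in ("var", "not"):
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:] if isinstance(g, tuple)))


def occurs(p, psi, defs):
    """True if p occurs directly or indirectly in psi w.r.t. defs."""
    seen, todo = set(), list(variables(psi))
    while todo:
        q = todo.pop()
        if q == p:
            return True
        if q not in seen:
            seen.add(q)
            if q in defs:                      # follow q's own definition
                todo.extend(variables(defs[q][1]))
    return False


def split_theory(axioms):
    """Return (defs, general); defs maps p to (kind, psi), unique and acyclic."""
    merged = {}        # p -> conjunction of the right-hand sides of all p -> ...
    for ax in axioms:
        if ax[0] == "imp":
            merged[ax[1]] = (("and", merged[ax[1]], ax[2])
                             if ax[1] in merged else ax[2])
    defs, general, handled = {}, [], set()
    for ax in axioms:
        if ax[0] == "gen":
            general.append(ax)
            continue
        kind, p, psi = ax
        if kind == "imp":
            if p in handled:
                continue                       # covered by the merged implication
            handled.add(p)
            psi = merged[p]
        if p in defs or occurs(p, psi, defs):
            general.append((kind, p, psi))     # breaks uniqueness or acyclicity
        else:
            defs[p] = (kind, psi)
    return defs, general


def lazy_unfold(literal, defs):
    """Formulae to add to L(x) when `literal` is added to L(x).

    ("neg", psi) stands for the negation of psi, still to be normalised.
    """
    kind, psi = defs.get(literal[1], (None, None))
    if kind is None:
        return []
    if literal[0] == "var":
        return [psi]
    return [("neg", psi)] if kind == "iff" else []


if __name__ == "__main__":
    a, b, c = ("var", "a"), ("var", "b"), ("var", "c")
    # Constructed theory: the second axiom closes a cycle a -> b -> a.
    print(split_theory([("iff", "a", ("and", b, c)), ("imp", "b", a)]))
```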

In fact it has been shown that the definition of an unfoldable theory can be extended somewhat 
while still allowing the use of the above lazy unfolding technique. In particular, the formulae 
occurring on the left hand side of (bi-) implications can also be negated propositional variables, 
and the acyclicity condition can be relaxed by distinguishing positive and negative occurrences 
of propositional variables in a stratified theory [109, 132]. 


Absorption  Given the effectiveness of lazy unfolding in dealing with the unfoldable part of a
background theory $\Gamma$, it makes sense to try to rewrite the formulae in $\Gamma$ so that the size of $\Gamma$ can
be reduced. Absorption is just such a rewriting optimisation.

The idea behind absorption derives from the observation that (apparently non-unfoldable)
formulae in $\Gamma_g$ are often of the form $p \wedge \varphi \to \psi$. This formula can be rewritten as $p \to (\psi \vee \neg\varphi)$,
which allows it to be moved from $\Gamma_g$ to $\Gamma_u$, provided that $\Gamma_u$ does not already contain a formula
of the form $p \to \psi'$. In case $\Gamma_u$ does contain such a formula, then the technique can be extended
by using the formulae in $\Gamma_u$ to perform further rewriting. E.g., if $p \to \psi_i \in \Gamma_u$ and $p \to \psi_j \in \Gamma_g$,
then the second formula can be rewritten as $\psi_i \to \psi_j$, and, if $\psi_i$ is of the form $q \wedge \psi$, the formula
can be further rewritten as $q \to \psi_j \vee \neg\psi$. A more detailed description of the various re-writings
used in absorption can be found in [109].


³ For the purposes of lazy unfolding, only cycles consisting entirely of axioms are problematical.


4.5 Converse modalities 


So far, our tableau algorithms only use expansion rules that are either local to a single node,
create new successors, or push formulae from a node label into the label of a successor. The
objective of this section is to discuss a tableau algorithm for $K_n^{\smile}$, i.e., $K_n$ with converse modalities.
It is well-known that satisfiability in $K_n^{\smile}$ can be polynomially reduced to the satisfiability of $K_n$
w.r.t. background theories [43]. However, from an implementation perspective, this approach is
not feasible since it leads to a dramatic performance degradation, and we thus present a direct
algorithm.

As mentioned in Section 2, $K_n^{\smile}$ requires reasoning in both ways over relations $R_i$. For our
tableau algorithm, this will simply mean that we push formulae up and down in a completion
tree. To realize this, we define the notion of an $i$-neighbour, which requires a few other concepts:
firstly, to avoid numerous case distinctions, we introduce a function $\mathsf{Cv}(\cdot)$ on modal parameters
as follows: $\mathsf{Cv}(i) = i^{\smile}$ and $\mathsf{Cv}(i^{\smile}) = i$. Next, we consider completion trees where each edge
is labelled with a possibly converse modal parameter $i$ or $i^{\smile}$. Finally, for $\alpha$ a (possibly converse)
modal parameter, we call a node $y$ an $\alpha$-neighbour of a node $x$ if $y$ is an $\alpha$-successor of $x$ or if $x$ is
a $\mathsf{Cv}(\alpha)$-successor of $y$. The expansion rules for $K_n^{\smile}$ are identical to those for $K_n$, with the only
difference being that the $\Box$- and the $\Diamond$-rules now consider $\alpha$-neighbours instead of $\alpha$-successors
(but the $\Diamond$-rule still generates an $\alpha$-successor if no appropriate $\alpha$-neighbour is available); they
can be found in Figure 13.


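$\wedge$-rule: If there is a node $x$ with $\psi_1 \wedge \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \not\subseteq \mathcal{L}(x)$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_1, \psi_2\}$.
$\vee$-rule: If there is a node $x$ with $\psi_1 \vee \psi_2 \in \mathcal{L}(x)$ and $\{\psi_1, \psi_2\} \cap \mathcal{L}(x) = \emptyset$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_i\}$ for some $i \in \{1, 2\}$.
$\Diamond$-rule: If there is a node $x$ with $\langle\alpha\rangle\psi \in \mathcal{L}(x)$ and $x$ has no $\alpha$-neighbour $y$ with $\psi \in \mathcal{L}(y)$,
    then create a new $\alpha$-successor $y$ of $x$ with $\mathcal{L}(y) := \{\psi\}$.
$\Box$-rule: If there is a node $x$ with $[\alpha]\psi \in \mathcal{L}(x)$ and $x$ has an $\alpha$-neighbour $y$ with $\psi \notin \mathcal{L}(y)$,
    then $\mathcal{L}(y) := \mathcal{L}(y) \cup \{\psi\}$.


Figure 13. The expansion rules for $K_n^{\smile}$.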


We can state and prove an analogous technical lemma as for $K_n$, and then use similar reasons
to conclude the first part of the following theorem.


THEOREM 23. The $K_n^{\smile}$ tableau algorithm decides $K_n^{\smile}$ satisfiability and can be implemented
in polynomial space.


To implement the $K_n^{\smile}$ tableau algorithm in polynomial space, we can use the following
“restart” technique: for each node $x$, we first apply the $\wedge$- and the $\vee$-rule exhaustively.⁵ Next,
if a formula is added to $\mathcal{L}(x)$ by the $\Box$-rule for some $[\alpha]\varphi$ in a $\mathsf{Cv}(\alpha)$-successor of $x$, then we
disregard the whole sub-tree below $x$ and re-start its construction from scratch. As a consequence
of this “strategy”, all branches of a completion tree are independent, and we can still construct a
completion tree depth first.


⁴ Remember that $K_n$ with converse modalities provides modal parameters $i$ and $i^{\smile}$ for $1 \le i \le m$.
⁵ Please note that we never made any assumptions or restrictions on the order in which the rules are to be applied.


Implementation Issues


Although the restart technique can be used to enable $K_n^{\smile}$ completion trees to be constructed
using a depth first strategy, the technique is not used in practice as rebuilding discarded parts of 
the completion tree can be very costly (and space usage is rarely a problem in practice). Without 
this technique, however, extra care is required when using some of the optimisation techniques 
described above. 

Without the depth first strategy, the satisfiability of (the formula represented by) the label of 
a node x can no longer be treated as an independent problem, because the results of expanding 
x might affect its predecessor (unless x is the root node). This means that, although we can re- 
use cached unsatisfiability results from the cache as before, we must either disregard satisfiable 
results, or use more sophisticated caching techniques (e.g., storing additional information that 
would allow us to check for possible interactions with the predecessor node) [103]. 

Computation of the dependencies used in backjumping is also made more difficult by the
loss of the depth first strategy. In particular we need to consider the dependency set of the $\langle i\rangle$
formula in $x$ that led to the generation of an $i$-successor $y$ in order to compute $\mathrm{dep}(\psi, y)$ when
$\psi$ is added to $\mathcal{L}(y)$ as a result of a $\Box$-rule application to a formula $[i]\psi \in \mathcal{L}(x)$. With depth
first expansion, this is usually accomplished by combining $\Diamond$-rule applications with all relevant
$\Box$-rule applications. Without depth first expansion, this is usually achieved by extending the
labelling of either nodes or edges with the dependency set of the $\Diamond$-formula that caused them to
be added to the completion tree.

Finally, without the depth first strategy it is necessary, in general, to save the state of the whole 
completion tree at each $\vee$-rule application (as mentioned above, the depth first strategy allows
state saving and restoring to be restricted to a single node label). This problem can be ameliorated 
by using a lazy state saving strategy, where node labels are only saved when they are about to be 
extended by some rule application. 


4.6 Converse modalities and background theories 


In the last sections, we have seen how to extend the basic $K_n$ tableau algorithm to a decision
procedure for $K4_n$, for $K_n$ with background theories, and for $K_n^{\smile}$. For the first two extensions,
we discussed a technique to “artificially” ensure termination while preserving soundness
and completeness. For the third extension, we introduced the concept of neighbours and modified
the expansion rules so as to work up and down the completion tree. In this section, we will
put these techniques and concepts together—and show that their combination requires a further
adjustment.

To be more precise, in this section, we discuss a tableau algorithm for $K_n^{\smile}$ with background
theories, i.e., converse modal parameters can occur both in the input formula and in the formulae
of the background theory. Next, we discuss the expansion rules, which are given in Figure 14.
Clearly, in the presence of converse modal parameters, we use the notion of $\alpha$-neighbours. Similarly,
in the presence of background theories, we use the $\Gamma$-rule, and we use blocking to ensure
termination. However, the combination of background theories with converse modal parameters
requires two modifications. Consider an $i$-successor $y$ of $x$ with $[i^{\smile}]\psi \in \mathcal{L}(y)$, and assume that
$y$ is blocked and $x$ is not blocked. Hence there is some node $y'$ with $\mathcal{L}(y) \subseteq \mathcal{L}(y')$. In case the
tableau algorithm stops with an open, complete completion tree, we will try to construct a model
$\mathbb{M}$ from this tree, and we will have $(x, y') \in R_i$. Now $\mathcal{L}(y) \subseteq \mathcal{L}(y')$ implies that $[i^{\smile}]\psi \in \mathcal{L}(y')$,
and we thus have to show that $\mathbb{M}, x \models \psi$. However, if we would not apply the $\Box$-rule to $y$
because $y$ is blocked, we might not find $\psi \in \mathcal{L}(x)$, and thus our construction might fail. This
observation leads to the first modification:


1. we call a node indirectly blocked if it is blocked, and if its predecessor is blocked as well.
Then we apply all but the $\Diamond$-rule to nodes that are not indirectly blocked.


In our example case, $y$ was indirectly blocked, and thus the $\Box$-rule would add $\psi$ into $\mathcal{L}(x)$. Next,
consider some $[i^{\smile}]\psi' \in \mathcal{L}(y') \setminus \mathcal{L}(y)$. The same reasons as for $[i^{\smile}]\psi$ imply that we should find
$\psi' \in \mathcal{L}(x)$—which we would not since our blocking condition only requires $\mathcal{L}(y) \subseteq \mathcal{L}(y')$. This
observation leads to the second modification:


2. a node $x$ is directly blocked if it has an ancestor $x'$ with $\mathcal{L}(x') = \mathcal{L}(x)$.


For obvious reasons, we refer to the former blocking condition as subset blocking, and to this new 
condition as equality blocking. Please note that, in this setting, it is unavoidable that blocking 
is “dynamic”, that is, a blocked node can later become not blocked. In contrast, with a certain 
strategy for the order of rule applications, this can be avoided in the $K_n$ case.


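$\wedge$-rule: If there is a node $x$ that is not indirectly blocked with $\psi_1 \wedge \psi_2 \in \mathcal{L}(x)$
    and $\{\psi_1, \psi_2\} \not\subseteq \mathcal{L}(x)$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_1, \psi_2\}$.
$\vee$-rule: If there is a node $x$ that is not indirectly blocked with $\psi_1 \vee \psi_2 \in \mathcal{L}(x)$
    and $\{\psi_1, \psi_2\} \cap \mathcal{L}(x) = \emptyset$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \{\psi_i\}$ for some $i \in \{1, 2\}$.
$\Diamond$-rule: If there is a node $x$ that is not blocked with $\langle\alpha\rangle\psi \in \mathcal{L}(x)$ and $x$ has no $\alpha$-neighbour $y$
    with $\psi \in \mathcal{L}(y)$,
    then create a new $\alpha$-successor $y$ of $x$ with $\mathcal{L}(y) := \{\psi\}$.
$\Box$-rule: If there is a node $x$ that is not indirectly blocked with $[\alpha]\psi \in \mathcal{L}(x)$ and
    $x$ has an $\alpha$-neighbour $y$ with $\psi \notin \mathcal{L}(y)$,
    then $\mathcal{L}(y) := \mathcal{L}(y) \cup \{\psi\}$.
$\Gamma$-rule: If there is a node $x$ that is not indirectly blocked with $\Gamma \not\subseteq \mathcal{L}(x)$,
    then $\mathcal{L}(x) := \mathcal{L}(x) \cup \Gamma$.


Figure 14. The expansion rules for $K_n^{\smile}$ with background theories.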


4.7 Other extensions (counting, nominals, transitive closure, and fixpoints) 


In this section, we discuss two other extensions of our tableau algorithms. Firstly, we discuss
$K_n^{\smile,o}$, the extension of $K_n^{\smile}$ with background theories and nominals. Secondly, we discuss Kẹ,
the extension of $K_n$ with graded modalities, and also how to ensure termination in the additional
presence of background theories. Finally, we discuss modal logics with a transitive closure
operator and fixpoints.


Further add nominals to $K_n^{\smile}$ with background theories


$K_n^{\smile,o}$ with background theories is of interest because it lacks the tree models property and
because it requires another form of non-local reasoning. The former point was already dis- 
cussed in Section 2. To see the latter point, consider the formula (i)(p A (£o) A (jjo A 
ELi (p A (Lo) A (7) (0 A [é-]q). The first three conjuncts imply the existence of an infinite
(possibly cyclic) $R_i$-path $w_1, w_2, \ldots$ such that the world in which $o$ is true is -accessible from
each w. The fourth conjunct implies that, in all $w_k$, $q$ is true—however, this is only “detected”
when the $\Diamond$-rule is applied to the fourth conjunct.

To handle, additionally, nominals, we can further modify our extended $K_n^{\smile}$ tableau algorithm
as follows. Firstly, we give up completion trees. More precisely, if $o_1, \ldots, o_\ell$ are all nominals
occurring in $\varphi$ and $\Gamma$, we start our tableau with $\ell + 1$ root nodes $x_i$, where $\mathcal{L}(x_0) = \{\varphi\}$ and
$\mathcal{L}(x_i) = \{o_i\}$, for each $1 \le i \le \ell$. Then, whenever we find a nominal $o_i$ in a node $x \neq x_i$,
we merge $x$ into $x_i$; that is, we merge $x$ and $x_i$'s labels and incoming and outgoing edges.
As a consequence of this merging, we will possibly find several edges going into a nominal
node $x_i$; however, removing these edges clearly yields a forest structure. Correctness is then
straightforward, and termination is due to the fact that (a) each path starting at some $x_i$ is of
bounded length because of blocking, and (b) if a successor node was created for some $\langle i\rangle\psi \in \mathcal{L}(x)$,
then we will not create it “again”, even if $x$ was merged into another node. For details, see
[5, 106].


Further add graded modalities to $K_n$


In this section, we will discuss, on a rather abstract level, what modifications are necessary to
handle graded modalities $\langle i\rangle_n\varphi$ and $[i]_n\varphi$; for a more detailed description, see [108, 101].

Firstly, following our previous approach, it is quite obvious that, when we find $\langle i\rangle_n\psi \in \mathcal{L}(x)$,
we should make sure that we find $n + 1$ $i$-successors $y_j$ of $x$ with $\psi \in \mathcal{L}(y_j)$. Usually, when we
do not find them, we create them all in a single step. Similarly, if we find $[i]_n\psi \in \mathcal{L}(x)$, we must
make sure that we do not find more than $n$ $i$-successors $y_j$ of $x$ with $\psi \in \mathcal{L}(y_j)$. Thus, if there
are more such $i$-successors, we merge two of them, say $y_j$ and $y_k$, i.e., we merge $y_k$'s node label
and outgoing edges into $y_j$'s and remove $y_k$, thus reducing the number of such $i$-successors by
one.

Secondly, in the presence of contradicting graded modalities (2), and [il Y" with Y — Y 
and $n' < n$ in the label of a node $x$, the above naive approach would lead to the repeated
generation and merging of $i$-successors of $x$, and thus to non-termination. To prevent this “yoyo”-effect,
when introducing $n + 1$ $i$-successors for some $\langle i\rangle_n\psi \in \mathcal{L}(x)$, we use an explicit inequality
relation between these $i$-successors, do not merge “explicitly unequal” nodes, and extend the
notion of a clash to also cover the case where $[i]_n\psi \in \mathcal{L}(x)$ but $x$ has more than $n$ “explicitly
unequal” $i$-successors with $\psi$ in their label.

Thirdly, these modifications yield a terminating yet unsound decision procedure: consider, for
example, the formula fihp A [ip A (ijq. With the modifications made so far, our tableau 
algorithm would generate three (explicitly unequal) $i$-successors $y_j$ of a root node $x_0$ with
$q \in \mathcal{L}(y_j)$, stop, and return “satisfiable”, which is clearly the wrong answer. The reason for this
incorrect answer is that we only merge surplus $i$-successors for some $[i]_n\psi$ if we already know
that they must satisfy $\psi$, i.e., if $\psi$ is found in their label. However, as the previous example
shows, this is not enough: if $[i]_n\psi \in \mathcal{L}(x)$, we must determine, for each $i$-successor $y_j$, whether
it does or does not satisfy $\psi$. We can do this using an additional, non-deterministic choose-rule
that adds, to each such $i$-successor, either $\psi$ or the negation normal form of $\neg\psi$.

For $K_n$, these modifications lead to a decision procedure for satisfiability, even in the presence
of either background theories or converse modalities (where we only have to take care to count
and merge $i$-neighbours correctly). However, for $K_n^{\smile}$ with background theories, we need a further
modification, namely one to the blocking condition: otherwise, the algorithm is not correct
(see, e.g., the example in [105]). Since this logic lacks the finite model property, a construction
of a model from a completion tree uses standard unravelling where, instead of a path going to a
blocked node, it goes to the node blocking it. Now, in the presence of graded modalities, we must
make sure that this does not lead to additional $i$-accessible worlds which thus would violate some
graded modal formulae. Roughly speaking, we ensure this using double blocking, i.e., instead of
a node being blocked by an ancestor, a node and its predecessor are blocked by an ancestor and its
respective predecessor. For details, see [105, 108].


Implementation Issues 


As we have seen, the tableau algorithm K% requires a more complex blocking condition in order 
to ensure that a completion tree can be unravelled into an infinite tableau. This can adversely 
affect performance, because blocks can take (much) longer to establish, and the completion tree 
can thus grow (much) larger. The problem can be ameliorated by using a more precise (weaker) 
blocking condition that identifies the cases where double blocking is really needed (i.e., where 
a cyclical model cannot be built from a branch of the completion tree blocked using the original 
single blocking condition), and compares only those parts of the node label pairs that are relevant 
to determining if the completion tree could be unravelled to give an infinite tableau [107]. 


Transitive Closure and Fixpoints 


There are various extensions of modal logics with transitive closure operators and general fixpoints,
see Chapter 12 of this handbook. However, there are only few “practicable” satisfiability
algorithms in the sense that one could dare to implement them and expect a reasonable behaviour
in any non-trivial case. To the best of our knowledge, there are only two such algorithms based
on tableau, namely the ones described in [11, 45] for extensions of $K_n$ with transitive closure,
and there has only been a single attempt at an implementation, namely in the system DLP [159].
For this kind of extension, automata-based techniques (see 5.1) seem to be suited best: for example,
the only known decision procedure for the $\mu$-calculus is based on automata, see Chapter 12
of this handbook.


5 OTHER COMPUTATIONAL APPROACHES 


5.1 Automata-based algorithms 


Roughly speaking, automata-based algorithms work as follows. To decide the satisfiability of a
logic $\mathcal{L}$, we first show an appropriate tree-model property for $\mathcal{L}$, i.e., prove that each satisfiable $\mathcal{L}$
formula is satisfiable in a model (or an abstraction of a model) whose relational structure forms
a tree. For example, it is well-known that each satisfiable $K_n$ formula is satisfiable in a tree
model which is, additionally, finite [93]. For other logics, e.g., $K4_n$, we can easily show that
each satisfiable formula has a model with an infinite tree abstraction, where we can obtain a
model from such an abstraction by transitively closing the accessibility relations [93]. Secondly,
for an $\mathcal{L}$ formula $\varphi$, we define an automaton $\mathcal{A}_\varphi$ such that $\mathcal{A}_\varphi$ accepts all tree models of $\varphi$ (or
abstractions thereof). Depending on the logic and its model properties, we use automata on finite
or on infinite trees. Thus we have reduced the satisfiability of formulae in $\mathcal{L}$ to the emptiness
problem of a certain class of automata, and we can use well-known algorithms to decide these
emptiness problems.


⁶ For other reasoning problems such as model checking, these algorithms exist and have been implemented
successfully, see Chapter 17 of this handbook.

For a variety of logics, this approach has several advantages. Consider, for example, $K_n$
with background theories. It can easily be seen that this logic enjoys the tree model property,
and thus we only need to devise the construction of an automaton $\mathcal{A}_\varphi$. Using alternating automata,
this construction is quite straightforward and yields, surprisingly, a (worst-case) optimal
decision procedure (for a similar construction for a more powerful logic see, e.g., [188]): the
automaton $\mathcal{A}_\varphi$ is of size polynomial in the input tree, and testing its emptiness can be done in
deterministic exponential time [128]. Thus, in contrast to the tableau algorithm described in Section 4.4,
we effortlessly obtain a deterministic algorithm, and do not even need to take care of
termination or finite models: using automata on infinite trees makes this unnecessary.

Concerning the implementability of automata-based approaches, we observe that their worst- 
case complexity often coincides with their best-case complexity: to decide the emptiness of 
alternating automata, we first translate them into non-deterministic ones that are then tested for 
emptiness, i.e., we first build a structure of exponential size, for which we then decide emptiness 
in polynomial time [128]. In case we directly use non-deterministic automata, they tend to be 
of size exponential in the size of the input formula, and we are thus confronted with the same 
problem. Thus, any naive implementation is doomed to failure. However, there are at least two 
ways out: in [158], it was shown how BDDs can be used to efficiently represent and handle large 
automata, thus proving that (variations of) automata-based algorithms can be implemented effi- 
ciently using appropriate data structures. In [12], it was shown how an automata-based approach 
can be transformed mechanically into a tableau-based decision procedure: as a consequence, we 
only need to “hand-craft” the automata-based algorithm, and then get both a (possibly optimal)
worst-case upper bound and a (possibly practicable) tableau-based algorithm for free. 


5.2 Modal resolution 


In the late 1980s and early 1990s various direct resolution methods for modal logics have been 
investigated [1, 10, 33, 46, 59, 61, 72, 79, 126, 139, 140]. According to [139] a resolution method 
for a logic L is determined by specifying (i) a class of formulae called clauses, (ii) a reduction 
method which allows us to transform any formula of L into a finite set of clauses, (iii) a calculus 
consisting of a set of resolution rules for deriving clauses (and possibly redundancy elimination 
and simplification rules), and (iv) a derivation process which starts from an initial set of clauses 
and constructs a sequence of derivable clauses. One can then define a modal resolution method to 
be a resolution method in which clauses are formulae of the modal logic L under consideration. 
This definition excludes methods which do not use a clausal form from the outset, e.g. destructive 
modal resolution [72], or methods which use auxiliary labels, e.g. prefixed resolution [6] and 
labelled modal resolution [7]. Methods which use additional modal operators like the resolution 
calculus for temporal logics of knowledge presented in [54] can be considered to be borderline 
cases. 

In the following we focus on the modal resolution method of [59] but follow the presentation 
in the survey paper [64], where a more complete overview of various direct resolution methods 
and other methods can be found. 

A modal formula of K is in disjunctive normal form iff it is a (possibly empty) disjunction of
the form $\bigvee L_i \vee \bigvee \Box D_j \vee \bigvee \Diamond A_k$ where each $L_i$ is a propositional literal, each $D_j$ is a modal
formula in disjunctive normal form, and each $A_k$ is a modal formula in conjunctive normal
form. A modal formula is in conjunctive normal form iff it is a conjunction $\bigwedge D_i$ where each
$D_i$ is a modal formula in disjunctive normal form. A formula in disjunctive normal form is also
called a (modal) clause. Any modal formula $\varphi$ can be transformed into an equivalent formula in
conjunctive normal form $\mathsf{cnf}(\varphi)$. In the following, we do not distinguish between a conjunction
of clauses and a set of clauses.


Axioms
    axiom1:  $p, \neg p \Rightarrow \bot$
    axiom2:  $\bot, A \Rightarrow \bot$
Resolution rules
    $\vee$-rule1:  $A \vee D,\ B \vee D' \Rightarrow C \vee D \vee D'$   if $A, B \Rightarrow C$
    $\vee$-rule2:  $A \vee C \Rightarrow B \vee C$   if $A \Rightarrow B$
    $\Diamond$-rule1:  $\Diamond(A, B, N) \Rightarrow \Diamond(A, B, C, N)$   if $A, B \Rightarrow C$
    $\Diamond$-rule2:  $\Diamond(A, N) \Rightarrow \Diamond(B, A, N)$   if $A \Rightarrow B$
    K-rule1:  $\Box A,\ \Diamond(B, N) \Rightarrow \Diamond(B, C, N)$   if $A, B \Rightarrow C$
    K-rule2:  $\Box A,\ \Box B \Rightarrow \Box C$   if $A, B \Rightarrow C$
    $\Box$-rule:  $\Box A \Rightarrow \Box B$   if $A \Rightarrow B$
Simplification rules
    $\vee$-simp1:  $\bot \vee D \to D$
    $\vee$-simp2:  $A \vee A \vee D \to A \vee D$
    $\Diamond$-simp:  $\Diamond\bot \to \bot$
    $\wedge$-simp:  $\bot \wedge A \to \bot$


Figure 15. Modal resolution rules of [59] for K. (The symbols $A$, $B$, $C$, $D$, $D'$ denote clauses,
$N$ denotes a set of clauses, and $(A, N)$ denotes the union of $\{A\}$ and $N$. No distinction is made
between a set $N$ of clauses and the conjunction of its elements.)

The calculus $C_K$ of [59] is given by the set of axioms, resolution rules, and simplification rules
shown in Figure 15. The intended meaning of $A, B \Rightarrow C$ and $A \Rightarrow C$ is that the conjunction of
the formulae on the left-hand side of $\Rightarrow$ implies the formula on its right-hand side. In contrast, the
meaning of $A, B \to C$ is that occurrences of $A$ and $B$ in a conjunction can be simplified to, that
is, replaced by, $C$. Analogously, $A \to C$ means that occurrences of $A$ can be replaced by $C$.
Every formula $A$ has a unique normal form $\mathsf{nf}(A)$ under the simplification rules of Figure 15
(modulo commutativity and associativity of $\vee$ and $\wedge$).

Various extensions of K have been considered, including extensions by the axiom schemas D,
T, and 4. For each of these axiom schemas the calculus $C_K$ needs to be extended with additional
rules: for D with $\Box\bot \Rightarrow \bot$, for T with $\Box A, B \Rightarrow C$ if $A, B \Rightarrow C$, while for 4 with the two
rules $\Box A, \Box B \Rightarrow \Box C$ if $\Box A, B \Rightarrow C$ and $\Box A, \Diamond(B, N) \Rightarrow \Diamond(B, C, N)$ if $\Box A, B \Rightarrow C$. We
denote the calculi obtained by adding these rules to $C_K$ by $C_{KD}$, $C_{KT}$, and $C_{K4}$, respectively.

Let L be one of K, KD, KT, K4. Given sets of clauses $N$ and $(C, N)$ we say $(C, N)$ can be
derived in one step from $N$ in $C_L$ iff either there are clauses $A$ and $B$ in $N$ such that $A, B \Rightarrow C''$
in $C_L$ or there is a clause $A$ in $N$ such that $A \Rightarrow C''$ in $C_L$, and $C = \mathsf{nf}(C'')$ in $C_L$. A derivation
of $N'$ from $N$ in $C_L$ is a sequence $N = N_0, N_1, \ldots, N_n = N'$ such that for every $i$, $0 \le i < n$,
$N_{i+1}$ can be derived from $N_i$ in one step. A refutation of $N$ in $C_L$ is a derivation of $\bot$ from $N$
in $C_L$. If a refutation of $N$ exists, then $N$ is $C_L$-refutable.

In [59] it is shown that a modal formula $\varphi$ is valid in L iff $\mathsf{cnf}(\neg\varphi)$ is $C_L$-refutable. This
soundness and completeness result is shown in [10] to also hold for a number of refinements of 
this modal resolution method and the extension by subsumption deletion. 


So far, little work seems to have been conducted on devising specialised and efficient data 
structures and algorithms for modal resolution methods. Due to the extra structural information 
that modal formulae carry, which is reflected in the more complicated clausal form, the data 
structures and algorithms developed for efficient propositional and first-order resolution provers 
cannot be utilised easily to implement modal resolution methods. 


5.3 Sequent-based approaches 


Sequent calculi were introduced by Gentzen [80] as a tool for studying natural deduction. The 
central property of sequent calculi is cut elimination which usually yields consistency as an 
easy corollary. The first sequent calculi and cut elimination results for modal logics have been 
established in the early fifties [39], see [89] for further historic references. 

A sequent is a structure of the form Γ ⊢ Δ, where Γ and Δ are (finite) lists, multisets, or sets of 
formulae; Δ is also quite often restricted to be a singleton set or the empty set. A sequent calculus 
for a logic L consists of two parts: (i) a finite set of axioms, (ii) a finite set of rules of the form 
S_1 / S or S_1 S_2 / S with conclusion S and premises S_1 and S_2, where S, S_1, and S_2 denote sequents. 
The rules can usually be divided into two major groups: logical rules, which introduce a new 
logical formula either on the left or on the right of the turnstile ⊢, and structural rules, which 
operate on the structure of the sequents. Of particular interest, both from a proof-theoretical and 
a computational point of view is the cut rule, a rule of the form 

\[
\frac{\Gamma_1 \vdash \Delta_1, A \qquad A, \Gamma_2 \vdash \Delta_2}{\Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}
\]

where, in general, A is an arbitrary formula, called the cut formula. A sequent calculus proof of 
a goal sequent S is a tree whose nodes are labelled with sequents, such that (i) the root of the tree 
is labelled with S, (ii) each leaf node is an instance of an axiom of the calculus, and (iii) each 
sequent labelling a non-leaf node n follows by one of the rules of the calculus from the sequents 
labelling the children of n. This notion of a proof does not prescribe a particular approach to the 
construction of the proof of a sequent S. However, it is quite natural to proceed by backward 
reasoning, that is, to start with a tree consisting only of the root node labelled with S and to apply 
rules from bottom to top, taking the sequent labelling a node of the tree to be the conclusion of 
a rule and adding children to the tree labelled with the premises of the rule. The construction 
is complete if all the current leaf nodes are labelled with instances of axioms. In contrast, in 
forward reasoning one would start with one or more leaf nodes labelled with instances of axioms 
and build the tree toward its root node labelled with S. This approach is basically taken in the 
inverse method, see Section 5.4. For further details on sequent calculi see Sections 7 and 8 of 
Chapter 2 of this handbook. 

From a computational point of view, sequent calculi pose several challenges and also provide 
insights that can help to improve systems based on tableau calculi or the inverse method. 

First, the cut rule is problematic for backward reasoning, since we can choose an arbitrary 
formula to be the cut formula. We can try to show that we can restrict ourselves to cut formulae 
which are subformulae of formulae in the goal sequent S while retaining completeness of the 
calculus. The result would be a calculus with analytic cut. However, from a practical point 
of view, while for analytic cuts we can only choose finitely many different cut formulae, the 
search space may still be too large. Alternatively, one can try to show that for any sequent S 
there exists a proof without any application of the cut rule. In such a case, we can omit the cut 
rule from the calculus and obtain a cut-free sequent calculus. While for some modal logics it is 
rather straightforward to devise cut-free sequent calculi, for others it is much more challenging, 
for example, for S5 [30, 151, 152], and for some it is an open problem, for example, for PDL 
and converse PDL [127]. We are also not aware of cut-free systems for modal logics with the 
common knowledge operator. 

Second, in the presence of the axiom schema 4, systems based on sequent calculi face the 
same non-termination problems as systems based on tableau calculi. Recall from Section 7 of 
Chapter 2 one of the additional rules required for K4, 


Wi ce IV Yna, Yn AF no OG st Zn 
T, OY, ..., OYm, CAF OZ icc, O25. 


where Γ and Δ are sequences of formulae not containing a □-formula and ◇-formula, respectively. 
Here, the premise is not necessarily ‘simpler’ than the conclusion which can lead to 
situations in which this rule can be applied infinitely many times when using backward reason- 
ing. To ensure termination a form of loop-check has to be used, that is, a check which detects 
whenever the ‘same’ sequent occurs twice on a branch of a proof. If in turn we would like to 
formulate the rules of our calculus in such a way that the applicability of rules does not depend 
on information about the whole branch of a proof or even the whole proof, additional history 
information has to accompany each sequent in a proof. What minimal history information for 
loop-checks is necessary to ensure termination on a variety of modal logics, including KT and 
S4, is investigated in [96, 98]. These results transfer directly to tableau calculi. 
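
The loop-check described above, as an added example that is not taken from the handbook or from [96, 98]: a backward search for sequents of the form Γ ⊢ in K4, where each premise carries the list of sequents on its branch as history. The tuple encoding of formulae in negation normal form, the function names and the depth bound are assumptions made for this illustration.

```python
# Added example: refutation search for K4 with an ancestor loop check.
# Formulae are in negation normal form, encoded as tuples (an assumed encoding).
DUAL = {'and': 'or', 'or': 'and', 'box': 'dia', 'dia': 'box'}


class DepthExceeded(Exception):
    """The search passed max_depth, i.e. it shows no sign of terminating."""


def lit(name, positive=True):
    return ('lit', name, positive)


def box(f):
    return ('box', f)


def dia(f):
    return ('dia', f)


def neg(f):
    """Negate an NNF formula and push the negation inwards."""
    if f[0] == 'lit':
        return ('lit', f[1], not f[2])
    return (DUAL[f[0]],) + tuple(neg(g) for g in f[1:])


def implies(f, g):
    return ('or', neg(f), g)


def search(gamma, branch, loop_check, max_depth):
    """True iff the sequent 'gamma |-' has no proof, i.e. gamma is K4-satisfiable."""
    for f in gamma:
        rest = gamma - {f}
        if f[0] == 'and':
            return search(rest | {f[1], f[2]}, branch, loop_check, max_depth)
        if f[0] == 'or':
            return (search(rest | {f[1]}, branch, loop_check, max_depth)
                    or search(rest | {f[2]}, branch, loop_check, max_depth))
    # Only literals, box-formulae and dia-formulae are left at this point.
    if any(f[0] == 'lit' and neg(f) in gamma for f in gamma):
        return False          # axiom instance: p and not-p both on the left
    if loop_check and gamma in branch:
        return True           # the same sequent already occurs on this branch
    if len(branch) >= max_depth:
        raise DepthExceeded(len(branch))
    boxes = {f for f in gamma if f[0] == 'box'}
    inherited = boxes | {f[1] for f in boxes}   # K4 passes on box Y as well as Y
    for f in gamma:
        if f[0] == 'dia':
            premise = frozenset(inherited | {f[1]})
            # The history handed to the premise is the branch so far.
            if not search(premise, branch + (gamma,), loop_check, max_depth):
                return False
    return True


def satisfiable(formulas, loop_check=True, max_depth=40):
    return search(frozenset(formulas), (), loop_check, max_depth)


def valid(f, loop_check=True, max_depth=40):
    """f is K4-valid iff the sequent 'not f |-' is provable."""
    return not satisfiable([neg(f)], loop_check, max_depth)
```

With the loop check switched off, the input {◇p, □◇p} regenerates the same premise at every modal step, so the search only stops when the depth bound raises `DepthExceeded`.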


Finally, sequent-based systems face the same problems as tableau-based systems when trying 
to prove formulae involving disjunctions on the left or conjunctions on the right of the turnstile. 
Naturally, similar solutions as presented in Section 4, in particular, simplification and forms of 
intelligent backtracking, have also been considered in the context of sequent-based systems, most 
notably in the work of [25, 96, 97]. 


5.4 Inverse method 


The inverse method is a variant of the sequent calculus [51, 135] which carries its name because 
it works from sub-goals to goals, whereas standard sequent-based approaches work in the other 
direction. For example, if it has already been proven that φ is false and ψ is true, then the inverse 
method will deduce from this that φ → ψ is true. For this kind of forward reasoning to work, 
we need to be able to focus on an acceptably small set of axioms, and an acceptably small set 
of goals and sub-goals. For many modal logics, we can restrict our attention to such ‘acceptably 
small’ sets of formulae since they enjoy the sub-formula property, i.e. every valid formula φ 
has a derivation in which only (negated or unnegated) sub-formulae of φ occur [51]. Calculi 
for modal logics using the inverse method have been developed in [139, 140, 190]. The inverse 
method has been shown to be suitable for efficient modal logic theorem proving and is amenable 
to optimisations [190]. 

Interestingly, the inverse method is closely related to automata-based approaches [13]. More 
precisely, the algorithm that decides emptiness of automata (the problem to which satisfiability 
of a variety of modal logics can be reduced, see Section 5.1) can be viewed as being a notational 
variant of the inverse method. Both start with propositional axioms (in the automata emptiness 
test, these correspond to unreachable states), and saturate these axioms using basically the same 
deduction rules. As a consequence, it should be possible to translate a variety of automata-based 
decision procedures into the inverse method, thus obtaining an efficient implementation (or a 
good starting point for its implementation) basically for free. 


6 OTHER REASONING PROBLEMS 


In this chapter, we have focused on one specific reasoning problem, satisfiability or, dually, 
validity. There are, however, other interesting reasoning problems for modal logics that are 
useful for certain applications. We will discuss some of them in this section and we refer the 
reader to Section 5 of Chapter 13 of this handbook for reasoning problems that are motivated by 
applications of description logics. 


6.1 Model checking 


Model checking is the problem of deciding whether M, w ⊨ φ for a given Kripke structure M, a 
world w, and a modal formula φ. It is used for system verification, e.g. to verify a piece of soft- 
or hardware, as follows: 


• M represents the system: worlds are viewed as states the system can be in, 

• modal parameters represent actions which take the system from one state into another (or 
several others), 

• w is some initial state, and 

• φ is a temporal logic formula describing a desired behaviour of the system. 


Whereas satisfiability algorithms have to reason w.r.t. all structures (possibly from a given class), 
model checking is concerned with a single structure, and thus quite different: model checking is 
often less complex than satisfiability, and there are industrial strength implementations of model 
checking algorithms capable of handling large systems and formulae from rather expressive log- 
ics. We refer the interested reader to Chapter 17 of this handbook and [34, 35]. 
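
The model checking problem described above, as an added example that is not part of the handbook: a labelling procedure that computes, for a multi-modal formula, the set of worlds of one fixed Kripke structure at which it holds. The tuple encoding of formulae and the three-state login model are constructed for this illustration.

```python
# Added example: global model checking of a multi-modal formula on one structure.
# Formulae (assumed encoding): ('var', p), ('not', f), ('and', f, g), ('or', f, g),
# ('box', a, f) for [a]f and ('dia', a, f) for <a>f, where a names an action.
from collections import defaultdict


def extension(model, formula, cache=None):
    """Return the set of worlds of the model at which the formula is true."""
    worlds, relations, valuation = model
    cache = {} if cache is None else cache
    if formula in cache:
        return cache[formula]
    op = formula[0]
    if op == 'var':
        result = set(valuation.get(formula[1], ())) & worlds
    elif op == 'not':
        result = worlds - extension(model, formula[1], cache)
    elif op == 'and':
        result = extension(model, formula[1], cache) & extension(model, formula[2], cache)
    elif op == 'or':
        result = extension(model, formula[1], cache) | extension(model, formula[2], cache)
    elif op in ('box', 'dia'):
        target = extension(model, formula[2], cache)
        succ = defaultdict(set)
        for u, v in relations.get(formula[1], ()):
            succ[u].add(v)
        if op == 'dia':   # some successor under the action satisfies the body
            result = {w for w in worlds if succ[w] & target}
        else:             # every successor under the action satisfies the body
            result = {w for w in worlds if succ[w] <= target}
    else:
        raise ValueError('unknown operator: %r' % (op,))
    cache[formula] = frozenset(result)
    return cache[formula]


def holds(model, world, formula):
    """Decide M, w |= formula for the given structure and world."""
    return world in extension(model, formula)


# Constructed sample system: worlds are states, modal parameters are actions.
MODEL = (
    frozenset({'idle', 'authed', 'locked'}),
    {
        'login_ok': {('idle', 'authed')},
        'login_fail': {('idle', 'idle'), ('idle', 'locked')},
        'logout': {('authed', 'idle')},
    },
    {'auth': {'authed'}, 'locked': {'locked'}},
)

# Desired behaviour: a failed login never leads to an authenticated state.
NO_AUTH_AFTER_FAIL = ('box', 'login_fail', ('not', ('var', 'auth')))
# Reachability: a failed login can lead to the locked state.
CAN_LOCK = ('dia', 'login_fail', ('var', 'locked'))
```

Because the procedure labels every world for each subformula once, the cost is bounded by the size of the formula times the size of the structure, which is the contrast with satisfiability drawn in the next paragraph.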


6.2 Proof checking 


Proof checking is the problem of deciding whether a given derivation P is a proof of a given 
formula φ, commonly with respect to a fixed calculus C for a logic L. It requires a language 
in which we are able to formalise derivations. The formalisation of a derivation may simply be 
a sequence or a tree-structure of formulae, but may also contain additional information about 
which and how inference rules of the calculus C have been used in each step of the derivation. 

The motivation for proof checking is the fact that advanced theorem proving systems are 
rarely verified. Thus, like any other piece of software they invariably include errors which can 
lead the system to provide incorrect answers, including providing an incorrect proof P for a 
given formula φ. Simplifying theorem proving systems to an extent that would allow their 
verification in all likelihood results in systems which are too slow to be useful. However, such 
a system may still be sufficiently powerful to check the correctness of a given derivation P. Thus, 
a natural approach is to use a highly optimised but unverified system to find a proof P for a given 
formula φ which is then independently checked for correctness by a slower, verified system. 

Proof checking has received considerable attention in the context of higher-order logic [155, 
195] and is taken seriously in the context of first-order logic [136]. However, we are not aware 
of any work in this direction in the context of modal logics, although the problem of incorrect 
theorem provers also exists in this field. Note that in the context of the translation approach we 
can rely on first-order proof checkers augmented with a verified program for translating modal 
formulae into first-order clause sets. 


232 Ian Horrocks, Ullrich Hustadt, Ulrike Sattler, and Renate Schmidt 


Even more complex is the problem of verifying the non-existence of a proof. For the modal 
logics we have considered in this chapter we would also expect decision procedures to correctly 
determine in finite time that a given formula φ has no proof. A justification for this can be 
given by a model or representation of a model M for ¬φ, produced by the decision procedure. 
A verified model checker could then be used to independently verify that M is indeed a model 
of ¬φ. 


6.3 Computing correspondences 


Recall from Chapter 1 of this handbook the notion of a modal formula φ(p_1, ..., p_n) over 
propositional variables p_1, ..., p_n being true in frame F iff for every world w and every valuation 
mapping V for its propositional variables we have (F, V), w ⊨ φ, and the notion of a modal formula 
φ defining a class of frames iff φ is true in precisely the frames in the class. It is straightforward 
to see that a modal formula φ over p_1, ..., p_n is true in a frame F iff the monadic second-order 
formula ∀P_1 ... ∀P_n ∀x Tr(φ, x) is true in the class of all models over the frame F. There are 
methods for reducing such second-order formulae to equivalent first-order formulae and there 
are methods for reducing the second-order logic formulation of modal axioms to the corresponding 
frame properties. Computing the first-order equivalents of modal formulae (if they exist) 
amounts to the elimination of the universal or existential monadic second-order quantifiers. For 
example, if we are interested in establishing the relational frame properties corresponding to a 
modal formula φ, then we either have to eliminate the universal monadic second-order quantifiers 
from ∀P_1 ... ∀P_n ∀x Tr(φ, x), or, equivalently, the existential monadic second-order quantifiers 
from ∃P_1 ... ∃P_n ∃x Tr(¬φ, x). There can be no algorithm which is guaranteed to find a first-order 
equivalent formula if there exists one. Still, a number of automated algorithms are known 
which provide a partial solution to the quantifier elimination problem, namely SCAN [75, 58], 
DLS [55, 185] and SQEMA [37]. SCAN and DLS are based on a form of resolution while SQEMA 
can be viewed as a modalized DLS algorithm. Here we briefly review the SCAN algorithm, but 
more details of DLS and other quantifier elimination algorithms can be found in [36, 147]. 
The SCAN algorithm involves three stages: 


(i) transformation to clausal form and (inner) Skolemisation; 
(ii) C-resolution; 


(iii) reverse Skolemisation (unskolemisation). 


The input of SCAN is a second-order formula of the form ∃Q_1 ... ∃Q_k ψ, where the Q_i are unary 
predicate variables and ψ is a first-order formula. In the first stage SCAN converts ψ into clausal 
normal form by transformation into conjunctive normal form, Skolemisation, and clausifying the 
Skolemised formula. In the second stage SCAN performs a special kind of constraint resolution, 
called C-resolution; the two main inference rules are given in Figure 16. It generates all and only 
resolvents and factors with the second-order variables that are to be eliminated, which in the case 
of computing frame correspondence properties includes all existentially quantified second-order 
variables. When all C-resolvents and C-factors with respect to a particular Q_i-literal and the rest 
of the clause set have been generated, purity deletion removes all clauses in which this literal 
occurs. The subsumption deletion rule is optional for the sake of soundness, but helps simplify 
clause sets in the derivation. 

If the C-resolution stage terminates, it yields a set N of clauses in which the specified second- 
order variables are eliminated. This set is satisfiability equivalent to the original second-order 
formula. If no clauses remain after purity deletion, then the original formula is a tautology; if C- 
resolution produces the empty clause, then it is unsatisfiable. If N is non-empty, finite and does 
not contain the empty clause, then in the third stage, SCAN attempts to restore the quantifiers 
from the Skolem functions by reversing Skolemisation. This is not always possible, for instance 
if the input formula is not first-order definable. 

If the input formula is not first-order definable and stage two terminates successfully yielding 
a non-empty set not containing the empty clause then SCAN produces equivalent second-order 
formulae in which the specified second-order variables are eliminated but quantifiers involving 
Skolem functions occur and the reverse Skolemisation typically produces Henkin quantifiers. If 
SCAN terminates and reverse Skolemisation is successful, then the result is a first-order formula 
logically equivalent to the second-order input formula. 

SCAN can compute the frame correspondence properties for very many well-known axioms 
including T, 4, and 5. Recent work has in fact shown that the SCAN algorithm is complete 
for the class of all Sahlqvist formulae, in the sense that, when given a Sahlqvist formula it will 
successfully compute an equivalent first-order formula for it [88]. 


6.4 Model generation 


A problem closely related to the satisfiability problem is the problem of generating (counter-) 
models. Ideally we want to construct finite models if they exist. It is possible to use both 
tableau and resolution methods to prove that logics have the finite model property and also to 
give procedures for constructing standard Kripke models. 

Although tableau provers do not always output models, it is well-known that tableau proce- 
dures implicitly generate models (of some kind) for satisfiable input problems. This is especially 
true for semantic tableau procedures which are defined by structural rules and use explicit ac- 
cessibility relations. Modal tableau procedures of the kind described in Section 4 which use 
propagation rules for handling the additional axioms do construct models but often they are just 
skeleton models which need to be completed with respect to the relational correspondence prop- 
erties and then give standard Kripke models. 

In first-order logic it is well-known that hyperresolution like tableau methods can be employed 
both as a reasoning method and a Herbrand model builder [31, 65]. It has been shown that the 
methods using R^hyp and the relational translation described in Section 3 require hardly any extra 
effort to construct a modal model [49, 121, 180]. It is usually a simple matter to read off a 
Kripke model from the saturated set of ground unit clauses which represents a Herbrand model. 
In general this set will be infinite in the limit, but when R is a decision procedure then the set 
is finitely bounded and consequently a finite Kripke model can be defined. 

C-Resolution: 

\[
\frac{C \lor Q(s_1, \ldots, s_n) \qquad \lnot Q(t_1, \ldots, t_n) \lor D}{C \lor D \lor s_1 \neq t_1 \lor \ldots \lor s_n \neq t_n}
\]

provided the two premises have no variables in common and are distinct clauses 

C-Factoring: 

\[
\frac{C \lor Q(s_1, \ldots, s_n) \lor Q(t_1, \ldots, t_n)}{C \lor Q(s_1, \ldots, s_n) \lor s_1 \neq t_1 \lor \ldots \lor s_n \neq t_n}
\]

Figure 16. The calculus of SCAN 


In more detail, a Herbrand interpretation is a set of ground atoms. By definition a ground 
atom A is true in an interpretation H iff A ∈ H and it is false in H iff A ∉ H. Now, extend the 
definition as expected to the Boolean combination of ground atoms. A clause C is true in H iff 
for all ground substitutions σ there is a literal L in Cσ which is true in H. A set N of clauses is 
true in H iff all clauses in N are true in H. If a set N of clauses is true in an interpretation H 
then H is referred to as a Herbrand model of N. It is proved in [49, 121] that the combination of 
the relational translation and R^hyp can be used as a finite Herbrand model generator for the modal 
logics K,,, Ky and the extensions with T, D, B (actually more general results are proved). 

In general Herbrand models are not unique and can be large. Therefore it is useful to have a 
method for generating minimal Herbrand models. An interpretation H is a minimal Herbrand 
model for a set N of clauses iff H is a Herbrand model of N and for no Herbrand model H′ of 
N, H′ ⊂ H holds. Various approaches to generating minimal Herbrand models with hyperresolution 
are known [26, 31, 94, 144]. It follows from [31] and investigations of GF ~ and the class 
Bu in [81, 82] that with a moderate extension of R YP denoted here by RY, it is possible to 
guarantee the generation of all and only minimal Herbrand models for any modal and description 
logic reducible to a decidable class of range restricted clauses. It is necessary to use a depth-first 
strategy, a complement splitting rule should be used so that the first model generated is a minimal 
Herbrand model, and a model constraint propagation rule is necessary to prevent the generation 
of non-minimal Herbrand models (see Figure 17). The procedure Rive is generally sound and 
complete and is a minimal Herbrand model building procedure for range-restricted clauses [31]. 
An alternative is to use the generalisation [81, 82] of an approach of [144]. 

It is not difficult to see that model generation procedures and the mentioned minimal Herbrand 
model generation procedures can be developed by using hyperresolution and the other translation 
methods. Because of the close connection to tableau, corresponding tableau procedures can be 
defined and all results carry over to the tableau setting (see [49, 121]). 


6.5 Bisimulation 


Chapter 1 of this handbook has introduced the notion of a bisimulation between two Kripke 
models. A bisimulation between models M = (W, R, V) and M′ = (W′, R′, V′) is a binary 
relation E ⊆ W × W′ such that whenever E(w, w′) the following three properties hold: 


Atomic: for all propositional variables p, w ∈ V(p) iff w′ ∈ V′(p); 

Zig: if R_i(w, v) for some i, then there exists v′ in M′ such that E(v, v′) and R′_i(w′, v′); and 

Zag: if R′_i(w′, v′) for some i, then there exists v in M such that E(v, v′) and R_i(w, v). 


Complement splitting: 

\[
\frac{N \cup \{C \lor D\}}{N \cup \{C, \lnot D\} \;\mid\; N \cup \{D\}}
\]

where D is a ground clause. 


Model constraint propagation: 

\[
\frac{N}{N \cup \{\lnot A_1 \lor \ldots \lor \lnot A_n\}}
\]

where {A_1, ..., A_n} is the finite Herbrand model of an open branch which is complete 


with respect to R, The model constraint propagation rule extends all branches in the 
derivation tree (to the right) which are not complete with respect to RYP, 


Figure 17. Additional rules for minimal Herbrand model generation 
One important property of bisimilar models is that they satisfy the same μ-calculus formulae, 
that is, let E(w, w′) hold then a μ-calculus formula φ is true at w in M iff φ is true at w′ in M′. 
The notion of bisimulation not only plays an important rôle in modal logic, as an equivalence 
principle between Kripke models, but also in other fields, for example, concurrency theory, set 
theory, and formal verification. An algorithm for ‘on the fly’ verification of bisimulations is 
presented in [66]. 


A related problem is that of bisimulation minimisation, that is, the problem of finding the 
minimal Kripke model bisimilar to a given Kripke model. In particular, in the context of formal 
verification by model checking (see Section 6.1 and Chapter 17 of this handbook for further de- 
tails), bisimulation minimisation provides an easily and automatically computable way to reduce 
the number of states of a model while preserving the truth and falsehood of the formulae that 
hold in it. 


Let M = (W, R, V) be a Kripke model and E be an equivalence relation on W. Let [w]_E 
denote the equivalence class of a world w ∈ W with respect to E. The set of all equivalence 
classes is a partition of W and M. The bisimulation minimisation of a Kripke model M is the 
quotient M/E = (W′, R′, V′) where 

\[
\begin{aligned}
W' &= \{[w]_E \mid w \in W\},\\
R' &= \{([w]_E, [w']_E) \mid w, w' \in W \land R(w, w')\}, \text{ and}\\
V'(p) &= \{[w]_E \mid w \in V(p)\}
\end{aligned}
\]

for every propositional variable p such that E is the maximal equivalence relation on W which 
is also a bisimulation between M and itself. A partition P is stable with respect to E iff for 
each pair [w]_E, [w′]_E of equivalence classes with respect to E either [w]_E ⊆ E⁻¹([w′]_E) or 
[w]_E ∩ E⁻¹([w′]_E) = ∅. 


In the computation of the bisimulation minimisation of a Kripke model we can basically fol- 
low two strategies. One is a negative strategy in which we start with the coarsest partition P such 
that E(w, w′) iff w ∈ V(p) iff w′ ∈ V(p) for every propositional variable p and split classes 
whenever P is not stable. Another is a positive strategy in which we start with the finest partition P 
in which each equivalence class consists of a single world and the bisimulation minimisation 
is constructed via a sequence of steps in which we merge two or more classes. An algorithm 
following the negative strategy is presented in [156] which has the optimal worst-case running 
time, namely O(|R| log |W|). An implementation of this algorithm is presented in [67]. Other 
algorithms following a negative strategy are presented in [28, 130]. They take advantage of the 
fact that in a number of applications we are only interested in the part of a Kripke model reach- 
able from a designated start world. In this case, equivalence classes associated with unreachable 
worlds need not be taken into account when considering the stability of an equivalence class 
associated with a reachable world. An algorithm following the positive strategy is presented 
in [157]. Recently, [57] has introduced an algorithm that combines both the positive and negative 
strategy by using the algorithms of [156] and [157] as subroutines. For a range of special cases 
this algorithm terminates in time O(|R| + |W|). 


Finally, [71] presents on-the-fly model checkers for invariant properties incorporating the 
bisimulation minimisation algorithms of [28, 130, 156]. From an empirical comparison they 
draw the conclusion that in this context an optimised version of the algorithm of [156] performs 
better than the other two. 
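
The negative strategy described in this section, as an added example that is not the algorithm of [156] or any of the cited implementations: a naive refinement loop that starts from the partition induced by the valuation, splits classes until the partition is stable, and then builds the quotient (W′, R′, V′). It makes no attempt at the O(|R| log |W|) bound; the function name and the sample model are constructed for this illustration.

```python
# Added example: bisimulation minimisation by naive partition refinement.
def minimise(worlds, R, V):
    """Return the quotient (W', R', V') of the Kripke model (worlds, R, V)."""
    worlds = sorted(worlds)
    succ = {w: set() for w in worlds}
    for u, v in R:
        succ[u].add(v)
    # Coarsest start: two worlds share a class iff they satisfy the same variables.
    block = {w: frozenset(p for p, ext in V.items() if w in ext) for w in worlds}
    while True:
        # A world's signature is its class plus the set of classes it can reach.
        signature = {w: (block[w], frozenset(block[v] for v in succ[w]))
                     for w in worlds}
        ids = {}
        for w in worlds:
            ids.setdefault(signature[w], len(ids))
        stable = len(ids) == len(set(block.values()))   # no class was split
        block = {w: ids[signature[w]] for w in worlds}
        if stable:
            break
    cls = {w: frozenset(u for u in worlds if block[u] == block[w]) for w in worlds}
    quotient_worlds = set(cls.values())
    quotient_relation = {(cls[u], cls[v]) for u, v in R}
    quotient_valuation = {p: {cls[w] for w in ext} for p, ext in V.items()}
    return quotient_worlds, quotient_relation, quotient_valuation


# Constructed sample: b and c behave alike, as do d and e; f is a dead end.
SAMPLE_W = {'a', 'b', 'c', 'd', 'e', 'f'}
SAMPLE_R = {('a', 'b'), ('a', 'c'), ('a', 'f'), ('b', 'd'), ('c', 'e'),
            ('d', 'd'), ('e', 'e')}
SAMPLE_V = {'p': {'d', 'e'}}


def sample_quotient():
    return minimise(SAMPLE_W, SAMPLE_R, SAMPLE_V)
```

On the sample, the initial two classes (worlds with p, worlds without p) are split once, giving four classes and four transitions in place of six worlds and seven transitions.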


6.6 Modal logic programming 


The problem of extending logic programming languages with modal operators received a 
lot of attention in the late 1980s and early 1990s, at about the same time most of the direct 
resolution methods mentioned in Section 5.2 were developed and also work on the translation 
methods described in Section 3 intensified. Consequently, work in this area can again be divided 
between direct approaches and translation approaches. 

Following the direct approach, [21, 20] presents a declarative semantics and an SLD resolution 
calculus for a class of modal logic programs in modal logics KD, KT, and S4, while [22, 23] 
present a framework for developing the fixpoint and operational semantics of a class of multi- 
modal logic programs where additional properties of modal operators can be described by axiom 
schemas of the form [i_1][i_2]...[i_m]p → [j_1][j_2]...[j_n]p, so-called inclusion axioms. More 
recent work includes [142] presenting a fixpoint semantics, least model semantics, and an SLD 
resolution calculus for modal logic programs in modal logics extending K with a non-empty 
selection of the axiom schemas B, D, T, 4 and 5. Also, modal logic programs in [142] are as 
expressive as the general modal Horn fragment which allows arbitrary occurrences of the modal 
operators □ and ◇ in program clauses and goals. 

Following the translation approach, [50] applies the functional translation to multi-modal logic 
programs in the modal logics KD, KT, KD4, KT4, KF (F is the functionality axiom), and 
simple inclusion axioms of the form [i]p → [j]p. In these logics, the functional translation of 
goals and program clauses in the general modal Horn fragment are in the first-order Horn 
fragment. For computations SLD resolution extended by theory unification is used. [146] presents 
an application of the semi-functional translation [145, 148] to modal logic programs in modal 
logics KB and KDB, as well as KD, KT, and their extension by one or both of the axiom 
schemas 4 and 5. The semi-functional translation combines features of the relational and 
functional translation. For modal formulae in negation normal form, subformulae of the form □φ are 
translated using the relational translation, while subformulae of the form ◇φ are translated 
using the functional translation. A functional simulator axiom needs to be added to the translation 
to link the relational and functional aspects of the translation. The semi-functional translation 
has the advantage over the functional translation that the frame properties of many modal log- 
ics, including the ones listed above, can be specified by simple first-order Horn theories without 
equality. Consequently, the use of theory unification and theory resolution can be avoided. Fur- 
thermore, if the semi-functional translation is applied to goals and program clauses in the general 
modal Horn fragment, then the resulting first-order clauses are themselves Horn. Together with 
the fact that the frame properties are expressed by Horn clauses, this implies that unmodified 
SLD resolution can be used to execute the translated modal logic programs. 

The functional and semi-functional translation have been incorporated into MSPASS [120, 
174]. Implementations of systems based on the direct approach include MOLOG [62, 63], MPro- 
log [141, 143], and TIM [21]. However, just as for the direct resolution approaches described 
in Section 5.2, little work seems to have been conducted on developing specialised and efficient 
data structures and algorithms for such systems, with the exception of [2] which describes an 
abstract machine model for MOLOG, in analogy to the Warren Abstract Machine model for 
Prolog [191]. 

There has also been considerable work on temporal logic programming. For surveys on this 
work which also cover some of the approaches to modal logic programming mentioned above 
see [154, 70, 84]. 

There is currently renewed interest in modal and temporal logic programming in the context 
of multi-agent system development [24, 53, 69] and related areas. 


7 REVIEW AND DISCUSSION 


In this chapter we have examined computational approaches to modal logics. Although we have 
considered a variety of computational approaches and reasoning problems, we have focused 
on the use of translation-based and tableau-based algorithms for deciding the satisfiability of a 
formula, both with and without reference to a background theory. This focus was motivated by 
the dominance of translation-based and tableau-based approaches in implemented systems, and 
by the importance of satisfiability testing in applications such as the verification of multi-agent 
systems and ontology engineering. 


The reason for the dominance of these two approaches is that they have proved amenable to 
implementation and optimisation techniques that dramatically improve typical case performance; 
the use of such techniques is crucial if reasoning systems are to be effective in applications. The 
applicability and effectiveness of optimisation techniques and refinements is, however, highly de- 
pendent on the logic under consideration and on the class of problem being solved. For example, 
in the context of tableau-based algorithms, caching must be used with care in the presence of con- 
verse modalities, and semantic branching search, while highly effective for randomly generated 
problems, may be ineffective (and perhaps even counter productive) for problems derived from 
ontology engineering applications. Similarly, in the context of translation-based algorithms, hy- 
perresolution may be the most suitable approach for randomly generated problems in the modal 
logic K,,, while ordered resolution is more effective for problems derived from ontology engi- 
neering applications. 


Regarding the two approaches, both have advantages and disadvantages. Tableau-based meth- 
ods generally require full implementation, but this allows the implementor to choose and fine- 
tune the optimisations, data structures, and algorithms for effective operation in the intended 
application. In contrast, no major implementation effort is needed for translation-based meth- 
ods, but a careful choice of translation, refinement of resolution, and operational parameters is 
required to guarantee termination and effectiveness of the first-order logic prover on the class 
of problems being solved. The choice of approach may ultimately depend on the logic in ques- 
tion: tableau-based methods seem to have some advantages in the presence of graded modalities 
(counting), for example, whereas translation-based methods can handle and may be better for 
boolean modal logics (role negation). Currently, tableau-based approaches are the most widely 
used in ontology applications, with description logic systems such as FaCT++, Racer and Pellet 
[159, 90, 160]. In contrast, translation-based methods have a number of other uses, for example, 
computing correspondence properties and modal logic programming. 


The use of implemented systems in realistic applications brings with it new challenges, both 
with respect to the expressive power of the logics being used, and the size and complexity of 
the problems to be solved. The W3C standard ontology language OWL, for example, corre- 
sponds to a logic with transitive, converse and graded modalities, as well as nominals, and 
ontology applications may call for reasoning with respect to very large background theories. 
For the logic corresponding to OWL, a tableau-based algorithm has only recently been intro- 
duced [110], a translation-based algorithm using the basic superposition calculus is still under 
development [112], and the development of computational and optimisation techniques is the 
subject of considerable ongoing research. Similarly, as mentioned in the introduction, agent 
frameworks consist of complex multi-modal logics, typically including a dynamic component, 
allowing the representation of dynamic activity via a temporal or a dynamic logic. Ongoing re- 
search is focusing on developing advanced computational methods and optimisation techniques 
for such frameworks. 
INTRODUCTION 


Model theory is about semantics; it studies the interplay between a logical language 
(logic) and the models (structures) for that language. Key issues therefore are expres- 
siveness and definability. At the basic level these concern the questions which structural 
properties are expressible and which classes of structures are definable in the logic. These 
basic questions immediately lead to the study of model constructions; to the analysis of 
models and of model classes for given formulae or theories; to notions of equivalence be- 
tween structures with respect to the truth of formulae; and to the study of preservation 
phenomena. 

Modal logics¹ come as members of a loosely knit family and have various links to other 
logics — classical first- and second-order logic as well as, for instance, temporal and process 
logics stemming from particular applications. Correspondingly, the key issues mentioned 
above may also be studied comparatively, both within the family and in relation to other 
relevant logics. Such a comparative view can support an understanding of the internal 
coherence of the rich family of modal logics. It also offers a perspective to place modal 
logics in the wider logical and model theoretic context. 

In regard to the coherence of the family of modal logics, it is important to understand 
in model theoretic terms what it is that makes a logic ‘modal’. For that aim we devote 
a major part of this chapter to the discussion of bisimulation. Many other features of 
the ‘modal character’ can be understood in terms of bisimulation invariance; this is true 
most notably of the local and restricted nature of quantification. Due to these features 
modal logic enjoys very specific features, and in many respects its model theory can be 
developed along lines that have no direct counterparts in classical model theory. 

In regard to the wider logical context, there is a rich body of classical work in modal 
model theory that measures modal logic against the backdrop of classical first- and 
second-order logic into which it can be naturally embedded. But, beside this ‘classical 
picture’, there are also many links with other logics, partly designed for other purposes 
or studied with a different perspective from that of classical model theory. 

In the classical picture, both first- and second-order logic have their role to play. This is 
because modal logic actually offers several distinct semantic levels, as will be reviewed in 
the following section which provides an introduction to the model theoretic semantics of 
modal logic. So, a modal formula is traditionally viewed in four different ways, subject 
to two orthogonal dichotomies — Kripke structures (also called Kripke models) versus 
Kripke frames and local versus global. 

The fundamental semantic notion in basic modal logic is truth of a formula at a state 
in a Kripke structure; this notion is local and of a first-order nature. Semantics in 
Kripke frames is obtained, if instead one looks at all possible propositional valuations 


¹ In this chapter we use the term modal logic (despite the established tradition in the literature on 
modal logic) in a typical model-theoretic sense, as a (propositional) modal language equipped with 
suitable relational (Kripke) semantics, rather than proof systems over such languages, determined by a 
set of axioms and inference rules, such as K, S4, etc. We refer to the latter as ‘axiomatic extensions’. 
over the given frame (in effect an abstraction through implicit universal second-order 
quantification over all valuations); this semantics, accordingly, is of essentially second- 
order nature. On the other hand, the passage from local to global semantics is achieved 
if one looks at truth in all states (an abstraction through implicit universal first-order 
quantification over all states). 

While all these semantic levels are ultimately based on the local semantics in Kripke 
structures, the two independent directions of generalisation, and in particular the divide 
between the (first-order) Kripke structure semantics and the (second-order) frame se- 
mantics, give rise to very distinct model theoretic flavours, each with their own tradition 
in the model theory of modal logic. Still, these two semantics meet through the notion 
of a general frame (closely related to a modal algebra). 


History. The origins of model theory of modal logic go back to the fundamental papers 
of Jónsson and Tarski [78, 79], and Kripke [86, 87] laying the foundations of the relational 
(Kripke) semantics, followed by the classical work of Lemmon and Scott [91]. 

Some of the most influential themes and directions of the classical development of 
the model theory of modal logic in the 1970/80s have been: the completeness theory of 
modal axiomatic systems with respect to the frame-based semantics of modal logic, and 
the closely related correspondence theory between that semantics and first-order logic 
[117, 28, 123, 124, 113, 42, 51, 125, 127, 128]; and the duality theory between Kripke 
frames and modal algebras, via general frames [42, 43, 44, 45, 114]. Also at that time, 
the theory of bisimulations and bisimulation invariance emerged in the semantic analysis 
of modal languages in [125, 128]. For detailed historical and bibliographical notes see [5], 
and the survey [49] for a recent and comprehensive historical account of the development 
of modal logic, and in particular its model theory. 


Overview. The sections of this chapter are roughly arranged in three parts or main tracks, 
reflecting the semantic distinctions outlined above. 

The first part provides a common basic introduction to some of the key notions, in 
particular the different levels of semantics in section 1, followed by the concept of bisim- 
ulation and bisimulation respecting model constructions in section 2. This more general 
thread is taken up again in section 6 with some more advanced model constructions, and 
also in the final section 9 devoted to some ideas in the finite model theory of modal logic. 

A second track, comprising sections 3 to 5, is primarily devoted to modal logic as a logic 
of Kripke structures (first-order semantics): section 3 continues the bisimulation theme; 
section 4 is specifically devoted to the role of modal logic as a fragment of first-order 
logic; section 5 illustrates some of the richness of modal logics over Kripke structures in 
terms of variations and extensions. 

The third track is devoted to a study of modal logic as a logic of frames (the second- 
order semantics). This comprises more advanced constructions such as ultrafilter exten- 
sions and ultraproducts in section 6, basic model theory of general frames in section 7, 
and a survey of classical results on frame definability and relations with second-order 
logic in section 8. 

Most of the other chapters in this handbook supplement this chapter with important 
model-theoretic topics and results. In particular, we refer the reader to Chapters 1, 3, 6, 
7 and 8. 
1 SEMANTICS OF MODAL LOGIC 


1.1 Modal languages 


A (unary, poly-)modal similarity type is a set $\tau$ of modalities $\alpha \in \tau$. Beside $\tau$, we fix
a (countable) set $\Phi$ of propositional variables or atomic propositions. With $\tau$ and $\Phi$ we
associate the modal language $\mathrm{ML}(\tau,\Phi)$, in which every $\alpha \in \tau$ labels a modal diamond
operator $\langle\alpha\rangle$. The formulae of $\mathrm{ML}(\tau,\Phi)$ are recursively defined as follows:

$$\varphi ::= \bot \mid p \mid (\varphi_1 \to \varphi_2) \mid \langle\alpha\rangle\varphi,$$

where $p \in \Phi$ and $\alpha \in \tau$, and unnecessary outer parentheses are dropped. The logical
constant $\top$ and connectives $\neg$, $\wedge$, $\vee$, $\leftrightarrow$ may be introduced on an equal footing or are
regarded as standard abbreviations. The operator $[\alpha]$, defined by $[\alpha]\varphi := \neg\langle\alpha\rangle\neg\varphi$, is
the box operator dual to $\langle\alpha\rangle$. A formula not containing atomic propositions is called a
constant formula.

To keep the notation simple, we regard the set $\Phi$ as fixed, and will usually not mention
it explicitly. So we write $\mathrm{ML}(\tau)$, or also just ML when $\tau$ is clear from the context or
irrelevant. We use the same notation for the set of all formulae of $\mathrm{ML}(\tau,\Phi)$, and in
general identify notationally logical languages with their sets of formulae. In the monomodal
case of a modal similarity type consisting of a single unary modality, the only
diamond and box are denoted by just $\Diamond$ and $\Box$, respectively.


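DEFINITION 1. The nesting depth $\delta$ of a formula is defined recursively as follows:

$\delta(\bot) = \delta(p) = 0$;
$\delta(\varphi_1 \to \varphi_2) = \max(\delta(\varphi_1), \delta(\varphi_2))$;
$\delta(\langle\alpha\rangle\varphi) = \delta(\varphi) + 1$.

The fragment $\mathrm{ML}_n(\tau)$ comprises all formulae of $\mathrm{ML}(\tau)$ with nesting depth $\leq n$.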


1.2 Kripke frames and structures 


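With the modal similarity type $\tau$ we associate a relational similarity type consisting of
binary relations $R_\alpha$ for $\alpha \in \tau$. For simplicity we also denote this derived relational type
by $\tau$.

DEFINITION 2. A (Kripke) $\tau$-frame is a relational $\tau$-structure $\mathfrak{F} = \langle W, \{R_\alpha\}_{\alpha\in\tau}\rangle$
where $W \neq \emptyset$ and $R_\alpha \subseteq W \times W$ for each $\alpha \in \tau$. The domain $W$ of $\mathfrak{F}$ is denoted by
$\mathrm{dom}(\mathfrak{F})$. The relations $(R_\alpha)_{\alpha\in\tau}$ are the accessibility or transition relations in $\mathfrak{F}$. The
elements of $W$, traditionally called possible worlds, will also be referred to, depending
on the context, as states, points, or nodes. A pointed $\tau$-frame is a pair $(\mathfrak{F}, w)$ where
$w \in \mathrm{dom}(\mathfrak{F})$.

We also write $wR_\alpha u$ rather than $R_\alpha wu$ or $(w,u) \in R_\alpha$. Given a $\tau$-frame
$\mathfrak{F} = \langle W, \{R_\alpha\}_{\alpha\in\tau}\rangle$, every $R_\alpha$ defines two unary operators, $\langle R_\alpha\rangle$ and its dual $[R_\alpha]$,
on $\mathcal{P}(W)$ as follows:

$$\langle R_\alpha\rangle(X) := \{w \in W \mid wR_\alpha u \text{ for some } u \in X\} \quad\text{and}\quad [R_\alpha](X) := \overline{\langle R_\alpha\rangle(\overline{X})},$$

where $\overline{X} := W \setminus X$ denotes the complement of $X$ in $W$.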
DEFINITION 3. A Kripke structure (Kripke model) over a $\tau$-frame $\mathfrak{F} = \langle W, \{R_\alpha\}_{\alpha\in\tau}\rangle$ is
a pair $\mathfrak{M} = \langle\mathfrak{F}, V\rangle$ where $V : \Phi \to \mathcal{P}(W)$ is a valuation, assigning to every atomic
proposition $p$ the set of states in $W$ where $p$ is declared true. The set $W$ is the domain of $\mathfrak{M}$,
denoted $\mathrm{dom}(\mathfrak{M})$. We often specify Kripke structures directly: $\mathfrak{M} = \langle W, \{R_\alpha\}_{\alpha\in\tau}, V\rangle$.
A pointed Kripke structure is a pair $(\mathfrak{M}, w)$ where $w \in \mathrm{dom}(\mathfrak{M})$.


In any Kripke structure $\mathfrak{M} = \langle\mathfrak{F}, V\rangle$ the valuation $V$ can be extended to a valuation
of all formulae, which is again denoted by $V$. That extension is defined recursively as
follows:²

$V(\bot) = \emptyset$;
$V(\varphi_1 \to \varphi_2) = \overline{V(\varphi_1)} \cup V(\varphi_2)$;
$V(\langle\alpha\rangle\varphi) = \langle R_\alpha\rangle(V(\varphi))$ (and $V([\alpha]\varphi) = [R_\alpha](V(\varphi))$).


While first-order sentences express properties of a structure as a whole, modal formulae 
always make implicit reference to a distinguished (current) state in a Kripke structure. 
So the basic semantic notion in modal logic is truth of a formula at a state of a Kripke 
structure, with derived notions of validity also in Kripke structures and frames. 
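
DEFINITION 4. A $\tau$-formula $\varphi$ is:

(i) true at the state $w$ of the $\tau$-structure $\mathfrak{M} = \langle\mathfrak{F}, V\rangle$, denoted $\mathfrak{M}, w \models \varphi$, if $w \in V(\varphi)$.
This is the same as saying that $\varphi$ is true in the pointed structure $(\mathfrak{M}, w)$.
A formula that is true at a state of some $\tau$-structure is satisfiable.

(ii) valid in $\mathfrak{M}$, denoted $\mathfrak{M} \models \varphi$, if $\mathfrak{M}, w \models \varphi$ for every $w \in \mathrm{dom}(\mathfrak{M})$, i.e., if
$V(\varphi) = \mathrm{dom}(\mathfrak{M})$.

(iii) (locally) valid at the state $w$ of $\mathfrak{F}$, denoted $\mathfrak{F}, w \models \varphi$, if $\mathfrak{M}, w \models \varphi$ for every
$\tau$-structure $\mathfrak{M}$ over $\mathfrak{F}$.
This is the same as saying that $\varphi$ is valid in the pointed frame $(\mathfrak{F}, w)$.

(iv) valid in $\mathfrak{F}$, denoted $\mathfrak{F} \models \varphi$, if $\mathfrak{F}, w \models \varphi$ for every $w \in \mathrm{dom}(\mathfrak{F})$.
Equivalently: $\mathfrak{M} \models \varphi$ for every $\tau$-structure $\mathfrak{M}$ over $\mathfrak{F}$.

(v) valid, denoted $\models \varphi$, if $\mathfrak{F} \models \varphi$ for every $\tau$-frame $\mathfrak{F}$.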


1.3 The standard translations into first- and second-order logic 


With the modal language $\mathrm{ML}(\tau, \Phi)$, we associate the following purely relational
vocabularies:
— the relational version of $\tau$ itself, consisting of $R_\alpha$ for $\alpha \in \tau$, and again denoted by
just $\tau$.
— the expansion $\tau_\Phi$ of the relational vocabulary $\tau$ by unary predicates $\{P_0, P_1, \dots\}$
associated with the atomic propositions $p_0, p_1, \dots \in \Phi$.

Correspondingly, $\mathrm{FO}(\tau)$ and $\mathrm{FO}(\tau_\Phi)$ are the first-order languages with vocabularies
$\tau$ and $\tau_\Phi$, respectively. We regard a $\tau$-frame as a $\tau$-structure in the usual sense, and a
Kripke structure over a $\tau$-frame as a $\tau_\Phi$-structure, with $P_i$ interpreted as $V(p_i)$. We use
the same notation for Kripke structures and for the associated first-order structures, as
this causes no confusion. Wherever necessary, we will highlight the distinction by writing
$\models_{\mathrm{FO}}$ to explicitly appeal to first-order semantics.


² In algebraic terms (see Chapter 6), the extended valuation is the unique homomorphism from the
free $\tau$-algebra of formulae to the modal algebra associated with the model $\mathfrak{M}$, extending $V$.
Truth and validity of a modal formula in a Kripke structure are first-order notions in
the following sense. Let $\mathrm{VAR} = \{x_0, x_1, \dots\}$ be the set of first-order variables of $\mathrm{FO}(\tau_\Phi)$.
The formulae of $\mathrm{ML}(\tau)$ are translated into $\mathrm{FO}(\tau_\Phi)$ by means of the following standard
translation [124, 127], parameterised with the variables from VAR:

• $\mathrm{ST}(p_i; x_j) := P_i x_j$ for every $p_i \in \Phi$;

• $\mathrm{ST}(\bot; x_j) := \bot$;

• $\mathrm{ST}(\varphi_1 \to \varphi_2; x_j) := \mathrm{ST}(\varphi_1; x_j) \to \mathrm{ST}(\varphi_2; x_j)$;

• $\mathrm{ST}(\langle\alpha\rangle\varphi; x_j) := \exists y\,(x_j R_\alpha y \wedge \mathrm{ST}(\varphi; y))$, where $y$ is the first variable in $\mathrm{VAR} \setminus \{x_j\}$.


Note that only $x_j$ is free in $\mathrm{ST}(\varphi; x_j)$. Furthermore, for the standard translation
it suffices to use only the variables $x_0$ and $x_1$ (free or bound) in an alternating fashion.
This yields a translation into the two-variable fragment $\mathrm{FO}^2$ of first-order logic. Also, the
standard translation of any modal formula falls into the guarded fragment of first-order
logic. These observations are taken up in section 4.

The standard translation is semantically faithful in the following sense. 


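PROPOSITION 5. For every pointed Kripke structure $(\mathfrak{M}, w)$ and $\varphi \in \mathrm{ML}(\tau)$,

$$\mathfrak{M}, w \models \varphi \quad\text{iff}\quad \mathfrak{M}, w \models_{\mathrm{FO}} \mathrm{ST}(\varphi; x_0).$$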
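
Proposition 5 can be checked mechanically on a finite structure. The following Python sketch is an added example, not part of the chapter: it computes the extended valuation of Definition 3, builds the standard translation with the two variables x0 and x1 used alternately, and evaluates the resulting first-order formula directly. The tuple encoding of formulae, the function names and the sample structure are assumptions made for the illustration.

```python
# Modal formulae as nested tuples (an encoding assumed for this example):
#   ("bot",)   ("p", name)   ("imp", f, g)   ("dia", a, f)
BOT = ("bot",)

def Atom(name): return ("p", name)
def Imp(f, g): return ("imp", f, g)
def Dia(a, f): return ("dia", a, f)
def Not(f): return Imp(f, BOT)               # not f  := f -> bot
def And(f, g): return Not(Imp(f, Not(g)))    # f & g  := not (f -> not g)
def Box(a, f): return Not(Dia(a, Not(f)))    # [a]f   := not <a> not f


class Kripke:
    """Kripke structure: domain W, relations R[a] on W, valuation V[p] inside W."""
    def __init__(self, worlds, rel, val):
        self.W = frozenset(worlds)
        self.R = {a: frozenset(pairs) for a, pairs in rel.items()}
        self.V = {p: frozenset(ws) for p, ws in val.items()}


def extension(M, f):
    """Extended valuation V(f): the set of states of M at which f is true."""
    tag = f[0]
    if tag == "bot":
        return frozenset()
    if tag == "p":
        return M.V.get(f[1], frozenset())
    if tag == "imp":   # complement of V(f1), united with V(f2)
        return (M.W - extension(M, f[1])) | extension(M, f[2])
    if tag == "dia":   # <R_a>(X): states with an a-successor in X
        target = extension(M, f[2])
        return frozenset(w for (w, u) in M.R.get(f[1], ()) if u in target)
    raise ValueError(f"unknown connective: {tag!r}")


def st(f, j=0):
    """Standard translation ST(f; x_j); variables are the indices 0 and 1 only."""
    tag = f[0]
    if tag == "bot":
        return ("bot",)
    if tag == "p":
        return ("pred", f[1], j)
    if tag == "imp":
        return ("imp", st(f[1], j), st(f[2], j))
    if tag == "dia":
        y = 1 - j      # first variable different from x_j
        return ("exists", y, ("and", ("rel", f[1], j, y), st(f[2], y)))
    raise ValueError(f"unknown connective: {tag!r}")


def fo_holds(M, g, env):
    """First-order truth of g in M under the variable assignment env."""
    tag = g[0]
    if tag == "bot":
        return False
    if tag == "pred":
        return env[g[2]] in M.V.get(g[1], frozenset())
    if tag == "rel":
        return (env[g[2]], env[g[3]]) in M.R.get(g[1], frozenset())
    if tag == "imp":
        return (not fo_holds(M, g[1], env)) or fo_holds(M, g[2], env)
    if tag == "and":
        return fo_holds(M, g[1], env) and fo_holds(M, g[2], env)
    if tag == "exists":
        return any(fo_holds(M, g[2], {**env, g[1]: d}) for d in M.W)
    raise ValueError(f"unknown first-order construct: {tag!r}")


def free_vars(g):
    """Indices of the variables occurring free in the first-order formula g."""
    tag = g[0]
    if tag == "bot":
        return set()
    if tag == "pred":
        return {g[2]}
    if tag == "rel":
        return {g[2], g[3]}
    if tag == "exists":
        return free_vars(g[2]) - {g[1]}
    return free_vars(g[1]) | free_vars(g[2])   # "imp" and "and"


def agrees_with_translation(M, f):
    """Proposition 5 on M: w in V(f) iff ST(f; x0) holds with x0 := w, for all w."""
    g, ext = st(f, 0), extension(M, f)
    return all((w in ext) == fo_holds(M, g, {0: w}) for w in M.W)


# Constructed sample structure and the formula <a>(not p & [a]q).
SAMPLE = Kripke(worlds={0, 1, 2, 3},
                rel={"a": {(0, 1), (0, 2), (1, 3), (2, 3)}},
                val={"p": {1}, "q": {3}})
PHI = Dia("a", And(Not(Atom("p")), Box("a", Atom("q"))))
```

Rebinding x0 inside the scope of x1 is what keeps the translation within two variables; `fo_holds` handles this by overwriting the assignment for the quantified index.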


While the semantics and validity for modal formulae over Kripke structures is thus 
essentially first-order, validity of a modal formula in a frame goes beyond first-order 
logic. Indeed, paraphrasing the definition in terms of the standard translation, a modal 
formula $\varphi$ is valid in a frame iff its standard translation is true in that frame under every 
interpretation of the unary predicates occurring in it. 


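PROPOSITION 6. For every pointed Kripke frame $(\mathfrak{F}, w)$ and $\varphi \in \mathrm{ML}(\tau)$ with atomic
propositions among $p_0, \dots, p_n$:

$$\mathfrak{F}, w \models \varphi \quad\text{iff}\quad \mathfrak{F}, w \models \forall P_0 \dots \forall P_n\, \mathrm{ST}(\varphi; x_0).$$

Consequently, $\mathfrak{F} \models \varphi$ iff $\mathfrak{F} \models \forall P_0 \dots \forall P_n \forall x_0\, \mathrm{ST}(\varphi; x_0)$.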


1.4 Theories, equivalence and definability 


With every logic $\mathcal{L}$ comes an associated notion of logical equivalence between structures.
Two structures of the appropriate type are equivalent with respect to $\mathcal{L}$ if no property
expressible in $\mathcal{L}$ distinguishes between them, i.e., if their $\mathcal{L}$-theories are the same. In this
sense, first-order logic gives rise to the notion of elementary equivalence. Correspondingly, 
modal equivalence is indistinguishability in modal logic. Each view of the semantics of 
modal logic — in terms of (pointed or plain) structures or frames — corresponds to a notion 
of modal theories and modal equivalence. 


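DEFINITION 7. The modal theory of a pointed Kripke $\tau$-structure $(\mathfrak{M}, w)$ is the set of
all formulae of $\mathrm{ML}(\tau)$ satisfied in $(\mathfrak{M}, w)$: $\mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}, w) := \{\varphi \in \mathrm{ML}(\tau) \mid \mathfrak{M}, w \models \varphi\}$.

Correspondingly, the modal theory of $\mathfrak{M}$ is $\mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}) := \{\varphi \in \mathrm{ML}(\tau) \mid \mathfrak{M} \models \varphi\}$. The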
modal theories of a frame and pointed frame, as well as of classes of (pointed) Kripke 
structures or frames, are defined likewise. 
The basic notion of modal equivalence, corresponding to the notion of truth at a state
of a Kripke structure, is an equivalence relation on the class of pointed Kripke structures
$(\mathfrak{M}, w)$. Natural variants cover the derived notions for plain Kripke structures, and for
pointed or plain frames.


DEFINITION 8. For two pointed Kripke $\tau$-structures $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$: $(\mathfrak{M}, w)$ and
$(\mathfrak{M}', w')$ are ML-equivalent, denoted $(\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w')$, iff they satisfy exactly the
same formulae of ML, i.e., iff $\mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}, w) = \mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}', w')$. Modal equivalence between
Kripke structures, frames, and pointed frames are defined likewise.


Definability in modal logic means different things corresponding to the different levels 
of the semantics. We distinguish local versus global definability (truth at a state versus 
validity throughout a frame/structure), and definability at the level of structures versus 
frames (truth/validity for a given valuation versus for all valuations). 

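Given a formula $\varphi \in \mathrm{ML}(\tau)$, the classes of pointed Kripke structures, Kripke
structures, pointed frames and frames defined by $\varphi$ are denoted as $\mathrm{KS}(\varphi)$, $\mathrm{PKS}(\varphi)$, $\mathrm{FR}(\varphi)$,
and $\mathrm{PFR}(\varphi)$, respectively:

$\mathrm{PKS}(\varphi) = \{(\mathfrak{M}, w) \mid \mathfrak{M}, w \models \varphi\}$
$\mathrm{KS}(\varphi) = \{\mathfrak{M} \mid \mathfrak{M}, w \models \varphi \text{ for all } w \in \mathrm{dom}(\mathfrak{M})\}$
$\mathrm{PFR}(\varphi) = \{(\mathfrak{F}, w) \mid \langle\mathfrak{F}, V\rangle, w \models \varphi \text{ for all valuations } V\}$
$\mathrm{FR}(\varphi) = \{\mathfrak{F} \mid \langle\mathfrak{F}, V\rangle, w \models \varphi \text{ for all } w \in \mathrm{dom}(\mathfrak{F}) \text{ and for all valuations } V\}$

DEFINITION 9. A class $P$ of pointed Kripke $\tau$-structures is (modally) definable in the
language $\mathrm{ML}(\tau)$ if $P = \mathrm{PKS}(\varphi)$ for some formula $\varphi \in \mathrm{ML}(\tau)$. Definable classes of Kripke
structures, frames, and pointed frames are defined likewise.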


EXAMPLE 10. Here are some examples of modally definable classes of Kripke frames 
and structures. 

The class of pointed Kripke structures $(\mathfrak{M}, w)$, where $\mathfrak{M} = \langle W, R, V\rangle$, such that $w$ has
at least one successor not satisfying $p$ for which every successor satisfies $q$, is defined by
the formula $\Diamond(\neg p \wedge \Box q)$.

The formula $p \to \Box p$ defines the class of Kripke structures in which the valuation of $p$
is closed under the accessibility relation.

The class of frames in which every state has a successor is defined by the formula $\Diamond\top$;
the same formula defines the class of pointed frames $(\mathfrak{F}, w)$ in which $w$ has a successor.

The formula $\Diamond p \to \Box p$ defines the class of frames $K$ in which every state has at most
one successor. It is straightforward to show that the formula is valid in every such frame.
For the converse: if the formula fails at some state $w$ of a Kripke structure over a frame
$\mathfrak{F}$, then $p$ is true at some successor of $w$. But since $\Box p$ is false at $w$, there must be another
successor of $w$ where $p$ fails. Hence $\mathfrak{F}$ does not satisfy the defining property of $K$.

Other standard examples of modally definable classes of frames include the classes of:
reflexive frames, defined by $\Box p \to p$; transitive frames, defined by $\Box p \to \Box\Box p$; symmetric
frames, defined by $\Diamond\Box p \to p$, etc. For more examples see [117, 75, 127, 128].


Proposition 5 implies that the definability of classes of (pointed) Kripke structures 
by modal formulae is a special case of first-order definability. Consequently, modal logic 
shares many basic model-theoretic results with first-order logic, such as compactness and 
Löwenheim–Skolem theorems (see [12, 68]). We will discuss the model theoretic aspects 
of modal logic as a fragment of first-order logic on Kripke structures in section 4. 
On the other hand, Proposition 6 indicates that modal definability of (pointed) frames
is a form of $\Pi^1_1$-definability, and the model-theoretic consequences of that fact will be
discussed in section 8. In particular, we will see that it is indeed essentially second-order.


1.5 Polyadic modalities 


In polyadic modal logics one considers modalities $\alpha$ of arbitrary arities $r(\alpha) \in \mathbb{N}$,
which give rise to formulae $\langle\alpha\rangle(\varphi_1, \dots, \varphi_n)$ if $n = r(\alpha)$. The interpretation of an $n$-ary
modal operator $\alpha$ is given in terms of $(n+1)$-ary relations $R_\alpha$ in corresponding
frames, and an $n$-ary operator on subsets of these frames, in such a way that the semantics
is faithfully captured in the standard translation

$$\mathrm{ST}(\langle\alpha\rangle(\varphi_1, \dots, \varphi_n); x_j) := \exists y_1 \dots \exists y_n \Bigl(x_j R_\alpha y_1 \dots y_n \wedge \bigwedge_i \mathrm{ST}(\varphi_i; y_i)\Bigr),$$

where $y_1 \dots y_n$ are the first $n$ variables in $\mathrm{VAR} \setminus \{x_j\}$ (and $x_j R_\alpha y_1 \dots y_n$ is just a
notational variant for $R_\alpha x_j y_1 \dots y_n$).


Polyadic modalities were first studied from an algebraic perspective, as normal and 
additive operators in Boolean algebras, by Jónsson and Tarski [78, 79]. All the es- 
sential model theoretic features of modal logic can be generalised to this more liberal 
setting, albeit with some care and sometimes unavoidable notational complications. In 
[41] Goguadze et al. define and develop systematically an interpretation of polyadic languages
into monadic ones, and simulations of polyadic by monadic logics, which transfer
a number of important properties, such as frame completeness, finite model property,
canonicity and first-order definability. On the other hand, so-called purely modal polyadic
languages are defined in [55], where all logical connectives except negation are treated as 
binary modalities, and modalities can be composed. Thus, all polyadic modal formulae 
are built from (composite) boxes and diamonds applied to literals, making their syntactic 
structure much simpler. 


Throughout this chapter we will only treat monadic modalities explicitly. 


2 BISIMULATION AND BASIC MODEL CONSTRUCTIONS 


A major concern in model theory is the analysis of logical equivalence of structures in 
comparison with other natural notions of structural equivalence, in particular equiva- 
lences of a more combinatorial or algebraic nature. Bisimulation equivalences as studied 
below prove to be the algebraic/combinatorial counterparts to modal equivalence. 


For first-order logic this combinatorial approach leads to the well-known characterisation
of elementary equivalence via Ehrenfeucht–Fraïssé games (see [68, 108, 26, 25]).
Variations of the basic Ehrenfeucht–Fraïssé idea apply to many other logics including
modal logic. Modal equivalence can thus be put into the general Ehrenfeucht–Fraïssé
framework. We shall sketch this connection in section 4. The very natural game associated
with modal equivalence has, however, also been invented and studied independently
and in its own right, with the notions of zig-zag relation (van Benthem) and bisimulation
equivalence (Hennessy, Milner, Park). We therefore put an autonomous, modal treatment
before the discussion of relationships with the general framework of Ehrenfeucht–Fraïssé
and pebble games.
2.1 Bisimulation and invariance 


While the notion of logical equivalence is static, it can often be characterised in more 
dynamic, game-theoretic terms. The concept of bisimulation equivalence, which is closely 
related to corresponding games, is one of the most productive ideas in the model theory 
of modal logics, temporal logics, logics for concurrency, etc. Just as it has multiple roots 
in these various branches of logic, many variants have been employed to capture specific 
notions of “behavioural equivalence” between all kinds of transition systems that are 
interesting in their own right for various application areas — and not necessarily with any 
‘logic’ in mind. 

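DEFINITION 11. Let $\mathfrak{M} = \langle W, \{R_\alpha\}_{\alpha\in\tau}, V\rangle$ and $\mathfrak{M}' = \langle W', \{R'_\alpha\}_{\alpha\in\tau}, V'\rangle$ be two
Kripke $\tau$-structures. A bisimulation between $\mathfrak{M}$ and $\mathfrak{M}'$ is a non-empty relation
$\rho \subseteq W \times W'$ satisfying the following conditions for any $w \rho w'$:


Atom equivalence: $w$ and $w'$ satisfy the same atomic propositions, hereafter denoted
by $w \simeq w'$.


Forth: For any $\alpha \in \tau$, if $wR_\alpha u$ for some $u \in W$, then there is some $u' \in W'$ such that
$w'R'_\alpha u'$ and $u \rho u'$. (Any $\alpha$-transition at $w$ in $\mathfrak{M}$ can be matched at $w'$ in $\mathfrak{M}'$.)


Back: Similarly, in the opposite direction: for any $\alpha \in \tau$, and $w'R'_\alpha u'$ there is some
$u \in W$ such that $wR_\alpha u$ and $u \rho u'$. (Any $\alpha$-transition at $w'$ in $\mathfrak{M}'$ can be matched
at $w$ in $\mathfrak{M}$.)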


[Figure: the back and forth conditions]


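That $\rho$ is a bisimulation between $\mathfrak{M}$ and $\mathfrak{M}'$ is denoted as $\rho : \mathfrak{M} \sim \mathfrak{M}'$. If, moreover,
$\rho$ is such that every element in $\mathfrak{M}$ is linked to some element of $\mathfrak{M}'$ and vice versa, we say
that $\rho$ is a global bisimulation and that $\mathfrak{M}$ and $\mathfrak{M}'$ are globally bisimilar.


DEFINITION 12. Two pointed Kripke structures $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$ are bisimilar or
bisimulation equivalent, denoted $(\mathfrak{M}, w) \sim (\mathfrak{M}', w')$, if there is a bisimulation $\rho$ between
$\mathfrak{M}$ and $\mathfrak{M}'$ such that $w \rho w'$.


Bisimulations between (pointed) frames can be defined likewise, by omitting atom
equivalence. Thus, a relation $\rho$ is a bisimulation between two frames $\mathfrak{F}$ and $\mathfrak{F}'$, iff it
is a bisimulation between the respective Kripke structures $\langle\mathfrak{F}, V_\emptyset\rangle$ and $\langle\mathfrak{F}', V'_\emptyset\rangle$ where
the valuations $V_\emptyset$ and $V'_\emptyset$ render every atomic proposition false at every state of the
respective frame.


DEFINITION 13. Let $C$ be a class of structures appropriate for the logical language $\mathcal{L}$
(e.g., pointed Kripke structures for ML). Let $\approx$ be an equivalence relation on $C$. Then
$\mathcal{L}$ is preserved under $\approx$ over $C$, or $\mathcal{L}$ is $\approx$-invariant over $C$, iff for any $\mathfrak{A} \approx \mathfrak{A}'$ in $C$ and
any $\varphi \in \mathcal{L}$: $\mathfrak{A} \models \varphi \Leftrightarrow \mathfrak{A}' \models \varphi$, i.e., $\mathfrak{A}$ and $\mathfrak{A}'$ are $\mathcal{L}$-equivalent. In other words: $\approx$ is a
refinement of $\equiv_{\mathcal{L}}$, or $\approx\ \subseteq\ \equiv_{\mathcal{L}}$.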


258 Valentin Goranko and Martin Otto 


Invariance phenomena give insights into the semantics of the logic involved, and also 
often provide key tools for the model theoretic study of the logic (e.g., model constructions
guided by $\approx$ equivalence). The relationship between modal logics and bisimulation 
equivalences provides an excellent example of such a fruitful companionship. 

It would be straightforward to prove the following by induction on the structure of 
modal formulae, straight from the definition of bisimulations. However, this will also fall 
out as a corollary of the more instructive analysis of the associated bisimulation games. 
We therefore meanwhile only state the fact. 


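THEOREM 14 (bisimulation invariance).
$\mathrm{ML}(\tau)$ is bisimulation invariant: if $(\mathfrak{M}, w) \sim (\mathfrak{M}', w')$, then $(\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w')$.


Consequently, for every constant formula $\theta \in \mathrm{ML}(\tau)$ and pointed $\tau$-frames $(\mathfrak{F}, w)$ and
$(\mathfrak{F}', w')$: if $(\mathfrak{F}, w) \sim (\mathfrak{F}', w')$, then $(\mathfrak{F}, w) \models \theta$ iff $(\mathfrak{F}', w') \models \theta$.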


2.2 Classical truth-preserving constructions 


Bisimulations induced by maps from one frame to another have classically been studied 
as bounded morphisms or p-morphisms. We state the corresponding back-and-forth con- 
ditions, which are slightly simpler in the case of such a functional relationship, and treat 
some particularly important special cases. The use of generated and rooted substructures, 
bounded morphic images, tree unfoldings and disjoint unions in connection with classical 
model constructions for modal logic is based on truth preservation for modal formulae. 
These constructions were introduced for basic modal logic [117, 7] before the notion of 
bisimulation was developed and its importance for modal logic realised. Via duality the- 
ory, which connects the relational semantics for modal logic with an algebraic semantics, 
bounded morphisms, generated subframes and disjoint unions correspond respectively to 
the fundamental universal algebraic notions of subalgebras, homomorphic images, and 
direct products. For details see Chapter 6 of this handbook, as well as [78, 43, 44, 114] 
and [5, Ch. 5]. 

The preservation results encountered in these special cases of a passage to bisimilar 
structures highlight to various degrees one of the key characteristic features of the se- 
mantics of modal logic: its explicit locality and restricted nature of quantification. Unlike 
first-order logic, whose global quantification over the entire universe makes truth gener- 
ally dependent on the entire structure, the truth of a modal formula in a Kripke structure 
is evaluated relative to a ‘current’ state and admits access to the rest of the structure 
only along the edges of the accessibility relations. 

Passage from a given structure to a bisimilar tree structure, obtained via a simple 
bounded morphism, shows for instance that any satisfiable formula of basic modal logic 
is satisfied at the root of a tree structure (tree model property, see Corollary 24; this 
can be further strengthened to a finite tree model property, see Lemma 35). Conversely, 
preservation results can be used to show that certain properties are not modally definable. 
We shall see some classical examples of this in section 2.3. 


Bounded morphisms 


DEFINITION 15. Let $\mathfrak{M} = \langle W, \{R_\alpha\}_{\alpha\in\tau}, V\rangle$ and $\mathfrak{M}' = \langle W', \{R'_\alpha\}_{\alpha\in\tau}, V'\rangle$ be Kripke
structures. A function $\rho : W \to W'$ is a bounded morphism from $\mathfrak{M}$ to $\mathfrak{M}'$ if its graph is
a bisimulation between $\mathfrak{M}$ and $\mathfrak{M}'$. We denote a bounded morphism as in $\rho : \mathfrak{M} \to \mathfrak{M}'$.
Bounded morphisms between frames are similarly defined.
If $\rho$ is onto, then $\mathfrak{M}'$ is a bounded morphic image of $\mathfrak{M}$ (and similarly for frames).


Thus, for each $w \in W$, a bounded morphism $\rho$ uniquely singles out a bisimilar state
$\rho(w)$ in $W'$. The bisimulation conditions for a bounded morphism between two Kripke
structures correspondingly become:


Atom equivalence: $w \simeq \rho(w)$ for every $w \in W$.

Forth: For any $w \in W$ and $\alpha \in \tau$, if $wR_\alpha u$ for some $u \in W$, then $\rho(w) R'_\alpha \rho(u)$.

Back: For any $w \in W$ and $\alpha \in \tau$, if $\rho(w) R'_\alpha u'$ for some $u' \in W'$, then $u' = \rho(u)$ for
some $u \in W$ such that $wR_\alpha u$.


Bisimulation invariance yields the following preservation results. 
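
COROLLARY 16. Bounded morphisms preserve truth and validity of modal formulae.
More specifically, if $\rho : \mathfrak{M} \to \mathfrak{M}'$ is a bounded morphism and $\varphi \in \mathrm{ML}(\tau)$, then:
(i) for all $u \in \mathrm{dom}(\mathfrak{M})$: $\mathfrak{M}, u \models \varphi$ iff $\mathfrak{M}', \rho(u) \models \varphi$.
(ii) If $\rho$ is onto, then $\mathfrak{M} \models \varphi$ iff $\mathfrak{M}' \models \varphi$, i.e., $\mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}) = \mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}')$.
(iii) If $\mathfrak{F}, u \models \varphi$, then $\mathfrak{F}', \rho(u) \models \varphi$.
(iv) If $\rho$ is onto, then $\mathfrak{F} \models \varphi$ implies $\mathfrak{F}' \models \varphi$.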


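For the latter two claims one just has to note that each model $\mathfrak{M}' = \langle\mathfrak{F}', V'\rangle$ over
the frame $\mathfrak{F}'$ can be pulled back to give a model $\mathfrak{M} = \langle\mathfrak{F}, V\rangle$ over the frame $\mathfrak{F}$ via
$V(p) := \rho^{-1}[V'(p)] = \{w \in \mathrm{dom}(\mathfrak{F}) \mid \rho(w) \in V'(p)\}$. This turns $\rho$ into a bounded
morphism from $\mathfrak{M}$ to $\mathfrak{M}'$. Note, however, that not every model over $\mathfrak{F}$ is obtained in this
manner.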
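
The conditions of Definitions 11, 12 and 15 can be decided on finite structures. The following Python sketch is an added example, not part of the chapter: it checks whether a given relation is a bisimulation, computes the largest relation satisfying atom equivalence, forth and back by discarding violating pairs until nothing changes, and tests whether a map is a bounded morphism by checking its graph. The representation of a structure as a triple (W, R, V), with V mapping each state to its set of true atoms, the function names and the three sample structures are assumptions made for the illustration.

```python
def successors(R, a, w):
    """All u with w R_a u."""
    return {u for (x, u) in R.get(a, ()) if x == w}


def matched(pair, rho, M, N):
    """Atom equivalence, forth and back for one pair (w, w2), relative to rho."""
    (w, w2) = pair
    (_, R, V), (_, R2, V2) = M, N
    if set(V[w]) != set(V2[w2]):                     # atom equivalence
        return False
    for a in set(R) | set(R2):
        S, S2 = successors(R, a, w), successors(R2, a, w2)
        forth = all(any((u, u2) in rho for u2 in S2) for u in S)
        back = all(any((u, u2) in rho for u in S) for u2 in S2)
        if not (forth and back):
            return False
    return True


def is_bisimulation(rho, M, N):
    """Definition 11: rho is non-empty and every pair in it is matched."""
    rho = set(rho)
    return bool(rho) and all(matched(pr, rho, M, N) for pr in rho)


def greatest_bisimulation(M, N):
    """Largest relation closed under the three conditions (empty if none exists)."""
    rho = {(w, w2) for w in M[0] for w2 in N[0]}
    while True:
        bad = {pr for pr in rho if not matched(pr, rho, M, N)}
        if not bad:
            return rho
        rho -= bad      # a discarded pair may invalidate others; iterate


def bisimilar(M, w, N, w2):
    """Definition 12: some bisimulation links w and w2."""
    return (w, w2) in greatest_bisimulation(M, N)


def is_bounded_morphism(f, M, N):
    """Definition 15: f is a total map W -> W' whose graph is a bisimulation."""
    if set(f) != set(M[0]) or not set(f.values()) <= set(N[0]):
        return False
    return is_bisimulation({(w, f[w]) for w in M[0]}, M, N)


# Constructed samples, all with p true everywhere:
#   CYCLE: 0 -> 1 -> 0,   LOOP: a single reflexive state,   CHAIN: 0 -> 1 (dead end)
CYCLE = ({0, 1}, {"a": {(0, 1), (1, 0)}}, {0: {"p"}, 1: {"p"}})
LOOP = ({"*"}, {"a": {("*", "*")}}, {"*": {"p"}})
CHAIN = ({0, 1}, {"a": {(0, 1)}}, {0: {"p"}, 1: {"p"}})
COLLAPSE = {0: "*", 1: "*"}      # the only map into LOOP
```

Collapsing CYCLE onto LOOP is an onto bounded morphism, so by Corollary 16 the two structures have the same modal theory; the same map from CHAIN fails the back condition at the dead-end state.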

We turn to several basic model constructions involving bounded morphisms: generated 
substructures, rooted substructures, tree unfoldings and disjoint unions. 


Generated and rooted substructures 


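If $R \subseteq W^2$ is any binary relation over $W$, and $W' \subseteq W$, we write $R{\upharpoonright}W'$ for the restriction
of $R$ to $W'$, $R{\upharpoonright}W' = R \cap (W' \times W')$. Similarly for a valuation $V$ on $W$, $V{\upharpoonright}W'$ stands
for its restriction to $W'$.

DEFINITION 17. Let $\mathfrak{F} = \langle W, \{R_\alpha\}_{\alpha\in\tau}\rangle$ be a frame, or $\mathfrak{M} = \langle\mathfrak{F}, V\rangle$ a Kripke structure
over $\mathfrak{F}$, respectively, and $W' \subseteq W$.
(i) The induced subframe of $\mathfrak{F}$ over $W'$ is the frame $\mathfrak{F}' := \mathfrak{F}{\upharpoonright}W' = \langle W', \{R_\alpha{\upharpoonright}W'\}_{\alpha\in\tau}\rangle$.
The subframe relationship is denoted $\mathfrak{F}' \leq \mathfrak{F}$.
(ii) $\mathfrak{F}' = \mathfrak{F}{\upharpoonright}W'$ is a generated subframe of $\mathfrak{F}$, denoted $\mathfrak{F}' \preceq \mathfrak{F}$, if $W'$ is closed under all
accessibility relations in the sense that $wR_\alpha u$ for $w \in W'$ implies $u \in W'$.
(iii) The induced substructure of $\mathfrak{M}$ over $W'$ is the Kripke structure $\mathfrak{M}' = \mathfrak{M}{\upharpoonright}W' =
\langle\mathfrak{F}{\upharpoonright}W', V{\upharpoonright}W'\rangle$, denoted $\mathfrak{M}' \leq \mathfrak{M}$. If $\mathfrak{F}{\upharpoonright}W' \preceq \mathfrak{F}$, then $\mathfrak{M}'$ is a generated
substructure of $\mathfrak{M}$, denoted $\mathfrak{M}' \preceq \mathfrak{M}$.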


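Obviously, for $\mathfrak{M}' \preceq \mathfrak{M}$ the inclusion map $\rho : W' \to W$ is a bounded morphism. By
bisimulation invariance, we therefore have the following.


PROPOSITION 18. For all Kripke structures $\mathfrak{M}' \preceq \mathfrak{M}$ and for every formula $\varphi$ of
$\mathrm{ML}(\tau)$:
(i) for every $u \in \mathrm{dom}(\mathfrak{M}')$: $\mathfrak{M}, u \models \varphi$ iff $\mathfrak{M}', u \models \varphi$.
(ii) $\mathfrak{M} \models \varphi$ implies $\mathfrak{M}' \models \varphi$.
Likewise, for frames $\mathfrak{F}' \preceq \mathfrak{F}$ and $u \in \mathrm{dom}(\mathfrak{F}')$: $\mathfrak{F}, u \models \varphi$ iff $\mathfrak{F}', u \models \varphi$, and $\mathfrak{F} \models \varphi$
implies $\mathfrak{F}' \models \varphi$.
The latter claim holds since every Kripke structure over $\mathfrak{F}'$ is induced by a Kripke
structure on $\mathfrak{F}$.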


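A particularly important case of generated subframes deals with the set of all states
reachable from a fixed state. A path in a frame $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha\in\tau})$ is a sequence
$\vec{w} = (w_0, \alpha_1, w_1, \ldots, \alpha_k, w_k)$, where $w_{i-1} R_{\alpha_i} w_i$ for $i = 1, \ldots, k$ (this path is rooted at $w_0$ and
has length $k$). A path of length $k = 0$, $\vec{w} = (w_0)$, is identified with its root $w_0$. For
$u \in W$, we denote the set of all paths rooted at $u$ by $\vec{W}[u]$. For every path $\vec{w}$ as above
we define the ‘terminal state’ function $f(\vec{w}) = w_k$ where $k$ is the length of $\vec{w}$. Then

$W[u] = \{f(\vec{w}) \mid \vec{w} \in \vec{W}[u]\}$

is the set of all states in $\mathfrak{F}$ reachable from $u$ (including $u$ itself).
DEFINITION 19. Let $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha\in\tau})$ be a frame, $\mathfrak{M} = (\mathfrak{F}, V)$ a Kripke structure
over $\mathfrak{F}$, and $u \in W$.
(i) The subframe of $\mathfrak{F}$ rooted at $u$ is the frame $\mathfrak{F}[u] = \mathfrak{F}{\restriction}W[u]$.
(ii) The substructure of $\mathfrak{M}$ rooted at $u$ is the Kripke structure $\mathfrak{M}[u] = \mathfrak{M}{\restriction}W[u]$.
(iii) $\mathfrak{F}$ (respectively $\mathfrak{M}$) is rooted at $u$ if $W[u] = W$.
Clearly, for any $u \in W$: $\mathfrak{F}[u] \trianglelefteq \mathfrak{F}$ and $\mathfrak{M}[u] \trianglelefteq \mathfrak{M}$, respectively. Therefore, we obtain
the following.
COROLLARY 20. For every Kripke structure $\mathfrak{M}$ and formula $\varphi$ of $\mathrm{ML}(\tau)$:
(i) for all $u \in W$: $\mathfrak{M}, u \models \varphi$ iff $\mathfrak{M}[u], u \models \varphi$.
(ii) $\mathfrak{M} \models \varphi$ implies $\mathfrak{M}[u] \models \varphi$.
(iii) Likewise for (pointed) frames.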


Thus, any satisfiable formula is satisfiable at the root of a rooted Kripke structure. 


Tree unfoldings 


An important model construction based on a canonical bounded morphism is the unfolding
or tree unravelling of a Kripke structure $\mathfrak{M} = (W, \{R_\alpha\}_{\alpha\in\tau}, V)$ from some $u \in W$.
This construction was introduced in [113], where the tree model property (cf. Corollary 24
below) was proved, too.

Recall the map $f\colon \vec{W}[u] \to W$, which maps the path $\vec{w} = (u = w_0, \alpha_1, w_1, \ldots, \alpha_k, w_k)$
to its terminal state $f(\vec{w}) = w_k$. The unfolding $\vec{\mathfrak{M}}[u]$ of $\mathfrak{M}$ at $u$ is based on the set
$\vec{W}[u]$ of all paths rooted at $u$, with the natural definition of accessibility relations and a
valuation that turns $f$ into a bounded morphism.

DEFINITION 21. The unfolding (or, unravelling) of $\mathfrak{M} = (W, \{R_\alpha\}_{\alpha\in\tau}, V)$ from some
$u \in W$ is the rooted Kripke structure $\vec{\mathfrak{M}}[u] := (\vec{W}[u], \{\vec{R}_\alpha\}_{\alpha\in\tau}, \vec{V})$ with root $u = (u)$,
where
$\vec{R}_\alpha := \{(\vec{w}, (\vec{w}, \alpha, w')) \mid \vec{w} \in \vec{W}[u],\ f(\vec{w}) R_\alpha w'\}$,
$\vec{V}(p) := f^{-1}[V(p)]$.
Indeed, $\vec{\mathfrak{M}}[u]$ is a tree structure with root $u = (u)$ in the sense of the following
definition.
DEFINITION 22. A pointed frame $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha\in\tau})$ with distinguished state $u \in W$
is a tree with root $u$ if $\mathfrak{F}$ is rooted at $u$ and every state $w \in W$ is reachable from $u$ by a
unique path. Accordingly, every Kripke structure over $(\mathfrak{F}, u)$ is a tree structure.
OBSERVATION 23. For every pointed Kripke structure $(\mathfrak{M}, u)$ the terminal state map
$f\colon \vec{W}[u] \to W[u]$ is a bounded morphism of the unfolding $\vec{\mathfrak{M}}[u]$ onto $\mathfrak{M}[u]$.

As $\vec{\mathfrak{M}}[u]$ is a tree structure with root $u = (u)$, we obtain the following. Also compare
Lemma 35 below.


COROLLARY 24 (tree-model property). Every satisfiable modal formula is satisfiable 
at the root of a tree. 


Disjoint unions 

Disjoint unions are well known for relational structures: the component structures are 
put side by side without any relational links between the components. Assuming that 
the given family of Kripke structures or frames is based on universes that are pairwise 
disjoint, we may just take the set-theoretic union of the universes, accessibility relations, 
and valuations, respectively. If the given frames are not disjoint, they first need to be 
replaced by isomorphic copies over universes that are pairwise disjoint. 

To be specific, define the disjoint union of an arbitrary family $\{W^i\}_{i\in I}$ of (not necessarily
disjoint) sets as $\biguplus_{i\in I} W^i := \bigcup_{i\in I}(W^i \times \{i\})$. With this formalisation, we have the
natural injection or embedding $e_j\colon W^j \to \bigcup_{i\in I}(W^i \times \{i\})$ of each component set into
the disjoint union, which maps $w \in W^j$ to $(w, j) \in \bigcup_{i\in I}(W^i \times \{i\})$.

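DEFINITION 25. Consider a family of $\tau$-frames $\{\mathfrak{F}^i = (W^i, \{R^i_\alpha\}_{\alpha\in\tau})\}_{i\in I}$ and a family
of Kripke structures $\{\mathfrak{M}^i = (\mathfrak{F}^i, V^i)\}_{i\in I}$ over these.

(i) The disjoint union of $\{\mathfrak{F}^i\}_{i\in I}$ is the frame $\biguplus_{i\in I} \mathfrak{F}^i = (\biguplus_{i\in I} W^i, \{R_\alpha\}_{\alpha\in\tau})$ where

$(w_0, i_0) R_\alpha (w_1, i_1)$ iff $i_0 = i_1 = i$ and $w_0 R^i_\alpha w_1$.
(ii) The disjoint union of $\{\mathfrak{M}^i\}_{i\in I}$ is the Kripke $\tau$-structure $\biguplus_{i\in I} \mathfrak{M}^i = (\biguplus_{i\in I} \mathfrak{F}^i, V)$
where $V(p) = \biguplus_{i\in I} V^i(p)$.

It is immediate that the natural injection $e_j\colon W^j \to \biguplus_{i\in I} W^i$ isomorphically embeds
$\mathfrak{M}^j$ into $\biguplus_{i\in I} \mathfrak{M}^i$ and is indeed a bounded morphism with image $e_j[\mathfrak{M}^j] \cong \mathfrak{M}^j$ and
$e_j[\mathfrak{M}^j] \trianglelefteq \biguplus_{i\in I} \mathfrak{M}^i$. We therefore obtain the following, by bisimulation invariance and
based on previous observations.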

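PROPOSITION 26. Given a family of $\tau$-frames $\{\mathfrak{F}^i = (W^i, \{R^i_\alpha\}_{\alpha\in\tau})\}_{i\in I}$, a family of
Kripke structures $\{\mathfrak{M}^i = (\mathfrak{F}^i, V^i)\}_{i\in I}$ over these frames, and $\varphi \in \mathrm{ML}(\tau)$:
(i) For every $j \in I$ and $w \in \mathrm{dom}(\mathfrak{M}^j)$: $\mathfrak{M}^j, w \models \varphi$ iff $\biguplus_{i\in I} \mathfrak{M}^i, (w, j) \models \varphi$.
(ii) For every $j \in I$ and $w \in \mathrm{dom}(\mathfrak{F}^j)$: $\mathfrak{F}^j, w \models \varphi$ iff $\biguplus_{i\in I} \mathfrak{F}^i, (w, j) \models \varphi$.
(iii) $\biguplus_{i\in I} \mathfrak{M}^i \models \varphi$ iff $\mathfrak{M}^i \models \varphi$ for every $i \in I$.
(iv) $\biguplus_{i\in I} \mathfrak{F}^i \models \varphi$ iff $\mathfrak{F}^i \models \varphi$ for every $i \in I$.

The following structural observation [127] links some of the ideas explored in this
section.

PROPOSITION 27. Any Kripke structure is the bounded morphic image of a disjoint
union of rooted Kripke structures, and indeed of tree structures.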


For a proof of the proposition, consider the families of the $\{\mathfrak{M}[u]\}_{u\in W}$ or $\{\vec{\mathfrak{M}}[u]\}_{u\in W}$.
The desired bounded morphisms (from the disjoint unions of these families back onto
$\mathfrak{M}$) are the unions of the projection and inclusion or terminal state maps defined on the
components of these disjoint unions.


2.8 Proving non-definability 


To show that a given property of structures is definable in a given logic, it suffices
simply to find a defining formula. Showing that a property is not definable, however,
is not so straightforward, and often requires elaborate arguments. A standard method
for establishing non-definability of a property P (i.e., of the class of structures satisfying
that property) in a logic $\mathcal{L}$ is to show that P is not closed under some construction
preserving truth (validity) of all formulae of $\mathcal{L}$. Now that we have at hand constructions
that preserve truth and validity of modal formulae, we can use them to show that various
properties of frames and structures are not modally definable. Compare Definition 9 for
the relevant notions of definability.

At the level of pointed Kripke structures, modal formulae capture only properties that
are local in the sense that whether or not $\mathfrak{M}, w \models \varphi$ only depends on $(\mathfrak{M}[w], w)$. In other
words, modal formulae are incapable of expressing any property of $(\mathfrak{M}, w)$ that involves
points beyond $\mathfrak{M}[w]$. For instance, there is no $\varphi \in \mathrm{ML}$ such that $\mathfrak{M}, w \models \varphi$ iff $\mathfrak{M} \models p$.
Indeed, one can always add to $\mathfrak{M}$ an extra point (as a disjoint union), not reachable
from $w$, where $p$ is false. The resulting pointed structure $(\mathfrak{M}', w)$ is bisimilar to $(\mathfrak{M}, w)$,
whence $\varphi$ would have to be equally true or false at $w$ in both.

Likewise, at the level of Kripke structures, there is no $\varphi \in \mathrm{ML}$ such that $\mathfrak{M} \models \varphi$ iff
the accessibility relation of the underlying frame $\mathfrak{F}$ is reflexive. This follows for instance
from the fact that the unfolding of any frame is irreflexive. If $\mathfrak{M}$ is reflexive, then so is
the generated substructure $\mathfrak{M}[u]$, which however is also a bounded morphic image of the
irreflexive $\vec{\mathfrak{M}}[u]$. Reflexivity, however, is well-known to be definable in terms of frame
validity by the formula $\Box p \to p$. In other words, the class of reflexive frames is definable
by the second-order sentence $\forall P \forall x(\forall y(Rxy \to Py) \to Px)$. Intuitively, in terms of truth
in Kripke structures, modal formulae can make very little reference to the underlying
frame.


We turn to properties of frames and non-definability in terms of frame validity, which
is maybe the most interesting facet of modal expressiveness. One can show, for instance,
that (unlike reflexivity) irreflexivity is not a modally definable frame property. This
property is not preserved under surjective bounded morphisms, while surjective bounded
morphisms preserve frame validity. One may consider unfoldings as above, or also the
(irreflexive) frame $\mathfrak{F} = (\{w_1, w_2\}, \{(w_1, w_2), (w_2, w_1)\})$ and its bounded morphic image
$\mathfrak{F}' = (\{w\}, \{(w, w)\})$, which is reflexive. Hence any $\varphi$ valid in the former would also be
valid in the latter.
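
The forth and back conditions, Observation 23 and the two-point frame above can all be checked mechanically on finite frames. The following Python sketch is an added example, not part of the handbook; its function names and the diamond-shaped sample frame are constructed for illustration.

```python
# Frames are (states, edges); edges is a set of (source, label, target)
# triples. A valuation maps each proposition to a set of states.

def is_bounded_morphism(rho, src, dst, val_src=None, val_dst=None):
    """Forth, back and (if valuations are given) atom preservation for rho."""
    (W, R), (_, R2) = src, dst
    forth = all((rho[w], a, rho[u]) in R2 for (w, a, u) in R)
    back = all(
        any(rho[u] == u2 for (x, b, u) in R if x == w and b == a)
        for w in W
        for (v, a, u2) in R2
        if v == rho[w]
    )
    atoms = True
    if val_src is not None:
        atoms = all(
            (w in val_src.get(p, set())) == (rho[w] in val_dst.get(p, set()))
            for p in set(val_src) | set(val_dst)
            for w in W
        )
    return forth and back and atoms

def reachable(frame, u):
    """W[u]: all states reachable from u, including u itself."""
    _, R = frame
    seen, todo = {u}, [u]
    while todo:
        w = todo.pop()
        for (x, _, t) in R:
            if x == w and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def unfold(frame, u):
    """Unfolding from u: states are paths (u, a1, w1, ..., ak, wk). Returns the
    path frame and the terminal-state map f. A frame with a cycle reachable
    from u has an infinite unfolding, so it is rejected."""
    _, R = frame
    paths, edges, todo = {(u,)}, set(), [(u,)]
    while todo:
        path = todo.pop()
        for (x, a, t) in R:
            if x != path[-1]:
                continue
            if t in path[0::2]:          # states sit at the even positions
                raise ValueError("cycle reachable from root")
            ext = path + (a, t)
            paths.add(ext)
            edges.add((path, a, ext))
            todo.append(ext)
    return (paths, edges), {p: p[-1] for p in paths}

def is_tree(frame, root):
    """Rooted at root, and every state is reached by a unique path."""
    W, R = frame
    indeg = {w: 0 for w in W}
    for (_, _, t) in R:
        indeg[t] += 1
    return (indeg[root] == 0
            and all(indeg[w] == 1 for w in W if w != root)
            and reachable(frame, root) == set(W))

def is_irreflexive(frame):
    return all(w != t for (w, _, t) in frame[1])

# Constructed samples: a diamond (two paths into state 3), the symmetric
# two-point frame from the text, and its reflexive one-point image.
DIAMOND = ({0, 1, 2, 3}, {(0, "a", 1), (0, "a", 2), (1, "a", 3), (2, "a", 3)})
DIAMOND_VAL = {"p": {3}}
TWO_CYCLE = ({"w1", "w2"}, {("w1", "a", "w2"), ("w2", "a", "w1")})
LOOP = ({"w"}, {("w", "a", "w")})

def unfolding_demo():
    """Unfold the diamond at 0 and pull the valuation back along f."""
    unf, f = unfold(DIAMOND, 0)
    val = {p: {path for path in unf[0] if f[path] in states}
           for p, states in DIAMOND_VAL.items()}
    return unf, f, val

if __name__ == "__main__":
    unf, f, val = unfolding_demo()
    print("unfolding states:", len(unf[0]), "tree:", is_tree(unf, (0,)))
    print("f bounded morphism:", is_bounded_morphism(f, unf, DIAMOND, val, DIAMOND_VAL))
    print("2-cycle -> loop:", is_bounded_morphism({"w1": "w", "w2": "w"}, TWO_CYCLE, LOOP))
```

The collapse of the two-point frame onto the reflexive point passes all three checks although only the source is irreflexive, which is exactly the failure of preservation used in the argument above.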

Similarly, the class of non-reflexive frames (i.e., ones having at least one irreflexive
point) is not definable in terms of validity of modal formulae, because it is not closed
under passage to generated subframes. Likewise, the classes of finite frames, connected
frames, or of frames with a universal accessibility relation ($R = W^2$), are not definable in
terms of frame validity of modal formulae, as they are not closed under disjoint unions.

For another interesting example, consider the property of a frame to be a reflexive
partial ordering. It is not modally definable, because anti-symmetry is not preserved
under surjective bounded morphisms. Indeed, $(\mathbb{Z}, <)$ is antisymmetric, but the mapping
of it onto the symmetric frame $\mathfrak{F}$ above, sending all odd numbers to $w_1$, and all even ones
to $w_2$, is a surjective bounded morphism (and remains so, even when we add an inverse
or past modality, as in basic temporal logic).

However, the preservation results we have discussed so far are insufficient to capture
frame non-definability. A witness is the following more subtle example: the property of
continuity, or Dedekind completeness is not modally definable in modal logic, but to see
that using a non-preservation argument is not easy. Ultimately, this follows from the fact
that $(\mathbb{R}, <)$ (which is continuous) and $(\mathbb{Q}, <)$ (which is not) have the same modal theory
(i.e., the same formulae of basic modal logic are valid in these frames); see [46].³


Finally, note that preservation under generated subframes, surjective bounded morphisms
and disjoint unions is not sufficient to guarantee modal definability in terms of
frame validity, even for first-order definable properties. For instance, the class of frames
defined by the first-order sentence $\forall x \exists y(xRy \wedge yRy)$ (see [51, 128, 74]) is not modally
definable, despite being closed under these three constructions. We will come back to
this example in section 6.1.

For more examples of modal non-definability see [5, Section 3.3] and [128] where 
syntactic characterisations of the first-order properties preserved by each one of the three 
constructions mentioned above have been obtained. 


3 BISIMULATION: A CLOSER LOOK 


3.1 Bisimulation games 


Bisimulation relations may be understood as descriptions of (non-deterministic) winning
strategies for one player in corresponding model comparison games. We illustrate the
concept in the case of bisimulations for basic modal logic — or Kripke structures with a
single binary transition relation $R$ — writing $\Diamond$ and $\Box$ for the associated modalities. All
considerations admit canonical ramifications to the more general poly-modal setting (as
well as to polyadic modalities).

Let $\mathfrak{M} = (W, R, V)$ and $\mathfrak{M}' = (W', R', V')$ be Kripke structures of this basic type.
The bisimulation game over $\mathfrak{M}$ and $\mathfrak{M}'$ is played by two players I and II with one pebble
in $\mathfrak{M}$ and one in $\mathfrak{M}'$ to mark a single ‘current’ state in each structure. A configuration in
the game consists of a current placement of the two pebbles and is described by the pair
of pointed Kripke structures $(\mathfrak{M}, w; \mathfrak{M}', w')$, with distinguished $w$ and $w'$ for the current
states (pebble positions).


A single round in the game is played as follows. The first player, I, or challenger, 
selects one of the two pebbles and moves it forward along an edge in the respective 
structure to a successor state. The second player, II, or defender, has to respond by 
similarly moving forward the pebble in the opposite structure. 


³ On the other hand, continuity is definable in temporal logic by the formula
$\Box([P]p \to \langle F\rangle[P]p) \to ([P]p \to [F]p)$, where $F$ and $P$ are respectively the future and past
modality, and $\Box\varphi = [P]\varphi \wedge \varphi \wedge [F]\varphi$ is the always modality. See [46].

During the game, II loses when no such response is possible or if the resulting new
configuration fails to have the two pebbles in atom equivalent states (i.e., the new positions
are distinguished by at least one atomic proposition, cf. Definition 29 (ii) below).
I loses during the game if no further round can be played because both pebbles are
in states without successors. An infinite run of the game, which continues through an
infinite sequence of rounds played according to the above rules, is won by II.

We say that II has a winning strategy in the bisimulation game starting from configuration
$(\mathfrak{M}, w; \mathfrak{M}', w')$, if she has responses to any challenges from the first player that
guarantee her to win the game (either because I gets stuck, or because she can respond
with good moves indefinitely).

Intuitively, we think of I as challenging the claim of bisimilarity in the current configuration,
while II defends that bisimilarity claim. This is borne out by the following.


PROPOSITION 28. Player II has a winning strategy in the bisimulation game starting
from the initial configuration $(\mathfrak{M}, w; \mathfrak{M}', w')$ if, and only if, $(\mathfrak{M}, w) \sim (\mathfrak{M}', w')$.


Indeed, an actual bisimulation $\rho\colon (\mathfrak{M}, w) \sim (\mathfrak{M}', w')$ is a non-deterministic winning
strategy for II: she merely needs to select her responses so that the currently pebbled
states remain linked by $\rho$. The atom equivalence condition on $\rho$ guarantees that
atom equivalence between pebbled states is maintained; the forth condition guarantees a
matching response to challenges played by I in $\mathfrak{M}$; the back condition similarly guarantees
a matching response to challenges played in $\mathfrak{M}'$.

Conversely, the set of pairs $(u, u')$ in all configurations $(\mathfrak{M}, u; \mathfrak{M}', u')$ from which II
has a winning strategy, if non-empty, is a bisimulation.


3.2 Finite bisimulations and characteristic formulae


The games view of a bisimulation suggests that we look at finite approximations corresponding
to the existence of winning strategies for a fixed finite number of rounds. These
approximations also hold the key to the connection between bisimulation equivalence and
modal equivalence. Natural approximations to $\equiv^{\mathrm{ML}}$ are induced by the stratification of
ML with respect to the nesting depth of modal formulae (cf. Definition 1), as follows.


DEFINITION 29. For two pointed Kripke $\tau$-structures $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$:
(i) For $n \geq 0$, $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$ are $\mathrm{ML}_n$-equivalent, denoted $(\mathfrak{M}, w) \equiv^{\mathrm{ML}}_n (\mathfrak{M}', w')$,
iff they satisfy exactly the same formulae of $\mathrm{ML}_n$.
(ii) At the level of $\equiv^{\mathrm{ML}}_0$, we write $w \simeq w'$ instead of $(\mathfrak{M}, w) \equiv^{\mathrm{ML}}_0 (\mathfrak{M}', w')$ and say that
$w$ and $w'$ are atom equivalent (or, isomorphic when viewed as isolated states with
atomic propositions according to $V$, $V'$).


The n-round bisimulation game is played like the (unbounded) bisimulation game but 
terminates after n rounds (or beforehand if either player loses during one of these rounds). 
Now II also wins if the n-th round is completed without violating atom equivalence. The 
notion of a winning strategy is correspondingly adapted. 


DEFINITION 30. Let $n \geq 0$. Two pointed Kripke structures $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$ are
(i) n-bisimilar, or n-bisimulation equivalent, denoted $(\mathfrak{M}, w) \sim_n (\mathfrak{M}', w')$, if II has a
winning strategy in the n-round bisimulation game starting from $(\mathfrak{M}, w; \mathfrak{M}', w')$.
(ii) finitely bisimilar, $(\mathfrak{M}, w) \sim_\omega (\mathfrak{M}', w')$, if $(\mathfrak{M}, w) \sim_n (\mathfrak{M}', w')$ for all $n \in \mathbb{N}$.

Note that 0-bisimulation equivalence is atom equivalence or modal equivalence $\equiv^{\mathrm{ML}}_0$,
indistinguishability at the propositional level.

Clearly n-bisimulation equivalence implies m-bisimulation equivalence for any m < n; 
(full) bisimulation equivalence implies finite bisimulation equivalence; and finite bisim- 
ulation equivalence implies n-bisimulation equivalence for any n. We shall return to 
the interesting relationship between finite and full bisimulation equivalence below, in 
connection with the Hennessy—Milner Theorem (theorem 38 below). 

A first connection between $\sim_n$ and $n$-equivalence is made in the following.


LEMMA 31. $(\mathfrak{M}, w) \sim_n (\mathfrak{M}', w') \;\Rightarrow\; (\mathfrak{M}, w) \equiv^{\mathrm{ML}}_n (\mathfrak{M}', w')$.


Indeed, if $\mathfrak{M}, w \models \varphi$ and $\mathfrak{M}', w' \models \neg\varphi$ for some $\varphi \in \mathrm{ML}_n$, then I has a winning
strategy in the n-round game from $(\mathfrak{M}, w; \mathfrak{M}', w')$. This is shown by induction on the
nesting depth $n$ of the distinguishing formula $\varphi$. At level $n = 0$, a distinction in $\mathrm{ML}_0$
means atomic inequivalence — corresponding to a configuration in which II has lost.

In the induction step, assume that $(\mathfrak{M}, w)$ is distinguished from $(\mathfrak{M}', w')$ by a formula
$\varphi \in \mathrm{ML}_{n+1}$. Propositional connectives in $\varphi$ can be unravelled so that without loss of
generality $\varphi$ is of the form $\Diamond\psi$ for some $\psi \in \mathrm{ML}_n$. Suppose then that for instance
$\mathfrak{M}', w' \models \neg\varphi$, while $\mathfrak{M}, w \models \varphi$. Let in that case I move the pebble in $\mathfrak{M}$ from $w$ to some
$u$, where $\mathfrak{M}, u \models \psi$. As $\mathfrak{M}', w' \models \neg\Diamond\psi$, any available response for II can only lead to a
configuration $(\mathfrak{M}, u; \mathfrak{M}', u')$ in which $(\mathfrak{M}, u)$ and $(\mathfrak{M}', u')$ are distinguished by $\psi \in \mathrm{ML}_n$.
Therefore, by the inductive hypothesis, I has a winning strategy for the remaining $n$
rounds of the game.


Characteristic formulae 


For the converse to the previous lemma, or for capturing the bounded bisimulation game
in terms of modal logic, it is essential that the underlying vocabulary is finite: both $\tau$
and $\Phi$ need to be finite. We again stick with the case of a single binary accessibility
relation $R$, but that restriction is purely for expository simplicity.

The crucial step in the transition from the bisimulation game to modal logic is the
formalisation, as a formula $\chi^n_{[\mathfrak{M},w]} \in \mathrm{ML}_n$, of

“II has a winning strategy in the n-round game from $(\mathfrak{M}, w; \mathfrak{M}', w')$”

as a property of $(\mathfrak{M}', w')$, for fixed reference structure $(\mathfrak{M}, w)$ and depth $n$. In fact $\chi^n_{[\mathfrak{M},w]}$
may be constructed by induction on $n$, simultaneously for all $(\mathfrak{M}, w)$. Along with the
induction one observes that $\sim_n$ has finite index, and that, correspondingly, we generate
only finitely many non-equivalent formulae $\chi^n_{[\mathfrak{M},w]}$ at level $n$ (for finite $\tau$ and $\Phi$!).

For $n = 0$, $\chi^0_{[\mathfrak{M},w]}$ is purely propositional and consists of the conjunction of all $p \in \Phi$
that are true in $w$ and all $\neg p$ for those that are false at $w$. This fixes the atomic
equivalence type, as it should.

Inductively, let

$$\chi^{n+1}_{[\mathfrak{M},w]} := \chi^{0}_{[\mathfrak{M},w]} \;\wedge\; \underbrace{\bigwedge_{(w,u)\in R} \Diamond\chi^{n}_{[\mathfrak{M},u]}}_{\text{forth}} \;\wedge\; \underbrace{\Box\bigvee_{(w,u)\in R} \chi^{n}_{[\mathfrak{M},u]}}_{\text{back}}.$$

Even for infinitely branching $\mathfrak{M}$, the conjunctions and disjunctions in this formula
remain finite up to logical equivalence as there are only finitely many formulae of the
respective kind.

Clearly $\mathfrak{M}, w \models \chi^{n+1}_{[\mathfrak{M},w]}$. But for arbitrary $(\mathfrak{M}', w')$, $\mathfrak{M}', w' \models \chi^{n+1}_{[\mathfrak{M},w]}$ indeed guarantees
II a winning strategy in the (n+1)-round game from $(\mathfrak{M}, w; \mathfrak{M}', w')$. The conjunct $\chi^0_{[\mathfrak{M},w]}$
guarantees that the game is not lost already. The back-and-forth attributions in the two
main conjuncts suggest how these are used to guarantee suitable responses, in the first
round, to challenges from I played in either $\mathfrak{M}$ (forth) or $\mathfrak{M}'$ (back), respectively.

The forth part says that for all moves from $w$ to some $u$ in $\mathfrak{M}$, $\mathfrak{M}', w' \models \Diamond\chi^n_{[\mathfrak{M},u]}$ and
any $R'$-successor $u'$ of $w'$ such that $\mathfrak{M}', u' \models \chi^n_{[\mathfrak{M},u]}$ provides a response for II that will
allow her to succeed through another $n$ rounds.

Similarly the back part says that for all moves from $w'$ to some $u'$ in $\mathfrak{M}'$, $\mathfrak{M}', u' \models \chi^n_{[\mathfrak{M},u]}$
for some $R$-successor $u$ of $w$ in $\mathfrak{M}$ — a response that is good for another $n$ rounds for II.

That failure of $\mathfrak{M}', w'$ to satisfy $\chi^n_{[\mathfrak{M},w]}$ affords I a win within $n$ rounds follows from
Lemma 31. Together, these observations yield the following tight connection between
the bisimulation game and modal equivalence.


THEOREM 32. Let $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$ be pointed Kripke structures of the same finite
type with finitely many atomic propositions. Then the following are equivalent:
(i) $(\mathfrak{M}, w) \sim_n (\mathfrak{M}', w')$.
(ii) II has a winning strategy in the n-round game from $(\mathfrak{M}, w; \mathfrak{M}', w')$.
(iii) $\mathfrak{M}', w' \models \chi^n_{[\mathfrak{M},w]}$.
(iv) $(\mathfrak{M}, w) \equiv^{\mathrm{ML}}_n (\mathfrak{M}', w')$.


As corollaries we obtain a corresponding characterisation of full modal equivalence,
and a normal form for ML formulae.


COROLLARY 33. Over Kripke structures of finite type and with finitely many atomic
propositions, finite bisimulation equivalence $\sim_\omega$ coincides with modal equivalence.


COROLLARY 34. Any formula $\varphi \in \mathrm{ML}_n$ is logically equivalent to the disjunction
$\bigvee_{\mathfrak{M},w \models \varphi} \chi^n_{[\mathfrak{M},w]}$, which is in fact finite as there are only finitely many such $\chi^n$ up to
logical equivalence (in the vocabulary of $\varphi$).

Similarly, for finite vocabularies, any class C of pointed Kripke structures that is closed
under n-bisimulation is definable in $\mathrm{ML}_n$ by the disjunction $\bigvee_{(\mathfrak{M},w)\in C} \chi^n_{[\mathfrak{M},w]}$.


Bisimulation-invariance of ML, Theorem 14, also becomes a simple corollary of the
analysis of the game. Indeed, $\varphi \in \mathrm{ML}_n$ is even invariant under n-bisimulation equivalence
$\sim_n$, which of course implies invariance under (full) bisimulation.
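
For finite structures the n-round game and the characteristic formulae can be computed directly, which makes the equivalence of (ii) and (iii) in Theorem 32 testable. The Python sketch below is an added example, not part of the handbook; the tuple encoding of formulae and the sample structures (a one-state loop, a path of length 3, and two small structures over p and q) are constructed for illustration.

```python
# A structure is {"R": state -> list of successors, "V": state -> atoms true
# there}. Formulae are tuples: ("p", name), ("not", f), ("and", f...),
# ("or", f...), ("dia", f), ("box", f). Empty "and" is true, empty "or" false.

def n_bisimilar(M, w, N, v, n):
    """True iff II has a winning strategy in the n-round game from (M, w; N, v)."""
    if M["V"][w] != N["V"][v]:           # atom equivalence violated: II has lost
        return False
    if n == 0:
        return True
    forth = all(any(n_bisimilar(M, u, N, u2, n - 1) for u2 in N["R"][v])
                for u in M["R"][w])
    back = all(any(n_bisimilar(M, u, N, u2, n - 1) for u in M["R"][w])
               for u2 in N["R"][v])
    return forth and back

def chi(M, w, n, props):
    """Characteristic formula of (M, w) at depth n over the finite atom set props."""
    chi0 = ("and",) + tuple(("p", p) if p in M["V"][w] else ("not", ("p", p))
                            for p in sorted(props))
    if n == 0:
        return chi0
    # Collecting successors' formulae in a set keeps one copy of each.
    succ = sorted({chi(M, u, n - 1, props) for u in M["R"][w]}, key=repr)
    forth = tuple(("dia", c) for c in succ)
    back = ("box", ("or",) + tuple(succ))
    return ("and", chi0) + forth + (back,)

def holds(M, w, f):
    """Truth of formula f at state w of M."""
    op = f[0]
    if op == "p":
        return f[1] in M["V"][w]
    if op == "not":
        return not holds(M, w, f[1])
    if op == "and":
        return all(holds(M, w, g) for g in f[1:])
    if op == "or":
        return any(holds(M, w, g) for g in f[1:])
    if op == "dia":
        return any(holds(M, u, f[1]) for u in M["R"][w])
    if op == "box":
        return all(holds(M, u, f[1]) for u in M["R"][w])
    raise ValueError(op)

def depth(f):
    """Nesting depth of modal operators."""
    if f[0] == "p":
        return 0
    if f[0] in ("dia", "box"):
        return 1 + depth(f[1])
    return max((depth(g) for g in f[1:]), default=0)

def theorem32_agrees(M, N, max_n, props):
    """Game outcome and truth of chi coincide for all states and all n <= max_n."""
    return all(n_bisimilar(M, w, N, v, n) == holds(N, v, chi(M, w, n, props))
               for n in range(max_n + 1) for w in M["R"] for v in N["R"])

# Constructed samples.
LOOP = {"R": {"m": ["m"]}, "V": {"m": frozenset()}}
PATH3 = {"R": {0: [1], 1: [2], 2: [3], 3: []},
         "V": {i: frozenset() for i in range(4)}}
S1 = {"R": {"a": ["b", "c"], "b": [], "c": ["a"]},
      "V": {"a": frozenset({"p"}), "b": frozenset(), "c": frozenset({"q"})}}
S2 = {"R": {"x": ["y", "z"], "y": [], "z": ["x", "y"]},
      "V": {"x": frozenset({"p"}), "y": frozenset(), "z": frozenset({"q"})}}

if __name__ == "__main__":
    print([n_bisimilar(LOOP, "m", PATH3, 0, n) for n in range(6)])
    print(theorem32_agrees(S1, S2, 4, ["p", "q"]))
```

The loop and the path of length 3 are n-bisimilar exactly for n up to 3, the finite counterpart of the finite-path versus infinite-path contrast used later in Example 37.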


3.3 Finite model property 


A logic $\mathcal{L}$ has the finite model property (FMP) iff every satisfiable formula of $\mathcal{L}$ is
satisfiable in a finite model, i.e., if satisfiability and satisfiability in finite structures coincide
for $\mathcal{L}$.

For specific modal logics (e.g., normal extensions of basic modal logic) the implicit
restriction to a prescribed class of admissible frames corresponds to a relativisation of
the above criterion to the respective classes of (infinite or finite) admissible models. So
the finite model property for S5 say, states that any formula of ML that is satisfiable
over some equivalence frame is also satisfiable over some finite equivalence frame.
The finite model property is a characteristic feature of many modal logics. For any
modal logic with a recursive axiomatisation (such that it is recursively enumerable for
the finite
model property provides a standard method for proving decidability.⁴ Here we briefly
discuss the general filtration method for establishing the finite model property for modal
logics. For basic modal logic we illustrate in section 3.3 that it even has a finite tree
model property: every satisfiable formula has a finite tree model.⁵


Filtration 


Filtration is the most widely used method for proving the finite model property in modal
logics, particularly those determined by classes of frames with specific properties of the
accessibility relation. This method is originally due to McKinsey who first applied an
algebraic version of it in modal logic. Filtration was introduced in its present form by
Lemmon and Scott [91] and further developed and applied by Segerberg [117]. Gabbay
[31] introduced a different version, called selective filtration. Later, Fisher and Ladner
[29] proved the finite model property of propositional dynamic logic PDL using filtration.

Given a formula $\varphi$ of a modal logic $L$ and a Kripke structure $\mathfrak{M}$ (of type appropriate
for $L$) satisfying $\varphi$, we want to produce a finite Kripke structure $\widehat{\mathfrak{M}}$ (of appropriate
type) satisfying $\varphi$. The method of filtration provides a transformation from models $\mathfrak{M}$
to finite models $\widehat{\mathfrak{M}}$ in a uniform manner with respect to $\varphi$ and $\mathfrak{M}$. Before outlining the
construction let us note that the satisfiability of a modal formula $\varphi$ in a Kripke structure
only depends on the truth of the (finitely many) subformulae of $\varphi$ across that structure.
Therefore, two states in a Kripke structure that satisfy the same subformulae of $\varphi$ are
indistinguishable from the viewpoint of $\varphi$. Sometimes it is necessary to extend the set of
subformulae of $\varphi$ to a wider but still finite set of formulae, called the closure of $\varphi$ and
denoted by $\mathrm{cl}(\varphi)$. Thus, $\mathrm{cl}(\varphi)$ partitions the model into finitely many equivalence classes
of states, all states in each class satisfying the same subset of $\mathrm{cl}(\varphi)$. The underlying idea
of the filtration method is to collapse the infinite model to its finite quotient with respect
to the equivalence relation generated by that partition, in a way that preserves the truth
of all formulae in $\mathrm{cl}(\varphi)$, and hence of $\varphi$ itself.


The equivalence relation itself can be thought of as coarse-grained approximation to
bisimulation equivalence that is specific to the given formula $\varphi$. It is meant to preserve
$\varphi$ but needs to do so at a coarser level than bisimulation to be of finite index. Note
that n-bisimulation $\sim_n$ can also serve as a finite index approximation but, because of
its graded nature, does not lend itself to taking quotients in the desired global manner.
This is because $\mathfrak{M}, u \sim_n \mathfrak{M}, u'$ (i.e., that $u$ and $u'$ are of the same n-bisimulation type)
does not imply that the same n-bisimulation types are accessible from $u$ and $u'$.

⁴ However, not every modal logic with the finite model property is decidable; see for instance $K \times K \times K$
in [35].

⁵ In general, the finite model property and the tree model property are independent. While the tree
model property can account for the decidability of the basic systems of modal logic and many of its
extensions and variations (see section 5), it does not apply to axiomatic extensions which impose specific
restrictions on the frames that are incompatible with tree-like structures like symmetry or confluence of
the accessibility relation.

Here are the formal details. Take any Kripke structure $\mathfrak{M} = (W, R, V)$ and a set
of formulae $\Gamma$, which is assumed to be closed under subformulae, single negation (i.e.,
if $\varphi \in \Gamma$ is not a negation itself, then $\neg\varphi \in \Gamma$) and under $\Box/\Diamond$ duality. Define an
equivalence relation $\sim_\Gamma$ on $W$ as follows:


$u \sim_\Gamma w$ iff for every $\psi \in \Gamma$: $\mathfrak{M}, u \models \psi \;\Leftrightarrow\; \mathfrak{M}, w \models \psi$.


Let $[w]_\Gamma$ be the equivalence class of $w$ with respect to $\sim_\Gamma$ and $W_\Gamma = \{[w]_\Gamma \mid w \in W\}$.
Note that if $\Gamma$ is finite, then $W_\Gamma$ is finite, too. Further, the valuation $V$ is collapsed to
a valuation $V_\Gamma$ in $W_\Gamma$ for all $p \in \Gamma$ canonically: $V_\Gamma(p) = \{[w]_\Gamma \mid w \in V(p)\}$; for all other
variables $q$, $V_\Gamma$ is defined arbitrarily, e.g., $V_\Gamma(q) = \emptyset$.

Now, we say that a Kripke structure $\widehat{\mathfrak{M}} = (W_\Gamma, \widehat{R}, V_\Gamma)$ is a filtration of $\mathfrak{M}$ with respect
to $\Gamma$ if for every $\varphi \in \Gamma$ and $w \in W$: $\mathfrak{M}, w \models \varphi$ iff $\widehat{\mathfrak{M}}, [w]_\Gamma \models \varphi$. With a slight abuse of
terminology, we also say that $\widehat{R}$ is a filtration of $R$ with respect to $\Gamma$.

There are two simple conditions on the relation $\widehat{R}$ which guarantee that it is a filtration
of $R$ with respect to $\Gamma$. They give lower and upper bounds for that relation, respectively:


MIN. For every $u, w \in W$, if $uRw$, then $[u]_\Gamma \widehat{R} [w]_\Gamma$.


MAX. For every $[u]_\Gamma, [w]_\Gamma \in W_\Gamma$, if $[u]_\Gamma \widehat{R} [w]_\Gamma$, then for every $\Box\psi \in \Gamma$:
if $\mathfrak{M}, u \models \Box\psi$, then $\mathfrak{M}, w \models \psi$.⁶


By induction on $\varphi$ one can prove that for every $\widehat{R}$ satisfying these conditions, the
structure $\widehat{\mathfrak{M}} = (W_\Gamma, \widehat{R}, V_\Gamma)$ is indeed a filtration of $\mathfrak{M}$ with respect to $\Gamma$, and this claim
is known as the filtration lemma. Often, the conditions MIN and MAX are adopted as
the definition of a filtration of $R$, and the filtration lemma then claims that they imply
that $\widehat{\mathfrak{M}}$ has the desired property.

Does every Kripke structure have a filtration with respect to any set of formulae $\Gamma$?
Yes: converting the implication to equivalence in either of the conditions MIN and MAX
defines a relation that satisfies the other condition, too, and hence renders a filtration:


• the minimal filtration $\mathfrak{M}^{\min}_\Gamma = (W_\Gamma, R^{\min}_\Gamma, V_\Gamma)$, $R^{\min}_\Gamma = \{([u]_\Gamma, [w]_\Gamma) \mid (u, w) \in R\}$;


• the maximal filtration $\mathfrak{M}^{\max}_\Gamma = (W_\Gamma, R^{\max}_\Gamma, V_\Gamma)$, where $[u]_\Gamma R^{\max}_\Gamma [w]_\Gamma$ holds iff for
every $\Box\psi \in \Gamma$, $\mathfrak{M}, u \models \Box\psi$ implies $\mathfrak{M}, w \models \psi$.


Clearly, every relation $\widehat{R}$ such that $R^{\min}_\Gamma \subseteq \widehat{R} \subseteq R^{\max}_\Gamma$ is a filtration, too.

Now, given a formula $\varphi$ and a pointed Kripke structure $(\mathfrak{M}, u)$ such that $\mathfrak{M}, u \models \varphi$,
applying the filtration construction to $\Gamma = \mathrm{cl}(\varphi)$ produces a finite pointed Kripke
structure $(\widehat{\mathfrak{M}}, [u]_\Gamma)$ that satisfies $\varphi$, whence basic modal logic (modal logic K) has the
finite model property.
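
The minimal and maximal filtrations and the filtration lemma can be computed and checked on a finite structure. The Python sketch below is an added example, not part of the handbook; as a simplifying assumption it takes the box as the only primitive modality and reads the diamond as not-box-not, so that closure under duality needs no extra formulae, and the 60-state cycle and the formula are constructed for illustration.

```python
# Formulae are tuples built from ("p", name), ("not", f), ("and", f, g) and
# ("box", f). A structure is {"R": state -> successors, "V": state -> atoms}.

def dia(f):
    """Diamond as an abbreviation (assumption of this example)."""
    return ("not", ("box", ("not", f)))

def closure(f):
    """Subformulae of f, closed under single negation."""
    subs, todo = set(), [f]
    while todo:
        g = todo.pop()
        if g not in subs:
            subs.add(g)
            if g[0] != "p":
                todo.extend(g[1:])
    return subs | {("not", g) for g in subs if g[0] != "not"}

def truth_set(M, f):
    """Set of states of M at which f is true, computed bottom-up."""
    W = set(M["R"])
    if f[0] == "p":
        return {w for w in W if f[1] in M["V"][w]}
    if f[0] == "not":
        return W - truth_set(M, f[1])
    if f[0] == "and":
        return truth_set(M, f[1]) & truth_set(M, f[2])
    inner = truth_set(M, f[1])                       # f is ("box", g)
    return {w for w in W if set(M["R"][w]) <= inner}

def filtrate(M, gamma, kind):
    """Minimal ("min") or maximal ("max") filtration of M through gamma.
    The class [w] is represented by its type: the gamma-formulae true at w."""
    sets = {g: truth_set(M, g) for g in gamma}
    typ = {w: frozenset(g for g in gamma if w in sets[g]) for w in M["R"]}
    classes = set(typ.values())
    if kind == "min":
        edges = {(typ[u], typ[w]) for u in M["R"] for w in M["R"][u]}
    else:
        # [u] R_max [w] iff every box-formula true at u has its body true at w.
        edges = {(s, t) for s in classes for t in classes
                 if all(g[1] in t for g in s if g[0] == "box")}
    F = {"R": {s: [t for (x, t) in edges if x == s] for s in classes},
         "V": {s: {g[1] for g in s if g[0] == "p"} for s in classes}}
    return F, typ, edges

def lemma_holds(M, gamma, kind):
    """Filtration lemma: each gamma-formula has the same truth value at w and [w]."""
    F, typ, _ = filtrate(M, gamma, kind)
    return all((w in truth_set(M, g)) == (typ[w] in truth_set(F, g))
               for g in gamma for w in M["R"])

# Constructed sample: a 60-state cycle, p on even states, q on multiples of 3.
CYCLE = {"R": {i: [(i + 1) % 60] for i in range(60)},
         "V": {i: {x for x, k in (("p", 2), ("q", 3)) if i % k == 0}
               for i in range(60)}}
PHI = dia(("and", ("p", "p"), dia(("p", "q"))))
GAMMA = closure(PHI)

if __name__ == "__main__":
    F, typ, e_min = filtrate(CYCLE, GAMMA, "min")
    _, _, e_max = filtrate(CYCLE, GAMMA, "max")
    print(len(GAMMA), "formulae,", len(F["R"]), "classes,",
          len(e_min), "minimal edges,", len(e_max), "maximal edges")
    print(lemma_holds(CYCLE, GAMMA, "min"), lemma_holds(CYCLE, GAMMA, "max"))
```

On this sample the 60 states collapse to 6 classes, and the minimal relation is strictly contained in the maximal one, so every relation between the two is again a filtration.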

This method can be refined to establish the finite model property for axiomatic extensions
$L$ of K, too, by adjusting the definition of $\widehat{R}$ so as to preserve the desired
properties of the original structure $\mathfrak{M}$, such as transitivity, linearity etc., or to impose
such properties on the resulting structure $\widehat{\mathfrak{M}}$ and thus to eventually guarantee that it is a
model appropriate for the desired modal logic $L$. Examples of filtrations for a number of
important modal and temporal logics, such as T, K4, S4, and the logics of various linear
orderings can be found in [91, 117, 46]. A more general result, extending a theorem of
Lewis [92], is [122, Theorem 2.6.8] stating that every modal logic axiomatised by a finite
set of shallow formulae (see Section 8.2) admits filtration.


⁶ This condition does not depend on the choice of representatives $u$ and $w$, as $\psi, \Box\psi \in \Gamma$.

Finite tree model property


Before returning to the relationship between bisimulation and finite bisimulation in the
next section, we apply the preservation result of Lemma 31 to an alternative, simple
proof of the finite model property for basic modal logic, by establishing a stronger (finite)
tree model property.


LEMMA 35 (finite tree model property). For every n € N, every pointed Kripke struc- 
ture of finite relational type is n-bisimilar to a finite tree structure. Consequently, any 
satisfiable formula of ML is satisfied at the root of a finite tree. 


Proof. According to section 2.2 the unfolding $\vec{\mathfrak{M}}[u]$ of $(\mathfrak{M}, u)$ provides a bisimilar tree
structure. As we only need n-bisimulation equivalence, we may cut off $\vec{\mathfrak{M}}[u]$ at depth
$n$ from its root $u$, to obtain a tree structure $(\vec{\mathfrak{M}}[u]{\restriction}U^n(u), u) \sim_n (\mathfrak{M}, u)$ whose depth
is bounded by $n$, where $U^n(u)$ stands for the set of nodes at distance up to $n$ from $u$.
This tree structure may still be infinite, due to infinite branching. In that case, however,
we may prune successors at every node to retain at most one representative of each $\sim_n$
equivalence class. As $\sim_n$ has finite index (for finite vocabulary; see section 3.2), the
resulting tree structure is finite. ∎


Finite branching, as well as a finite bound on the number of bisimulation types, are
obvious for finite $\mathfrak{M}$, but a finite pointed Kripke structure $(\mathfrak{M}, u)$ in which a directed
cycle is reachable from $u$ cannot be bisimilar to a finite tree structure. Locally, however,
this can be achieved in partial unfoldings.


LEMMA 36. Let $n \in \mathbb{N}$. Every finite pointed Kripke structure $(\mathfrak{M}, u)$ is bisimilar to a
finite pointed structure $(\widehat{\mathfrak{M}}, \hat{u})$ whose restriction to depth $n$ from the distinguished node
$\hat{u}$ is a tree structure.


Proof. Let $(\vec{\mathfrak{M}}[u]{\restriction}U^n(u), u)$ be as in the proof of the last lemma (now finite). For each
leaf node of this structure, take a new disjoint isomorphic copy of $\mathfrak{M}$ itself and identify
the leaf node with its bisimilar partner node in that copy of $\mathfrak{M}$. The resulting structure
is finite, bisimilar to $(\mathfrak{M}, u)$ and tree-like up to distance $n$ from the distinguished node. ∎


Remarks. Results of this type can be carried much further. For instance, a more involved 
construction yields finite two-way bisimilar companions which are acyclic in restriction 
to the n-neighbourhood of any node [106, 107]. Such locally acyclic finite bisimilar covers 
are available also in restriction to various other non-elementary classes of frames, e.g., 
within the classes of all (finite) rooted frames or finite equivalence frames [17]. 

It is also interesting to note that finite and bisimilar (M, u) and (M′, u′) admit finite
bisimilar companions (M̂, û) and (M̂′, û′), respectively, whose restrictions to depth n
from their distinguished nodes û and û′ are even isomorphic tree structures. For this, we
take (M̂, û) and (M̂′, û′) as from the proof above and modify them by merely attaching
extra isomorphic copies of substructures at nodes in the tree parts so as to achieve equal
multiplicities for all bisimulation types at each node in the tree parts. It then follows
that the tree parts are isomorphic.


3.4 Finite versus full bisimulation


For the relationship between finite and full bisimulation equivalence, we note that finite 
bisimulation equivalence can be strictly weaker in structures with infinite branching. A 
typical example of tree structures with (M, w) ⇌_ω (M′, w′) but (M, w) ⇌̸ (M′, w′) is
the following. 


EXAMPLE 37. Let (M, w) and (M′, w′) be tree Kripke structures with trivial valuations,
rooted at w and w′, respectively. Let the roots have countably many distinct successors
u_i, i ≥ 1 in M and u′_i, i ≥ 0 in M′. For i ≥ 1, we let each of u_i and u′_i be the starting
point of a simple finite path of length i. We let the extra node u′_0 in M′ be the root of
a simple infinite path. Then (M, w) ⇌̸ (M′, w′): let I move in M′ from w′ to u′_0; the
second player must move to one of the u_i for i ≥ 1 in M; let then I lead the play in M′
along the infinite path: II gets stuck and loses in round i+2 when the end of the length i
path from u_i has been reached. On the other hand, (M, w) ⇌_n (M′, w′) for every n ∈ ℕ,
since any two paths of lengths greater than or equal to n look exactly the same in an
n-round game.


However, infinite branching is essential to this phenomenon, as the following shows. 


THEOREM 38 (Hennessy–Milner theorem). Let M and M′ both be finitely branching,
i.e., every state in either structure has only finitely many immediate successors.

Then (M, w) ⇌_ω (M′, w′) implies (M, w) ⇌ (M′, w′). Consequently, over finitely
branching Kripke structures, modal equivalence coincides with bisimulation equivalence.


Proof. The argument is best given via the games. We claim that II can maintain
(M, w) ⇌_ω (M′, w′) indefinitely – which gives her a winning strategy for the infinite
game. For instance, let I play in M and move the pebble from w to u. Suppose that
for all responses u′ available to II in M′, (M, u) ⇌̸_ω (M′, u′). As there are only finitely
many choices for u′ due to finite branching, we can find a sufficiently large n ∈ ℕ such
that (M, u) ⇌̸_n (M′, u′) for all u′ with (w′, u′) ∈ R′. But this would imply (M, w) ⇌̸_{n+1}
(M′, w′), contradicting the assumption (M, w) ⇌_ω (M′, w′). □


Unlike the Hennessy—Milner theorem, which is rather specific for bisimulation, the 
following observation rests on arguments from classical model theory, to do with satu- 
ration properties, and highlights a more general principle that applies to any finitary 
versus unbounded game equivalences of the Ehrenfeucht–Fraïssé variety; see for instance
[108]. Saturation properties refer to the realisation of types. We think of a type as the 
formalisation of the properties of an element, through a set of formulae using constants 
for parameters from a given structure. 

With a first-order language L and a set of parameters A ⊆ W of the universe W of
some structure M, associate the expansion L_A of L with a constant name for each
element of A; the corresponding expansion of M is denoted M_A.


DEFINITION 39. An element type with parameters in A (in the first-order language L_A)
is a set Σ of L_A-formulae in a single free element variable x. The type Σ is a type of M_A
if it is (finitely) consistent with the theory of M_A, in the sense that M_A ⊨ ∃x ⋀Σ_0 for
every finite Σ_0 ⊆ Σ. The type Σ is realised in M_A if M_A, w ⊨ Σ for some element w.

A structure M is ω-saturated if for every finite subset A every type of M_A is realised
in M_A.

Interesting properties are often expressible by types rather than by an individual
formula. For instance, an R-successor of w ∈ M from which there are arbitrarily long
R-paths is described by the type Σ_w := {Rwx} ∪ {ST(◇^n⊤; x) | n ∈ ℕ} with parameter
w from M. Note that this is a type of M iff there are arbitrarily long R-paths from
w ∈ M. This does not imply that M itself has a realisation of the type – a successor u
of w that simultaneously satisfies all the requirements in Σ_w. By compactness, however,
every structure M has an ω-saturated elementary extension, cf. [12]. Let M* be such
an elementary extension of M. For w ∈ M, Σ_w is a type of M* if it is a type of M.
If Σ_w for w ∈ M* is a type of M*, then there also is some R-successor u of w in M*
such that M*, u ⊨ ◇^n⊤ for all n; hence Σ_u will also be a type of M* and repeating
the argument inductively we find that M* has an infinite path from w. In ω-saturated
models, therefore, any element from which there are arbitrarily long paths, will also have
an infinite path. Similar reasoning extends to provide responses for II in the infinite
game over M* to meet any challenge from I, provided she has responses that are good
for n rounds, for each n. In other words, playing over ω-saturated structures, II has a
winning strategy in the infinite game whenever she has, for every n, a winning strategy
for the n-round game. The proof is analogous to that given for Proposition 87 below;
in the terminology to be introduced there, the class of ω-saturated structures has the
Hennessy–Milner property.


REMARK 40. As shown in section 6.3, ⇌_ω coincides with ⇌ in restriction to
ω-saturated structures.


In the bisimulation context weaker forms of saturation suffice, and in that sense the 
Hennessy—Milner theorem may be regarded as a special case. See section 6.3 for more on 
(modal) saturation. 


Bisimulation and infinitary modal equivalence 


Since, over infinitely branching structures, equivalence with respect to ordinary modal
logic only reaches up to the level of finite bisimulation equivalence, ⇌_ω, the question
of the actual logical counterpart to full bisimulation equivalence arises. The situation is
entirely similar to that in classical first-order logic, where it is clarified by Karp’s theorem
[82] (see also [68]). While the classical Ehrenfeucht–Fraïssé theorem associates finitary
game equivalence (the back-and-forth notion of finite isomorphism between structures)
with elementary equivalence, full infinitary game equivalence (the back-and-forth notion
of partial isomorphism between structures) corresponds to equivalence with respect to the
infinitary logic L_∞ω whose syntax allows for disjunctions and conjunctions over arbitrary
sets of formulae, [68, 108]. In order to extend modal logic ML to its infinitary variant
ML_∞ we put the following additional clause for formula formation. If Ψ is any set
of formulae of ML_∞, then ⋀Ψ and ⋁Ψ are formulae of ML_∞. These formulae have
an ordinal-valued nesting depth, based on the usual rules for the finitary constructors
of ML (see Definition 1) together with the extra stipulation that the nesting depth of
an infinitary conjunction or disjunction is the supremum of the nesting depths of the
constituent formulae. The semantics of the infinite conjunctions and disjunctions is the
natural one; with, e.g., M, w ⊨ ⋁Ψ iff M, w ⊨ ψ for some ψ ∈ Ψ.

Completely analogous to the treatment of the finitary game in relation to finitary 
modal logic, we then get the following. (As a side effect of the availability of infinitary 
conjunctions and disjunctions, we need not restrict the underlying vocabularies to be 
finite.) Comparison with the classical version of Karp’s theorem highlights the observa-
tion that bisimulation is for modal model theory what partial isomorphism is for classical 
model theory. 


THEOREM 41 (Karp’s theorem for modal logic). Let (M, w) and (M′, w′) be Kripke
structures of the same type. Then the following are equivalent:

(i) (M, w) ⇌ (M′, w′).

(ii) II has a winning strategy in the infinite bisimulation game from (M, w; M′, w′).

(iii) (M, w) ≡_{ML_∞} (M′, w′).


Proof. (i) ⇔ (ii) is obvious. For (ii) ⇒ (iii) compare Lemma 31: similar to there,
if (M, w) is distinguished from (M′, w′) by a formula of nesting depth α, then one can
find a move for I which will force a successor configuration in which the positions are
distinguished at some nesting depth β < α. By well-foundedness this gives I a winning
strategy. For (iii) ⇒ (ii) one observes that II can maintain ML_∞ equivalence indefinitely. □


Remark. Characteristic formulae χ^α_[M,u] with an ordinal parameter α for their nesting
depth, can still be defined inductively in a canonical way. (The analogous infinitary
formulae for the infinite first-order Ehrenfeucht–Fraïssé game are known as Scott formulae,
see for instance [68].) For the infinite game over infinitely branching M, a position in
which players may have infinitely many non-equivalent choices for a next move, is
adequately described by an infinite conjunction ⋀ ◇χ_i in conjunction with □⋁ χ_i, where
each χ_i describes the bisimulation type of one potential successor in the game over M,
at a nesting depth level that typically needs to be an infinite ordinal. A sufficiently high
nesting depth that can be used uniformly across a given M[u] is the least ordinal α such
that any two states in M[u] that are equivalent at nesting depth α in ML_∞ are equivalent
at nesting depth α+1. For this α, equivalence at nesting depth α implies equivalence
at any nesting depth, i.e., full ML_∞ equivalence, and hence bisimilarity. (The minimal
such α is the closure ordinal of the co-inductive definition of the bisimulation relation
over M[u], also compare section 3.5.)

That a given α has this property for M[u] is itself expressible in ML_∞. The defining
property of α is equivalent to the assertion that, for all v ∈ M[u], M[u] ⊨ χ^α_[M,v] → χ^{α+1}_[M,v].
Let Y^α be the conjunction of all formulae


□^n ⋀_{v ∈ M[u]} (χ^α_[M,v] → χ^{α+1}_[M,v]).


Then M, u ⊨ Y^α iff within M[u], the ML_∞ type at nesting depth α+1 is fully determined
by the type at nesting depth α. The conjunction χ_[M,u] := Y^α ∧ χ^α_[M,u], for suitable α,
characterises (M, u) up to bisimulation, thus providing a canonical characteristic formula
in ML_∞.

Unlike the definability assertion of Corollary 34, however, bisimulation closure of a
class C of Kripke structures on its own does not guarantee definability in ML_∞. In
the example of Observation 42 below, the relevant disjunction of characteristic formulae
would be class-sized, and hence not in ML_∞. However, definability of C in ML_∞ does
follow, for instance, if C comprises only set-many different bisimulation types (which
is in particular the case for the setting of finite model theory, or in restriction to any
other class of bounded cardinality). This is sufficient to ensure that C is definable by a
disjunction over characteristic formulae analogous to Corollary 34.


OBSERVATION 42. Well-foundedness, or the class of all pointed Kripke structures
(M, u) in which there is no infinite path from u, is not definable in infinitary modal
logic ML_∞.


This class is definable by the modal μ-calculus L_μ formula μX.□X (see section 5.2)
and hence in monadic second-order logic MSO.⁷ On the other hand, well-foundedness is
not even definable in infinitary first-order logic L_∞ω [95]. We sketch a direct proof of
non-definability in ML_∞.

For an ordinal α consider the Kripke structure M_α = ({β | β ≤ α}, R) with R =
{(β, β′) | β′ < β ≤ α} the inverse of the order relation on these ordinals, and its
modification M′_α with R replaced by R′ = R ∪ {(α, α)}. We show by induction on the
ordinal γ that (M′_α, α) ≡_γ (M_α, β) (equivalence in ML_∞ up to nesting depth γ) for all
α ≥ β ≥ γ. It follows that no formula of ML_∞ can separate the well-founded (M_α, α)
from the non-wellfounded (M′_α, α) for all α.

The claim is obvious for γ = 0; also the limit steps are trivial. For the successor
step, from γ to γ+1, consider α ≥ β ≥ γ+1; it suffices to show that then even
M′_α, α ⊨ ◇ψ ⇔ M_α, β ⊨ ◇ψ for ψ of nesting depth γ. The only non-trivial instance
of this assertion is when M′_α, α ⊨ ◇ψ because M′_α, α ⊨ ψ. But then M_α, γ ⊨ ψ by the
inductive hypothesis. It follows that M_α, β ⊨ ◇ψ as β ≥ γ+1 implies that (β, γ) ∈ R.


3.5 Largest bisimulations as greatest fixed points 


The union of all bisimulation relations between two given Kripke structures is again a 
bisimulation relation, and hence a maximal bisimulation in the sense of set inclusion. 
Such largest bisimulations can also be defined co-inductively, and be understood as the 
greatest fixed-point of suitable monotone operators. Again, and purely for expository 
purposes, we sketch this approach in the simple case of a single accessibility relation R. 

Let X ⊆ W × W′, and let w ∈ W and w′ ∈ W′ be atom equivalent (w ~ w′). Let us say
that the pair (w, w′) has the back-and-forth property w.r.t. X iff player II has a single
round strategy to lead the bisimulation game from (M, w; M′, w′) to a configuration
(M, u; M′, u′) such that (u, u′) ∈ X. (Note that the back-and-forth conditions for a
bisimulation relation say that each of its pairs has the back-and-forth property w.r.t. the
relation itself.)

Consider the following operator F on subsets X ⊆ W × W′:


F(X) := {(w, w′) ∈ X | (w, w′) has the back-and-forth property w.r.t. X}.


The operator F is monotone in the sense that X ⊆ Y ⇒ F(X) ⊆ F(Y). It therefore
has a unique greatest fixed point in restriction to any subset of W × W′. We are interested
in the greatest fixed point of F that respects atom equivalence, and therefore consider the
restriction F_0 of F to X_0 := {(u, u′) ∈ W × W′ | u ~ u′}. Let ρ := gfp(F_0) ⊆ X_0 be this
greatest fixed point. Being a fixed point of F within X_0, ρ respects atom equivalence;
being a fixed point of F, ρ has the back-and-forth property. So ρ is a bisimulation. As
any bisimulation between M and M′ must also be a fixed-point of F_0, ρ is the largest
such.


⁷ Note that this is definability in the sense of (local) Kripke structure semantics, albeit in a logic which
is itself of a second-order nature, and should not be confused with the modal definability of the class of
transitive well-founded frames.


REMARK 43. The stages of the evaluation of gfp(F_0) produce a monotone decreasing
ordinal-indexed sequence of subsets X_α ⊆ W × W′ according to


X_0 = {(u, u′) ∈ W × W′ | u ~ u′}
X_{α+1} = F_0(X_α) (successor stage)
X_λ = ⋂_{α<λ} X_α (limit stage)


which is eventually constant with value gfp(F_0). The least ordinal α such that X_{α+1} =
X_α is called the closure ordinal of this greatest fixed point evaluation over M and M′.
This closure ordinal is bounded by the number of bisimulation types realised in M and
M′. For cardinality reasons it is in particular strictly less than the successor cardinal of
|W| + |W′|.

Over finite Kripke structures in particular, the limit gfp(Fo) is reached within a number 
of iterations bounded by |W|+|W’|, whence the largest bisimulation is polynomial time 
computable. 

One verifies by induction that, for n ∈ ℕ, X_n is the subset


X_n = {(u, u′) ∈ W × W′ | (M, u) ⇌_n (M′, u′)}

and correspondingly that

X_ω = {(u, u′) ∈ W × W′ | (M, u) ⇌_ω (M′, u′)}.


Closure within m := |W| + |W′| steps for finite Kripke structures, implies that, in
restriction to M and M′, m-bisimulation equivalence ⇌_m and hence equivalence in ML_m,
coincide with full bisimulation equivalence ⇌ and equivalence in ML. This quantitative
analysis provides a direct proof of the Hennessy–Milner theorem (with additional a priori
bounds) in the special case of finite (rather than just finitely branching) Kripke structures.


3.6 Bisimulation quotients and canonical representatives 


Bisimulation quotients provide canonical minimal bisimilar companions, in which every 
bisimulation type is realised only once. They thus form succinct representations of the 
overall bisimulation type of a structure M. There is an analogy with filtrations (compare 
section 3.3), but here the quotient is taken with respect to the largest bisimulation within 
the given structure, rather than with respect to some coarser equivalence induced by some 
set of modal formulae. Passage to bisimulation quotients is often desirable for complexity 
reasons, for instance for model checking of bisimulation invariant properties. Bisimulation 
quotients of finite structures are polynomial time computable, as the largest bisimulation 
is polynomial time computable over finite structures as a greatest fixed point. 

For a Kripke structure M = (W, (R_α)_{α∈τ}, V), consider the largest bisimulation within
M itself, ρ^M = {(u, u′) | (M, u) ⇌ (M, u′)} ⊆ W², as an equivalence relation on W.
Let us write [u]_ρ for the equivalence class of u ∈ W. Note that ρ^M is a congruence
w.r.t. the valuation V (by atom equivalence). Therefore V induces a natural quotient
valuation V/ρ^M on the quotient W/ρ^M. While ρ^M is not in general a congruence w.r.t.
the R_α, clearly (w, u) ∈ R_α implies that for any w′ ∈ [w]_ρ there is u′ ∈ [u]_ρ such that
(w′, u′) ∈ R_α (by the back and forth conditions). A natural quotient interpretation for
the R_α over W/ρ^M therefore is


R_α/ρ^M = {([w]_ρ, [u]_ρ) ∈ (W/ρ^M)² | (w, u) ∈ R_α}.


DEFINITION 44. The bisimulation quotient M/ρ^M is the Kripke structure with universe
W/ρ^M = {[u]_ρ | u ∈ W}, accessibility relations R_α/ρ^M and valuation V/ρ^M.


LEMMA 45. The canonical projection π: W → W/ρ^M from M onto its bisimulation
quotient M/ρ^M is a surjective bounded morphism.
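
An added example (not from the handbook): the stage-wise evaluation of gfp(F_0) described in Remark 43 and the quotient of Definition 44, for finite structures with a single accessibility relation. The tuple encoding (W, R, V) with successor sets, the function names and the three sample structures are assumptions constructed for illustration.

```python
def back_and_forth(w, w2, X, R, R2):
    """True iff the pair (w, w2) has the back-and-forth property w.r.t. X."""
    forth = all(any((u, u2) in X for u2 in R2[w2]) for u in R[w])
    back = all(any((u, u2) in X for u in R[w]) for u2 in R2[w2])
    return forth and back


def gfp_stages(M, M2):
    """Return [X_0, X_1, ..., X_k] with X_{i+1} = F_0(X_i) and X_k = gfp(F_0)."""
    (W, R, V), (W2, R2, V2) = M, M2
    X = {(u, u2) for u in W for u2 in W2 if V[u] == V2[u2]}  # X_0: atom equivalence
    stages = [X]
    while True:
        nxt = {(w, w2) for (w, w2) in X if back_and_forth(w, w2, X, R, R2)}
        if nxt == X:          # X_{k+1} = X_k: the closure ordinal k is reached
            return stages
        stages.append(nxt)
        X = nxt


def largest_bisimulation(M, M2):
    """The greatest fixed point itself, i.e. the largest bisimulation."""
    return gfp_stages(M, M2)[-1]


def quotient(M):
    """Bisimulation quotient of M, plus the canonical projection u -> [u]."""
    W, R, V = M
    rho = largest_bisimulation(M, M)
    cls = {u: frozenset(v for v in W if (u, v) in rho) for u in W}
    Wq = set(cls.values())
    Rq = {c: {cls[u] for w in c for u in R[w]} for c in Wq}
    Vq = {c: V[next(iter(c))] for c in Wq}   # well defined: rho respects atoms
    return (Wq, Rq, Vq), cls


# Constructed sample structures (not from the text).
NONE = frozenset()
# A path 0 -> 1 -> 2 of length 2 versus a single reflexive point.
PATH = ({0, 1, 2}, {0: {1}, 1: {2}, 2: set()}, {0: NONE, 1: NONE, 2: NONE})
LOOP = ({"x"}, {"x": {"x"}}, {"x": NONE})
# A diamond a -> b, a -> c, b -> d, c -> d with p true at b and c.
DIAMOND = (
    {"a", "b", "c", "d"},
    {"a": {"b", "c"}, "b": {"d"}, "c": {"d"}, "d": set()},
    {"a": NONE, "b": frozenset({"p"}), "c": frozenset({"p"}), "d": NONE},
)

if __name__ == "__main__":
    for n, X in enumerate(gfp_stages(PATH, LOOP)):
        print(f"X_{n} =", sorted(X))
    Q, cls = quotient(DIAMOND)
    print("quotient classes:", sorted(sorted(c) for c in Q[0]))
```

On the path/loop pair the stages shrink by one pair per round: the root of the length-2 path survives in X_2 but not in X_3, which matches the reading of X_n as n-round equivalence.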


M/ρ^M is minimal among all globally bisimilar companion structures of M, as any
other such must also have at least one representative of each bisimulation type realised
in M. Moreover, any global bisimulation between two such quotient structures is uniquely
determined by bisimulation types and is necessarily an isomorphism. The analogue
for ordinary (rather than global) bisimulation equivalence of pointed Kripke structures
(M, u) needs to be based on quotients M[u]/ρ^M taken after restriction to the generated
substructure rooted at u. The bisimulation quotient associated with a (pointed) Kripke
structure thus provides a canonical representative of its bisimulation type, ‘canonical’ in
the sense of being uniquely determined up to isomorphism.


COROLLARY 46. Kripke structures M and M′ are globally bisimilar iff their
bisimulation quotients are isomorphic. Pointed Kripke structures (M, u) and (M′, u′) are
bisimilar iff the bisimulation quotients (M[u]/ρ^M, [u]_ρ) and (M′[u′]/ρ^{M′}, [u′]_ρ) are
isomorphic.


For other kinds of canonical representatives of the bisimulation type of a pointed 
Kripke structure we may look to trees. Via tree unfoldings any pointed Kripke struc- 
ture is bisimilar to a tree structure. In order to associate a companion tree structure 
which is uniquely determined up to isomorphism, though, one needs to impose condi- 
tions on the multiplicities among bisimilar siblings in the tree. For countably branch- 
ing Kripke structures, for instance, in which every state has at most countably many 
immediate successors, ω-branching tree unfoldings M^ω[u] may be used. These are
defined in complete analogy with ordinary tree unfoldings, cf. Definition 21, but based
on the set of all ω-labelled paths rooted at u. An ω-labelled path in M is a sequence
ŵ = (w_0, α_1, m_1, w_1, ..., α_k, m_k, w_k), where w = (w_0, α_1, w_1, ..., α_k, w_k) is a path in M
in the usual sense, and with labels m_i ∈ ℕ. Two ω-labelled paths ŵ, ŵ′ are linked by
an R_α-edge in M^ω[u] if ŵ′ is an α-extension of ŵ: ŵ′ = (ŵ, α, m, w′) for some m ∈ ℕ.
Through the ω-labelling, the multiplicity of each bisimulation type in each successor set
w.r.t. R_α is countably infinite. It is then easy to see that any two bisimilar ω-branching
tree unfoldings of countably branching Kripke structures are isomorphic.


This observation may be extended in a straightforward manner to κ-tree unfoldings
M^κ[u] based on κ-labelled paths, for any infinite cardinal κ.


COROLLARY 47. For any infinite cardinal κ, and pointed Kripke structures (M, u) and
(M′, u′) whose branching degree is bounded by κ: (M, u) ⇌ (M′, u′) if, and only if,
(M^κ[u], u) ≃ (M′^κ[u′], u′).


3.7 Robinson consistency, local interpolation, and Beth definability


We illustrate the usefulness of the canonicity property expressed in Corollary 47 with 
a proof of the following analogue of the Robinson joint consistency property [12] for 
poly-modal logic. 


PROPOSITION 48 (Robinson consistency). For i = 1,2 let τ^(i) be modal similarity types;
Φ^(i) sets of atomic propositions; and Γ^(i) ⊆ ML[τ^(i), Φ^(i)]. If Γ^(1) ∩ Γ^(2) is a complete modal
theory (in the local sense), and if both Γ^(1) and Γ^(2) are consistent, then Γ = Γ^(1) ∪ Γ^(2) is
also consistent.


Proof. Let τ := τ^(1) ∩ τ^(2), Φ := Φ^(1) ∩ Φ^(2), Γ^(0) := Γ^(1) ∩ Γ^(2).

Let M, u ⊨ Γ^(1) and N, v ⊨ Γ^(2). Without loss of generality assume that both
structures are ω-saturated, which implies that also their (τ, Φ) reducts M^(0) and N^(0)
are ω-saturated. Then (M^(0), u) ≡_ML (N^(0), v), as both satisfy the complete theory Γ^(0).
By the Hennessy–Milner property for ω-saturated structures: (M^(0), u) ⇌ (N^(0), v) (cf.
Remark 40).

Let κ > |M|, |N| and consider the κ-tree unfoldings M̂ := M^κ[u] and N̂ := N^κ[v]. The
generated (τ, Φ)-subtrees of (M̂, u) and (N̂, v) are themselves κ-tree unfoldings of
corresponding generated (τ, Φ)-substructures of M and N. So they are isomorphic
as (τ, Φ)-trees. We may assume that (M̂, u) and (N̂, v) intersect precisely in these
isomorphic subtrees. Let then K := M̂ ∪ N̂ be their union (note that u = v). The
component structures (M̂, u) and (N̂, v) are the generated (τ^(i), Φ^(i))-subtrees for i = 1
and i = 2, respectively. By bisimulation invariance, K, u ⊨ Γ^(i) for i = 1,2. Therefore Γ
is satisfiable. □


Consistency properties can usually be directly related to interpolation [12]. Here we 
obtain the local interpolation theorem for poly-modal logic as a corollary. For modal 
similarity types and sets of atomic propositions as above: let ⊨ φ → ψ be a valid (local)
consequence, φ ∈ ML[τ^(1), Φ^(1)], ψ ∈ ML[τ^(2), Φ^(2)]. We want to show that there is an
interpolant χ ∈ ML[τ, Φ] (i.e., in the common language):


⊨ (φ → χ) ∧ (χ → ψ).


Assume there was no interpolant. One can then find a complete theory Γ^(0) in the
common vocabulary for which both Γ^(1) := Γ^(0) ∪ {φ} and Γ^(2) := Γ^(0) ∪ {¬ψ} are
consistent (see below). With the consistency property established above, however, this would
show that φ ∧ ¬ψ is satisfiable, invalidating the implication φ → ψ. Assuming without
loss of generality that the common language ML[τ, Φ] is countable, one generates Γ^(0)
inductively as a union of an increasing chain of finite sets Γ_n. The sets Γ_n are
inductively augmented towards completion, by adding one formula or its negation at a time,
guided by the condition that there be no interpolant χ with Γ_n ⊨ (φ → χ) ∧ (χ → ψ).


COROLLARY 49. Poly-modal logic satisfies the interpolation theorem for local conse- 
quence. 


The interpolation property can be relativised to particular modal logics or classes of
frames. We mention one general result of this kind. Following [122], a subframe F of
the direct product ∏_{i∈I} F_i (see section 6.2) is said to be a bisimulation product of the
family of frames {F_i}_{i∈I} if the canonical projection π_i : F → F_i is a surjective bounded
morphism, for each i ∈ I. The following has been established in [122, Thm 2.5.3].


PROPOSITION 50. Let K be an elementary class of frames closed under generated
subframes and bisimulation products. Then modal logic over K has interpolation.


The interpolation property is intimately related to the Beth definability property which 
links implicit with explicit definability. 

Consider a fixed (poly-)modal language ML[τ, Φ]. For any list of propositional
variables q from Φ, we denote by ML[q] the sublanguage of ML[τ, Φ] restricted to the
propositional variables listed in q. Let p ∈ Φ be a propositional variable not in q, and
Γ = Γ(p, q) ⊆ ML[p, q] a modal theory. Intuitively, Γ defines p implicitly if it uniquely
determines the valuation of p relative to the rest. Formally, let p′ be a propositional
variable not occurring in Γ(p, q) and Γ′ = Γ(p′, q) the result of substituting p′ for p
throughout Γ. Γ defines p implicitly if the following is valid (in the sense of local
consequence):


Γ ∪ Γ′ ⊨ p ↔ p′.


On the other hand, p is said to be explicitly definable relative to Γ if for some φ(q) ∈
ML[q] (thus, not containing p):


Γ ⊨ p ↔ φ(q).


Such φ is then called an explicit definition of p relative to Γ.

Clearly, explicit definability entails implicit definability. Beth’s definability theorem 
(proved in the early 1950s for first-order logic) states the converse: implicit definability 
entails explicit definability. A standard proof technique is by reduction to interpolation. 


Let Γ(p, q) ∪ Γ(p′, q) ⊨ p ↔ p′. By compactness, γ(p, q) ∧ γ(p′, q) ⊨ p ↔ p′ for some
formula γ from Γ (assuming Γ closed under ∧). This implies the validity of


⊨ (γ(p, q) ∧ p) → (γ(p′, q) → p′).


Local interpolation yields an interpolant φ ∈ ML[q] in the common language and thus
not containing p or p′, such that both ⊨ (γ(p, q) ∧ p) → φ and ⊨ φ → (γ(p′, q) → p′).
Together these two establish that φ explicitly defines p relative to γ and hence relative
to Γ. We have thus obtained the following.


COROLLARY 51. Modal logic satisfies Beth’s definability theorem for local consequence. 


The notions of interpolation, implicit and explicit definability, and the Beth definabil- 
ity property admit global versions, with respect to the global consequence relation (i.e., 
with respect to validity in Kripke structures). Beth’s definability theorem for global
consequence can be proved just like the local one above, by noting that Γ implies ψ globally
iff □*Γ ⊨ ψ, where □*Γ = {□^n γ | n ∈ ℕ, γ ∈ Γ}.

Semantically, global implicit definability means that, in any Kripke structure M for
ML[q], there is at most one valuation for p such that the resulting expansion M^p satisfies
Γ(p, q). Thus, in order to show that Γ does not define p implicitly it suffices to find two
models of Γ(p, q) that differ in the valuation of p but are otherwise identical. This is the
idea of Padoa’s method for disproving definability in classical logic.

As for global explicit definability in modal logic, Conradie [13] has shown that it can be
characterised semantically as follows. p is explicitly globally definable relative to Γ(p, q)
iff for every two Kripke structures M_1 and M_2 satisfying Γ(p, q): M_1 ≡_ML[q] M_2 ⇒
M_1 ≡_ML[p,q] M_2. Here ≡_ML[q] denotes equivalence in ML[q]. In fact, ≡_ML[q] may be
replaced for this condition by the corresponding bisimulation relation ⇌_ML[q].

For more on interpolation and Beth definability in modal logic, see Chapter 8 of
this handbook, [98, 10, 73], as well as [15] for uniform interpolation in the modal mu- 
calculus, [122] for results on interpolation in extended modal languages, and [36] for a 
comprehensive exposition of the state of the art on interpolation and definability. 


3.8 Bisimulation-safe modal operators 


It is easy to find examples of bisimilar pointed Kripke structures (M, w) ⇌ (M′, w′), over
the modal similarity type with a single modality associated with an accessibility relation
R say, such that the corresponding expansions with new accessibility relations interpreted
by the converse relations R^{-1} := {(u, v) | (v, u) ∈ R} are not bisimilar. On the other
hand, ρ: (M, w) ⇌ (M′, w′) for pointed (poly-modal) Kripke structures (M, w) and
(M′, w′) implies that the same ρ also is a bisimulation for the expansions by accessibility
relations generated from the R_α by the constructors provided in propositional dynamic
logic PDL: union, composition, star, as well as test (compare Lemma 70). Thus, the
question arises: which operations on relations are ‘safe for bisimulations’, i.e., preserve
bisimulations which hold for their arguments? This question was raised and analysed
by van Benthem. In particular, he answered that question completely for the case of
first-order definable operations on binary relations (see [130, Section 5.3], also [5, Section
2.7]). The operation ~ of domain-complementation is defined as an operation on binary
relations according to ~R := {(x, x) | ¬∃z Rxz}.


THEOREM 52. A first-order definable operation O(R_1, ..., R_n) on binary relations is
safe for bisimulation iff it can be constructed from R_1, ..., R_n using atomic tests p?,
unions, compositions and the operation of domain-complementation.


This characterisation was extended in [131] to operations definable in infinitary lan- 
guages, by allowing infinite unions, too. Since the star operation or iteration, *, is 
definable as an infinite union of compositions, this accounts for the bisimulation safety 
of PDL as stated above. The notion of bisimulation-safety and the results above were
further extended by Hollenberg [72].


4 MODAL LOGIC AS A FRAGMENT OF FIRST-ORDER LOGIC 


The embedding of modal logics into a fragment of first-order logic via the standard trans- 
lation makes results and techniques for that fragment directly available to the analysis 
of the modal logic. In this section we discuss further aspects of the relationship between 
modal and first-order logic. 


4.1 Finite variable fragments of first-order logic 


DEFINITION 53. Over a purely relational vocabulary and for k ≥ 1 let k-variable
first-order logic be the syntactic fragment FO^k ⊆ FO consisting of those FO formulae that
only use k distinct variable symbols, say x_0, ..., x_{k−1}, free or bound.


Gabbay [32] first observed that the standard translation, with thrifty re-use of variables 
as presented in section 1.3, embeds basic modal logic ML into FO^2, the two-variable
fragment of first-order logic. (For polyadic modalities of arities up to m, one similarly
gets an embedding into the (m + 1)-variable fragment.)


LEMMA 54. The standard translation based on ST(–; x_0) and ST(–; x_1) embeds ML
into FO^2.


For instance, for ML with a single unary modality ◇ associated with the binary
accessibility relation R, the standard translation operates with an alternate use of two
variables, x_0 and x_1, as in


ST(◇□◇p; x_0) = ∃x_1 (Rx_0x_1 ∧ ∀x_0 (Rx_1x_0 → ∃x_1 (Rx_0x_1 ∧ Px_1))).


It should be noted that this re-use of variable symbols is at odds for instance with 
a prenex formalisation in first-order logic. It has several other benefits, however, to be 
discussed below. And even though the embedding into the guarded fragment of first- 
order logic which has emerged more recently (see section 4.3 below) may have greater 
explanatory power for some characteristic features of modal logics, the straightforward 
embedding into finite variable fragments has also been put to good use. 

Consider the embedding of basic modal logic into FO^2. By results of Scott [116]
(valid for FO^2 without equality) and Mortimer [102] (with equality), FO^2 has the finite
model property. In fact FO^2 has an exponential bound on small models [59]. Therefore,
the finite model property for basic modal logic and decidability for satisfiability may be
inferred via the translation into FO^2. The complexity and small model bounds obtained
in this way, however, are not optimal.

The fact that ML embeds into a finite-variable fragment also provides upper bounds on
its model checking complexity. Consider the so-called combined complexity of checking
whether 𝔐, w ⊨ φ, with both the finite structure 𝔐 and the formula φ as input. The
standard translation of modal logic into FO is itself linear time computable. While the
combined model checking complexity for FO over finite relational structures is complete
for Pspace, it becomes Ptime for FO^k. Moreover, even for FO² and basic modal logic
the problem is Ptime-hard. For FO² one also obtains a bound of O(|φ||𝔐|), linear in
both input components.⁸ FO² thus constitutes a natural syntactic fragment of classical
first-order logic which matches the finite model property, the decidability and model
checking complexity of basic modal logic. These parallels and their limitations are further
discussed in [60, 135, 57].
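
The Python code below is an added example, not code from the handbook. It implements the two-variable standard translation of Lemma 54, evaluates the translated formula with only two variable slots, and compares the result with a bottom-up labelling procedure for basic modal logic over adjacency lists. The tuple encoding of formulas, the function names and the sample Kripke structure are assumptions made for the illustration.

```python
# Modal formulas (tuple encoding constructed for this added example):
#   ("p", "P") | ("not", f) | ("and", f, g) | ("or", f, g) | ("dia", f) | ("box", f)
# Translated first-order formulas, with variable indices i, j in {0, 1}:
#   ("P", name, i) | ("R", i, j) | ("not", f) | ("and", f, g) | ("or", f, g)
#   | ("imp", f, g) | ("ex", j, f) | ("all", j, f)


def st(f, i=0):
    """ST(f; x_i): standard translation alternating between x0 and x1."""
    j = 1 - i
    op = f[0]
    if op == "p":
        return ("P", f[1], i)
    if op == "not":
        return ("not", st(f[1], i))
    if op in ("and", "or"):
        return (op, st(f[1], i), st(f[2], i))
    if op == "dia":  # exists x_j (R x_i x_j and ST(f; x_j))
        return ("ex", j, ("and", ("R", i, j), st(f[1], j)))
    if op == "box":  # forall x_j (R x_i x_j -> ST(f; x_j))
        return ("all", j, ("imp", ("R", i, j), st(f[1], j)))
    raise ValueError(f"unknown connective: {op!r}")


def show(g):
    """Render a translated formula in the notation of the text."""
    op = g[0]
    if op == "P":
        return f"{g[1]}x{g[2]}"
    if op == "R":
        return f"Rx{g[1]}x{g[2]}"
    if op == "not":
        return "¬" + show(g[1])
    if op in ("and", "or", "imp"):
        sym = {"and": "∧", "or": "∨", "imp": "→"}[op]
        return f"({show(g[1])} {sym} {show(g[2])})"
    quant = "∃" if op == "ex" else "∀"
    return quant + f"x{g[1]}" + show(g[2])


def fo_holds(g, succ, val, env):
    """Naive first-order semantics; env = [value of x0, value of x1]."""
    op = g[0]
    if op == "P":
        return env[g[2]] in val.get(g[1], set())
    if op == "R":
        return env[g[2]] in succ[env[g[1]]]
    if op == "not":
        return not fo_holds(g[1], succ, val, env)
    if op in ("and", "or", "imp"):
        a = fo_holds(g[1], succ, val, env)
        b = fo_holds(g[2], succ, val, env)
        return {"and": a and b, "or": a or b, "imp": (not a) or b}[op]
    # Quantifier over x_j: overwrite slot j, i.e. re-use the variable symbol.
    j = g[1]
    branches = (fo_holds(g[2], succ, val, env[:j] + [a] + env[j + 1:]) for a in succ)
    return any(branches) if op == "ex" else all(branches)


def sat_set(f, succ, val):
    """States satisfying the modal formula f, computed bottom-up.

    Each subformula occurrence costs one pass over the states and edges,
    so the total is O(|f| * (states + edges)) with adjacency lists."""
    states = set(succ)
    op = f[0]
    if op == "p":
        return states & set(val.get(f[1], set()))
    if op == "not":
        return states - sat_set(f[1], succ, val)
    if op == "and":
        return sat_set(f[1], succ, val) & sat_set(f[2], succ, val)
    if op == "or":
        return sat_set(f[1], succ, val) | sat_set(f[2], succ, val)
    if op not in ("dia", "box"):
        raise ValueError(f"unknown connective: {op!r}")
    inner = sat_set(f[1], succ, val)
    pick = any if op == "dia" else all
    return {w for w in states if pick(v in inner for v in succ[w])}


def fo_sat_set(f, succ, val):
    """States w at which ST(f; x0) holds under the assignment x0 := w."""
    g = st(f)
    return {w for w in succ if fo_holds(g, succ, val, [w, None])}


# Constructed sample: adjacency lists and valuation of a four-state structure.
SUCC = {0: [1, 2], 1: [3], 2: [], 3: [3]}
VAL = {"P": {3}}
F = ("dia", ("box", ("dia", ("p", "P"))))  # the formula translated in the text

if __name__ == "__main__":
    print(show(st(F)))
    print(sorted(sat_set(F, SUCC, VAL)), sorted(fo_sat_set(F, SUCC, VAL)))
```

The evaluator fo_holds follows the first-order semantics directly and is not the polynomial-time algorithm; it is there only to confirm that two variable slots suffice for the translated formula.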


Remark. At the level of FO³ and higher, which becomes relevant for instance for polyadic
modalities, the target logic FO^k fails to have the finite model property and is just as
undecidable for satisfiability as full first-order logic, and also does not have linear time
model checking. For many purposes, including satisfiability and model checking, however,
natural reductions from polyadic into unary modal logics are available that still make
the special status of the two-variable fragment available for polyadic modal logics. See
for instance [41].


The k-variable fragments of FO play an interesting role in finite model theory and
for algorithmic issues, primarily because they give rise to natural and algorithmically
manageable pebble games. The k-pebble game is precisely the variant of the classical
(first-order) Ehrenfeucht–Fraïssé game associated with the restriction to k variable
symbols. Bisimulation games in their turn may be regarded as restrictions of these
k-pebble games.


⁸ This bound refers to a random access model of computation and a succinct representation of the
binary accessibility relations R_α through adjacency lists. The input size for the structure is then linear
in the number of states plus the number of accessibility edges.

Just as the ordinary n-round Ehrenfeucht–Fraïssé game captures elementary equivalence
up to quantifier rank n [26, 68, 108], and just as the n-round bisimulation game
captures modal equivalence in ML, so the n-round k-pebble game captures equivalence
in FO^k up to quantifier rank n.

In the classical (variable-unconstrained) Ehrenfeucht–Fraïssé game for FO over two
relational structures 𝔄 versus 𝔄′, the players, I and II, mark finite configurations of
elements in these structures with matching pebbles. A configuration in the game is
specified by two tuples of marked elements 𝐚 in 𝔄 and 𝐚′ in 𝔄′, denoted (𝔄, 𝐚; 𝔄′, 𝐚′).
In each round, I chooses one of the structures, and places another marker on one of
the elements of that structure; II has to respond by marking an element in the opposite
structure. In one round the game thus proceeds from a configuration (𝔄, 𝐚; 𝔄′, 𝐚′) to some
configuration (𝔄, 𝐚, a; 𝔄′, 𝐚′, a′) with newly pebbled elements a and a′. II loses as soon
as the partial map induced by the correspondence between pebbled elements f: 𝐚 ↦ 𝐚′
is not a local isomorphism. The existence of a winning strategy for II in the n-round
game then precisely captures elementary equivalence up to quantifier rank n.

The variant for FO^k is obtained by changing the rules in such a manner that no more
than k elements of each structure are ever pebbled simultaneously; the game is restricted
to configurations (𝔄, 𝐚; 𝔄′, 𝐚′) with tuples 𝐚 and 𝐚′ of lengths up to k. In any round
starting from a configuration of full length k, I first removes one of the pebbles and then
repositions that same pebble in its structure, and II has to do likewise with the matching
pebble in the opposite structure. This game then captures levels of equivalence in FO^k [25].


It is an obvious consequence of Lemma 54 that equivalence in FO² implies equivalence
with respect to basic modal logic with unary modalities. However, this may also be 
inferred directly at the level of the games. One observes that the relevant bisimulation 
game can be emulated by the 2-pebble game in the sense that 


— any challenge available to player I in the modal game is also available in the 2- 
pebble game. 

— any responses for II that are good for the 2-pebble game are good in the modal 
game, too. 


A move along an R-edge in the bisimulation game is emulated in the two-pebble game 
by means of a placement of the second pebble in the target node. The formerly active 
pebble now only plays the auxiliary role to guarantee that the right kind of edge is used 
in an admissible manner also in the response by II. But, clearly a strategy in the two- 
pebble game guarantees more than just bisimulation equivalence, illustrating the gap in 
expressive power between modal logic and the two-variable fragment of first-order logic 
into which it can be embedded. 

Consider the expressive power of basic (poly-modal) ML over corresponding Kripke
structures 𝔐 = (W, {R_α}_{α∈τ}, {P_i}). Unlike ML, FO² formulae generally define binary
predicates over Kripke structures. However, the expressive power of FO² is also very
limited in this respect. As can be inferred from the 2-pebble game, any FO²-formula
φ(x₀, x₁) is logically equivalent to a Boolean combination of quantifier free formulae of
FO² (atomic formulae, including equality) and FO² formulae in a single free variable
(x_i), i = 0, 1. In other words, the expressive power of FO², too, is essentially governed
by its expressive power in terms of unary relations (properties of single elements in
Kripke structures, state properties in process logics). Comparing the expressive power
of basic modal logic ML with that of FO² for defining properties of elements and the
discriminating powers of bisimulation versus two-pebble game equivalence, basic modal
logic is lacking

(i) relativised quantification along backward R_α-edges.

(ii) quantification relativised by (positive or arbitrary) boolean combinations of
accessibility relations (including equality).

(iii) unrelativised, global first-order quantification in one variable.

Corresponding features can be added to basic modal logic, as for instance through
extensions via inverse modalities (in temporal settings: past modalities) interpreted w.r.t.
the converses R_α⁻¹ = {(v, u) | (u, v) ∈ R_α}; a global modality interpreted w.r.t. the full
binary relation U = W × W over universe W; or other constructors for derived
accessibilities.⁹ An extension of basic modal logic that provides a minimal set of constructs in
the above vein so as to precisely capture the expressive power of FO², is provided in [96].
A comparison of the satisfiability problems of these two logics shows that there is no
polynomial time translation from FO² into its modal counterpart, under suitable
complexity assumptions. Furthermore, on certain classes of frames extended modal logics can
reach the full expressiveness of first-order logic. The most prominent example is Kamp’s
result in [80] that the temporal language with Since and Until is expressively complete
for all first-order definable connectives on the class of Dedekind complete linear orders.
This line of work was further developed by others, including Stavi, Gabbay, Venema,
Reynolds. For further details see [32, 34], as well as Chapter 11 of this handbook.


4.2 The van Benthem–Rosen characterisation theorem


The fundamental observation that modal logics are embedded into (fragments of) first- 
order logic via the standard translation immediately calls for the following question. 
Given an arbitrary first-order formula (in an appropriate vocabulary of Kripke struc- 
tures), under which conditions is it equivalently expressible in modal logic? In other 
words, precisely which first-order properties of pointed Kripke structures are expressible 
in modal logic? Bisimulation invariance is obviously a necessary condition; van Ben- 
them’s Theorem says that it is sufficient as well. 

Another point of view is also illuminating. Take bisimulation invariance as the funda- 
mentally important semantic notion. It deserves this status for many non-logical reasons, 
since it is the natural notion of process equivalence (thinking of Kripke structures as tran- 
sition systems), game equivalence (transition systems for games), knowledge equivalence 
(Kripke structures for knowledge representation), et cetera. From the perspective of first- 
order logic, then, one would want to isolate the bisimulation invariant properties because 
just these conform with the underlying semantic intuition. For instance, a first-order 
property of transition systems captures a property of processes if, and only if, it does not 
distinguish between bisimulation equivalent transition systems. 

Bisimulation invariance is not a decidable property of first-order formulae, as can
be seen through reduction of the satisfiability problem. For φ ∈ FO(τ \ {R}), the
formula φ ∧ Rxx is bisimulation invariant iff φ is unsatisfiable. The syntactic
subset consisting of those first-order formulae that happen to be bisimulation invariant is
therefore not the syntax of a reasonable logic. But the characterisation theorem says that
modal logic precisely fills this gap. ML, or its translation into FO, provides decidable
syntax for just the bisimulation invariant first-order properties; ML is the first-order logic
for bisimulation respecting properties.


⁹ An example of that is the union (or) on program formulae in PDL, which, however, is reducible to
plain ML in this context, since, for instance [α ∪ β]φ ≡ [α]φ ∧ [β]φ and ⟨α ∪ β⟩φ ≡ ⟨α⟩φ ∨ ⟨β⟩φ.


THEOREM 55 (van Benthem). Let φ(x) ∈ FO be in a vocabulary of Kripke structures.
Then the following are equivalent:


(i) φ is bisimulation invariant: (𝔐, w) ∼ (𝔐′, w′) implies 𝔐, w ⊨ φ ⇔ 𝔐′, w′ ⊨ φ.
(ii) φ(x) is logically equivalent to a formula φ̂ ∈ ML.


Note that (ii) ⇒ (i) is just Theorem 14 again. The crucial point here is expressive
completeness of ML for all bisimulation invariant first-order properties. The core idea 
for that is to establish the following — which is reminiscent of a compactness property. 


LEMMA 56. If φ(x) ∈ FO is bisimulation invariant, then it is invariant under
n-bisimulation for some n ∈ ℕ.


The lemma implies (i) ⇒ (ii) in the theorem, as any n-bisimulation invariant property
is clearly definable in ML_n. Indeed, by Corollary 34, φ is then equivalent to a disjunction
of characteristic formulae for n-bisimulation equivalence classes. For the lemma, we 
sketch a version of the classical proof and an alternative argument more closely based on 
the games. 


Via classical model theory. Assume to the contrary that φ was not invariant under
n-bisimulation for any n ∈ ℕ, and hence not equivalent to any modal formula. Enumerate
all modal formulae of the appropriate type as (ψ_i)_{i∈ℕ}. Successively choose one of ψ_i or
¬ψ_i to obtain a maximally consistent set T of modal formulae consistent with both φ and
¬φ. By compactness one obtains pointed Kripke structures (𝔐, w) and (𝔐′, w′) such that
both satisfy T, while 𝔐, w ⊨ φ and 𝔐′, w′ ⊨ ¬φ. As (𝔐, w) and (𝔐′, w′) satisfy the
same complete modal theory, (𝔐, w) ≡_ML (𝔐′, w′) and therefore (𝔐, w) ∼_ω (𝔐′, w′).
Passage to ω-saturated (or modally saturated, see section 6.3) elementary extensions of
(𝔐, w) and (𝔐′, w′) would then give us structures (𝔐*, w) ∼ (𝔐′*, w′) (cf. Remark 40),
which are still distinguished by φ, contradicting bisimulation invariance of φ.


Via games. This alternative proof of the crucial step towards the characterisation the- 
orem admits ramifications that persist where the classical argument fails, in particular 
in finite model theory. In its present form this argument is based on [105, 107] building 
on ideas from Rosen’s finite model theory version of the characterisation theorem [112], 
as further discussed below (Theorem 61) and in section 9. The n-neighbourhood of an 
element u in a Kripke structure 𝔐 consists of all elements whose Gaifman distance from
u is at most n. Here Gaifman distance is graph theoretic distance in the undirected graph
induced by the symmetrised accessibility relation. We write 𝔐↾U^n(u) for the induced
substructure on the n-neighbourhood of u in 𝔐.


DEFINITION 57. A formula φ(x) is n-local if for any two pointed tree Kripke structures
(𝔐, w) and (𝔐′, w′) that are isomorphic in restriction to the n-neighbourhoods of their
distinguished nodes, 𝔐, w ⊨ φ ⇔ 𝔐′, w′ ⊨ φ.


It is easy to see that, if φ(x) is bisimulation invariant and n-local, then it is
n-bisimulation invariant. In fact, this is obvious for trees and then extends to arbitrary
pointed Kripke structures through their unfoldings into trees (see section 2.2). See
[105, 106] for the following.


LEMMA 58. Let φ(x) ∈ FO have quantifier rank q. If φ is bisimulation invariant, then
it is n-local, and hence invariant under n-bisimulation, for n = 2^q − 1.


The first-order locality argument is in fact a ramification of the much more general 
Gaifman locality property of first-order logic [38], which is a useful tool in classical as well 
as finite model theory [25]. In the context of bisimulation invariant properties, locality 
together with the exponential bound may however also be derived from a straightforward 
and self-contained analysis based on first-order Ehrenfeucht–Fraïssé games. In fact, the
lemma holds for any φ(x) that is invariant under disjoint unions, which itself is an easy
consequence of bisimulation invariance (see section 2.2). Let φ(x) ∈ FO have quantifier
rank q. Consider a pointed Kripke structure (𝔐, w) or, because it may be conceptually
easier though not necessary for the argument, without loss of generality a pointed tree
structure (𝔐, w) with root w. Let 𝔐′ = 𝔐↾U^n(w) be the substructure induced on the
n-neighbourhood of w. It suffices to show that 𝔐, w ⊨ φ iff 𝔐′, w ⊨ φ.

Let 𝔑 be the disjoint union of q copies of 𝔐 and 𝔐′ each. Using invariance under
disjoint unions, it suffices to show that 𝔑 ⊎ 𝔐, w ⊨ φ iff 𝔑 ⊎ 𝔐′, w ⊨ φ.


[Figure: the structures compared in the game; each of the four groups of copies is labelled "q copies".]


It is not hard to exhibit a winning strategy for II in the ordinary q-round
Ehrenfeucht–Fraïssé game on these structures. II merely needs to respect, in round m of the game,
the critical distance d_m = 2^(q−m): if I’s move in round m goes to within distance d_m
of an already pebbled element, II plays according to a local isomorphism in the
d_m-neighbourhoods of previously pebbled elements; if I’s move goes to an element further
away from all previously pebbled elements, II responds in a fresh isomorphic copy of
type 𝔐 or 𝔐′, correspondingly.

The exponential bound expressed in the lemma is actually optimal. For a bisimulation
invariant property expressible in FO, but not in ML_n for any n < 2^q − 1, consider
the property that a state in which p holds is reachable on a path of length less than
2^q. It should be noted that the classical proof of van Benthem’s theorem provides no
corresponding quantitative information.
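
The modal half of this optimality claim can be checked mechanically. The Python code below is an added example, not from the handbook: it plays the n-round bisimulation game on two constructed chains with p at distance 2^q − 1 and 2^q from the root and confirms that they are n-bisimilar for every n < 2^q − 1 although only the first has the reachability property. The encoding of structures and all function names are assumptions of the example.

```python
from functools import lru_cache


def n_bisimilar(n, m1, w1, m2, w2):
    """True iff player II wins the n-round bisimulation game from (w1, w2).

    A structure m is a pair (succ, val): adjacency lists and, per state,
    the frozenset of proposition letters true there."""
    (succ1, val1), (succ2, val2) = m1, m2

    @lru_cache(maxsize=None)
    def win(k, u, v):
        if val1[u] != val2[v]:      # atomic disagreement: II has lost
            return False
        if k == 0:
            return True
        # forth: every move of I in the first structure has an answer in the second
        forth = all(any(win(k - 1, a, b) for b in succ2[v]) for a in succ1[u])
        # back: every move of I in the second structure has an answer in the first
        back = all(any(win(k - 1, a, b) for a in succ1[u]) for b in succ2[v])
        return forth and back

    return win(n, w1, w2)


def reaches_p_within(m, w, bound):
    """Is a p-state reachable from w on a path of length less than bound?"""
    succ, val = m
    frontier = {w}
    for _ in range(bound):          # path lengths 0, 1, ..., bound - 1
        if any("p" in val[u] for u in frontier):
            return True
        frontier = {v for u in frontier for v in succ[u]}
    return False


def chain(d):
    """Constructed sample: a path 0 -> 1 -> ... -> d with p true only at d."""
    succ = {i: ([i + 1] if i < d else []) for i in range(d + 1)}
    val = {i: (frozenset({"p"}) if i == d else frozenset()) for i in range(d + 1)}
    return succ, val


def separation(q):
    """Largest n for which the chains with p at distance 2^q - 1 and 2^q
    are n-bisimilar, plus the truth value of the property in each chain."""
    near, far = chain(2 ** q - 1), chain(2 ** q)
    n = 0
    while n_bisimilar(n + 1, near, 0, far, 0):
        n += 1
    return n, reaches_p_within(near, 0, 2 ** q), reaches_p_within(far, 0, 2 ** q)


if __name__ == "__main__":
    for q in (1, 2, 3):
        print(q, separation(q))
```

Since n-bisimilar pointed structures agree on all modal formulae of nesting depth at most n, the result for each q shows that no formula of depth below 2^q − 1 defines the property.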


COROLLARY 59. For φ(x) ∈ FO of quantifier rank q, the following are equivalent for
n = 2^q − 1:

(i) φ is bisimulation invariant.

(ii) φ is invariant under n-bisimulation and equivalently expressible in ML_n.

The exponential bound on the modal nesting depth is sharp: FO is exponentially more
succinct than ML for expressing bisimulation invariant properties.


Some of the underlying ideas of these results are very robust and extend to various 
ramified settings, some of which are to be discussed in section 5. The classical proof of 
the characterisation theorem, in particular, carries through for many natural extensions 
of basic modal logic associated with refined notions of basic bisimulation equivalence; 
we mention in particular the corresponding characterisation theorem for the guarded 
fragment of first-order logic [1] (see Theorem 65 here). But also the game based approach 
extends to a wide range of settings. One of its main strengths is that it goes through 
in the setting of finite model theory, as explained below. Another variation that comes 
naturally from the game based proof is its relativisation to arbitrary bisimulation closed 
classes [105]. The classical proof, on the other hand, clearly relativises to elementary 
classes of structures. 


COROLLARY 60. Let C be a class of Kripke structures that is closed under bisimulation.
Then φ(x) ∈ FO is bisimulation invariant in restriction to C iff it is equivalent to a
formula φ̂ ∈ ML in restriction to C. Similarly for any elementary class C.


Theorem 55 characterises the elementary properties of pointed Kripke structures which 
are definable by single modal formulae. In section 6.4 we will obtain more general preser- 
vation results, characterising properties and classes of Kripke structures which are defin- 
able by finite or infinite sets of modal formulae, by employing constructions and results 
from classical model theory. 


Ramifications of the characterisation theorem 


We sketch a version of the game and locality based proof of van Benthem’s character- 
isation theorem given above, which applies in finite model theory as well as classically. 
We thus get the finite model theory version due to Rosen [112], even with the same tight 
exponential bound on succinctness as in Corollary 59. 


THEOREM 61. For φ(x) ∈ FO of quantifier rank q, the following are equivalent:

(i) φ is bisimulation invariant over finite Kripke structures.

(ii) φ is equivalent to a formula of ML_n over finite Kripke structures, for n = 2^q − 1.


Proof. We merely need to adapt the proof outlined above in minor ways to avoid 
passage through infinite structures. For that we may replace bisimilar companion tree 
structures by the finite, local versions provided by Lemma 36 rather than full unfoldings. 
For the proof of n-locality of φ (cf. Lemma 58) no modifications are necessary in the
game argument, as it applies to arbitrary relational structures exactly as for trees. In 
fact we only need to use partial tree unfoldings to argue that n-locality and bisimulation 
invariance together imply n-bisimulation invariance also in restriction to finite structures, 
as follows. 

Let φ(x) be bisimulation invariant and n-local over finite structures. Consider finite
structures (𝔐, w) ∼_n (𝔐′, w′). We need to show that 𝔐, w ⊨ φ iff 𝔐′, w′ ⊨ φ.
As φ is bisimulation invariant, we may replace (𝔐, w) and (𝔐′, w′) by bisimilar finite
companion structures whose restrictions to U^n(w) and U^n(w′) are trees, by Lemma 36.
As φ is n-local, these structures may further be replaced by their restrictions to the
n-neighbourhoods of w and w′, which are n-bisimilar tree structures of depth n, hence
bisimilar. So φ is true in w iff it is true in w′. □


Compare section 9 for further discussion of the finite model theory context; for fur- 
ther ramifications concerning modal logics based on refined notions of bisimulation also 
compare section 5; for relativisations to other non-elementary classes of frames, see in 
particular [17]. 
4.3 Guarded fragments of first-order logic 


The standard translation (see section 1.3) immediately suggested finite variable fragments 
as an appropriate framework for the study of modal logic within first-order logic. In some 
ways, however, the finite variables feature fails to give satisfactory insights into the model 
theoretic behaviour of modal logics. The comparatively smooth finite model theory (see 
section 9) of modal logics and most notably also their decidability properties (considering 
robustness under extensions [135]; see section 5.2) are not reflected by the finite variable 
fragments or even FO² in particular [61, 60].

Guarded fragments of first-order logic were introduced by Andréka, van Benthem and 
Németi in [1]. Compared to the finite variable fragments, the guarded fragment GF of 
first-order logic is much closer to the qualitative characteristics of modal logics. It has 
greater explanatory power as a framework for the study of modal logics within first- 
order. For instance, GF and some of its further extensions mirror the decidability as 
well as finite and tree model properties of modal logics. Crucially, there is a natural 
notion of guarded bisimulation at the root of some of these features. On the other hand 
guarded logics considerably extend the expressive power of standard modal logics, and 
in particular still encompass many of their important extensions. Guarded logics have 
thus come to play an important role in the quest for more expressive fragments of first- 
order logic that share many of the model theoretic and algorithmic properties that make 
modal logics so useful for various applications. GF and its relatives extend the scope of 
essentially modal model theory, including algorithmic and finite model theory aspects, 
in the direction of first-order. 


The guarded fragment GF of FO generalises the relativised nature of modal
quantification. Let α(𝐱, 𝐲) be an atomic first-order formula in variable tuples as displayed,
and consider existential and universal quantification over variables 𝐲 where the range of
quantification is restricted to those 𝐲 that satisfy α(𝐱, 𝐲) in relation to 𝐱 (α is called
the guard of the quantification). The following shorthand syntax is useful for this
α-relativised quantification:


$$(\exists \mathbf{y}.\alpha)\varphi := \exists \mathbf{y}\,(\alpha(\mathbf{x},\mathbf{y}) \wedge \varphi(\mathbf{x},\mathbf{y})), \quad \text{and its dual} \quad (\forall \mathbf{y}.\alpha)\varphi := \forall \mathbf{y}\,(\alpha(\mathbf{x},\mathbf{y}) \rightarrow \varphi(\mathbf{x},\mathbf{y})).$$


Modal quantification (or its standard translation into first-order) displays just this
kind of relativisation, where the guards are the atoms R_α xy for accessibility relations
R_α.¹⁰ GF admits relativised quantification of this kind, for any atom α, provided that
the variables that occur in α comprise all the free variables in the formula φ that is
being quantified. The standard translation of modal logics (section 1.3) clearly obeys
these restrictions.


DEFINITION 62. For an arbitrary relational vocabulary τ, the formulae of GF(τ) ⊆
FO(τ), the guarded fragment, are generated from the atomic formulae by closure under
boolean connectives and guarded quantification; i.e., if φ(𝐱, 𝐲) ∈ GF(τ) and if α(𝐱, 𝐲)
is a τ-atom (also allowing equality) such that free(φ) ⊆ var(α), then (∀𝐲.α)φ(𝐱, 𝐲) and
(∃𝐲.α)φ(𝐱, 𝐲) are also in GF(τ).


The atom α in these last formulae is called the guard of the (universal or existential)
quantification. The nesting depth is declared for formulae of GF similar to the first-order
quantifier rank, with the only exception that it increases by just 1 with every guarded
quantification (rather than by the number of quantified variables in 𝐲). The semantics
of GF is just that of first-order logic. It makes sense, however, to look at the crucial
restriction with a view to a semantic understanding.


¹⁰ This is good also in the polyadic case, where an n-ary modality α associated with an (n + 1)-ary
relation R_α gives rise to quantification with guard R_α(x, 𝐲).


DEFINITION 63. Let 𝔄 be a τ-structure. A subset s ⊆ A is guarded if s is a singleton
set or if s = {a₁, ..., a_k} for some tuple (a₁, ..., a_k) ∈ R^𝔄 for some relation R ∈ τ. A
tuple 𝐚 over 𝔄 is guarded if its components are elements of some common guarded subset.


Guarded quantification essentially is quantification over guarded tuples. Intuitively, 
only the elements of guarded subsets are simultaneously visible in the guarded perspec- 
tive; this intuition is borne out in the concept of guarded bisimulation (see Definition 64 
below). 


Clearly the standard translation embeds ML into GF, and actually into the two-variable
fragment of GF, GF ∩ FO², which is strictly between ML and FO² in expressive
power, comprising some but not all the features that separate ML from FO² as discussed
at the end of section 4.1 above. GF naturally comprises

(i) inverse (or past) modalities, as guardedness is non-directional. 

(ii) positive Boolean operations on accessibilities (including equality), as for instance
in [α ∩ β]φ ≡ (∀y.(R_α xy ∧ R_β xy)) φ(y) ≡ (∀y.R_α xy)(R_β xy → φ(y)).

(iii) a global modality, or universal/existential quantification over a single free variable, 
as any singleton set is guarded. 

Moreover, it should be noted that GF is genuinely polyadic in the sense of representing 
no restriction on the arities of definable predicates, whereas even polyadic modal logics 
are still monadic in that sense. But GF indirectly also has a finite variable nature to it. 
Note that guarded sets are bounded in size by the width (maximal arity) of the available 
relation symbols. It is not hard to show that any formula in GF(τ), for τ of width
k, is equivalent to a boolean combination of atomic formulae and formulae that are in
GF ∩ FO^k (up to a possible renaming of variables).
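
Definitions 62 and 63 translate directly into executable checks. The Python code below is an added example, not the handbook's own: in_gf tests the syntactic condition free(φ) ⊆ var(α) on formulas written as ∃y(α ∧ φ) or ∀y(α → φ), and guarded_subsets enumerates the guarded subsets of a finite structure. The tuple encoding, the function names, and the sample formulas and structure are assumptions of the example.

```python
# First-order formulas as tuples (encoding constructed for this added example):
#   ("atom", "R", ("x", "y"))   relational atom; the symbol "=" stands for equality
#   ("not", f) | ("and", f, g) | ("or", f, g) | ("imp", f, g)
#   ("ex", ("y", ...), f) | ("all", ("y", ...), f)


def free(f):
    """Free variables of a formula."""
    op = f[0]
    if op == "atom":
        return set(f[2])
    if op == "not":
        return free(f[1])
    if op in ("and", "or", "imp"):
        return free(f[1]) | free(f[2])
    return free(f[2]) - set(f[1])          # a quantifier binds the variables f[1]


def in_gf(f):
    """Syntactic test of Definition 62.  Quantifiers must have the shape
    ex y (alpha and phi) or all y (alpha -> phi) with an atom alpha, written
    first, such that free(phi) is contained in var(alpha)."""
    op = f[0]
    if op == "atom":
        return True
    if op == "not":
        return in_gf(f[1])
    if op in ("and", "or", "imp"):
        return in_gf(f[1]) and in_gf(f[2])
    body = f[2]
    if body[0] != ("and" if op == "ex" else "imp") or body[1][0] != "atom":
        return False
    guard, phi = body[1], body[2]
    return free(phi) <= set(guard[2]) and in_gf(phi)


def guarded_subsets(universe, relations):
    """Guarded subsets of a finite structure (Definition 63)."""
    sets = {frozenset([a]) for a in universe}
    for tuples in relations.values():
        sets |= {frozenset(t) for t in tuples}
    return sets


def is_guarded_tuple(t, universe, relations):
    """A tuple is guarded if its components lie in a common guarded subset."""
    return any(set(t) <= s for s in guarded_subsets(universe, relations))


def atom(rel, *variables):
    return ("atom", rel, variables)


# Constructed sample formulas.
P_Y = atom("P", "y")
# Standard translation of diamond-box-diamond p, with the two variables named x, y.
MODAL = ("ex", ("y",), ("and", atom("R", "x", "y"),
         ("all", ("x",), ("imp", atom("R", "y", "x"),
          ("ex", ("y",), ("and", atom("R", "x", "y"), P_Y))))))
INVERSE = ("ex", ("y",), ("and", atom("R", "y", "x"), P_Y))    # backward edge
INTERSECT = ("all", ("y",), ("imp", atom("Ra", "x", "y"),
             ("imp", atom("Rb", "x", "y"), P_Y)))              # item (ii) above
GLOBAL = ("ex", ("y",), ("and", atom("=", "y", "y"), P_Y))     # singleton guard
# A directed triangle through x: the inner guard R(y, z) does not cover x.
UNGUARDED = ("ex", ("y",), ("and", atom("R", "x", "y"),
             ("ex", ("z",), ("and", atom("R", "y", "z"), atom("R", "z", "x")))))

# Constructed sample structure of width 3.
UNIVERSE = {1, 2, 3, 4}
RELATIONS = {"R": {(1, 2), (2, 3)}, "T": {(1, 2, 4)}}

if __name__ == "__main__":
    for name in ("MODAL", "INVERSE", "INTERSECT", "GLOBAL", "UNGUARDED"):
        print(name, in_gf(globals()[name]))
    print(sorted(sorted(s) for s in guarded_subsets(UNIVERSE, RELATIONS)))
```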


Guarded bisimulations form the backbone of the model theory of GF, playing the same 
role for GF that ordinary bisimulations play for modal logics. In essence a guarded bisim- 
ulation is a back-and-forth equivalence based on local isomorphisms between guarded 
subsets. 

DEFINITION 64. A guarded bisimulation between τ-structures 𝔄 and 𝔅 is a non-empty
set Z of local (partial) isomorphisms between 𝔄 and 𝔅 such that

(i) for every p ∈ Z, the domain and image of p are guarded subsets of 𝔄 and 𝔅,
respectively.

(ii) Z satisfies the following back-and-forth conditions w.r.t. guarded subsets:
    forth: for every p ∈ Z with domain s and every guarded subset s′ of 𝔄, there is
    some p′ ∈ Z with domain s′ such that p and p′ agree on s ∩ s′.
    back: analogously, w.r.t. the inverse maps p⁻¹ and for guarded subsets of 𝔅.


Guarded bisimulations preserve the semantics of GF just as bisimulations preserve 
the semantics of ML. Moreover, bounded guarded bisimulations — best defined in terms 
of the restriction of corresponding guarded bisimulation games to a fixed finite number 
of rounds — precisely capture the levels of equivalence w.r.t. guarded formulae of cor- 
responding nesting depth. Finally, GF is semantically characterised as a fragment of 
FO precisely through guarded bisimulation invariance. This analogue of van Benthem’s 
characterisation of modal logic is due to Andréka, van Benthem and Németi [1]. 


THEOREM 65. For any first-order formula φ ∈ FO(τ) the following are equivalent:

(i) φ is invariant under guarded bisimulation.

(ii) φ is logically equivalent to a formula φ̂ ∈ GF(τ).


It is interesting to note that the full analogue of this characterisation theorem in finite 
model theory is currently still open. For relational vocabularies of width up to two 
(essentially coloured directed graphs), the analogue is proved in [106]. 


Perhaps the most important model theoretic consequence of an analysis of GF w.r.t. 
guarded bisimulations is a corresponding generalisation of the tree model property. 
For arbitrary relational structures one obtains guarded bisimilar companion structures 
through a process of guarded unravelling or unfolding. These relational structures are 
close to trees in being tree-decomposable by means of guarded subsets. Tree decomposi- 
tions provide a representation of the underlying relational structure by a tree. This notion 
from graph and hypergraph theory (see for instance [4]) has been fruitfully employed in 
relational structures also in applications to relational databases [3]. Tree representations 
based on guarded subsets work with tree structures whose nodes describe all the guarded 
substructures of the given structure. Guarded unravellings [56, 58] provide tree
decompositions by guarded subsets. As the size of guarded subsets in τ-structures is bounded
by the width of τ (the maximal arity of relations in τ), one automatically obtains a
bound on the tree width. The resulting generalised tree model property from [56] is the 
following. 


THEOREM 66. Any satisfiable formula φ ∈ GF(τ) has a model which is tree decomposable
in terms of its guarded subsets and consequently of tree width m − 1, where m is the
width of τ.


Such a generalised tree model property can be of eminent model theoretic importance, 
especially with a view to algorithmic questions, because properties of tree decomposed 
models may be determined in terms of their tree representations. Using classical model 
theoretic tools for trees, and in particular automata theoretic methods, the generalised 
tree model property has strong consequences for decidability and complexity issues. For 
instance, GF and some of its extensions beyond first-order logic that are invariant un- 
der guarded bisimulation and hence satisfy the generalised tree model property, can be 
decided for satisfiability via reductions to the monadic second-order theory of trees (Ra- 
bin’s theorem). A direct reduction to emptiness problems for suitable tree automata 
moreover typically yields optimal complexity bounds. Even finite models for formulae of 
GF can be built from infinite tree-like models, using finite saturation arguments based 
on Herwig’s extension theorem for partial isomorphisms [67], thus providing an elegant 
proof of the finite model property for GF [56]. 


THEOREM 67. Any satisfiable formula of GF has a finite model: GF has the finite 
model property. 

The clique guarded fragment pushes the basic idea of guarded quantification a bit
further by relaxing the notion of guarded subsets. A subset s of a relational structure is
clique guarded if any pair of elements from the set is guarded (the subset forms a clique
in the Gaifman graph). In the clique guarded fragment, quantification is restricted to
clique guarded rather than guarded subsets. The resulting logic naturally embeds the
first-order translation of the Until operator of temporal logic:


$$(\varphi\ \mathrm{Until}\ \psi)(x) \equiv \exists y\,\bigl(x < y \wedge \psi(y) \wedge \forall z\,((x < z \wedge z < y) \rightarrow \varphi(z))\bigr),$$


because the relevant x,y,z triples form cliques w.r.t. comparability under <. The clique 
guarded fragment is no longer restricted to finite variables as clique guarded subsets can 
have any size. (The Until operator, which crucially requires three variables, is expressible 
in terms of clique guarded triples w.r.t. a binary relation.) 

Despite the increase in expressiveness, the clique guarded fragment is still decidable 
for satisfiability [56] and it also satisfies the finite model property [69, 70] (with links 
between clique guardedness and extension theorems for partial isomorphisms). 


5 VARIATIONS, EXTENSIONS, AND COMPARISONS OF MODAL LOGICS 


There is a considerable body of work on ramifications of the familiar classical modal 
logics. At the level of ordinary semantics in (pointed) Kripke structures or transition 
systems, many variations and extensions have been proposed. These largely aim at 
preserving some of the key model theoretic features of basic modal logics while adapting 
or boosting the expressive power — either for the purposes of a systematic investigation or 
for the modelling of situations that cannot be captured by the standard modal languages. 
The many application areas of modal logics contribute to interesting ramifications and 
continue to trigger new developments. We give but a few examples. Variants of basic 
modal languages for the purposes of description logics, as treated in depth in Chapter 13 
of this handbook, naturally use for instance inverse modalities (for inverse roles) or graded 
modalities (for number constraints). Various constructors for new modalities based on 
composite accessibility relations (e.g., relational composition or transitive closures) have 
long been studied in temporal and process logics (see Chapters 11 and 12 among others). 
More recently similar extensions have been employed in formalisms developed for the 
navigation and retrieval of information in data formats like XML (see [100]). 

While a more comprehensive concept of a generalised modal model theory may lead 
to further consolidation of the big picture, we can here only attempt to exemplify some 
simple model theoretic ideas in this direction. For a tentative framework, let us regard 
the underlying notion of bisimulation invariance as the key feature of a specifically modal 
model theory (at the level of Kripke semantics). We may then tentatively explore this 
theme along two axes: variations in the sense of variations of the underlying notion of 
bisimulation; and extensions of expressive power subject to the requirement of invariance 
w.r.t. the given notion of bisimulation. 

For two typical examples of these orthogonal directions consider, on the one hand, the 
addition of past modalities (backward moves in the bisimulation game), and, on the other 
hand, the extension by path quantification (as for reachability assertions or unbounded 
iteration of ◇).

For this largely informal sketch we limit ourselves to just a few logics that play a 
prominent role in connection with transition systems and the behaviour of processes. 
Some of these and many others are treated at much greater depth in other chapters 
of this handbook, in particular Chapters 11, 12 and 17 of this handbook and several 
others in Parts 3 and 4. As criteria for the model theoretic character of the logics
under consideration, over and above their expressive power, we look in particular at the
corresponding bisimulation games and model theoretic characterisation theorems, at the 
tree model property and the finite model property, and at satisfiability issues, which are 
particularly relevant in many applications (compare Chapters 3 and 17 of this handbook). 


5.1 Variations through refined notions of bisimulation 


A refinement of bisimulation equivalence ought to be matched, on the logic side, by 
a more expressive logic. We thus encounter extensions of basic modal logic to more 
expressive fragments of first-order logic, like those considered in sections 4.1 and 4.3. 

In terms of the bisimulation game (or the back-and-forth conditions) over Kripke 
structures with binary accessibility relations one can introduce a variety of additional 
moves, in order to capture the expressiveness of some natural extensions of basic modal 
logic, for instance: 


• unconstrained moves to arbitrary states (global bisimulation). This corresponds
to the addition of a universal modality (or ∀/∃ quantification) to basic ML, which
also allows for an explicit transition between global and local semantics (see, e.g.,
[54, 22]).

• backward moves along edges (two-way bisimulation). This corresponds to the
addition of past or inverse modalities to basic ML.

• counting moves, in which the number of available responses is controlled (counting
or locally bijective bisimulation). This corresponds to the extension of basic ML
by graded or counting modalities (see [21]).


(Also compare [88] for bisimulations for a hierarchy of description logic languages). 
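
The three refinements listed above can be tried out on small finite structures. The following Python sketch is an added example, not part of the handbook text: it decides bisimilarity of two pointed structures by partition refinement on their disjoint union, with optional backward, global and counting moves. The dictionary layout and the four sample structures are constructed for illustration.

```python
from collections import Counter

def refined_bisimilar(M, w, N, v, backward=False, global_moves=False, counting=False):
    """Decide whether (M, w) and (N, v) are bisimilar under the selected extra moves."""
    structures = (M, N)
    # Work in the disjoint union; a state is tagged with the index of its structure.
    states = [(k, s) for k, K in enumerate(structures) for s in K["states"]]
    succ = {s: [] for s in states}
    pred = {s: [] for s in states}
    for k, K in enumerate(structures):
        for (a, b) in K["edges"]:
            succ[(k, a)].append((k, b))
            pred[(k, b)].append((k, a))

    def number(sigs):
        # Replace signatures by small integers so they do not grow between rounds.
        ids = {}
        return {s: ids.setdefault(sigs[s], len(ids)) for s in states}

    def summary(targets, block):
        # Blocks a move can land in; with counting, also how many targets per block.
        counts = Counter(block[t] for t in targets)
        return frozenset(counts.items()) if counting else frozenset(counts)

    # Round 0: states are distinguished only by their atomic propositions.
    block = number({(k, s): frozenset(K["label"].get(s, ()))
                    for k, K in enumerate(structures) for s in K["states"]})
    while True:
        sigs = {}
        for s in states:
            sig = [block[s], summary(succ[s], block)]          # forward moves
            if backward:                                       # two-way bisimulation
                sig.append(summary(pred[s], block))
            if global_moves:                                   # global bisimulation
                sig.append(frozenset(block[t] for t in states if t[0] == s[0]))
            sigs[s] = tuple(sig)
        refined = number(sigs)
        if len(set(refined.values())) == len(set(block.values())):
            return refined[(0, w)] == refined[(1, v)]          # partition is stable
        block = refined

# Constructed sample structures: M is a single edge w -> a with p true at a.
M = {"states": ["w", "a"], "edges": {("w", "a")}, "label": {"a": {"p"}}}
# N_EXTRA adds an unreachable q-state: only global moves can see it.
N_EXTRA = {"states": ["w", "a", "z"], "edges": {("w", "a")},
           "label": {"a": {"p"}, "z": {"q"}}}
# N_BACK adds a second, q-labelled predecessor of a: only backward moves can see it.
N_BACK = {"states": ["w", "a", "b"], "edges": {("w", "a"), ("b", "a")},
          "label": {"a": {"p"}, "b": {"q"}}}
# N_TWIN duplicates the p-successor: only counting moves can see it.
N_TWIN = {"states": ["w", "a1", "a2"], "edges": {("w", "a1"), ("w", "a2")},
          "label": {"a1": {"p"}, "a2": {"p"}}}
```

Each of the three variants is ordinarily bisimilar to M at w, and each is separated from M by exactly one kind of additional move.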

In terms of further reaching variations that also involve the format of the underlying 
structures and game positions, we discussed in section 4.3 guarded bisimulations for 
arbitrary relational structures — corresponding to guarded rather than ordinary modal 
quantification and guarded fragments of first-order logic as important intermediaries 
between modal and first-order logics. 

As indicated, these variations typically correspond to natural extensions of ML. These 
correspondences manifest themselves in terms of 

(i) Ehrenfeucht–Fraïssé relationships: equivalence in the extended logic is characterised
by the existence of winning strategies for player II in the corresponding,
refined bisimulation games.

(ii) characterisation theorems in the style of Theorems 55 or 65 that characterise the 
respective logic as a fragment of first-order logic, in terms of invariance under the 
refined notion of bisimulation. 

For instance, the global bisimulation game gives player I the option to switch, for an
individual round, to moves in which both players are allowed to move the pebbles to
any element of the respective structure rather than just along accessibility edges. This
is the Ehrenfeucht–Fraïssé game for the extension ML[∀] of basic ML, in which a global
modality is available (corresponding to unrestricted universal first-order quantification
in the standard translations). Then II has a winning strategy for the n-round game on
(M, w) and (N, w′) iff (M, w) and (N, w′) satisfy exactly the same formulae in ML[∀] of
quantifier rank up to n. Also the classical proof pattern for the characterisation theorem
(compare the classical proof argument for Lemma 56) goes through. This uses compactness
and ω-saturated or modally saturated extensions and the analogue of Remark 40,
which is good also for this refined bisimulation game. So we have obtained the following.


PROPOSITION 68. A first-order formula φ(x) is invariant under global bisimulation
iff it is equivalent to a formula of ML[∀].


This proposition may serve as a representative for a whole family of similar characterisation
results for many other variants of basic modal logic. In fact, these game techniques
are not even restricted to the modal setting. Analogous Ehrenfeucht–Fraïssé and
characterisation theorems hold for instance also for the finite variable fragments FO^k
in relation to k-pebble game equivalence. Interestingly, as far as the characterisation
theorems are concerned, the picture becomes more varied when we shift attention to the 
finite model theory versions (cf. section 9, in particular Theorem 130). 


5.2 Extensions beyond first-order 


Extensions induced by variations of the underlying notion of bisimulation in the first 
instance all lead to modal logics of (pointed) Kripke structures that are still fragments of 
first-order logic. There is the orthogonal direction of extension that adds expressiveness 
through stronger constructors in the logic while still adhering to invariance under the 
given notion of bisimulation. These extensions address some of the expressive deficiencies 
inherent in first-order, in particular its restriction to essentially local properties (in the 
sense of Gaifman’s locality theorem). Major process logics, aimed at formalising dynamic 
properties of processes in terms of Kripke structures as transition systems, need to express 
fundamental properties — like reachability or well-foundedness — that are non-local and 
hence not expressible in FO. 

The process logics discussed below specifically aim for the formalisation of proper- 
ties of programs or processes, based on the modelling of states and state transitions in 
Kripke structures as transition systems: atomic propositions model atomic state proper- 
ties, and accessibility relations between states model atomic state transformers or atomic 
programs. This setting calls for logics of a fundamentally modal nature — especially since 
the intended processes are captured by transition systems only up to bisimulation equiv- 
alence. Bisimilar transition systems describe exactly the same processes in the sense that 
there is a complete correspondence of possible runs at the level of individual transitions 
and in terms of mutual step-wise simulation (bi-simulation). 

We fix a finite similarity type with modalities a corresponding to binary predicates
R_a (transition relations for atomic programs a) and a set of atomic propositions p
corresponding to unary predicates P interpreted as the set of states satisfying p. The
framework of basic modal logic ML provides modalities for the atomic programs a for
assertions about the possible results of single-step state transformations. Various
additional constructors have been proposed for the formalisation of dynamic, non-local
properties, involving for instance unbounded iterations of transitions. We illustrate the
examples of PDL, CTL* and L_μ. For one simple concrete example of a dynamic, non-local
property, we consider the following (at a state):


(χ) in any possible future state of the system, there will be
a reachable state in that state’s future where p holds.


Propositional dynamic logic


Propositional dynamic logic PDL [29] is based on a dual perspective involving both states 
and transitions as primary objects of its semantics. Correspondingly, PDL distinguishes 
two kinds of formulae, state formulae and program formulae. State formulae, like the 
familiar modal formulae are evaluated at the states of a transition system and thus define 
unary predicates on the universe; program formulae on the other hand are evaluated on 
pairs of states and define binary predicates on the state space, i.e., derived transition 
relations. Here we work with the following definition; for more on PDL see Chapter 12 
of this handbook. We use φ, ψ, ... for state formulae, π, ζ, ... for program formulae.


DEFINITION 69. State and program formulae of PDL are generated by mutual induction.

State formulae: the Boolean closure of atomic propositions p, and modal quantification
of the form ⟨π⟩φ and [π]φ for program formulae π and state formulae φ.

Program formulae: the closure of the atomic program formulae a and of all formulae φ?
(“test” operator on state formulae φ) under union (π ∪ ζ), composition (π; ζ) and star or
iteration, (π*).


The semantics of state formulae is the natural one based on the semantics of the
corresponding program formulae that define modalities π in terms of new transition
relations R_π. For those, the specific constructors are defined in relational terms: atomic
program formulae a refer to the given transition relations R_a; the union operator is
set union: R_{π∪ζ} = R_π ∪ R_ζ; composition is relational composition: R_{π;ζ} = R_π ∘ R_ζ =
{(u, w) | (u, v) ∈ R_π, (v, w) ∈ R_ζ for some v}; the star operation corresponds to the
reflexive transitive closure: R_{π*} = ⋃_{n≥0} (R_π)^n; finally, the test operator defines a loop
relation according to R_{φ?} = {(u, u) | M, u ⊨ φ}.


The PDL state formula ⟨π*⟩φ, for instance, expresses reachability on a π-path of a
state that satisfies φ. Note that this is not expressible in FO, even for atomic π and φ.
(χ) of the example above is expressible in PDL using π := ⋃_{a∈τ} a, as χ = [π*]⟨π*⟩p.
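
The relational semantics just given translates directly into an evaluator over finite transition systems. The following Python sketch is an added example, not part of the handbook text: formulae are encoded as nested tuples (an encoding chosen here), and the six-state system with atomic programs a and b is constructed for illustration.

```python
def compose(left, right):
    """Relational composition: (u, w) whenever u -left-> v -right-> w for some v."""
    return {(u, w) for (u, v) in left for (x, w) in right if v == x}

def rel(prog, M):
    """Transition relation defined by a PDL program formula over M."""
    kind = prog[0]
    if kind == "atom":                       # given relation of an atomic program
        return set(M["R"][prog[1]])
    if kind == "union":                      # set union
        return rel(prog[1], M) | rel(prog[2], M)
    if kind == "seq":                        # relational composition
        return compose(rel(prog[1], M), rel(prog[2], M))
    if kind == "star":                       # reflexive transitive closure
        step = rel(prog[1], M)
        closure = {(u, u) for u in M["W"]}   # the 0-fold iteration
        while True:
            bigger = closure | compose(closure, step)
            if bigger == closure:
                return closure
            closure = bigger
    if kind == "test":                       # loops at the states satisfying the test
        return {(u, u) for u in sat(prog[1], M)}
    raise ValueError(f"unknown program constructor {kind!r}")

def sat(phi, M):
    """Set of states of M at which the PDL state formula phi holds."""
    kind, W = phi[0], set(M["W"])
    if kind == "true":
        return W
    if kind == "prop":
        return {u for u in W if phi[1] in M["V"].get(u, ())}
    if kind == "not":
        return W - sat(phi[1], M)
    if kind == "and":
        return sat(phi[1], M) & sat(phi[2], M)
    if kind == "dia":                        # some program successor satisfies phi[2]
        target = sat(phi[2], M)
        return {u for (u, v) in rel(phi[1], M) if v in target}
    if kind == "box":                        # dual of the diamond
        return W - sat(("dia", phi[1], ("not", phi[2])), M)
    raise ValueError(f"unknown formula constructor {kind!r}")

# Constructed transition system: an a-cycle 0 -> 1 -> 2 -> 0 with a b-exit from 1
# into the sink 3, and a separate a-cycle 4 <-> 5; p holds at 2 and at 5.
M = {"W": set(range(6)),
     "R": {"a": {(0, 1), (1, 2), (2, 0), (4, 5), (5, 4)}, "b": {(1, 3), (3, 3)}},
     "V": {2: {"p"}, 5: {"p"}}}

P = ("prop", "p")
PI = ("union", ("atom", "a"), ("atom", "b"))          # union of all atomic programs
REACH_P = ("dia", ("star", PI), P)                    # some reachable state has p
CHI = ("box", ("star", PI), REACH_P)                  # the sample property of the text
# "while not p do a": iterate (not p)?; a and leave the loop through the test p?
WHILE = ("seq", ("star", ("seq", ("test", ("not", P)), ("atom", "a"))), ("test", P))
```

Here `sat(CHI, M)` is `{4, 5}`: states 0, 1 and 2 can still reach p, but they can also reach the sink 3, from which p is no longer reachable.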


We turn to bisimulation invariance. While the standard notion refers to state formulae, 
the constructors for PDL program formulae also respect bisimulation equivalence, in the 
sense of bisimulation safety (see section 3.8). 


LEMMA 70. For Kripke structures M, let M* denote the expansion with all the
accessibility relations defined by PDL program formulae. Then any bisimulation ρ: M ∼ N
is also a bisimulation between these expansions, ρ: M* ∼ N*.


Bisimulation invariance for state formulae is then straightforward. In fact it falls out
of the inductive proof of the claim of the lemma, which is best understood in terms
of the underlying games. Consider the operations of union, composition and star on
accessibility operations. For moves along R_{π∪ζ} = R_π ∪ R_ζ, the responses of II merely
need no longer respect π/ζ individually; moves along R_{π;ζ} can be responded to as if
they came as individual moves in two consecutive rounds; similarly, a move along an
R_{π*}-edge corresponds to a finite sequence of moves along R_π-edges, which is similarly
covered by II’s strategy. If, for some state formula φ, (u, u′) ∈ ρ implies that M, u ⊨ φ
iff N, u′ ⊨ φ, then it follows that play according to ρ guarantees that (stationary)
R_{φ?}-moves are available in M iff they are available in N.


COROLLARY 71. Any state formula of PDL is invariant under bisimulation.


Computation tree logic


For computation tree logic CTL*, the emphasis is on branching time temporal behaviour
rather than process algebra. It is customary to study CTL* over transition systems with
a single binary transition relation R (corresponding to a single unary modality ◇) which
moreover is required to have no terminal nodes, i.e., we assume M ⊨ ◇⊤.


The intuitive idea in CTL* is to associate the runs from a state u of a transition
system M with the tree structure M[u] (the unfolding or tree unravelling, as defined
in section 2.2). The infinite branches of the tree M[u] are the computation paths of M
at u. Besides state formulae, which define properties of states as usual, CTL* has path
formulae that define properties of such computation paths. Here a path at u is an infinite
R-path rooted at u in the usual graph theoretic sense; we write σ = u_0, u_1, ... for a path
at u = u_0.


DEFINITION 72. State and path formulae of CTL* are generated by mutual induction.
State formulae: Boolean closure of atomic propositions p and formulae Eγ and Aγ for
path formulae γ (existential and universal path quantification).

Path formulae: Boolean closure of all state formulae φ and formulae Next γ (temporal
“next” operator) and γ Until δ (temporal until operator) for path formulae γ, δ.


The semantics of atomic propositions (as state formulae) and of the Boolean connectives
is the natural one. We just highlight the specific constructors for state and path
formulae. The semantics of a state formula φ is given in terms of a state u ∈ M, the
semantics of path formulae γ, δ in terms of a path σ = u_0, u_1, ... in M, whose suffixes
we denote as in σ^j = u_j, u_{j+1}, ...:

M, u ⊨ Eγ iff there is a path σ at u such that M, σ ⊨ γ, similarly for the dual A.

M, σ ⊨ φ iff M, u_0 ⊨ φ.

M, σ ⊨ Next γ iff M, σ^1 ⊨ γ.

M, σ ⊨ γ Until δ iff for some j ≥ 0: M, σ^j ⊨ δ and for 0 ≤ i < j, M, σ^i ⊨ γ.

Reachability of a state satisfying φ, for instance, becomes expressible as E(⊤ Until φ).
The formula ⊤ Until φ is also abbreviated Fφ, “eventually φ”. Using this abbreviation,
our sample property (χ) is expressible as χ = ¬EF¬EF p.


PROPOSITION 73. Any state formula of CTL* is invariant under bisimulation. 


This is a straightforward consequence of the fact that any bisimulation ρ: M ∼ M′
preserves paths in the sense that for (u, u′) ∈ ρ, every path σ = u_0, u_1, ... at u_0 = u in
M has a bisimilar companion path σ′ = u′_0, u′_1, ... at u′_0 = u′ in M′, which is bisimilar
in the sense that (u_i, u′_i) ∈ ρ for all i.

Interestingly, CTL* admits a characterisation as the bisimulation invariant fragment 
of monadic path logic, that fragment of monadic second-order logic (over trees) in which 
second-order quantifiers range over paths. In the light of Theorem 76 below, this
characterisation also clarifies the relationship between CTL* and the much more expressive
modal μ-calculus. The following is due to [101] over arbitrary tree models and to [65]
over the binary tree. 


THEOREM 74. State formulae of CTL* precisely define those state properties that are
bisimulation invariant and definable in monadic path logic.


Modal μ-calculus


The modal μ-calculus L_μ is a particularly natural and powerful extension of basic modal
logic, which encompasses both PDL and CTL*. In many ways it may be regarded as
the extension of modal logic for the purposes of temporal reasoning about processes
and corresponding model checking applications. Its theory is well developed, ranging
from more classical model theoretic issues to computational and in particular automata
theoretic analysis; see Chapter 12 of this handbook for a thorough treatment. Here, we
only very selectively comment on some aspects of L_μ and essentially restrict ourselves to
its role as an extension of ML in our bisimulation-oriented perspective on modal model
theory.

L_μ is the canonical fixed point extension of basic modal logic. Least (and dually,
greatest) fixed points of monotone operators capture natural forms of recursion closely
related to inductive (and dually, co-inductive) definitions. In L_μ basic modal logic is
augmented by the means to define, as fixed points, the results of recursions based on
definable monotone operators.

Consider basic modal logic with free monadic second-order variables X, Y, ... (treated
like monadic predicate letters or variables for propositions). A formula ψ = ψ(X) is
positive in X if X only appears within the scope of an even number of negations in
ψ. Positivity in X ensures that, for each structure M that interprets all the remaining
variables, the following operation on the power set P(W) of the universe W of M is
monotone (in the sense that X ⊆ X′ implies ψ^M[X] ⊆ ψ^M[X′]):


ψ^M : P(W) → P(W)
X ↦ ψ^M[X] = {w ∈ W | M, X, w ⊨ ψ}.


This operation therefore has unique ⊆-minimal and ⊆-maximal fixed points, the least and
greatest fixed points of ψ(X), respectively.


DEFINITION 75. The syntax of L_μ is based on basic modal logic ML with free monadic
second-order variables, plus closure under the least and greatest fixed point constructors:
if ψ ∈ L_μ is positive in X, then μX.ψ and νX.ψ are also formulae of L_μ (in which X is
bound).

The semantics of formulae φ ∈ L_μ is inductively defined in terms of Kripke structures
M with interpretations for the free second-order variables; M, u ⊨ μX.ψ (respectively
νX.ψ) if u is in the least (respectively greatest) fixed point of the operator associated
with ψ over M.


The least fixed point μX.ψ(X) in M is also definable as the limit of stages X^α generated
by induction over the ordinal α, where X^0 = ∅, X^{α+1} = ψ^M[X^α] for successor steps,
and X^λ = ⋃_{α<λ} X^α for limits λ. By monotonicity, the sequence of the X^α is increasing.
Over each M it eventually must become constant for cardinality reasons. Then the least
fixed point of ψ^M is X^∞ = ⋃_α X^α = X^γ for the minimal γ such that X^{γ+1} = X^γ. (This
γ is the closure ordinal of the fixed point over M.)

The L_μ formula μX.ψ(X) for ψ(X) = φ ∨ ◇X, for instance, expresses reachability of
a state satisfying φ. The monotone operator ψ^M maps X ⊆ W to the union of φ^M with
◇(X). Stage X^n consists of those states from which a state satisfying φ is reachable on
an R-path of length less than n. The least fixed point is reached within ω stages over any
M, with X^∞ = X^ω being the set of states satisfying ⟨R*⟩φ. Similarly, well-foundedness
of the converse of R, i.e., non-existence of infinite R-paths from a state, is captured by
the least fixed point of the operator defined by the formula ψ(X) = □X.

Our sample property (χ) is expressible as χ = νY.(□Y ∧ μX.(p ∨ ◇X)).
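
Over a finite structure the stages of these inductions can be computed one by one. The following Python sketch is an added example, not part of the handbook text: it lists the stages of the reachability and well-foundedness fixed points and evaluates the sample property as a greatest fixed point. The six-state structure and all function names are constructed for illustration.

```python
def diamond(X, M):
    """States with at least one R-successor in X."""
    return {u for (u, v) in M["R"] if v in X}

def box(X, M):
    """States all of whose R-successors lie in X (terminal states included)."""
    return {u for u in M["W"] if all(v in X for (s, v) in M["R"] if s == u)}

def lfp_stages(op):
    """Stages X^0 = empty set, X^(n+1) = op(X^n), up to and including the fixed point."""
    stages = [set()]
    while op(stages[-1]) != stages[-1]:
        stages.append(op(stages[-1]))
    return stages

def gfp(op, universe):
    """Greatest fixed point of a monotone operator, iterated downwards from the universe."""
    X = set(universe)
    while op(X) != X:
        X = op(X)
    return X

def reachability_stages(M, target):
    """Stages of the least fixed point of X -> target ∪ diamond(X)."""
    return lfp_stages(lambda X: set(target) | diamond(X, M))

def well_founded(M):
    """Least fixed point of X -> box(X): states without an infinite R-path."""
    return lfp_stages(lambda X: box(X, M))[-1]

def sample_property(M, target):
    """Greatest fixed point of Y -> box(Y) ∩ (states from which target is reachable)."""
    reach = reachability_stages(M, target)[-1]
    return gfp(lambda Y: box(Y, M) & reach, M["W"])

# Constructed structure: a chain 0 -> 1 -> 2 -> 3 with p at 3, a self-loop at 4,
# and a state 5 that can enter either the chain (5 -> 0) or the loop (5 -> 4).
M = {"W": set(range(6)),
     "R": {(0, 1), (1, 2), (2, 3), (4, 4), (5, 4), (5, 0)}}
P = {3}
```

On this structure the reachability induction closes at stage 5, and state 5 satisfies the reachability formula but not the sample property, because it can move to the loop at 4.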

Least and greatest fixed points as provided in L_μ admit straightforward explicit
definitions in monadic second-order logic MSO, and L_μ may be regarded as a fragment of MSO
via a corresponding translation. The following theorem of Janin and Walukiewicz [77]
characterises L_μ as the bisimulation invariant fragment of MSO. This is entirely similar
in spirit to Theorem 55 for basic modal logic at the first-order level. Covering a far more
expressive setting, its proof is also entirely different and based on a sophisticated use of
tree automata that recognise corresponding classes of tree models.


THEOREM 76 (Janin–Walukiewicz). For any MSO formula φ = φ(x) the following are
equivalent:


(i) φ is bisimulation invariant.


(ii) φ is logically equivalent to a formula of L_μ.


We note that, in a similar modal spirit, fixed point extensions have been explored
under variations of the underlying notion of bisimulation. In particular, the so-called full
μ-calculus with inverse modalities, as related to two-way bisimulation, is studied in [136];
guarded fixed point logic GF_μ [62], is the natural extension of the guarded fragment GF
by fixed points. For the latter, an analogue of the above characterisation theorem has
also been obtained, with a stronger fragment of second-order logic, guarded second-order
logic, in place of MSO, [58].


Infinitary modal logics 


We encountered ML_∞, the extension of basic modal logic ML by conjunctions and
disjunctions over arbitrary sets of formulae, in section 3.4. Theorem 41 characterises
bisimulation equivalence as equivalence in ML_∞. The restriction to set-size (rather than
class-size) disjunctions (or unions) is crucial. Remarkably, L_μ (and CTL*) cannot be
embedded into ML_∞: the well-foundedness property expressed by μX.□X ∈ L_μ, for
instance, is not globally definable in ML_∞ (see Observation 42). In fact, L_μ (or CTL*)
and ML_∞ are incomparable in expressive power.

On the other hand, the individual stages in the generation of any modal least or
greatest fixed point are globally definable in ML_∞. In the example of μX.□X, the
stages X^α are definable by formulae φ_α ∈ ML_∞ according to φ_0 = ⊥, φ_{α+1} = □φ_α and
φ_λ = ⋁_{α<λ} φ_α. The reason that the fixed point X^∞ is not ML_∞ definable is that there is
no bound on the closure ordinal of this induction. For many natural (restricted) settings,
however, ML_∞ is a maximal bisimulation-invariant logic. For the following compare the
remark on characteristic formulae below Theorem 41.


OBSERVATION 77. Over any class of structures that intersects only set-many bisimulation
equivalence classes, every bisimulation closed state property is definable in ML_∞.


Several extended logics, including PDL as an important fragment of L_μ, also admit
direct translations into ML_∞, though. For PDL this is a consequence of the fact that
the closure ordinal of the fixed points needed to capture PDL constructs is uniformly
bounded by ω. In fact, PDL therefore embeds into that fragment of ML_∞ in which
disjunctions and conjunctions over countable, rather than arbitrary, sets of formulae are
admitted, ML_ω₁ ⊆ ML_∞. The PDL reachability assertion ⟨a*⟩φ, for instance, globally
translates into ⋁_{n∈ω} ⟨a⟩^n φ, where ⟨a⟩^n is the n-fold iteration of the diamond operator.

ML_ω₁ may be studied as a fragment of the corresponding infinitary extension of first-order
logic, L_ω₁ω, which itself has a well developed classical model theory [83]. Similar
to L_ω₁ω, ML_ω₁ also admits a complete proof system (including infinitary rules) and even
satisfies (Craig and Lyndon type) interpolation theorems. Characterisation, completeness,
and preservation theorems for ML_ω₁ and some of its fragments have been obtained
along such lines by Radev [110] and Sturm [119, 120].


5.3 Model theoretic criteria


We briefly discuss three particularly relevant model theoretic properties in the light of 
some of the variations and extensions mentioned above. These may serve as examples that 
among others could contribute to a framework for a more comprehensive comparative 
model theory of modal logics. 


Finite model property (FMP). As noted in section 3.3, the basic modal logic itself has
the finite model property, as do many of its variations and extensions. The variations
of ML discussed in section 5.1 above, by inverse and global modalities, as well as the
guarded fragment GF, have the FMP. For the extensions beyond FO the finite model
property for L_μ, due to Streett and Emerson [118], implies FMP for all of its sub-logics,
like CTL* and PDL.¹¹ The full μ-calculus, L_μ with inverse modalities, on the other
hand lacks the FMP [136]. The following counterexample illustrates this. The formula
νX.(⟨R⟩X ∧ μY.[R⁻¹]Y) requires an infinite (forward) R-path along which every node
is well-founded w.r.t. R (does not admit an infinite backward R-path). This implies that
the infinite path cannot fold back onto itself; the formula therefore only admits infinite
models.
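
The counterexample can be checked exhaustively on small finite structures. The following Python sketch is an added example, not part of the handbook text: it evaluates νX.(⟨R⟩X ∧ μY.[R⁻¹]Y) by fixed point iteration on every directed graph with at most three nodes, and also records how the greatest fixed point approximants drain on a finite initial segment of the intended infinite path. Function names and the size bound are choices made here.

```python
from itertools import product

def backward_well_founded(W, R):
    """Least fixed point of Y -> [R^-1]Y: states without an infinite backward R-path."""
    Y = set()
    while True:
        nxt = {u for u in W if all(s in Y for (s, t) in R if t == u)}
        if nxt == Y:
            return Y
        Y = nxt

def nu_stages(W, R):
    """Decreasing approximants of the outer greatest fixed point, starting from W."""
    wf = backward_well_founded(W, R)
    stages = [set(W)]
    while True:
        # Keep the states that are backward well-founded and have a successor in X.
        nxt = {u for (u, v) in R if v in stages[-1]} & wf
        if nxt == stages[-1]:
            return stages
        stages.append(nxt)

def witnesses(W, R):
    """States of the finite structure (W, R) that satisfy the formula."""
    return nu_stages(W, R)[-1]

def finite_models_up_to(n):
    """All (size, R) with at most n states in which some state satisfies the formula."""
    found = []
    for size in range(1, n + 1):
        W = range(size)
        pairs = list(product(W, W))
        for bits in product((0, 1), repeat=len(pairs)):
            R = {pair for pair, bit in zip(pairs, bits) if bit}
            if witnesses(W, R):
                found.append((size, R))
    return found

def chain(n):
    """Initial segment 0 -> 1 -> ... -> n-1 of the infinite forward path."""
    return range(n), {(i, i + 1) for i in range(n - 1)}
```

`finite_models_up_to(3)` returns an empty list: a non-empty greatest fixed point on a finite graph would have to contain a cycle, and no state on a cycle is backward well-founded.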


Tree model property. Recall that a logic has the tree model property if every satisfiable 
formula is satisfied in a tree model. Basic modal logic has the (finite) tree model property 
(cf. Lemma 35). In fact any bisimulation invariant logic has the tree model property, 
based on the existence of bisimilar tree unfoldings (cf. section 2.2). In this sense the 
tree model property, more than the finite model property, is a hallmark of modal model 
theory. Moreover, many important variations, even though no longer invariant under 
ordinary bisimulations, still retain (variant) tree model properties. This phenomenon 
carries particularly far in the case of GF (see Theorem 66, which also generalises to any 
guarded bisimulation invariant logic). 


Decidability. Decidability and complexity of the satisfiability problem provide one
measure for the comparison of the variations and extensions discussed above. Basic
modal logic may be seen to be decidable for a number of distinct reasons, as it were.
Firstly, as FO is recursively enumerable for validity, ML is decidable as a fragment of
FO that is recursively enumerable for satisfiability due to its finite model property. More
specifically, however, the finite (tree) model property for basic modal logic (cf. Lemma 35)
may be strengthened by effective bounds on depth and branching degree of the candidate
tree models — indeed, a Pspace (or alternating Ptime) procedure for satisfiability can be
extracted (cf. Chapter 3 of this handbook). Alternatively, decidability of ML may be
attributed to just its tree model property and the fact that its tree models are recognised
by tree automata, for which emptiness is decidable (cf. Chapters 3 and 17). In view
of the extensions that go beyond FO this second line of reasoning carries much further.
Extensions that are ‘modal’ in the sense of being bisimulation invariant share the tree
model property. Allowing for the appropriate variations of bisimulation, this approach
covers not only L_μ but even the full μ-calculus [136] or the fixed point extension of
the guarded fragment [62], which fail to have the FMP. See [57, 135] in this connection
for a discussion of the robustness of decidability of modal logics, with a focus on tree
models and the accompanying automata theoretic techniques; also see Chapter 17 of this
handbook. A comparison between FO² and ML in relation to their extensions by natural
constructs (e.g., counting, path quantification, transitive closures, fixed points) has also
highlighted the special status of modal logic in regard to decidability of such extensions:
even comparatively weak extensions of FO² along these lines are highly undecidable [61].


11 The finite model property of many variations and extensions of modal logic, such as PDL and CTL,
can be obtained by filtration, see [46]. However, this method does not work for some of the more complex
systems such as CTL* and L_μ, where tableau-like and automata-based methods are applied instead.


6 FURTHER MODEL-THEORETIC CONSTRUCTIONS 


One of the traditional directions of development for model theory of a given logic is to 
identify a sufficiently rich collection of constructions on models, preserving truth in the 
logic, so that the fundamental concepts of logical definability and logical equivalence can 
be characterised in terms of these constructions. 

In section 2 we introduced the basic model-theoretic notions of generated substruc- 
tures, bounded morphisms and disjoint unions of Kripke structures and frames, and 
established corresponding preservation results. These constructions, however, are not 
sufficient for a complete description of the modal definability of properties or modal 
equivalence of structures. In this section we introduce and study two more advanced 
constructions: ultrafilter extensions and ultraproducts. The former, stemming from the 
Jónsson–Tarski representation theorem for Boolean algebras with operators in [78], was
introduced in modal logic by Goldblatt [43, 44] and used for model-theoretic characteri- 
sations of modal definability in [51, 126, 28]. See also section 8. The latter comes from 
first-order logic, as the most characteristic construction preserving first-order validity 
(see [12]). Since modal logic on Kripke structures is a fragment of first-order logic, it 
is a natural truth-preserving construction here, too, and features in the model-theoretic 
characterisations of modal definability in Kripke structures in section 6.4. Later in this 
section we indicate how ultrafilter extensions and ultraproducts are linked with each 
other, and how they relate modal equivalence between Kripke structures with bisimula- 
tions, through the notion of saturation. 


6.1 Ultrafilter extensions 


Let F = (W, {R_a}_{a∈τ}) be a τ-frame and let U(W) be the set of all ultrafilters over W.
For every w ∈ W, u[w] = {X ⊆ W | w ∈ X} is the principal ultrafilter generated by w.
Further, for every X ⊆ W we define u(X) := {u ∈ U(W) | X ∈ u}.

For each a ∈ τ we define a binary relation R_a^ue on U(W) as follows. For u, w ∈ U(W):


u R_a^ue w iff ⟨R_a⟩(X) ∈ u for every X ∈ w.


In particular, note that for every a ∈ τ, and x, y ∈ W, x R_a y iff u[x] R_a^ue u[y].

DEFINITION 78. Given a τ-frame F = (W, {R_a}_{a∈τ}):
(i) The ultrafilter extension of F is the τ-frame ue(F) := (U(W), {R_a^ue}_{a∈τ}).
(ii) For every Kripke τ-structure M = (F, V), the ultrafilter extension of M is the
Kripke τ-structure ue(M) := (ue(F), V^ue) where V^ue(p) = u(V(p)) for each p ∈ Φ.


Thus, the subframe of ue(F) consisting of the principal ultrafilters on F is isomorphic
to F but in general, it is not a generated subframe of ue(F) (see [5, Example 2.58]).
However, every finite frame is isomorphic to its ultrafilter extension. For a proof, see 
e.g. [5, Proposition 2.59]. 
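
For a finite frame the construction can be carried out by brute force. The following Python sketch is an added example, not part of the handbook text: it enumerates all ultrafilters over a three-element universe straight from the definition, builds the relation of the ultrafilter extension for a single accessibility relation R, and compares the result with the original frame. The frame and the function names are constructed for illustration.

```python
from itertools import combinations

def powerset(W):
    """All subsets of W as frozensets."""
    items = list(W)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def is_ultrafilter(u, W, subsets):
    """u is a proper filter over W that decides every subset of W."""
    return (W in u and frozenset() not in u
            and all((X & Y) in u for X in u for Y in u)                  # intersections
            and all(Y in u for X in u for Y in subsets if X <= Y)        # supersets
            and all((X in u) != ((W - X) in u) for X in subsets))        # X or complement

def ultrafilters(W):
    """Every ultrafilter over the finite set W, found by testing all families of subsets."""
    W = frozenset(W)
    subsets = powerset(W)
    found = []
    for r in range(len(subsets) + 1):
        for family in combinations(subsets, r):
            u = frozenset(family)
            if is_ultrafilter(u, W, subsets):
                found.append(u)
    return found

def principal(w, W):
    """The principal ultrafilter generated by w: all subsets of W containing w."""
    return frozenset(X for X in powerset(W) if w in X)

def diamond(R, X, W):
    """States with an R-successor in X."""
    return frozenset(u for u in W if any((u, v) in R for v in X))

def ue_relation(W, R):
    """Pairs (u, w) of ultrafilters with diamond(R, X, W) in u for every X in w."""
    U = ultrafilters(W)
    return {(u, w) for u in U for w in U if all(diamond(R, X, W) in u for X in w)}

# Constructed finite frame: 0 -> 1 -> 2 with a reflexive loop at 2.
W = {0, 1, 2}
R = {(0, 1), (1, 2), (2, 2)}
```

All three ultrafilters found are principal, and `ue_relation(W, R)` relates the principal ultrafilters of x and y exactly when x R y, so the map sending w to its principal ultrafilter is an isomorphism for this frame.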

Here are two concrete examples of ultrafilter extensions from [129]; also compare [129] 
for a detailed study of ultrafilter extensions and their use in characterising modal defin- 
ability in some special classes of frames. 


• ue((Z, <)), where (Z, <) is the linearly ordered set of integers, comprises an
isomorphic copy of (Z, <) represented by the principal ultrafilters, and two infinite
clusters of free ultrafilters, one consisting of elements less than all ‘standard’
integers, and the other of elements greater than all ‘standard’ integers. All ultrafilters
in each cluster are <^ue-related.

• ue((Q, <)), where (Q, <) is the linearly ordered set of rationals, looks similar. It
consists of a copy of the rationals, with infinite clusters on each end, but, since
every real number can be approximated from either side by a sequence of rationals,
it also has for every real number a pair of ‘infinitesimally’ close clusters, one on
either side.


LEMMA 79. For every Kripke τ-structure M = (F, V) and any formula φ of ML(τ):
V^ue(φ) = u(V(φ)), i.e., ue(M), u ⊨ φ iff V(φ) ∈ u.

This lemma shows that the notion of ultrafilter extension is canonical: a state, being 
an ultrafilter, contains precisely the valuations of those formulae which are true at that 
state. 


COROLLARY 80. For every Kripke τ-structure M = (F, V), w ∈ dom(F), and any
formula φ of ML(τ):
(i) M, w ⊨ φ iff ue(M), u[w] ⊨ φ.
(ii) If ue(M) ⊨ φ, then M ⊨ φ.
(iii) If ue(F), u[w] ⊨ φ, then F, w ⊨ φ.
(iv) If ue(F) ⊨ φ, then F ⊨ φ.


We say that a class of τ-frames C reflects ultrafilter extensions if a τ-frame F belongs
to C whenever ue(F) ∈ C. Thus, FR(Γ) reflects ultrafilter extensions for every set of
modal formulae Γ.

That the converses of the latter 3 claims above do not hold can be seen from the follow- 
ing example. The modal formulae preserved in ultrafilter extensions will be characterised 
in Proposition 114. 

EXAMPLE 81. By Proposition 114, the Gödel–Löb formula: □(□p → p) → □p is not
preserved in ultrafilter extensions because it is not canonical (see [75]).

Non-reflection of ultrafilter extensions can be used to prove modal non-definability in
frames in cases where the other truth preserving constructions introduced earlier may not
work. Going back to the example at the end of section 2.3: the sentence δ = ∀x∃y(xRy ∧
yRy) is not captured by frame validity of any ML formula, despite being preserved under
generated subframes, surjective bounded morphisms and disjoint unions, because it does
not reflect ultrafilter extensions. Indeed, (N, <) ⊭_FO δ while ue((N, <)) ⊨_FO δ because
every free ultrafilter is a maximal element with respect to the quasi-order <^ue (see [128]
or [5, Example 2.58] for details).


6.2 Ultraproducts 


The constructions of direct products and ultraproducts of first-order structures can be
applied to frames, considered as $\mathrm{FO}(\tau)$-structures, and to Kripke structures, considered
as $\mathrm{FO}(\tau_\Phi)$-structures.

DEFINITION 82. Let $\{W^i\}_{i \in I}$ be a family of sets indexed by a set $I$.
(i) The direct product of $\{W^i\}_{i \in I}$ is the set
$\prod_{i \in I} W^i = \{ g : I \to \bigcup_{i \in I} W^i \mid g(i) \in W^i \text{ for all } i \in I \}$.

(ii) For any ultrafilter $U$ on $I$, the ultraproduct of $\{W^i\}_{i \in I}$ over $U$, $\prod^U_{i \in I} W^i$, is
the quotient of $\prod_{i \in I} W^i$ w.r.t. the equivalence relation $\sim_U$ defined by $g \sim_U g'$ iff
$\{ i \in I \mid g(i) = g'(i) \} \in U$. We write $g^U$ for the $\sim_U$ equivalence class of $g$.

(iii) For any family $\{X^i \subseteq W^i\}_{i \in I}$,
$\prod^U_{i \in I} X^i = \{ g^U \in \prod^U_{i \in I} W^i \mid \{ i \in I \mid g(i) \in X^i \} \in U \}$.


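DEFINITION 83. Let $\{\mathfrak{F}^i = (W^i, \{R^i_\alpha\}_{\alpha \in \tau})\}_{i \in I}$ be a family of $\tau$-frames indexed by a
set $I$, and $\{\mathfrak{M}^i = (\mathfrak{F}^i, V^i)\}_{i \in I}$ be a family of Kripke $\tau$-structures over these frames.
(i) The direct product of $\{\mathfrak{F}^i\}_{i \in I}$ is the $\tau$-frame $\prod_{i \in I} \mathfrak{F}^i := (\prod_{i \in I} W^i, \{R_\alpha\}_{\alpha \in \tau})$,
where for $\alpha \in \tau$: $g_0 R_\alpha g_1$ iff $g_0(i) R^i_\alpha g_1(i)$ for every $i \in I$.
(ii) The direct product of $\{\mathfrak{M}^i\}_{i \in I}$ is the Kripke $\tau$-structure $\prod_{i \in I} \mathfrak{M}^i := (\prod_{i \in I} \mathfrak{F}^i, V)$,
where $V(p) := \prod_{i \in I} V^i(p)$ for each $p \in \Phi$.
If, further, $U$ is an ultrafilter on $I$:
(iii) The ultraproduct of $\{\mathfrak{F}^i\}_{i \in I}$ over $U$ is the $\tau$-frame $\prod^U_{i \in I} \mathfrak{F}^i := (\prod^U_{i \in I} W^i, \{R^U_\alpha\}_{\alpha \in \tau})$,
where for $\alpha \in \tau$: $g_0^U R^U_\alpha g_1^U$ iff $\{ i \in I \mid g_0(i) R^i_\alpha g_1(i) \} \in U$.
(iv) The ultraproduct of $\{\mathfrak{M}^i\}_{i \in I}$ over $U$ is the Kripke $\tau$-structure
$\prod^U_{i \in I} \mathfrak{M}^i := (\prod^U_{i \in I} \mathfrak{F}^i, V^U)$ such that for each $p \in \Phi$, $V^U(p) := \prod^U_{i \in I} V^i(p)$.
If $\mathfrak{F}^i = \mathfrak{F}$ for every $i \in I$, the ultraproduct is called an ultrapower of $\mathfrak{F}$, denoted $\prod^U \mathfrak{F}$;
similarly for Kripke structures, where the ultrapower is denoted $\prod^U \mathfrak{M}$.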

By the fundamental theorem of Łoś (see, e.g., [12, 68]), every first-order definable
property holds in an ultraproduct iff it holds in a ‘large’ (i.e., in the ultrafilter) set of
component structures. Moreover, every $\Sigma^1_1$-definable property is preserved by ultraproducts
[12, Corollary 4.1.14]. Therefore, validity of modal formulae in (pointed) frames,
being a $\Pi^1_1$-definable property in terms of the standard translation, is reflected (i.e., its
negation is preserved) by ultraproducts. Using these, we obtain the following preservation
results.
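
PROPOSITION 84. For every family of Kripke $\tau$-structures $\{\mathfrak{M}^i = (\mathfrak{F}^i, V^i)\}_{i \in I}$, ultrafilter
$U$ on $I$, $g^U \in \prod^U_{i \in I} \mathfrak{F}^i$, and formula $\varphi$ of $\mathrm{ML}(\tau)$:
(i) $\prod^U_{i \in I} \mathfrak{M}^i, g^U \models \varphi$ iff $\{ j \in I \mid \mathfrak{M}^j, g(j) \models \varphi \} \in U$.
(ii) $\prod^U_{i \in I} \mathfrak{M}^i \models \varphi$ iff $\{ j \in I \mid \mathfrak{M}^j \models \varphi \} \in U$.
(iii) If $\prod^U_{i \in I} \mathfrak{F}^i, g^U \models \varphi$, then $\{ j \in I \mid \mathfrak{F}^j, g(j) \models \varphi \} \in U$.
(iv) If $\prod^U_{i \in I} \mathfrak{F}^i \models \varphi$, then $\{ j \in I \mid \mathfrak{F}^j \models \varphi \} \in U$.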


Since, however, not every valuation in an ultraproduct of frames can be obtained as 
an ultraproduct of valuations in the components, the converse of the latter two claims 
above does not hold. 

The following observation due to Goldblatt [44, 47] blends first-order and modal con- 
structions. 


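PROPOSITION 85. For any family $\{\mathfrak{F}^i\}_{i \in I}$ of $\tau$-frames and any ultrafilter $U$ on $I$,
$\prod^U_{i \in I} \mathfrak{F}^i$ is embeddable as a generated subframe into $\prod^U (\biguplus_{i \in I} \mathfrak{F}^i)$.


The embedding is defined canonically as $g^U \mapsto g_+^U$, where $g_+(i) := (g(i), i)$ for each
$i \in I$. Furthermore, as shown in [129], any ultraproduct of frames $\prod^U_{i \in I} \mathfrak{F}^i$ is embeddable
as a subframe of $\mathrm{ue}(\biguplus_{i \in I} \mathfrak{F}^i)$.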


6.3 Modal saturation and bisimulations


A class of (pointed) Kripke structures $C$ is said to have the Hennessy-Milner property if
modal equivalence between structures in $C$ implies (and hence is equivalent to) bisimulation
equivalence. For instance, as noted in Theorem 38, the class of all finite structures
has the Hennessy-Milner property. Compare Definition 39 for first-order types and
$\omega$-saturation. The following weaker notion of saturation is more specific to modal logic.


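DEFINITION 86. A Kripke $\tau$-structure $\mathfrak{M} = (W, \{R_\alpha\}_{\alpha \in \tau}, V)$ is modally saturated at a
state $w \in W$ if for every $\alpha \in \tau$ and set of modal formulae $\Gamma$, the following saturation
condition holds:

if $\mathfrak{M}, w \models \langle\alpha\rangle \bigwedge \Gamma_0$ for all finite $\Gamma_0 \subseteq \Gamma$, then there is some $u \in W$ such that $w R_\alpha u$ and
$\mathfrak{M}, u \models \Gamma$.

$\mathfrak{M}$ is modally saturated if it is modally saturated at each of its states.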


It is clear from Definition 39 that $\omega$-saturated Kripke structures are modally saturated.


PROPOSITION 87. The class of modally saturated Kripke structures has the Hennessy- 
Milner property. 


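Proof. If $\mathfrak{M}$ and $\mathfrak{M}'$ are modally saturated, then
$\rho := \{ (w, w') \in W \times W' \mid (\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w') \}$ is a bisimulation between $\mathfrak{M}$ and $\mathfrak{M}'$.
Atom equivalence is obvious. Consider for instance the forth condition. Let
$(\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w')$ and let $(w, u) \in R_\alpha$. Put $\Gamma := \mathrm{Th}_{\mathrm{ML}}(\mathfrak{M}, u)$. For finite
$\Gamma_0 \subseteq \Gamma$, $\mathfrak{M}, w \models \langle\alpha\rangle \bigwedge \Gamma_0$ and hence also $\mathfrak{M}', w' \models \langle\alpha\rangle \bigwedge \Gamma_0$.
By modal saturation of $\mathfrak{M}'$ at $w'$ therefore, there is some $u'$ such that $(w', u') \in R'_\alpha$ and
$\mathfrak{M}', u' \models \Gamma$. But this means that $(\mathfrak{M}, u) \equiv_{\mathrm{ML}} (\mathfrak{M}', u')$, and $u'$ is as desired for the forth
requirement. ∎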


COROLLARY 88. The class of $\omega$-saturated Kripke structures has the Hennessy-Milner
property.

It is well-known from classical model theory [12, Corollary 4.3.14] that the ultrapower
of any (pointed) Kripke structure w.r.t. a regular ultrafilter is an $\omega$-saturated elementary
extension of that structure. Furthermore, two (pointed) Kripke structures are modally
equivalent iff any pair of their $\omega$-saturated ultrapowers are modally equivalent, and hence,
by Corollary 88, bisimilar. Thus, we obtain the following characterisation of modal
equivalence between Kripke structures from [20], as a corollary of the above.


THEOREM 89. Two (pointed) Kripke structures are modally equivalent iff any pair of
their $\omega$-saturated ultrapowers are bisimilar.


A parallel with first-order logic can be drawn here if we think of bisimulations as 
the modal analogue of partial isomorphisms between Kripke structures, and note that 
elementary equivalence on $\omega$-saturated structures coincides with partial isomorphism
between them (see [108, 68, 23]). Then Theorem 91 below completes the match. Before 
getting there, we need the following result, due to van Benthem [126], building on a 
construction of Fine [28]. 


THEOREM 90. For every Kripke $\tau$-structure $\mathfrak{M}$, $\mathrm{ue}(\mathfrak{M})$ is a bounded morphic image of
an $\omega$-saturated ultrapower of $\mathfrak{M}$.


Proof. Let $\mathfrak{M} = (\mathfrak{F}, V)$ where $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha \in \tau})$.

The structure $\mathfrak{F}^* = (W, \{R_\alpha\}_{\alpha \in \tau}, \{X \mid X \subseteq W\})$ has in particular every $V(\varphi)$ as a
distinguished predicate. Take an $\omega$-saturated ultrapower $\prod^U \mathfrak{F}^*$ and for each
$f^U \in \prod^U W$ define $v(f^U) = \{ X \subseteq W \mid f^U \in \prod^U X \}$. It is immediate to check that
$v(f^U) \in U(W)$. Considering $v$ as a mapping from $\prod^U \mathfrak{M}$ onto $\mathrm{ue}(\mathfrak{M})$ one can show that
it is a bounded morphism. The most difficult step (proved in [126] for the case of one
unary modality, see also the proof of [5, Proposition 2.61]) is to prove the back condition,
which uses the saturation of $\prod^U \mathfrak{F}^*$. ∎


Using this theorem we can now obtain a strengthening of the model-theoretic char- 
acterisation of modal equivalence, first proved by Hollenberg [71]. See also [138] and [5, 
Theorem 2.62]. 


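THEOREM 91. For any pointed Kripke structures $(\mathfrak{M}, w)$ and $(\mathfrak{M}', w')$,


$(\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w')$ iff $(\mathrm{ue}(\mathfrak{M}), u[w]) \mathrel{\underline{\leftrightarrow}} (\mathrm{ue}(\mathfrak{M}'), u[w'])$.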


Proof. The direction from right to left is immediate from Lemma 79 and bisimulation
invariance, Theorem 14. For the converse direction, suppose $(\mathfrak{M}, w) \equiv_{\mathrm{ML}} (\mathfrak{M}', w')$. Then,
by Theorem 89, $(\prod^U \mathfrak{M}, g_w^U) \mathrel{\underline{\leftrightarrow}} (\prod^U \mathfrak{M}', g_{w'}^U)$ for the $\omega$-saturated ultrapowers defined in
the proof above, where $g_w(i) = w$ for each $i \in I$, and likewise for $g_{w'}$. Note that $v(g_w^U) = u[w]$
and $v(g_{w'}^U) = u[w']$. Composing this bisimulation with the surjective bounded
morphisms $v : (\prod^U \mathfrak{M}, g_w^U) \to (\mathrm{ue}(\mathfrak{M}), u[w])$ and $v' : (\prod^U \mathfrak{M}', g_{w'}^U) \to (\mathrm{ue}(\mathfrak{M}'), u[w'])$,
we obtain a bisimulation between the ultrafilter extensions. ∎


The following observation is immediate from the definitions. 


LEMMA 92. Bisimulations preserve modal saturation at a state: if $(\mathfrak{M}, w) \mathrel{\underline{\leftrightarrow}} (\mathfrak{M}', w')$,
then $\mathfrak{M}$ is modally saturated at $w$ iff $\mathfrak{M}'$ is modally saturated at $w'$. Consequently, global
bisimulations preserve modal saturation of models.


From this lemma and Theorem 90, since surjective bounded morphisms are global
bisimulations, we obtain the following result from [48] (see also [5, Proposition 2.61]).

COROLLARY 93. The ultrafilter extension of every Kripke structure is modally saturated.


As Venema argues quite aptly in [138], this result along with Theorem 91 indicates 
that, for modal logics, ultrafilter extensions can play the role that ultrapowers play in 
first-order logic for the construction of saturated extensions of structures. 


6.4 Modal definability of properties of Kripke structures 


Kripke structures serve to give model theoretic semantics to modal logic. Conversely, 
focusing on Kripke structures in their own right, we regard modal logic as a language for 
defining classes of Kripke structures. We may ask the natural model-theoretic questions 
from this angle, like, for instance: what classes/properties of (pointed) Kripke structures 
are definable by (sets of) modal formulae? A definitive answer to that question was 
given in the case of elementary properties of pointed Kripke structures defined by single 
modal formulae, by Theorem 55. Here we address the general question by using classical 
model-theoretic tools and the constructions introduced earlier in this section. 

Since modal formulae express first-order conditions on (pointed) Kripke structures, 
these are special cases of first-order definable (by a single first-order sentence), respec- 
tively elementary (definable by any set of first-order sentences) classes and properties. 
Keisler’s theorem [12, Theorem 4.1.12] characterising elementary and first-order defin- 
able classes is therefore relevant here: a class of first-order structures is elementary iff 
it is closed under elementary equivalence and ultraproducts; it is first-order definable iff 
both the class and its complement are elementary. Since modal formulae cover only a 
fragment of the first-order language $\mathrm{FO}(\tau_\Phi)$, these results give necessary but not
sufficient conditions for modal definability of classes of (pointed) Kripke structures. But
‘elementary equivalence’ for modal logic is modal equivalence. Would that adjustment 
of Keisler’s theorem suffice to guarantee modal definability? The answer is ‘yes’ in both 
cases. The following is from [22]. 


THEOREM 94. A class K of (pointed) Kripke structures is definable by a set of modal 
formulae iff it is closed under modal equivalence and ultraproducts; K is definable by 
a single modal formula iff both K and its complement are definable by a set of modal 
formulae. 


Proof. These can be proved by adapting the proof of Keisler’s theorem. Alternatively, 
we may invoke a corollary of the Keisler-Shelah theorem (cf. Corollary 6.1.16 and Theo- 
rem 6.1.15 in [12]) which states that a class of first-order structures is elementary iff it is 
closed under isomorphism and ultraproducts while its complement is closed under ultra- 
powers. The latter condition here follows from closure under modal equivalence. Once 
K has been shown to be elementary, a general argument can be applied that works not 
only for modal formulae but for any other natural fragment A of first-order logic (see [12, 
Lemma 3.2.1]): if $A \subseteq \mathrm{FO}$ is closed under negation and disjunction, then an elementary
class is axiomatisable with formulae from A iff it is closed under A-equivalence. 

For definability by a single formula, one may use compactness for ML just as for FO
to show that whenever both the given class and its complement are definable by a set of
formulae, then the class (and its complement) are definable by a single formula. Alternatively,
one may first establish first-order definability of K, and then use Theorem 55 and
bisimulation invariance to see that the defining formula must be equivalent to a modal
formula. ∎


Note that, as an immediate consequence of (the classical proof of) Theorem 55, an 
elementary class of (pointed) Kripke structures is closed under modal equivalence iff it 
is closed under bisimulations. Therefore, we can strengthen somewhat the results above, 
by replacing closure under modal equivalence by bisimulation closure, but at the expense 
of demanding closure of the complement under ultrapowers. See [22] and [5, Theorems 
2.75, 2.76] for the following. 


THEOREM 95. For any class K of pointed Kripke structures: 
(i) K is definable by a set of modal formulae iff it is closed under bisimulation and 
ultraproducts, while its complement is closed under ultrapowers. 
(ii) K is definable by a single modal formula iff it is closed under bisimulation, while 
both it and its complement are closed under ultraproducts. 


Proof. For the non-trivial part of (i): assuming the closure conditions for K and its 
complement, we consider the modal theory $\mathrm{Th}_{\mathrm{ML}}(K)$ and show that it defines K, i.e.,
every model of it is in K. For details see [22], [5, Theorem 2.75]. Alternatively, we can 
take a shortcut: by Theorem 89 the closure conditions imply that K is closed under 
modal equivalence, and hence Theorem 94 applies. 

For the non-trivial part of (ii) we may use (i) and a standard compactness argument 
as in the proof of Keisler’s theorem (see [22] and [5, Theorems 2.76]), or use Theorem 94 
again. ∎


Similar results can be obtained for classes of Kripke structures; we leave these to the 
reader. 

Finally, we mention the following results of Venema [138] which characterise modal 
definability of classes of (pointed) Kripke structures in purely modal terms, i.e., without 
involving the typical constructions from classical logic. In what follows, a bisimulation
$\rho : \mathfrak{M} \mathrel{\underline{\leftrightarrow}} \mathfrak{M}'$ is surjective if every state in $\mathfrak{M}'$ has a bisimilar one in $\mathfrak{M}$; an ultrafilter
union of a family of pointed Kripke structures $\{(\mathfrak{M}^i, w_i)\}_{i \in I}$ is a pointed Kripke structure
$(\mathrm{ue}(\biguplus_{i \in I} \mathfrak{M}^i), w)$, where $w$ is an ultrafilter containing every co-finite subset of $\{w_i \mid i \in$


THEOREM 96. A class of Kripke structures is modally definable iff it is closed un- 
der disjoint unions, surjective bisimulations, and ultrafilter extensions, while it reflects 
ultrafilter extensions. 

A class of pointed Kripke structures is modally definable iff it is closed under bisimu- 
lations and ultrafilter unions, and reflects ultrafilter extensions. 


To summarise: model theory of modal logic over Kripke structures essentially derives 
from first-order model theory, with the crucial extra feature of bisimulation invariance. 
The additional requirement of bisimulation invariance leads us from classical model the- 
ory to modal model theory and allows us to develop the analogy between them further. 


7 GENERAL FRAMES 


Neither of the two kinds of semantic structures we have considered so far, viz. Kripke 
frames and Kripke structures, provides a completely satisfactory framework for the
semantics for modal logic. On the one hand, truth and validity in Kripke structures, with
its crucial dependency on given valuations, does not reflect the richer semantics in terms 
of validity in frames. On the other hand, validity in frames, being an essentially second- 
order notion, is in general deductively intractable. As a consequence, frame-incomplete 
modal logics are the rule, rather than the exception (see Chapter 7 of this handbook). 
It is therefore necessary to look for a new type of semantic structures, ‘hybrids’ between 
Kripke structures and frames, combining the expressive richness of the frame-based se- 
mantics with the flexibility and good deductive behaviour of the one based on Kripke 
structures. 

Such structures, called general frames, were introduced in modal logic by Thomason 
in [124], with precursors in [97] and [28]. General frames are analogues to Henkin’s 
‘general models’ for second-order logic, extending first-order structures with a family 
of ‘admissible sets’, and restricting the second-order quantification to such sets only. 
Independently, general frames essentially arose from the seminal study by Jónsson and 
Tarski [78] of Boolean algebras with operators (see also Chapter 6 of this handbook), 
since they appear as the ‘concrete’, set-theoretic counterparts of modal algebras, arising 
in the Jónsson-Tarski representation theorem, and thus providing the link between the
algebraic and relational semantics. 

In this section we introduce the modal semantics based on general frames, develop the 
basic model theory of general frames and briefly mention the duality theory which relates 
them to algebras. We then discuss the relevance and use of general frames to the model 
theory of the frame-based modal semantics, in terms of persistence of modal formulae 
with respect to various important classes of general frames. 


7.1 General frames as semantic structures in modal logic 


Note that the operators $\langle R \rangle$ and $[R]$ defined in section 1.2 are monotone. Besides, the
operators $\langle R \rangle$ are normal (preserving falsum) and additive (distributive over disjunctions);
see Chapter 6 of this handbook. Hence every structure $(\mathcal{P}(W); \cap, -, \emptyset, \{\langle R_\alpha \rangle\}_{\alpha \in \tau})$ is
a (complete and atomic) Boolean algebra with operators in the terms of [78] (see also
Chapter 6), called a modal $\tau$-algebra.


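DEFINITION 97. Given a $\tau$-frame $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha \in \tau})$, a general $\tau$-frame over $\mathfrak{F}$ is a
structure $(\mathfrak{F}, \mathbb{W})$ expanding $\mathfrak{F}$ with a $\tau$-algebra of admissible subsets of $\mathcal{P}(W)$, closed
under boolean operations and the operators $\{\langle R_\alpha \rangle\}_{\alpha \in \tau}$, i.e., $\mathbb{W}$ is a $\tau$-subalgebra of
$(\mathcal{P}(W); \cap, -, \emptyset, \{\langle R_\alpha \rangle\}_{\alpha \in \tau})$.

Given a general $\tau$-frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$ we denote $\mathfrak{F}$ by $\mathfrak{G}_\#$ and the $\tau$-algebra $\mathbb{W}$ by $\mathfrak{G}^+$.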


EXAMPLE 98. For every Kripke structure $\mathfrak{M} = (\mathfrak{F}, V)$, $(\mathfrak{F}, \{V(\varphi) \mid \varphi \in \mathrm{ML}(\tau)\})$ is a
general $\tau$-frame over $\mathfrak{F}$, generated by $\mathfrak{M}$. In particular, the general $\tau$-frame $\mathfrak{G}_L$ generated
by the canonical Kripke structure $\mathfrak{M}_L$ (see Chapter 7 of this handbook) of a normal
modal logic $L$ is called the canonical general frame of $L$.


Among the general frames over $\mathfrak{F} = (W, \{R_\alpha\}_{\alpha \in \tau})$ there is a least one, viz.
$\mathfrak{F}_{\min} = (\mathfrak{F}, \mathbb{W}_{\min})$ generated from the Kripke structure $\mathfrak{M}_{\min} = (\mathfrak{F}, V_{\min})$ where $V_{\min}(p) = \emptyset$ for
every $p \in \Phi$, and a greatest one, viz. the full general $\tau$-frame $\mathfrak{F}_{\max} = (\mathfrak{F}, \mathcal{P}(W))$. Clearly,
local (as well as global) validity in $\mathfrak{F}$ and $\mathfrak{F}_{\max}$ coincide. So we can safely identify the
$\tau$-frame $\mathfrak{F}$ with $\mathfrak{F}_{\max}$. Furthermore, the family of all general frames over a $\tau$-frame
$\mathfrak{F} = (W, \{R_\alpha\}_{\alpha \in \tau})$ forms a complete lattice.

DEFINITION 99. Given a general $\tau$-frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$, a valuation over $\mathfrak{G}$ is any
valuation $V : \Phi \to \mathbb{W}$. A Kripke structure $(\mathfrak{F}, V)$ where $V$ is a valuation over $\mathfrak{G}$ is a Kripke
structure over $\mathfrak{G}$, also denoted by $(\mathfrak{G}, V)$ or $(\mathfrak{F}, \mathbb{W}, V)$.


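It follows by a routine induction that if $\mathfrak{M} = (\mathfrak{F}, \mathbb{W}, V)$, then $V(\varphi) \in \mathbb{W}$ for every
$\varphi \in \mathrm{ML}(\tau)$.

DEFINITION 100. Given a formula $\varphi \in \mathrm{ML}(\tau)$, a general $\tau$-frame $\mathfrak{G}$, and $w \in W$, we
say that $\varphi$ is (locally) valid at $w$ in $\mathfrak{G}$, denoted $\mathfrak{G}, w \models \varphi$, if $\varphi$ is true at $w$ in every
Kripke structure over $\mathfrak{G}$. $\varphi$ is valid in $\mathfrak{G}$, denoted $\mathfrak{G} \models \varphi$, if $\varphi$ is valid in $\mathfrak{G}$ at every
$w \in W$, i.e., $\varphi$ is valid in every Kripke structure over $\mathfrak{G}$.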


Note that local validity of modal formulae in a general $\tau$-frame is preserved under
the rule Modus Ponens and under taking uniform substitutions, while validity is also 
preserved under Necessitation. 

All general frames generated from Kripke structures have an at most countable algebra 
of admissible sets, so not every general frame is of that type. On the other hand, every 
general frame can be generated from a Kripke structure in an extended language with 
an appropriately large cardinality of the set of atomic propositions. This observation is 
sufficient to transfer various results and constructions from Kripke structures to general 
frames. 

However, as semantic structures for modal logic, general frames match most closely 
modal algebras. Indeed, as already noted, every general $\tau$-frame $\mathfrak{G}$ generates a ‘complex
$\tau$-algebra’ $\mathfrak{G}^+$. Conversely, every $\tau$-algebra $\mathfrak{A}$ determines a general frame $\mathfrak{A}_+$, based on
the ultrafilter frame of that algebra (see section 7.2), and is moreover embedded in $(\mathfrak{A}_+)^+$
in a way extending the Stone representation for Boolean algebras. That embedding is the
subject of the celebrated Jónsson-Tarski representation theorem (see [78], [5, Section 5.3],
or Chapter 6 of this handbook). Furthermore, there exists an algebraic-categorial duality 
between general frames and modal algebras, systematically developed by Goldblatt in 
[43, 44, 47] and later, from a topological perspective by [114] (see also [5, Section 5.4]), 
discussed in detail in Chapter 6 of this handbook. 


7.2 Constructions and truth preservation results on general frames 
Bisimulations and special cases 


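DEFINITION 101. Let $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$ and $\mathfrak{G}' = (\mathfrak{F}', \mathbb{W}')$ be two general $\tau$-frames. A
bisimulation $\rho$ between $\mathfrak{F}$ and $\mathfrak{F}'$ is a bisimulation between $\mathfrak{G}$ and $\mathfrak{G}'$ if for every valuation
$V$ over $\mathfrak{G}$ there is a valuation $V'$ over $\mathfrak{G}'$ such that $\rho : (\mathfrak{G}, V) \mathrel{\underline{\leftrightarrow}} (\mathfrak{G}', V')$, and vice versa.
A bisimulation between pointed general frames is defined likewise.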


Note that not every bisimulation between Kripke frames is a bisimulation between 
them as full general frames, because not every valuation over one of them must have a 
matching valuation satisfying atom equivalence. 


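COROLLARY 102. If $\rho : (\mathfrak{G}, w) \mathrel{\underline{\leftrightarrow}} (\mathfrak{G}', w')$ is a bisimulation between pointed general
$\tau$-frames $(\mathfrak{G}, w)$ and $(\mathfrak{G}', w')$ then $(\mathfrak{G}, w) \equiv_{\mathrm{ML}} (\mathfrak{G}', w')$. Likewise, if $\rho : \mathfrak{G} \mathrel{\underline{\leftrightarrow}} \mathfrak{G}'$, then
$\mathfrak{G} \equiv_{\mathrm{ML}} \mathfrak{G}'$.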

The definitions of generated subframes, bounded morphisms, and disjoint unions can 
be extended to general frames. 


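DEFINITION 103. Given a general $\tau$-frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$, a generated subframe of $\mathfrak{G}$ is
any general $\tau$-frame $\mathfrak{G}' = (\mathfrak{F}', \mathbb{W}')$ where $\mathfrak{F}' \preceq \mathfrak{F}$ and $\mathbb{W}' = \{ X \cap \mathrm{dom}(\mathfrak{F}') \mid X \in \mathbb{W} \}$.

DEFINITION 104. Let $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$ and $\mathfrak{G}' = (\mathfrak{F}', \mathbb{W}')$ be two general $\tau$-frames and
$\rho : \mathfrak{F} \to \mathfrak{F}'$ a bounded morphism. Then $\rho$ is a bounded morphism from $\mathfrak{G}$ to $\mathfrak{G}'$ if for
every $Y \in \mathbb{W}'$, $\rho^{-1}[Y] \in \mathbb{W}$; $\rho$ is a bounded strong morphism from $\mathfrak{G}$ to $\mathfrak{G}'$ if it is a
bounded morphism from $\mathfrak{G}$ to $\mathfrak{G}'$ and for every $X \in \mathbb{W}$, $\rho[X] \in \mathbb{W}'$ and $X = \rho^{-1}[\rho[X]]$.

DEFINITION 105. The disjoint union of the family $\{\mathfrak{G}^i = (\mathfrak{F}^i, \mathbb{W}^i)\}_{i \in I}$ of general
$\tau$-frames is $\biguplus_{i \in I} \mathfrak{G}^i = (\biguplus_{i \in I} \mathfrak{F}^i, \mathbb{W})$, where $\mathbb{W} = \{ \biguplus_{i \in I} X^i \mid X^i \in \mathbb{W}^i \text{ for each } i \in I \}$.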

We leave it to the reader to check that generated subframes and disjoint unions of 
general frames produce general frames indeed, and to see that they, as well as bounded 
strong morphisms, are particular cases of general frame bisimulations. The associated 
preservation results are immediate, and are left to the reader, too. As for bounded 
morphisms of general frames, in general they are not general frame bisimulations and 
only preserve validity in the forward direction. 


Ultrafilter extensions and ultraproducts 


The construction of ultrafilter extensions of frames can be generalised to the Stone
representation of modal algebras (see Chapter 6 of this handbook), which in turn are
essentially general frames, thus defining ultrafilter extensions of general frames. More
precisely, given a general $\tau$-frame $\mathfrak{G} = (W, \{R_\alpha\}_{\alpha \in \tau}, \mathbb{W})$ over a frame $\mathfrak{F}$, let $U(\mathbb{W})$ be the
set of all ultrafilters over the algebra $\mathfrak{G}^+$. For each $\alpha \in \tau$ we define a binary relation $R^{\mathbb{W}}_\alpha$
on $U(\mathbb{W})$ just like $R^{ue}_\alpha$ in $\mathrm{ue}(\mathfrak{F})$, i.e., for any $u, w \in U(\mathbb{W})$:


$u R^{\mathbb{W}}_\alpha w$ iff $\langle R_\alpha \rangle(X) \in u$ for every $X \in w$.


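The frame $(\mathfrak{G}^+)_+ = (U(\mathbb{W}), \{R^{\mathbb{W}}_\alpha\}_{\alpha \in \tau})$ is called the ultrafilter frame of the $\tau$-algebra
$\mathfrak{G}^+$.


Finally, we put $\mathbb{W}^{ue} := \{ u_{\mathbb{W}}(X) \mid X \in \mathbb{W} \}$ where $u_{\mathbb{W}}(X) = \{ u \in U(\mathbb{W}) \mid X \in u \}$. It
is routine to check that $\langle R^{\mathbb{W}}_\alpha \rangle(u_{\mathbb{W}}(X)) = u_{\mathbb{W}}(\langle R_\alpha \rangle(X))$ and hence $\mathbb{W}^{ue}$ is a modal
$\tau$-algebra.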


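DEFINITION 106. Given a general $\tau$-frame $\mathfrak{G} = (W, \{R_\alpha\}_{\alpha \in \tau}, \mathbb{W})$, the ultrafilter
extension of $\mathfrak{G}$ is the general $\tau$-frame $\mathrm{ue}(\mathfrak{G}) := (U(\mathbb{W}), \{R^{\mathbb{W}}_\alpha\}_{\alpha \in \tau}, \mathbb{W}^{ue})$, also known as the
general ultrafilter frame of the $\tau$-algebra $\mathfrak{G}^+$.

From the basic properties of ultrafilters, and the closure of $\mathbb{W}^{ue}$ under $\langle R^{\mathbb{W}}_\alpha \rangle$, it follows
that $\mathfrak{G}^+ \cong \mathrm{ue}(\mathfrak{G})^+$ for any general $\tau$-frame $\mathfrak{G}$. Note, however, that $\mathrm{ue}(\mathfrak{G}) \cong \mathfrak{G}$ does not
hold in general, and in section 7.3 we will characterise the general frames for which this
is the case. Still, since validity of modal formulae in $\mathfrak{G}$ and in $\mathfrak{G}^+$ coincide, we obtain
the following.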


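THEOREM 107. For any general $\tau$-frame $\mathfrak{G}$, $\mathrm{ue}(\mathfrak{G}) \equiv_{\mathrm{ML}} \mathfrak{G}$.

DEFINITION 108. Let $\{\mathfrak{G}^i = (\mathfrak{F}^i, \mathbb{W}^i)\}_{i \in I}$ be a family of general $\tau$-frames indexed by
a set $I$. For any ultrafilter $U$ on $I$, the ultraproduct of $\{\mathfrak{G}^i\}_{i \in I}$ over $U$ is the general
$\tau$-frame $\prod^U_{i \in I} \mathfrak{G}^i := (\prod^U_{i \in I} \mathfrak{F}^i, \mathbb{W}^U)$, where $\mathbb{W}^U = \{ \prod^U_{i \in I} X^i \mid X^i \in \mathbb{W}^i \text{ for each } i \in I \}$.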


Note that the ultraproduct of a family of Kripke frames regarded as full general frames
is not a full general frame itself, so it differs from the ultraproduct of frames, as defined
earlier. To distinguish these, we call the former general ultraproduct of frames. Unlike the
latter, every valuation in it is an ultraproduct of respective valuations in the components,
whence the following preservation result (see [43, 44, 47]).


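PROPOSITION 109. For every family of general $\tau$-frames $\{\mathfrak{G}^i = (\mathfrak{F}^i, \mathbb{W}^i)\}_{i \in I}$, ultrafilter
$U$ on $I$, element $w^U \in \prod^U_{i \in I} \mathfrak{F}^i$, and formula $\varphi$ of $\mathrm{ML}(\tau)$:

(i) $\prod^U_{i \in I} \mathfrak{G}^i, w^U \models \varphi$ iff $\{ j \in I \mid \mathfrak{G}^j, w(j) \models \varphi \} \in U$.

(ii) $\prod^U_{i \in I} \mathfrak{G}^i \models \varphi$ iff $\{ j \in I \mid \mathfrak{G}^j \models \varphi \} \in U$.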


7.3 Special types of general frames and persistence of modal formulae 


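Let $G$ be the class of all general $\tau$-frames of a fixed modal type $\tau$, and let $C$ be any
subclass of $G$.

DEFINITION 110. A formula $\varphi \in \mathrm{ML}(\tau)$ is locally $C$-persistent, if for every general
$\tau$-frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W}) \in C$, and $w \in \mathrm{dom}(\mathfrak{F})$, $\mathfrak{G}, w \models \varphi$ implies $\mathfrak{F}, w \models \varphi$; $\varphi$ is $C$-persistent,
if for every general $\tau$-frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W}) \in C$, $\mathfrak{G} \models \varphi$ implies $\mathfrak{F} \models \varphi$.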


Clearly, local persistence implies persistence, but the converse does not always hold. 
While often the practically important notion is the latter, the former is more natural. 

A general frame can be thought of as a frame in which a restriction on the valua- 
tions is imposed by allowing only those valuations which assign admissible sets to the 
propositional variables (and hence, to all formulae). Thus, the idea of persistence is that 
it enables one to conclude (local) validity, i.e., truth under every valuation, of a modal 
formula in a frame, based on its truth under some special valuations, viz. the admissible 
ones. In other words, a formula is $C$-persistent if, whenever it is falsified in a Kripke
frame $\mathfrak{F}$, it is falsified by some admissible valuation in each general frame from $C$ over $\mathfrak{F}$.
Thus, persistence gives a measure of the ‘semantic complexity’ of a formula, in terms of
its falsifying valuations. Note that a modal formula is locally $G$-persistent iff it is
semantically equivalent to a constant formula (i.e., a formula without propositional variables).
Indeed, every constant formula is $G$-persistent. Conversely, if $\varphi$ is $G$-persistent, then for
every pointed frame $(\mathfrak{F}, w)$, $\mathfrak{F}, w \models \varphi$ iff $(\mathfrak{F}, V_\bot), w \models \varphi$, where $V_\bot$ assigns $\emptyset$ to every
atomic proposition, iff $\mathfrak{F}, w \models \varphi_\bot$ where $\varphi_\bot$ is obtained from $\varphi$ by replacing all atomic
propositions by $\bot$.

We will introduce some important classes of general frames, persistence with respect 
to which provides sufficient conditions for good expressive or axiomatic behaviour of the 
formulae. 


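DEFINITION 111. Let $\mathfrak{G} = (W, \{R_\alpha\}_{\alpha \in \tau}, \mathbb{W})$ be a general $\tau$-frame and $\alpha \in \tau$. The
relation $R_\alpha$ is tight in $\mathfrak{G}$ if for every $u, w \in W$: $u R_\alpha w$ iff for all $X \in \mathbb{W}$, $w \in X$ implies
$u \in \langle R_\alpha \rangle(X)$; equivalently, iff $u \in \bigcap \{ \langle R_\alpha \rangle(X) \mid X \in \mathbb{W} \text{ and } w \in X \}$.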

Recall, for the compactness property below, that a family of sets F has the finite 
intersection property (FIP) if the intersection of every finite sub-family of F is non- 
empty. 


DEFINITION 112. A general $\tau$-frame $(W, \{R_\alpha\}_{\alpha \in \tau}, \mathbb{W})$ is:

- differentiated, if for every $u, u' \in W$, if $u \neq u'$ then there is $X \in \mathbb{W}$ such that $u \in X$
  and $u' \notin X$;
- tight, if $R_\alpha$ is tight for every $\alpha \in \tau$;
- discrete, if $\{u\} \in \mathbb{W}$ for every $u \in W$;
- elementary, if every subset of $W$ that is $\mathrm{FO}(\tau)$-definable with parameters (in the
  sense of Definition 39) is admissible;
- compact, if every family of admissible sets in $\mathfrak{G}$ with FIP has a non-empty
  intersection;¹²
- refined, if it is differentiated and tight;
- descriptive, if it is refined and compact.


Amongst all discrete general frames over a Kripke frame $\mathfrak{F}$, there is a least one, viz.
$\mathfrak{D}(\mathfrak{F})$, generated from all singletons by closing under the Boolean and modal operators.
It contains all finite and co-finite sets in $\mathfrak{F}$. Likewise, amongst all elementary general
frames over a Kripke frame $\mathfrak{F}$, there is a least one, viz. $\mathfrak{E}(\mathfrak{F})$, in which the admissible sets
are precisely the subsets of the domain of $\mathfrak{F}$ that are parametrically first-order definable
in $\mathrm{FO}(\tau)$.

Assuming the type $\tau$ is fixed, the class of all differentiated (resp. tight, discrete, elementary,
refined, descriptive) general $\tau$-frames will be denoted by $\mathcal{DF}$ (resp. $\mathcal{T}$, $\mathcal{DI}$, $\mathcal{E}$, $\mathcal{R}$, $\mathcal{D}$).

Here are some relationships between these classes. 


• Every full general frame is discrete, and therefore, refined (see below). Every finite,
  but no infinite, discrete general frame is descriptive, for otherwise the intersection
  of all sets $W \setminus \{w\}$ would have to be non-empty; on the other hand, every finite
  differentiated frame is full.

• Every discrete frame is refined. Indeed, for tightness note that in every discrete
  frame $x R_\alpha w$ holds iff $x \in \langle R_\alpha \rangle(\{w\})$. The converse need not hold, e.g., canonical
  general frames (see Chapter 7 of this handbook) are refined, even descriptive, but
  not discrete, being infinite.

• Every elementary frame is discrete, while the converse does not hold, as we will see
  further.

To summarise: $\mathcal{E} \subseteq \mathcal{DI} \subsetneq \mathcal{R} = \mathcal{DF} \cap \mathcal{T}$; $\mathcal{D} \subseteq \mathcal{R}$; $\mathcal{D} \not\subseteq \mathcal{DI} \not\subseteq \mathcal{D}$.

Below, we list some remarks on the various notions of persistence and relationships 
between them. Analogous remarks apply to local persistence. 


• First, note that if $C_1 \subseteq C_2$, then $C_2$-persistence implies $C_1$-persistence.

• A formula is $\mathcal{DI}$-persistent iff it is valid in a frame $\mathfrak{F}$ whenever it is valid in $\mathfrak{D}(\mathfrak{F})$.
  Likewise, a formula is $\mathcal{E}$-persistent iff it is valid in a frame $\mathfrak{F}$ whenever it is valid in
  $\mathfrak{E}(\mathfrak{F})$.

• While every (locally) $\mathcal{R}$-persistent formula is $\mathcal{DI}$-persistent, the converse does not
  hold, a simple witness being e.g., the ‘density’ formula $\Diamond p \to \Diamond\Diamond p$ (see [5, p.319]).

• Also, not every (even locally) $\mathcal{D}$-persistent formula is $\mathcal{DI}$-persistent (and hence,
  even less $\mathcal{R}$-persistent), a witness being Geach’s formula $\Diamond\Box p \to \Box\Diamond p$, defining
  the Church-Rosser confluence property of the accessibility relation (see [5, p.305]).

• Moreover, not every $\mathcal{D}$-persistent formula is $\mathcal{E}$-persistent, as we will see in
  section 8.2.

• Not every (even locally) $\mathcal{E}$-persistent formula is $\mathcal{DI}$-persistent, again witnessed by
  Geach’s formula.

• Finally, not every (even locally) $\mathcal{DI}$-persistent formula is $\mathcal{D}$-persistent. The formula
  $vB = \Box\Diamond\top \to \Box(\Box(\Box p \to p) \to p)$, proposed by van Benthem in [127], is an
  example. First, note that for every discrete general frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$ and
  $w \in \mathrm{dom}(\mathfrak{F})$, $\mathfrak{G}, w \models vB$ implies $\mathfrak{G}, w \models \Box\Diamond\top \to \Box\bot$; hence $\mathfrak{G}_\#, w \models \Box\Diamond\top \to \Box\bot$.
  Indeed, assuming $\mathfrak{G}, w \models \Box\Diamond\top \land \neg\Box\bot$, for any successor $u$ of $w$ the valuation
  $W \setminus \{u\}$ for $p$ falsifies $vB$ at $w$. Furthermore, for every frame $\mathfrak{F}$ and $w \in \mathrm{dom}(\mathfrak{F})$,
  $\mathfrak{F}, w \models \Box\Diamond\top \to \Box\bot$ implies $\mathfrak{F}, w \models vB$. Hence $vB$ is locally $\mathcal{DI}$-persistent. On
  the other hand, $vB$ is not $\mathcal{D}$-persistent. Indeed, as shown in [127] (see also [5,
  p.216]) $vB$ is valid in a certain general frame $\mathfrak{J}$, the modal logic KvB of which is
  incomplete. That is because $\Box\Diamond\top \to \Box\bot$, not being valid in $\mathfrak{J}$, is not a theorem of
  KvB while, as seen above, it is valid in every frame for KvB. Thus, while $vB$ is
  valid in the (descriptive) canonical frame of KvB, it fails in the underlying Kripke
  frame which falsifies $\Box\Diamond\top \to \Box\bot$.

• Consequently, not every locally $\mathcal{E}$-persistent formula is $\mathcal{D}$-persistent.

¹² This is equivalent to the requirement that every ultrafilter over $\mathfrak{G}^+$ consists of all admissible sets
containing a fixed state in $\mathfrak{G}$.


To summarise again, if we denote by $C^P$ the set of all C-persistent formulae, we have
the following: $DF^P \cap T^P = R^P \subsetneq DI^P \subsetneq E^P$; $R^P \subsetneq D^P$; $DI^P \nsubseteq D^P \nsubseteq E^P$.

The same relationships hold for local persistence. 

Now, we discuss some important results about refined and descriptive frames and the 
related persistence properties, while elementary frames and elementary persistence will 
be discussed in section 8.2. 

First, note ([124]) that every general frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$ can be ‘refined’ by constructing
a refined quotient of it over the set $W^\sim$ of all equivalence classes modulo the equivalence
relation $\sim$, defined as $v \sim w$ iff $\forall X \in \mathbb{W}(v \in X \leftrightarrow w \in X)$, and taking as admissible
all sets of the type $X^\sim = \{w^\sim \mid w \in X\}$ for $X \in \mathbb{W}$. It now remains to ‘tighten’ all
accessibility relations by closing under the definition of tightness: for every $u^\sim, w^\sim \in W^\sim$,
$u^\sim R_\alpha^\sim w^\sim$ holds iff for all $X^\sim \in \mathbb{W}^\sim$ and $u' \sim u$, $w' \sim w$, if $w \in X$ then $w' \in \langle R_\alpha \rangle(X)$.
Note, however, that (see [10, p.263]) while for finite frames this construction produces a
bounded morphic image, this is not necessarily the case when applied to infinite general
frames.

Descriptive frames typically appear as the canonical general frames (see Chapter 7 of
this handbook) of every normal modal logic without any special inference rules. Thus,
all D-persistent formulae are valid in the underlying canonical Kripke frames, and hence
they axiomatise Kripke complete logics. For that reason the D-persistent formulae are
also called canonical.¹³ However, in hybrid logics with nominals (see Chapter 14 of this
handbook) or in logics with special additional rules of inference, e.g., the non-$\xi$ rules in
[137], D-persistent formulae need not be canonical, because the canonical general frames
for such logics are only discrete (for hybrid logics) or refined (in logics with additional
‘context’ rules, see [52]). In such cases, DI-persistence or R-persistence is the right notion
of canonicity. DI-persistent formulae have the important property of remaining canonical
when added as axioms to hybrid logics with nominals, while R-persistent formulae remain
canonical not only in the presence of other axioms, but even if additional rules of inference
of the type mentioned above are added to the axiomatic system.

¹³ Note that across the literature on modal logic the term ‘canonicity’ is used in somewhat different,
and not entirely equivalent, senses (see [126, 127]). For instance, Fine defines in [28] canonicity of a set
of formulae as validity of every formula of that set in any canonical frame built for a modal language
with any cardinality of propositional variables. Since all canonical models generate descriptive frames,
the notion of canonicity adopted here following [126] is at least as strong as Fine’s.

Descriptive frames feature prominently in the duality theory between general frames
and modal algebras, as they turn out to be precisely the fixed points of ultrafilter extensions
of general frames, which are essentially the Stone representations of modal algebras
(see Chapter 6 of this handbook).


PROPOSITION 113. A general $\tau$-frame $\mathfrak{G}$ is descriptive iff $\mathfrak{G} \cong \mathrm{ue}(\mathfrak{G})$.


Indeed, the proof that every ultrafilter extension is descriptive is just a variation
of the proof that every canonical general frame is descriptive (see Chapter 7 of this
handbook). For the converse, the crucial observation is that, given a descriptive general
frame $\mathfrak{G} = (\mathfrak{F}, \mathbb{W})$, for every $w \in \mathfrak{F}$, the set $u_{\mathbb{W}}[w] = \{X \in \mathbb{W} \mid w \in X\}$ is an ultrafilter
in $\mathbb{W}$, and every ultrafilter in $\mathbb{W}$, due to the compactness of $\mathfrak{G}$, is of this type. Thus, the
mapping $\lambda w.u_{\mathbb{W}}[w]$ is a bijection (since $\mathfrak{G}$ is differentiated) between $\mathfrak{G}$ and $\mathrm{ue}(\mathfrak{G})$. This
bijection is in fact an isomorphism, due to the tightness of $\mathfrak{G}$.

Consequently, by Theorem 107, every general frame is modally equivalent to a descriptive
frame. Therefore, every D-persistent formula $\varphi$ preserves its validity from a
frame $\mathfrak{F}$ to the ultrafilter extension of the full general frame $\mathfrak{F}_{\max}$, which is based on
$\mathrm{ue}(\mathfrak{F})$. Since $\mathrm{ue}(\mathfrak{F}_{\max})$ is descriptive, by D-persistence, $\varphi$ preserves validity from $\mathfrak{F}$ to
$\mathrm{ue}(\mathfrak{F})$. Conversely, if $\varphi$ preserves validity in ultrafilter extensions of frames, then it is
D-persistent by Theorem 115. Thus, we obtain:


PROPOSITION 114. A modal formula is (locally) D-persistent iff its validity is (locally)
preserved in ultrafilter extensions of frames.


Every general $\tau$-frame $\mathfrak{G} = (W, \{R_\alpha\}_{\alpha \in \tau}, \mathbb{W})$ determines a topological space $T(\mathfrak{G})$ with
a base of clopen sets $\mathbb{W}$, and a set of closed sets denoted by $C(\mathbb{W})$. For a detailed study
of this topology, its properties and applications in modal logic see [114]. Hereafter, a
closed set in the general $\tau$-frame $\mathfrak{G}$ will mean a subset of the domain closed with respect
to the topology $T(\mathfrak{G})$, i.e., an intersection of a family of admissible sets.

A number of important properties of general frames can be phrased in terms of their
topology. For instance, in every discrete frame $\mathfrak{G}$ the topology $T(\mathfrak{G})$ is discrete. Indeed,
every non-empty set is a union of its singleton subsets, which are open in $T(\mathfrak{G})$; hence
every subset of $\mathfrak{G}$ is open. Also, differentiatedness of a general frame is equivalent to
$T_0$-separability (Hausdorffness) of its topology, while compactness, as defined above, is
equivalent to the standard topological notion of compactness. Thus, for any compact
and differentiated $\tau$-frame $\mathfrak{G}$, $T(\mathfrak{G})$ is a compact Hausdorff space.

Finally, it is instructive to explore which constructions on general frames preserve each
of the classes discussed above. For instance, differentiatedness, tightness, and discreteness
are preserved in generated subframes and disjoint unions, while compactness is not.
Conversely, bounded morphisms preserve compactness, but not discreteness, differentiatedness
and tightness. Besides, discreteness, differentiatedness, and tightness (and hence,
refinedness), being properties definable in a suitable first-order language for states and
admissible sets, and membership between them, are preserved in ultraproducts, while
descriptiveness is preserved in finite disjoint unions, but never in infinite ones, nor
necessarily in ultraproducts [44, 47].

How does persistence determine the expressiveness of a formula? We will discuss this 
issue in section 8.2 in connection with first-order definability of modal formulae. 


Before closing this section, let us highlight again the role of general frames in the
model theory of modal logic:


• general frames provide a natural link between the first-order semantics on Kripke
structures and the second-order semantics on frames, and are thus analogous to
Henkin’s general models for second-order logic.


• general frames are essentially equivalent to modal algebras, via the duality theory
outlined in Chapter 6 of this handbook, and thus provide algebraic semantics for
modal logic.


• the notion of persistence of (the truth/validity of) modal formulae with respect
to natural classes of general frames is instrumental in characterising their
model-theoretic behaviour.


8 MODAL LOGIC ON FRAMES 


So far we have mainly studied modal logic as a fragment of first-order logic over Kripke 
structures. In this section we discuss modal logic as a logic of frames, and thus as a 
fragment of universal monadic second-order logic MSO. 

This fragment, while generally not very expressive and missing many simple first-order
properties, nevertheless penetrates deeply into MSO. Perhaps its most interesting features
are the recursive axiomatisability of validity and its finite model property, together
implying decidability, a rare phenomenon in second-order logic when considered over
arbitrary structures rather than special ones.

In this section we present some classical results characterising modally definable classes 
of frames, and discuss how persistence of modal formulae with respect to various classes 
of general frames can be used to determine their model-theoretic properties. 


8.1 Modal definability of frame properties 


Here we address the question which classes of frames are definable by modal formulae. A 
classical result from [51] answers this question in a traditional model-theoretic fashion, 
albeit using a somewhat ad-hoc construction, called SA-construction (‘state-of-affairs 
construction’). Algebraically, it corresponds to taking a subalgebra of a homomorphic 
image, thus allowing a ‘translation’ of Birkhoff’s theorem in terms of frame constructions, 
and so characterising equational classes of algebras as those closed under subalgebras, 
homomorphic images and direct products (see Chapter 6 of this handbook). Theorem 117 
gives a more natural characterisation of the modally definable elementary classes. Here 
is another definability-by-preservation result, due to van Benthem (see [126, Theorem 
3.5], [127, Theorem 16.5], [129]). 


THEOREM 115. A class of frames K is modally definable by a set of D-persistent formulae
iff it is closed under generated subframes, bounded morphisms, disjoint unions and
ultrafilter extensions, and reflects ultrafilter extensions.

Proof. We already know from sections 2 and 6, and Proposition 114 that every D-persistent
formula satisfies all preservation conditions of the theorem, whence the easier
direction. Conversely, let K satisfy the preservation conditions. We show that
$K = \mathrm{FR}(\mathrm{Th}_{\mathrm{ML}}(K))$. Let $\mathfrak{F} \models \mathrm{Th}_{\mathrm{ML}}(K)$. Recall that $\mathfrak{F}_{\max}$ denotes the full general frame over
the frame $\mathfrak{F}$. Using the duality theory between general frames and modal algebras, and
Birkhoff’s theorem, one can show that $\mathrm{ue}(\mathfrak{F}_{\max})$ is isomorphic to a generated general
subframe of a bounded morphic image of $\mathrm{ue}(\mathfrak{G}_{\max})$ where $\mathfrak{G}$ is a disjoint union of frames
from K. Now, $\mathfrak{G} \in K$; hence $\mathrm{ue}(\mathfrak{G}) \in K$. So, tracing the underlying frames and using the
closure conditions, we eventually find that $\mathrm{ue}(\mathfrak{F}) \in K$, whence $\mathfrak{F} \in K$. ∎


We note that checking the conditions of the theorem above, even in the case when
the class of frames is first-order definable, may be a practically very difficult task. A
testimony for that is the fact that preservation of first-order formulae under ultrafilter
extensions is $\Pi^1_1$-hard [122, Thm 2.3.17].

In the rest of this section we compare the expressiveness of modal logic over frames 
with first-order logic and some of its extensions within monadic second-order logic. 


8.2 Modal logic versus first-order logic on frames 


We have already seen that modal languages are generally incomparable with first-order
languages in terms of definability of frame properties. Indeed, while simple elementary
properties, such as irreflexivity, escape the basic modal language, it can capture
non-elementary properties such as the one defining the class of all transitive frames in which
there are no infinite chains of successors. By a simple compactness argument, this class
is not elementary, while it is well-known to be defined by the Gödel-Löb formula GL
(see e.g. [75]). This example also shows that the compactness theorem with respect to
frame validity fails in modal logic. The downward Löwenheim-Skolem-Tarski theorem
fails here, too. E.g., McKinsey’s formula $\Box\Diamond p \to \Diamond\Box p$ (see [127], or [5, p.133]) is
valid in a certain uncountable frame, but not in any countable elementary subframe of
it. Another important example of a non-elementary modal formula (in the extended
setting with the star operation for transitive closures) is Segerberg’s induction axiom
[117] IND: $[a^*](p \to [a]p) \to (p \to [a^*]p)$.


The model-theoretic interplay 


We compare modal formulae (respectively, modally definable properties of frames) and
first-order formulae (respectively, properties definable in FO($\tau$)) from two perspectives:


• Which modally definable frame properties are first-order definable?
• Which first-order properties of frames are modally definable?


As already mentioned, there are two natural notions of first-order definability: by
means of single sentences and by means of theories (possibly infinite sets of sentences).
Regarding modally definable classes, however, these turn out to be equivalent. Indeed,
if the class of frames $\mathrm{FR}(\varphi)$ is the class of models of an infinite set of FO($\tau$)-formulae
$\Gamma$, then $\Gamma \models \varphi$ with respect to frame validity, which is a $\Pi^1_1$-property. The compactness
theorem of first-order logic applies here, and $\Gamma_0 \models \varphi$ for some finite $\Gamma_0 \subseteq \Gamma$. Hence
$\mathrm{FR}(\varphi)$ is defined by the conjunction over $\Gamma_0$. We can therefore refer to modally definable
classes which are first-order definable, and to modal formulae defining such classes, as
elementary without risk of confusion.

On the other hand, it seems to be still unknown whether there is any FO-sentence
equivalent to an infinite set of basic modal formulae but not to a single formula.¹⁴

The validity preservation results from sections 2 and 6 imply that every modally
definable class of frames $\mathrm{FR}(\varphi)$ is closed under generated subframes, bounded morphic
images (in particular, isomorphic copies), and disjoint unions, while it reflects ultrafilter
extensions and ultraproducts. If, moreover, the formula $\varphi$ is elementary, then $\mathrm{FR}(\varphi)$
is closed under ultraproducts, too. Conversely, if $\mathrm{FR}(\varphi)$ is closed under ultraproducts
then, by the Keisler-Shelah theorem, $\mathrm{FR}(\varphi)$ is elementary. Moreover, by Proposition
85, closure of $\mathrm{FR}(\varphi)$ under ultrapowers suffices, and therefore, closure under elementary
equivalence in FO($\tau$) suffices, too. The latter, in turn, characterises $\Sigma\Delta$-elementary
classes, i.e., unions of elementary classes. Thus, we have the following model-theoretic
characterisation of the elementary modal formulae (see [44, 47, 127]).


THEOREM 116. For any modal formula $\varphi$ the following are equivalent:
(i) $\varphi$ is elementary.
(ii) $\mathrm{FR}(\varphi)$ is closed under ultraproducts.
(iii) $\mathrm{FR}(\varphi)$ is closed under ultrapowers.
(iv) $\mathrm{FR}(\varphi)$ is closed under elementary equivalence, i.e., $\Sigma\Delta$-elementary.


The result above correspondingly characterises elementary classes of frames that are 
known to be modally definable. This raises the natural question how to characterise, 
in model theoretic terms, modal definability of an elementary class of frames. Again, a 
classical result from [51] answers that question. Here is a somewhat strengthened version 
(see [5, Theorem 5.54]). 


THEOREM 117 (Goldblatt-Thomason). If a class of frames K is closed under ultrapowers
(in particular, if K is elementary), then K is modally definable iff it is closed
under generated subframes, bounded morphisms, and disjoint unions, and reflects
ultrafilter extensions.


Proof. One direction is a direct application of the preservation results from sections 2
and 6. For the other direction note that, by Theorem 90 reduced to underlying frames,
K is closed under ultrafilter extensions, too. Thus, Theorem 115 applies, so K is modally
definable, moreover by a set of D-persistent formulae. ∎


We end with an important related result, originally due to Fine [28], later strengthened
and proved by van Benthem [127, Theorem 16.7] as a corollary to Theorem 115.¹⁵

We call a modal formula $\varphi$ complete if the modal logic axiomatised by $\varphi$ is complete
for the class of frames defined by $\varphi$.


THEOREM 118 (Fine-van Benthem).
Every complete and elementary modal formula $\varphi$ is D-persistent.


Proof. $\mathrm{FR}(\varphi)$ satisfies all closure conditions of Theorem 115, so $\mathrm{FR}(\varphi) = \mathrm{FR}(\Gamma)$ for
some set of D-persistent formulae $\Gamma$. The modal logic $\mathbf{K}_\tau + \Gamma$, axiomatised with the set
of axioms $\Gamma$, is canonical and therefore complete. Hence $\mathbf{K}_\tau + \Gamma \vdash \varphi$. By compactness
of modal derivations, $\mathbf{K}_\tau + \Gamma_0 \vdash \varphi$ for some finite subset $\Gamma_0$ of $\Gamma$. By completeness of $\varphi$,
all formulae from $\Gamma_0$ are theorems of $\mathbf{K}_\tau + \varphi$. Hence $\varphi$ is axiomatically equivalent, and
therefore frame-equivalent, too, to the conjunction of $\Gamma_0$, which is itself a D-persistent
formula. ∎

¹⁴ There are known cases, however, where a first-order definable property is infinitely, but not finitely,
axiomatisable in some extended modal languages. See, e.g., [54].

¹⁵ For a stronger algebraic version of this theorem see [45], [5, Theorem 5.56], or Chapter 6 of this
handbook.


It is known ([28], see also section 8.2) that the converse to the above theorem does
not hold, viz. not every D-persistent formula is elementary. An example is
$\Diamond\Box(p \lor q) \to \Diamond(\Box p \lor \Box q)$ (see [28]). Nor is every elementary modal formula D-persistent, as there
are incomplete elementary modal formulae (e.g., van Benthem’s formula vB discussed in
section 7.3, see [128, p.72], also in [5, p.216]).

It had been a longstanding open problem, posed by Fine, whether every modal logic 
axiomatised by D-persistent formulae is complete with respect to some elementary class. 
This question has recently been answered negatively in [50]. 


Persistence and first-order definability 


Some persistence properties of modal formulae imply that they are elementary. Perhaps
the first interesting result in that vein is due to Lachlan [89] who proved that every
R-persistent formula is elementary. A strengthening of Lachlan’s result, using the argument
in Goldblatt’s proof of it in [44], is that every (locally) DI-persistent formula is (locally)
elementary. First, note that local non-validity of a modal formula, being a $\Sigma^1_1$-property,
is preserved by ultraproducts [12, Corollary 4.1.14]. By the Keisler-Shelah theorem it
suffices to show that local validity of locally DI-persistent formulae is preserved under
ultraproducts. This follows from the fact that local validity of modal formulae is locally
preserved in ultraproducts of general frames (Proposition 109), and that any ultraproduct
of full general frames is a discrete general frame.

Let us now turn to E-persistent formulae. They were first studied by van Benthem
in [127] in connection with the substitution method which can be used to establish the
first-order definability of Sahlqvist formulae (see section 8.2). The idea of the substitution
method is to identify finitely many ‘characteristic’ first-order definable valuations
of the variables occurring in a given formula, such that the formula is (locally) valid
in every frame in which it is (locally) valid for those characteristic valuations. For all
Sahlqvist formulae, just one such valuation, the minimal one amongst all those satisfying
the antecedent of the formula, suffices. Van Benthem provided an alternative characterisation
of locally and globally E-persistent formulae, which implies that they are locally
elementary.

Given a FO($\tau$#)-formula $\beta(\bar{x})$ with unary predicates $P_1, \ldots, P_n$, assuming that the
variables $\bar{x}$ do not occur bound in $\beta$ and the variables $z_1, \ldots, z_k, y$ do not occur in
$\beta$ at all, we define a universally parameterised FO($\tau$)-substitution instance of $\beta$ to be
any FO($\tau$)-formula $\forall z_1 \ldots \forall z_k\, \beta[\sigma_1/P_1, \ldots, \sigma_n/P_n]$ obtained from $\beta$ by selecting
FO($\tau$)-formulae $\sigma_i = \sigma_i(\bar{x}, z_1, \ldots, z_k, y)$ for $i = 1, \ldots, n$, uniformly substituting $\sigma_i[x/y]$ for every
occurrence of $P_i x$, and then universally quantifying over $z_1, \ldots, z_k$. Let $O(\beta)$ be the set
of all universally parameterised FO($\tau$)-substitution instances of $\beta$.


DEFINITION 119. A modal formula $\varphi = \varphi(p_1, \ldots, p_n)$ is a van Benthem formula if
$O(\mathrm{ST}(\varphi; x_0)) \models \forall P_1 \ldots \forall P_n \mathrm{ST}(\varphi; x_0)$. We let VB denote the class of van Benthem
formulae (defined slightly differently in [127] as the class M}.,).

THEOREM 120. A modal formula is locally E-persistent iff it is a van Benthem formula.


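Proof. Recall that $\mathfrak{E}(\mathfrak{F})$ is the minimal elementary general frame over the Kripke frame
$\mathfrak{F}$. Let $\varphi(p_1, \ldots, p_n) \in \mathrm{VB}$ and suppose $\mathfrak{E}(\mathfrak{F}), w \models \varphi$ for some frame $\mathfrak{F}$. Take any
universally parametrised FO($\tau$)-substitution instance $\forall z_1 \ldots \forall z_k \mathrm{ST}(\varphi)[\sigma_1/P_1, \ldots, \sigma_n/P_n]$. Let
$w_1, \ldots, w_k \in \mathrm{dom}(\mathfrak{F})$ and $X_i := \{u \in \mathrm{dom}(\mathfrak{F}) \mid \mathfrak{F} \models \sigma_i(w, w_1, \ldots, w_k, u)\}$ for $i = 1, \ldots, n$.
Since $X_1, \ldots, X_n$ are admissible in $\mathfrak{E}(\mathfrak{F})$, $(\mathfrak{F}; X_1, \ldots, X_n; w) \models \mathrm{ST}(\varphi)(P_1, \ldots, P_n; x_0)$.
Therefore, $\mathfrak{F}, w \models \forall z_1 \ldots \forall z_k \mathrm{ST}(\varphi)[\sigma_1/P_1, \ldots, \sigma_n/P_n]$. Since $\varphi \in \mathrm{VB}$, that implies
$\mathfrak{F}, w \models \varphi$.

Conversely, let $\varphi$ be locally E-persistent and suppose $\mathfrak{F}, w \models O(\mathrm{ST}(\varphi; x_0))$. Then,
reversing the argument above, we find that $\mathfrak{E}(\mathfrak{F}), w \models \varphi$, and therefore $\mathfrak{F}, w \models \varphi$ by local
E-persistence of $\varphi$. ∎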


We can now strengthen the earlier persistence-implies-elementary results.

THEOREM 121. Every (locally) E-persistent formula is (locally) elementary.

Proof. Clearly, for every modal formula $\varphi$, $\forall P_1 \ldots \forall P_n \mathrm{ST}(\varphi; x_0) \models O(\mathrm{ST}(\varphi; x_0))$. By
compactness, every van Benthem formula is a logical consequence of a finite subset of
$O(\mathrm{ST}(\varphi; x_0))$, and hence is equivalent to the conjunction over that set. ∎


Consequently, not every D-persistent formula is E-persistent. Neither is every (locally)
elementary modal formula (locally) E-persistent. An example (see [127]) is the formula
$\mathrm{Mk4} = (\Box p \to \Box\Box p) \land (\Box\Diamond p \to \Diamond\Box p)$, which is elementary and valid in the general
frame $(\mathbb{N}, <, \mathbb{W})$ where $\mathbb{W}$ is the set of all finite and co-finite subsets of $\mathbb{N}$, while it fails in
$(\mathbb{N}, <)$. Since $\mathbb{W}$ contains precisely all parametrically first-order definable sets in $(\mathbb{N}, <)$,
it is $\mathfrak{E}((\mathbb{N}, <))$, so Mk4 is not E-persistent. Similarly, Mk4’ = (Op — OOp) A O(Op —>
p) \ (Ap > Op) is locally elementary,¹⁶ but not locally E-persistent.


Sahlqvist formulae and inductive formulae


The model-theoretic results discussed above, however elegant, are usually not easy to
apply, and are of no use to find the actual first-order formula corresponding to the modal
formula. It is therefore natural to look for simpler and effective sufficient conditions
for first-order definability of modal formulae. There can be no completely satisfactory
outcome of that search, because that property is not decidable [11], and (at least) in a
modal language with more than one modality, not even analytical [122, Thm 2.6.5]. Still,
several increasingly general results to that aim were obtained during the 1970’s, culminating
with the celebrated Sahlqvist theorem, which not only identifies a large syntactic
class of elementary modal formulae (see a simple definition of that class below), but also
proves their canonicity. A variety of expositions of Sahlqvist’s theorem can be found in
several sources, e.g. [113, 115, 5, 84, 10], Chapters 6 and 7 of this handbook. Here we outline
a generalisation of the class of Sahlqvist formulae in monadic poly-modal languages,
sharing the same virtues as the original class, viz. the inductive formulae introduced and
studied for arbitrary polyadic languages in [55].

We fix a modal language ML($\tau$).

DEFINITION 122. Let # be a symbol not belonging to ML($\tau$). Then a box-form of #
in ML($\tau$) is defined recursively as follows:

(i) # is a box-form of #;
(ii) If B(#) is a box-form of # and $\Box$ is a box-modality in ML($\tau$), then $\Box B(\#)$ is a
box-form of #;
(iii) If B(#) is a box-form of # and A is a positive $\tau$-formula, then $A \to B(\#)$ is a
box-form of #.

¹⁶ The fact that Mk4 and Mk4’ are elementary is far from trivial, as the proof requires a form of the
Axiom of Choice and cannot be formalised in ZF.


Thus, box-forms of # are, up to semantic equivalence, of the type
$\Box_1(A_1 \to \Box_2(A_2 \to \ldots \Box_n(A_n \to \#)\ldots))$, where $\Box_1, \ldots, \Box_n$ are box-modalities and
$A_1, \ldots, A_n$ are positive formulae in ML($\tau$).

DEFINITION 123. Given a propositional variable $p$, a box-formula of $p$ is the result $B(p)$
of substitution of $p$ for # in any box-form B(#). The last occurrence of the variable $p$
is the head of $B(p)$ and every other occurrence of a variable in $B(p)$ is inessential there.

DEFINITION 124. A (monadic) regular formula is any modal formula built from positive
formulae and negations of box-formulae by applying conjunctions, disjunctions, and
boxes.

DEFINITION 125. The dependency digraph of a set $\mathcal{B} = \{B_1(p_1), \ldots, B_n(p_n)\}$ of
box-formulae is the digraph $G = (V, E)$ where $V = \{p_1, \ldots, p_n\}$ is the set of heads in $\mathcal{B}$, and
$p_i E p_j$ iff $p_i$ occurs as an inessential variable in a box-formula from $\mathcal{B}$ with a head $p_j$. A
digraph is called acyclic if it does not contain oriented cycles.


DEFINITION 126. An inductive formula is a regular formula with an acyclic dependency 
digraph of the set of all box-formulae occurring as subformulae in it. 


We note that Sahlqvist formulae, up to semantic equivalence, are precisely those regular
formulae in which the box-formulae are just boxed atoms, i.e., propositional variables
prefixed by possibly empty strings of boxes. Thus, all Sahlqvist formulae fall into a simple
particular case of inductive formulae, where the dependency digraph has no arcs at
all.

The following extension of Sahlqvist’s theorem was established in [55]. 


THEOREM 127. Each inductive formula is locally elementary and locally D-persistent. 
Moreover, its local first-order equivalent can be computed effectively. 


The inductive formulae are van Benthem formulae which, just like Sahlqvist formulae, 
have first-order definable minimal valuations, but they can only be computed inductively, 
in steps following the arcs of the dependency digraph, from sources to sinks. 

Sahlqvist formulae satisfy a certain persistence property which can be extracted from
the syntactic shape of the first-order formulae defining their minimal valuations. In the
basic modal language these valuations are either the empty set, or the whole domain,
or are finite unions of sets of the type $R^n(y)$ (recall that $R^n$ is the $n$-fold composition
of $R$ with itself). Following [55], let us call a general frame ample if it contains all such
sets as admissible, and the modal formulae locally persistent with respect to all ample
general frames, locally A-persistent. Thus, all Sahlqvist formulae in ML($\Diamond$) are locally
A-persistent, and this property enables us to show that a given formula is not (even
semantically equivalent to) a Sahlqvist formula.
EXAMPLE 128. As proved in [55], the formula $D = p \land \Box(\Diamond p \to \Box q) \to \Diamond\Box\Box q$ is not
A-persistent, and hence not equivalent to any Sahlqvist formula in ML($\Diamond$). However, it is
an inductive formula, whose dependency digraph over the set of heads $\{p, q\}$ has only one
edge, from $p$ to $q$. It has a local first-order correspondent
$\mathrm{FO}(D) = \exists y(Rxy \land \forall z(R^2yz \to \exists u(Rxu \land Rux \land Ruz)))$, which is not equivalent to a Kracht formula
(i.e., a first-order equivalent to a Sahlqvist formula, see [84]).
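Definitions 122 to 126 can be exercised mechanically. The Python below is an added example, not code from the handbook or from [55]: it recognises box-formulae, extracts heads and inessential variables, builds the dependency digraph of Definition 125 and tests it for acyclicity. The tuple encoding, the function names, the reading of D as p ∧ □(◇p → □q) → ◇□□q and the hand-supplied lists of box-formulae are assumptions of this example.

```python
# Formulae are nested tuples (an encoding chosen for this example):
#   ("var", "p"), ("top",), ("bot",), ("not", A), ("and", A, B), ("or", A, B),
#   ("imp", A, B), ("box", A), ("dia", A)


def variables(f):
    """Set of propositional variables occurring in f."""
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))


def is_positive(f, polarity=True):
    """True iff every variable occurrence in f has positive polarity."""
    tag = f[0]
    if tag == "var":
        return polarity
    if tag in ("top", "bot"):
        return True
    if tag == "not":
        return is_positive(f[1], not polarity)
    if tag == "imp":
        return is_positive(f[1], not polarity) and is_positive(f[2], polarity)
    if tag in ("and", "or", "box", "dia"):
        return all(is_positive(g, polarity) for g in f[1:])
    raise ValueError(f"unknown connective: {tag!r}")


def analyse_box_formula(f):
    """Return (head, inessential variables) if f is a box-formula, else None.

    Follows Definition 122: peel boxes and implications A -> B with A
    positive until the head variable is reached.
    """
    inessential = set()
    while True:
        tag = f[0]
        if tag == "var":
            return f[1], inessential
        if tag == "box":
            f = f[1]
        elif tag == "imp" and is_positive(f[1]):
            inessential |= variables(f[1])
            f = f[2]
        else:
            return None


def dependency_digraph(box_formulae):
    """Definition 125: vertices are the heads; (v, h) is an arc iff v occurs
    as an inessential variable in a box-formula with head h."""
    parsed = [analyse_box_formula(b) for b in box_formulae]
    if any(item is None for item in parsed):
        raise ValueError("input contains a formula that is not a box-formula")
    heads = {h for h, _ in parsed}
    arcs = {(v, h) for h, ines in parsed for v in ines if v in heads}
    return heads, arcs


def is_acyclic(vertices, arcs):
    """Kahn's algorithm; a loop (v, v) counts as an oriented cycle."""
    indegree = {v: 0 for v in vertices}
    for _, b in arcs:
        indegree[b] += 1
    ready = [v for v in vertices if indegree[v] == 0]
    removed = 0
    while ready:
        v = ready.pop()
        removed += 1
        for a, b in arcs:
            if a == v:
                indegree[b] -= 1
                if indegree[b] == 0:
                    ready.append(b)
    return removed == len(vertices)


p, q = ("var", "p"), ("var", "q")
# Box-formulae negated in D (Example 128): p itself and [](<>p -> []q).
D_BOXES = [p, ("box", ("imp", ("dia", p), ("box", q)))]
# GL = []([]p -> p) -> []p: p is both head and inessential, giving a loop.
GL_BOXES = [("box", ("imp", ("box", p), p))]
# Sahlqvist case: boxed atoms only, hence no arcs at all.
SAHLQVIST_BOXES = [("box", ("box", p)), q]

if __name__ == "__main__":
    for name, boxes in [("D", D_BOXES), ("GL", GL_BOXES), ("boxed atoms", SAHLQVIST_BOXES)]:
        heads, arcs = dependency_digraph(boxes)
        print(name, sorted(heads), sorted(arcs), "acyclic" if is_acyclic(heads, arcs) else "cyclic")
```

D comes out with the single arc from p to q and is acyclic, so it is inductive; GL is regular but its digraph has a loop at p, so it is not.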


The class of inductive formulae does not exhaust the potential of the method of
substitutions (in particular, minimal valuations), since, being syntactically defined (like
Sahlqvist formulae), it is not closed even under tautological equivalence.

A more general and robust algorithmic approach to identifying elementary and
D-persistent modal formulae (covering all inductive formulae) is outlined in [14]. The
algorithm presented there is based on a modal version of Ackermann’s lemma (which
essentially formalises the idea of minimal valuations) and, when successful, computes
effectively a first-order equivalent of the input modal formula and at the same time
establishes its D-persistence.


Shallow formulae and R-persistence 


The property of R-persistence is much stronger than D-persistence. Perhaps the largest 
syntactic class of R-persistent formulae identified so far is the class of shallow formulae 
[122, Thm 2.4.7]: those in which every occurrence of a propositional variable is in the 
scope of at most one modal operator. Note that syntactically shallow formulae are not 
subsumed by the class of Sahlqvist formulae, nor even by the class of inductive formulae. 


8.3 Modal logic and first-order logic with least fixed points 


With every first-order language FO($\tau$) we associate its extension LFP($\tau$) with least fixed
point operators. For background on LFP see e.g. [25] or [2]. LFP is a rather expressive
proper extension of FO which however still shares nice properties with FO, e.g., the
downward Löwenheim-Skolem theorem [30] and the 0-1 law (see [64]).

Which modal formulae are (locally) definable in LFP($\tau$)? Which LFP($\tau$)-formulae are
modally definable on frames? No explicit model-theoretic criteria seem to be known as
yet and these questions are most likely undecidable.

A number of well-known non-elementary modal formulae, such as the Gödel-Löb formula
GL and Segerberg’s induction axiom IND have local equivalents in LFP($\tau$) while,
for instance, the McKinsey formula is outside that class. Indeed, take van Benthem’s
uncountable frame from [127] in which that formula is valid. Flum’s argument from [30],
proving the downward Löwenheim–Skolem–Tarski theorem for LFP, produces a countable
elementary subframe of it which must satisfy that formula, too, which is not possible,
as shown in [127].

Still, a large, effectively defined class of LFP($\tau$)-expressible modal formulae can be
identified by noting that the idea of using minimal valuations to eliminate the universal
second-order quantifiers in the standard translation of frame validity of modal formulae
goes beyond first-order logic. Indeed, the same idea works perfectly for all (polyadic)
regular formulae, defined for monadic languages in section 8.2. In cases where the dependency
graph has loops and cycles, the minimal valuations are recursively defined and
eventually expressed in LFP($\tau$). In particular, this applies to Gödel-Löb and Segerberg
formulae, being regular formulae. The following was shown in [55].


THEOREM 129. Every regular formula has a local correspondent in LFP($\tau$), which can
be obtained effectively.

We illustrate the idea of computing LFP($\tau$)-equivalents of regular formulae with GL.

$$\mathrm{ST}(\mathrm{GL}) = \forall x_1(x_0Rx_1 \to (\forall x_2(x_1Rx_2 \to Px_2) \to Px_1)) \to \forall x_1(x_0Rx_1 \to Px_1),$$

which can be rewritten as $\forall x_1(x_0Rx_1 \to (R[x_1] \subseteq P \to Px_1)) \to R[x_0] \subseteq P$ (where
$R[x] := \{y \mid xRy\}$). The antecedent can be expressed as

$$\Phi(P) \subseteq P, \quad \text{where } \Phi(P) = \{x_1 \mid x_0Rx_1 \land R[x_1] \subseteq P\}.$$

Note that, since $\Phi(P)$ is positive in $P$, and hence monotone, there is a $\subseteq$-minimal
valuation for $P$ satisfying $\Phi(P) \subseteq P$, viz. $V_{\min}(p) = \mu X.\Phi(X)$. Then, the local equivalent
of GL in LFP($\tau$) is obtained by substituting that minimal valuation in the consequent:
$\mathrm{LFP}(\tau)(\mathrm{GL}; x_0) = \forall x_1(x_0Rx_1 \to \mu X.\Phi(X)(x_1))$. By unfolding, based on the
Knaster-Tarski theorem, that equivalent is:

$$\forall x_1\bigl(x_0Rx_1 \to \exists n \ge 0\ \forall y_1 \ldots \forall y_n (x_1Ry_1 \to x_0Ry_1 \land (\ldots (y_{n-1}Ry_n \to x_0Ry_n \land R[y_n] = \emptyset) \ldots))\bigr),$$

i.e., ‘local’ transitivity and non-existence of infinite R-chains starting at $x_0$.
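The GL computation above can be checked mechanically on finite frames. The Python below is an added example, not code from the handbook: it obtains μX.Φ(X) by iterating Φ from the empty set, evaluates the resulting local correspondent, and compares it with a brute-force evaluation of ST(GL) over every valuation of p. The function names and the encoding of a frame as a set of pairs are assumptions of this example.

```python
from itertools import product


def successors(R, x):
    """R[x] = {y | x R y} for a relation R given as a set of pairs."""
    return {b for (a, b) in R if a == x}


def phi(R, x0, X):
    """Phi(X) = {x1 | x0 R x1 and R[x1] is a subset of X}, as in the text."""
    return {x1 for x1 in successors(R, x0) if successors(R, x1) <= X}


def least_fixed_point(R, x0):
    """Iterate Phi from the empty set (Knaster-Tarski on a finite frame).

    Returns (mu, stage): mu is the least fixed point and stage[s] is the
    first iteration at which state s enters it.
    """
    X, stage, n = set(), {}, 0
    while True:
        nxt = phi(R, x0, X)
        if nxt == X:
            return X, stage
        n += 1
        for s in nxt - X:
            stage[s] = n
        X = nxt


def gl_lfp_correspondent(R, x0):
    """Local LFP correspondent of GL at x0: every successor of x0 lies in mu."""
    mu, _ = least_fixed_point(R, x0)
    return successors(R, x0) <= mu


def gl_valid_bruteforce(W, R, x0):
    """Check ST(GL) at x0 directly, quantifying over every valuation P of p."""
    out = successors(R, x0)
    for bits in product([False, True], repeat=len(W)):
        P = {w for w, b in zip(W, bits) if b}
        # Antecedent: each successor x1 of x0 with R[x1] inside P is itself in P.
        antecedent = all(x1 in P or not successors(R, x1) <= P for x1 in out)
        if antecedent and not out <= P:
            return False
    return True


def agree_on_all_frames(n):
    """Compare both checks on every relation over {0, ..., n-1} and every x0."""
    W = list(range(n))
    pairs = [(a, b) for a in W for b in W]
    for bits in product([False, True], repeat=len(pairs)):
        R = {pr for pr, b in zip(pairs, bits) if b}
        for x0 in W:
            if gl_lfp_correspondent(R, x0) != gl_valid_bruteforce(W, R, x0):
                return False
    return True


# Constructed sample frames on W = {0, 1, 2}.
TRANSITIVE_CHAIN = {(0, 1), (0, 2), (1, 2)}
BROKEN_CHAIN = {(0, 1), (1, 2)}   # 0 R 1 R 2 but not 0 R 2
REFLEXIVE_POINT = {(0, 0)}        # infinite chain 0 R 0 R 0 ...

if __name__ == "__main__":
    for name, R in [("transitive chain", TRANSITIVE_CHAIN),
                    ("broken chain", BROKEN_CHAIN),
                    ("reflexive point", REFLEXIVE_POINT)]:
        mu, stage = least_fixed_point(R, 0)
        print(name, "mu =", sorted(mu), "stages =", stage,
              "GL holds at 0:", gl_lfp_correspondent(R, 0))
    print("agreement on all 3-element frames:", agree_on_all_frames(3))
```

The stage at which a successor enters the fixed point plays the role of the bound n in the unfolded formula: on the transitive chain, state 2 enters at stage 1 and state 1 at stage 2.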

While Theorem 129 may be regarded as an extension of the definability part of the
Sahlqvist theorem, it cannot match the canonicity part of it. Not only are there regular
formulae which are not D-persistent (e.g., GL and IND) but there are even ones which are
not complete, such as $\Box(\Box p \leftrightarrow p) \to \Box p$ from [6], which can be easily pre-processed into
a semantically equivalent regular formula. It is weaker than GL but has the same class
of frames, and is therefore incomplete. On the other hand, it is a plausible conjecture
that every modal formula with a minimal valuation expressible in LFP($\tau$) is semantically
equivalent to a regular formula.

In order to apply the method of minimal valuations, one has to identify, en route,
those FO($\tau$)-formulae $\varphi$ for which there is a minimal interpretation for each occurring
unary predicate $P$. In recent work van Benthem [132] has obtained syntactic and
model-theoretic characterisations of these formulae, involving predicates of arbitrary arity (see
Chapter 1 of this handbook).

Finally, we note that an algorithm for computing LFP($\tau$)-equivalents of classical modal
formulae, based on Ackermann’s method for second-order quantifier elimination, and in
particular covering the example above, has been developed in [103].


8.4 Modal logic and second-order logic 


The standard translation embeds ML($\tau$), with respect to frame validity, into the monadic
$\Pi^1_1$-extension of the first-order language FO($\tau$). We already know that the embedding
is proper. Still, a natural question arises whether the preservation conditions of Theorem
117 are sufficient to guarantee modal definability of monadic $\Pi^1_1$-formulae, as well. As van
Benthem has noted in [127, p.53], this is not the case in the basic modal language, witnessed
by the property ‘non-existence of infinite $R$-chains’ (i.e., well-foundedness of $R^{-1}$),
which satisfies all those preservation conditions and moreover is bisimulation invariant.
Still, that property of frames is defined in the extension of the basic modal language with
the universal modality [U], by the formula $[U](\Box p \to p) \to p$ (see [54]). (Contrast this
with Observation 42, that as a property of Kripke structures, it is not definable even in 
ML...) Thus, one may ask if the natural preservation conditions characterising modal 
definability of elementary properties (closure under generated subframes, bounded morphisms,
and disjoint unions, and reflection of ultrafilter extensions) do not apply also to a
wider class (if not the whole of $\Pi^1_1$), but for a suitably extended modal language? Surely,
some of the results characterising modal definability of properties of Kripke structures
would still be useful and relevant here: if the first-order matrix of a $\Pi^1_1$-formula, where
all second order quantifiers are in a prefix, meets the conditions for having a modal
correspondent on Kripke structures, then the whole formula is frame-definable by the same
modal correspondent. It is not currently known if this observation can be turned into a 
general criterion for modal definability of monadic second-order formulae. 

Modal logic penetrates quite deep into monadic second-order logic MSO(R) (with full 
quantification over unary predicate variables, over the vocabulary with the single binary 
relation R). As proved by Thomason [124], logical consequence in terms of frame validity 
of the latter can be reduced to the former in the following sense. There exists an effective 
translation $t$ of MSO(R) into ML, and a special modal formula $\delta$ such that for every set $\Sigma$
of MSO(R)-sentences and any MSO(R)-sentence $\varphi$: $\Sigma \models_2 \varphi$ iff $\{\delta\} \cup t[\Sigma] \models_{fr} t(\varphi)$. Here
$\models_2$ denotes second-order semantic consequence which, as a consequence of Tarski’s
non-definability theorem, is not arithmetically definable, and $\Gamma \models_{fr} \psi$ means that the
modal formula $\psi$ is valid in every frame where all modal formulae from $\Gamma$ are valid.
Consequently, $\models_{fr}$ is not recursively axiomatisable, unlike validity in modal logic.

Furthermore, as noted in [127, p.23], full second-order logic, and even the theory of 
finite types, can be reduced to MSO(R), too. 

For more on the relations between modal logic and second-order logic, see [127], [24], 
and Chapter 10 of this handbook. Also, [122, 121, Chapter 12] considers the extension 
of modal logic with propositional quantifiers, which goes much farther into second-order 
logic. 


9 FINITE MODEL THEORY OF MODAL LOGICS 


9.1 Finite versus classical model theory 


When only finite structures are admitted, the model theoretic basis changes dramatically.
For instance, unless the logic under consideration has the finite model property,
satisfiability does not imply finite satisfiability, and hence a semantic consequence $\varphi \models \psi$
may be true in the sense of finite models without being classically valid. Crucial tools
of classical model theory, most notably the completeness and compactness theorems for 
FO, fail in restriction to just finite models. From a modelling point of view, on the other 
hand, the restriction to just finite models is often natural. In applications, in which the 
intended models ought to be finite, reasoning on the basis also of infinite models may be 
inadequate and give misleading results. Applications in computer science like specifica- 
tion and verification, or also database theory, for instance, often call for the restriction 
to finite models, and have had a significant impact on the development of finite model 
theory. 

The methodological shift encountered is highlighted by the failure of classical theorems 
and tools, most notably of the compactness theorem but also most other key theorems 
from classical model theory in its wake, see [25]. Certainly results from classical model 
theory cannot be expected to go through automatically; often they fail, and some still 
obtain, albeit with new proofs. Modal model theory, in particular, has a number of exam- 
ples of the latter kind, and sometimes the new proofs shed new light also on the classical 
version. For some concrete examples, close to (classical) modal model theory, which
illustrate the interesting relationship with finite model theory, consider the following.

Interpolation for ML goes through via the finite model property (FMP), treated in
section 3.3. If $\models \varphi \to \psi$ is valid in finite structures, it must also be valid generally, as a
counterexample $M, w \models \varphi \wedge \neg\psi$ would also yield a counterexample in the sense of finite
model theory, by FMP. Clearly a classical interpolant $\chi$ with $\models (\varphi \to \chi) \wedge (\chi \to \psi)$, is
an interpolant also in the sense of finite model theory.

The modal characterisation theorem. Note how both sides of the equivalence expressed 
in Theorem 55 change their meaning when interpreted in the sense of finite model theory: 
both bisimulation invariance and logical equivalence only refer to finite structures. In par- 
ticular, bisimulation invariance in finite structures does not imply bisimulation invariance 
over all structures. Trivial examples are provided by formulae without finite models that 
happen not to be bisimulation invariant for infinite models. Also, while Ehrenfeucht–Fraïssé
techniques remain valid, compactness does not and the classical proof with its
necessary detour through infinite models is no longer available. As discussed in section 4.2,
however, the theorem itself persists in the form of Theorem 61 as a theorem
of finite model theory due to Rosen [112]. Interestingly the new proofs in [112, 105] are
valid classically as well as in finite model theory and have led to additional insights into
the classical result. In contrast, the failure of the corresponding characterisation theorem
for FO$^2$ in finite model theory shows that the finite model property does not guarantee
a smooth passage to finite model theory. While an FO sentence that is (classically)
invariant under 2-pebble game equivalence is logically equivalent to a sentence in FO$^2$,
this characterisation breaks down for finite model theory. The FO sentence saying that
a binary relation is a linear ordering, which is 2-pebble invariant only in restriction to
finite structures, is not expressible in FO$^2$ even over finite structures.

Similarly, Rosen [112] has a proof of the finite model theory version of the modal 
existential preservation theorem: $\varphi \in$ ML is preserved under extensions (holds inside the
whole Kripke structure if it holds in a substructure) iff it is equivalent to an existential
modal formula (built from positive and negated atoms by means of only $\wedge$, $\vee$ and $\Diamond$,
disallowing $\Box$ or nesting of $\neg$ and $\Diamond$). The corresponding preservation theorem for
first-order logic is known to become invalid in restriction to just finite structures. 


Modal logic stands out in comparison with first-order logic or the FO* in having a 
comparatively smooth finite model theory that preserves a number of classical theorems, 
as is the case for the above examples. 

The variations of basic modal logic mentioned in section 5.1 have partly also been 
investigated with respect to their finite model theory, with several results that suggest 
a similarly smooth behaviour. Their characterisations as fragments of FO, in terms 
of invariance under correspondingly refined notions of bisimulation, have been studied 
in finite model theory in [106] with further ramifications w.r.t. other restricted classes 
of finite frames in [17]. Just as is the case with the van Benthem–Rosen characterisation,
Theorems 55 and 61, surprisingly many of these characterisations go through in restriction
to finite Kripke structures just as classically, albeit with rather specific new proofs. The
following may serve as a typical representative for several related results from [106, 17].
Also compare Proposition 68; this should be contrasted with the failure of, for instance,
the corresponding characterisation of FO$^2$ in finite model theory.


THEOREM 130. For any $\varphi(x) \in$ FO, the following are equivalent:


(i) $\varphi$ is invariant under global bisimulation over finite Kripke structures.
(ii) $\varphi$ is equivalent to a formula of ML[$\forall$] over finite Kripke structures.

Similarly are equivalent:

(i) $\varphi$ is bisimulation invariant over finite, rooted Kripke structures.
(ii) $\varphi$ is equivalent to a formula of ML[$\forall$] over finite, rooted Kripke structures.


Related open problems concern the status in finite model theory of Theorem 65, for the 
guarded fragment GF in arbitrary relational similarity types, and particularly strikingly 
of Theorem 76, for the modal $\mu$-calculus.


But finite model theory also deals with new questions, which only arise in the context 
of finite structures. We devote the rest of this section to two sketches dealing with two 
very specific issues of this kind: one from descriptive complexity (section 9.2), the other 
on 0-1 laws (section 9.3). Descriptive complexity deals with the relationship between the
algorithmic complexity and the logical definability of properties of finite structures; here 
finite structures feature as input to algorithmic problems and logic becomes a measure of 
complexity. In 0-1 laws, and more generally asymptotic probability, one deals with the 
statistics of logically defined properties over the collection of all size n structures in the 
limit as n goes to infinity; here finite structures form the sample space for probabilistic 
analysis. Compare [25, 93] for general background on these topics in finite model theory. 


9.2 Capturing bisimulation invariant Ptime 


Descriptive complexity aims for the description and analysis of computational complexity 
by means of logics. A key example is the long open problem of a logic for Ptime. One 
seeks a logic (with effective syntax) whose formulae define precisely those classes of finite 
relational structures, for which membership can be decided in polynomial time.¹⁷ By
a well-known result of Immerman [76] and Vardi [134], the least fixed point extension 
of first-order logic, LFP, is the solution for classes of finite, linearly ordered relational 
structures. The problem remains open to date for not necessarily ordered structures. 
Interestingly, the corresponding problem for bisimulation closed classes of finite Kripke 
structures does admit a natural solution [104] (cf. [94] for another, related capturing 
result). 

Consider the framework of basic modal logic with a single modality associated with the
binary relation $R$ and with finitely many atomic propositions $p_i$. Let $Q$ be a class of finite
pointed Kripke structures (i.e., a property of finite pointed Kripke structures) of that
type. $Q$ corresponds to a bisimulation invariant property if it is closed under bisimulation
in the sense that for any two $(\mathfrak{M}, u) \sim (\mathfrak{M}', u')$: $(\mathfrak{M}, u) \in Q$ iff $(\mathfrak{M}', u') \in Q$. Recall
the bisimulation quotients $\mathfrak{M}[u]/\rho^{\mathfrak{M}}$ of pointed Kripke structures $(\mathfrak{M}, u)$ as discussed in
section 3.6. Bisimulation closure of $Q$ implies that


$$Q = \{(\mathfrak{M}, u) \mid (\mathfrak{M}[u]/\rho^{\mathfrak{M}}, [u]_{\rho^{\mathfrak{M}}}) \in Q\}.$$


Membership in $Q$ can therefore be determined via passage to canonical quotient representations,
and in terms of the intersection of $Q$ with the class $C$ of all canonical quotient
representations. Note that $C$ consists of all finite rooted Kripke structures of the appropriate
type in which each bisimulation type is realised exactly once (in other words, with
identity as the largest bisimulation). As largest bisimulations and bisimulation quotients
are polynomial time computable, it follows that $Q$ is in Ptime if, and only if, $Q \cap C$ is.
The following special property of $C$ opens up a reduction to the case of linearly ordered
structures, which then leads to the desired capturing result. By a canonical linear ordering
of a structure we mean an ordering that is determined by the isomorphism type of
that structure.

¹⁷ One also has to require an effective link from syntax to Ptime algorithms for its evaluation, in order
to avoid pathological solutions.


LEMMA 131. There is a polynomial time algorithm which for every $(\mathfrak{M}, u) \in C$ computes
a canonical linear ordering of the domain. 


In fact, a linear ordering w.r.t. bisimulation type can be generated in an inductive
refinement procedure which, in its $n$-th stage, produces a linear ordering of the $\sim_n$-classes
within any given finite Kripke structure. This is based on a lexicographic lift
of the ordering on $\sim_n$-classes to an ordering of the $\sim_{n+1}$-classes, similar to the colour
refinement technique in graph theory. Over any finite Kripke structure the common
refinement of this process is a linear ordering of $\sim$-classes; for structures in $C$ one obtains
an actual linear ordering, as each $\sim$-class is inhabited by a single state.
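The refinement procedure can be made concrete as follows. This is an added example, not code from the handbook or from [104]: it orders the classes stage by stage with a lexicographic lift and then reads off an ordered bisimulation quotient of the generated substructure, so that bisimilar pointed structures receive the same canonical form. The dict-based representation of Kripke structures and the function names are assumptions made for the illustration.

```python
# A Kripke structure is given by R: state -> set of successors, and
# val: state -> set of atomic propositions true there (constructed representation).

def reachable(R, u):
    """Domain of the generated substructure M[u]."""
    seen, stack = set(), [u]
    while stack:
        w = stack.pop()
        if w not in seen:
            seen.add(w)
            stack.extend(R.get(w, ()))
    return seen

def _rank(key):
    """Replace each state's key by the position of that key in sorted order."""
    order = {k: i for i, k in enumerate(sorted(set(key.values())))}
    return {w: order[k] for w, k in key.items()}

def ordered_bisim_classes(R, val, u):
    """Map each state of M[u] to the position of its bisimulation class.

    Stage 0 orders states by atomic type. Stage n+1 orders them by the pair
    (own stage-n position, sorted set of stage-n positions of successors),
    which is the lexicographic lift of the stage-n ordering.
    """
    W = reachable(R, u)
    rank = _rank({w: tuple(sorted(val.get(w, ()))) for w in W})
    while True:
        key = {w: (rank[w], tuple(sorted({rank[v] for v in R.get(w, ())})))
               for w in W}
        new = _rank(key)
        # Each stage refines the previous one, so an unchanged class count
        # means the partition (and its ordering) has stabilised.
        if len(set(new.values())) == len(set(rank.values())):
            return new
        rank = new

def canonical_quotient(R, val, u):
    """Ordered quotient of M[u]: (position of u's class, per-class description).

    Class i is described by its atomic type and the positions of its successor
    classes. The result depends only on the bisimulation type of (M, u).
    """
    rank = ordered_bisim_classes(R, val, u)
    n = len(set(rank.values()))
    atoms, succ = [None] * n, [None] * n
    for w, r in rank.items():
        atoms[r] = tuple(sorted(val.get(w, ())))
        succ[r] = tuple(sorted({rank[v] for v in R.get(w, ())}))
    return rank[u], tuple(zip(atoms, succ))

if __name__ == "__main__":
    # Constructed sample: (M, a) and (N, x) are bisimilar, (K, s) is not.
    M, val_m = {"a": {"b", "c"}, "b": {"b"}, "c": {"c"}}, {"b": {"p"}, "c": {"p"}}
    N, val_n = {"x": {"y"}, "y": {"y"}}, {"y": {"p"}}
    K, val_k = {"s": {"t"}, "t": set()}, {"t": {"p"}}
    print(canonical_quotient(M, val_m, "a") == canonical_quotient(N, val_n, "x"))
    print(canonical_quotient(M, val_m, "a") == canonical_quotient(K, val_k, "s"))
```

On a structure in which every bisimulation class is a singleton, the returned positions are pairwise distinct and so give a linear ordering of the domain that does not depend on how the states are named.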

Moreover, a representation of this linearly ordered version of the quotient structure
$\mathfrak{M}[u]/\rho^{\mathfrak{M}}$ is uniformly LFP-definable over the given structures $(\mathfrak{M}, u)$ themselves. This
means that in LFP over the $(\mathfrak{M}, u)$ one can also uniformly define any LFP definable
property of their linearly ordered quotients $\mathfrak{M}[u]/\rho^{\mathfrak{M}}$. By the Immerman-Vardi result
this includes all Ptime properties of these quotient structures, since they are linearly
ordered. Together these observations yield an abstract capturing result: an effective syntactic
normal form for the definition of precisely those bisimulation invariant properties
that are in Ptime. As shown in [104] one can further isolate a natural extension of the
modal $\mu$-calculus, a multi-dimensional $\mu$-calculus $L^\omega_\mu$, with the property that a class $Q$ of
finite pointed Kripke structures is bisimulation closed and in Ptime if, and only if, $Q$ is
the class of finite models of a formula $\varphi \in L^\omega_\mu$. The logic $L^\omega_\mu$ is the natural bisimulation-safe
least fixed-point extension of basic modal logic over the $n$-th cartesian power of a
Kripke structure (intuitively: $n$-dimensional ML), for arbitrary $n \in \mathbb{N}$.


PROPOSITION 132. Let Q be a class of finite pointed Kripke structures of fixed finite 
type. Then the following are equivalent: 


(i) Q is bisimulation closed and in Ptime. 
(ii) $Q$ is definable by a formula of the multi-dimensional $\mu$-calculus $L^\omega_\mu$.


9.3 0-1 laws in modal logic


Another of the major specific topics in finite model theory is the asymptotic behaviour of 
the probability for a given property P to be true in a randomly chosen structure of size n 
(taken up to isomorphism), in a suitably defined probabilistic space. If that probability 
has a limit as n increases without bound, that limit is called the (unlabelled) asymptotic 
probability of P. 

A fundamental result in this area is the 0-1 law for first-order logic, stating that the 
asymptotic probability for every first-order definable property of relational structures 
exists and equals either 0 or 1, i.e., every such property is either almost surely true or 
almost surely false. This result was first proved in [40] (using ‘almost sure’ quantifier 
elimination), later established independently by Fagin [27] who moreover obtained a 
purely logical characterisation of the set of first-order sentences that are almost surely
true, as the first-order theory of the so-called countable random structure. Prior to
Fagin’s discovery, Gaifman had studied in [37] infinite random structures as probabilistic
models for arbitrary relational first-order languages and had proved that the first-order
theory of such structures is axiomatised by an infinite set of extension axioms: sentences
that require every $n$-tuple to be extendible to an $(n + 1)$-tuple in every possible (i.e.,
consistent) way. Furthermore, he showed that the first-order theory of all extension
axioms is complete and $\omega$-categorical.¹⁸ Thus, Fagin established the following transfer
theorem, which immediately implies the 0-1 law: a first-order property of relational 
structures is almost surely true iff it is true in the (unique, up to isomorphism) countable 
random structure. Grandjean [63] proved that the complexity of checking if a given 
first-order formula is almost surely true is decidable in Pspace, in sharp contrast to 
Trachtenbrot’s theorem that validity of first-order formulae on all finite structures is not 
even recursively axiomatisable. 

The transfer theorem was subsequently extended and the 0-1 law proved for several 
extensions of first-order logic: for first-order logic with fixed point operators by Blass, 
Gurevich and Kozen, later subsumed by the 0-1 law for infinitary logic with finitely 
many variables $L^\omega_{\infty\omega}$, proved by Kolaitis and Vardi; for some prefix-defined fragments of
monadic second-order logic, again by Kolaitis and Vardi, who also established a curious
parallel between decidability and 0-1 laws for such fragments. On the other hand, the
0-1 law fails in monadic second-order logic, even in its $\Sigma^1_1$-fragment. For references and
further details on these results, see, e.g., [64, 25, 93, 53]. 

In the framework of modal logic, there are two natural notions of (asymptotic) prob- 
ability ‘in the finite’: with respect to Kripke structures and with respect to frames. The 
0-1 law with respect to Kripke structures follows directly from Fagin’s theorem. More- 
over, Halpern and Kapron [66] showed that the modal formulae almost surely valid in 
finite Kripke structures are precisely the theorems of the non-normal Carnap’s logic [8]. 
As for almost sure frame validity, a complete axiomatisation of the modal logic ML$^r$ of
the countable random frame has been obtained in [53], where it has also been proved
that ML$^r$ has the finite model property and is decidable. It is also shown there that
not all modal formulae that are almost surely frame-valid are in ML$^r$, thus refuting the
transfer theorem for frame validity in modal logic. Perhaps the simplest such formula,
which fails in the countable random frame, is ~OH(p = =p), proven later in [90] to 
be almost surely true. Note that no such formula is frame-definable in fixed point logic 
LFP, or even in $L^\omega_{\infty\omega}$, because the transfer theorem does hold for these.

The failure of the transfer theorem for frame validity in modal logic cast a serious 
doubt on the truth of the 0-1 law there (claimed in [66]) which was soon justified by 
le Bars [90] who proved that the formula ~p A q A^OO((pV q) > 70(pV q)) > Op has 
no asymptotic probability, by using involved combinatorial-probabilistic methods. Thus, 
basic modal logic provides the smallest currently known natural fragment of monadic $\Pi^1_1$
(resp. $\Sigma^1_1$), in a vocabulary with just a single binary relation, where the 0-1 law fails.

As noted in [53] the modal formulae which are almost surely frame-valid form a normal
modal logic ML$^{as}$, which contains ML$^r$. It is a currently open problem whether
ML$^{as}$ is decidable, and its complete axiomatisation has not been established yet. However,
a conjecture raised in [53] claims that all axioms that have to be added to ML$^r$
in order to axiomatise ML$^{as}$ are of a uniform, semantic nature, namely: there is an
infinite collection $\mathcal{F}$ of special finite frames, and each $\mathfrak{F} \in \mathcal{F}$ determines an axiom $\varphi_{\mathfrak{F}}$
valid in ‘almost every’ finite frame¹⁹ iff that frame cannot be mapped by a bounded
morphism onto $\mathfrak{F}$. For instance, the formula -O0O(p > =p) corresponds to the frame


$(\{a, b\}, \{(a, b), (b, a), (b, b)\})$.

¹⁸ The probabilistic aspect of this result is rather curious: it means that, assuming uniform distribution,
any randomly constructed countable relational structure is isomorphic with probability 1 to the countable
random structure! In the case of graphs, that structure was previously known as the Radó graph.


CONCLUDING REMARKS 


In summary, the semantics of modal logic has (at least) two emblematic features which 
have a crucial impact on its model theory and which we have attempted to reflect in the 
composition of this chapter. 


Modal logic is local. Truth of a formula is evaluated at a current state (possible 
world); this localisation is preserved (and carried) along the edges of the accessibility 
relations by the restricted, relativised quantification corresponding to the modal opera- 
tors. This feature is reflected by the notion of bisimulation between states and between 
Kripke structures, respectively. The notion of bisimulation invariance plays a key role 
in characterising what is modally definable, as captured in the van Benthem—Rosen 
theorem (Theorems 55 and 61 here). Moreover, bisimulation (and its game character- 
isation) plays a role in modal model theory analogous to that of partial isomorphism 
(and its Ehrenfeucht-Fraïssé characterisation) in classical model theory. From yet an- 
other perspective, the characteristic power of preservation under bisimulations in modal 
logic can be compared to the characteristic power of preservation under ultraproducts 
in first-order logic. Quite naturally, therefore, bisimulation emerges as the central and 
unifying truth-preserving model-theoretic construction in modal logic, and all other ba- 
sic constructions on which the classical model theory of modal logic builds (generated 
substructures, bounded morphisms, disjoint unions) are definable in terms of it or at 
least closely related to it. By systematically developing the bisimulation-based approach 
to modal model theory in this chapter, we hope to have given a modern treatment on 
this classical theme. Furthermore, the central role of bisimulations and bisimulation in- 
variance properties is so robustly preserved, mutatis mutandis, in the rich and diverse 
variety of extensions of basic modal logic, that it can be adopted as a benchmark of what 
constitutes a modal language. 


Modal logic is multi-layered. On Kripke structures the modal language is a bounded 
variable, guarded fragment of first-order logic, while on Kripke frames, due to universal 
quantification over valuations, it becomes a fragment of universal monadic second-order 
logic. Each of these semantic layers leads to its own model-theoretic agenda and devel- 
opment, but the two interact closely through various model-theoretic constructions and 
preservation results presented here, and blend together in the notion of general frames, 
dually re-incarnated as modal algebras. General frames emerge as a third, intermediate 
semantic layer of modal logic, casting a bridge between the other two. In particular, by 
means of a hierarchy of persistency properties, general frames provide a yardstick to measure
the ‘expressive complexity’ of modal formulae, and determine their model-theoretic
behaviour. This chapter presents the basics of the modal model theory in each of these
three layers and illustrates the use of the main tools and results arising in each one of
them.

¹⁹ More precisely, in every finite frame in which each state is reachable from any other state by a path
of length < 2.


While trying to give a comprehensive account of the main issues and results of both 
classical and modern model theory of modal logic, we have not covered a number of 
important and relevant topics and research developments, either for lack of space or 
because they are adequately treated in other chapters of this handbook. A certainly 
incomplete list of the more conspicuous omissions (in no particular order) includes: 


• model theory of extended modal languages: see [18] and [122] for a recent treatise;

• model theory of combined modal logics: see Chapter 15 of this handbook and [35];

• Lindström-type theorems for modal logic: see [19, 133];

• reductions of polyadic to monadic modal languages and their model theoretic implications,
including transfer of properties: see [85, 41], and Chapter 8 of this
handbook;

• Kracht’s internal definability theory [84];

• Zakharyaschev’s canonical formulae, providing a uniform characterisation of normal
modal logics extending K4: see [10, 9], and Chapter 7 of this handbook;

• model-building techniques such as mosaics and networks used for more advanced
completeness and decidability proofs: see, e.g., [99] and [5, Ch. 6.4 and 7.4];

• model completions in modal logic [39];

• bisimulation quantifiers and their use for proving uniform interpolation of various
modal logics by Visser [139], Ghilardi and Zawadowski [39] (where bisimulation
quantifiers are related to model completions), and of the modal mu-calculus by
D’Agostino and Hollenberg [16].


It is natural to conclude a handbook chapter by attempting to identify main general 
trends of the current and future development of the topic under consideration. 

To begin with, let us recall and revisit van Benthem’s three ‘pillars of wisdom’ support- 
ing the classical edifice of modal logic: the Definability (Correspondence), Completeness, 
and Duality theories [128]. Each of these has played a crucial role in the development 
of modal model theory, and will continue to play such a role, with an accordingly mod- 
ernised and updated agenda. 

In particular, analysing the expressive power of modal languages with respect to each 
of its semantic layers remains one of the main directions of research in modal logic, of 
growing importance and complexity, due to the active expansion and diversification of 
modal logic. Accordingly, the classical correspondence theory between modal and first- 
order logic, much of which has been reflected in the chapter, is gradually ramifying into a 
hierarchy of correspondence theories, aiming at mapping the variety of modal logics into 
the hierarchy of classical logical languages centered around first-order logic. An example 
is the currently emerging correspondence theory between modal logic and LFP.

Establishing completeness results of modal deductive systems designed to capture an
intended semantics also remains one of the core areas of modal logic (as of logic in general)
which requires increasingly sophisticated and powerful techniques to match the more and
more complex modal languages and their semantics. The involved completeness proofs
for the modal mu-calculus (see Chapter 12 of this handbook) and CTL* (see [111]), and
the still open completeness problem for Parikh’s (full) Game Logic (see Chapter 20 of 
this handbook) are cases in point. 

Likewise for decidability and complexity, where model-theoretic tools and techniques, 
such as the model-building techniques mentioned above as well as game-theoretic meth- 
ods, are gaining increasing recognition and variety of applications. 

New directions and problem areas in modal model theory itself, or using model- 
theoretic methods, are emerging, too. Many of them, such as finite model theory and 
descriptive complexity, finite and infinite state model checking, arise from actual or po- 
tential applications of modal logic to computer science and related fields and follow recent 
trends in classical model theory. Let us note, however, that while the present day model 
theory of modal logic is still using mainly results and techniques from the classical era of 
first-order model theory, the enormous development and sophistication of that field over 
the past decades is yet to make its full impact on modal model theory. 


In closing, being aware that we cannot possibly offer a definitive treatment of such a 
rich and dynamic subject as the model theory of modal logic, we hope to have whetted 
readers’ appetites and their desire to explore it further and to add to it new discoveries 
of their own.


1 INTRODUCTION


Modal logic is not an isolated field. When studied from a mathematical perspective, 
it has evident connections with many other areas in logic, mathematics and theoretical 
computer science. Other chapters of this handbook point out some of the links between 
modal logic and areas like (finite) model theory or automata theory. Here we will outline 
the algebraic and coalgebraic environments of the theory of modal logic. 


First we approach modal logic with the methodology of algebraic logic, a discipline 
which aims at studying all kinds of logics using tools and techniques from universal 
algebra — in fact, much of the theory of universal algebra was developed in tandem 
with that of algebraic logic. The idea is to associate, with any logic L, a class Alg(L) 
of algebras, in such a way that (natural) logical properties of L correspond to (natural) 
algebraic properties of Alg(L). Carrying out this program for modal logic, we find that
normal modal logics have algebraic counterparts in varieties of Boolean algebras with 
operators (BAOs). In the simplest case of monomodal logics, the algebras that we are 
dealing with are simply modal algebras, that is, expansions of Boolean algebras with a 
single, unary operation that preserves finite joins (disjunctions). One advantage of the 
algebraic semantics over the relational one is that it allows a general completeness result, 
but the algebraic approach may also serve to prove many significant results concerning 
properties of modal logics such as completeness, canonicity, and interpolation. As we 
will see, a crucial observation in the algebraic theory of modal logic is that standard 
algebraic constructions correspond to well-known operations on Kripke frames. These 
correspondences can be made precise in the form of categorical dualities, which may 
serve to explain much of the interaction between modal logic and universal algebra. Our 
discussion of the algebraic approach towards modal logics takes up the sections 3 to 8. 


The coalgebraic perspective on modal logic is much more recent (see section 9 for 
references). Coalgebras are simple but fundamental mathematical structures that capture 
the essence of dynamic or evolving systems. The theory of universal coalgebra seeks 
to provide a general framework for the study of notions related to (possibly infinite) 
behavior such as invariance, and observational indistinguishability. When it comes to 
modal logic, an important difference with the algebraic perspective is that coalgebras 
generalize rather than dualize the model theory of modal logic. Many familiar notions 
and constructions, such as bisimulations and bounded morphisms, have analogues in 
other fields, and find their natural place at the level of coalgebra. Perhaps even more 
important is the realization that one may generalize the concept of modal logic from 
Kripke frames to arbitrary coalgebras. In fact, the link between (these generalizations 
of) modal logic and coalgebra is so tight, that one may even claim that modal logic is the 
natural logic for coalgebras — just like equational logic is that for algebra. The second 
and last part of this chapter, starting from section 9, is devoted to coalgebra. 

What is the point of taking such an abstract perspective on modal logic, be it algebraic 
or coalgebraic? Obviously, making the above kind of mathematical generalizations, one 
should not aim at solving all concrete problems for specific modal logics. Rather, the 
approach may serve to isolate those aspects of a problem that are easy in the sense of 
being solvable by general means; it thus enables us to focus on the remaining aspects 
that are specific to the problem at hand. To give an example, it is certainly not the case 
that all modal formulas are canonical, but Sahlqvist’s theorem considerably simplifies 
completeness proofs by taking care of the canonical part of the axiomatization. A second 
benefit of embedding modal logic in its mathematical context is that it may lead to a
better understanding of notions from modal logic. Taking an example from coalgebra, 
the notion of a bounded morphism between Kripke models (or frames), becomes much 
more natural once we understand that it coincides with the natural coalgebraic notion 
of a homomorphism. 


Our main aim with this chapter is to give the reader an impression of both the algebraic 
and the coalgebraic perspective on modal logic. Our focus will be on concepts and ideas, 
but we will also mention important techniques and landmark results; proofs, or rather 
proof sketches, are given as much as possible. Despite its above-average length, a text of
this size cannot come close to being comprehensive; our main selection criterion has been 
to focus on generality of methods and results. Unfortunately, even some important topics 
have fallen prey to this, most particularly, the algebras of relations, even though they 
played and continue to play a crucial role in the history of algebraic logic. Fortunately, 
these kinds of BAOs are well documented elsewhere, see for instance HENKIN, MONK & 
TARSKI [57] for cylindric algebras, or HIRSCH & HODKINSON [58] for relation algebras. 
A second topic receiving only fragmented attention is historical context. While we do at- 
tribute results as much as possible, readers with an interest in the (fascinating!) history 
of modal logic, will not find much to suit their taste here. Rather, they should consult 
GOLDBLATT [44], or perhaps the historical notes of BLACKBURN, DE RIJKE & VEN- 
EMA [13]. Finally, a warning: in this chapter we assume familiarity with basic notions 
from category theory (such as functors, duality), universal algebra (such as congruences, 
free algebras), and more specifically, Boolean algebras. Readers encountering unfamiliar 
concepts in this chapter are advised to consult some text book in universal algebra or 
category theory. For convenience, in an appendix we have summed up all the material 
that we consider to be background knowledge. 


2 BASICS OF MODAL LOGIC 


In this section we briefly review the basic definitions of modal logic. Starting with syntax, 
we take a fairly general approach towards modal languages and allow modal connectives 
of arbitrary finite rank. A modal similarity type is a set $\tau$ of modal connectives, together
with an arity function $ar : \tau \to \omega$ assigning to each symbol $\nabla \in \tau$ a rank or arity $ar(\nabla)$.
Given a modal similarity type $\tau$ and a set $X$ of variables we inductively define the set
$Fma_\tau(X)$ of modal $\tau$-formulas in $X$ by the following rule:

\[ \varphi ::= x \in X \mid \top \mid \bot \mid \neg\varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \nabla(\varphi_1,\dots,\varphi_n) \]

with $\nabla \in \tau$ and $n = ar(\nabla)$. We will use standard abbreviations such as $\to$ and $\leftrightarrow$;
we also define the dual operator $\Delta$ of $\nabla \in \tau$ as $\Delta(\varphi_1,\dots,\varphi_n) := \neg\nabla(\neg\varphi_1,\dots,\neg\varphi_n)$.
Unary modalities are usually called diamonds, and their duals, boxes; to denote these
modalities we reserve (possibly indexed) symbols of the shape $\Diamond$ and $\Box$, respectively.

Throughout this chapter we will work with an arbitrary but fixed modal similarity 
type $\tau$. Often, we will provide proofs only for the basic modal similarity type which
consists of a single diamond that will always simply be denoted as $\Diamond$ (its dual as $\Box$).
Unless explicitly stated otherwise, we are always dealing with a fixed, countably infinite 
set X of variables; in order not to clutter up notation we will suppress explicit references 
to X as much as possible. 
It will be convenient to have names and notation for some special formulas that behave
just like ordinary diamond formulas of the form $\Diamond v$. Fix a special dummy variable $v$.
In the basic modal language, we may define a compound diamond as any disjunction of
formulas of the form $\Diamond^n v$ (here $\Diamond^0\varphi := \varphi$ and $\Diamond^{n+1}\varphi := \Diamond\Diamond^n\varphi$). In a language with
diamonds only, the compound diamonds may be defined as follows:

\[ \blacklozenge ::= v \mid \Diamond_i \blacklozenge \mid \blacklozenge_1 \vee \blacklozenge_2. \]

An example is $\Diamond_1\Diamond_2(\Diamond_1 v \vee v) \vee \Diamond_1\Diamond_1 v$. We will write $\blacklozenge\varphi$ for the formula in which every
occurrence of $v$ is substituted by $\varphi$ (note that $v$ is the unique variable occurring in a
compound diamond). Induced and compound boxes are defined in the obvious, dual,
way.

The general case, which readers may safely choose to skip, is a bit more involved. 
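For any modality $\nabla$ of arity $n \geq 1$, and any $1 \leq i \leq n$, the formula $\Diamond_{(\nabla,i)} v :=
\nabla(\top,\dots,\top,v,\top,\dots,\top)$ (i.e., all arguments are $\top$ except for the $i$-th one which is $v$)
is called the $i$-th induced diamond of $\nabla$. The collection $CD(\tau)$ of compound diamonds
of $\tau$ is defined via:

\[ \blacklozenge ::= v \mid \Diamond_{(\nabla,i)} \blacklozenge \mid \blacklozenge_1 \vee \blacklozenge_2. \]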


Modal logic can be approached from a semantic or from a purely syntactic/axiomatic 
angle. In this chapter we follow both approaches, starting with the semantic one. 


DEFINITION 1. A $\tau$-frame is a structure $\mathbb{S} = \langle S, R\rangle$ where $S$ is a non-empty set of
objects called states, points, or worlds, and $R$ is an interpretation assigning an $(n+1)$-ary
relation $R_\nabla$ on $S$ to every $n$-ary modal connective $\nabla$. A valuation on $\mathbb{S}$ is a map
$V : X \to P(S)$ assigning a subset of $S$ to each variable $x$. A $\tau$-model is a structure
$\mathbb{M} = \langle S, R, V\rangle$ such that $\langle S, R\rangle$ is a $\tau$-frame, on which $V$ is a valuation; the frame $\langle S, R\rangle$
is called the underlying frame of $\mathbb{M}$.

The notion of truth is defined by formula induction. The set of points where $\varphi$ is true
will always be denoted as $[\![\varphi]\!]$.


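DEFINITION 2. Given a $\tau$-model $\mathbb{M}$, we define by induction when a formula $\varphi$ is true
at a state $s$ of $\mathbb{M}$, notation: $\mathbb{M}, s \Vdash \varphi$:

\[
\begin{array}{lll}
\mathbb{M}, s \Vdash x & \text{if} & s \in V(x), \\
\mathbb{M}, s \Vdash \top & & \text{always}, \\
\mathbb{M}, s \Vdash \bot & & \text{never}, \\
\mathbb{M}, s \Vdash \neg\varphi & \text{if} & \mathbb{M}, s \not\Vdash \varphi, \\
\mathbb{M}, s \Vdash \varphi \wedge \psi & \text{if} & \mathbb{M}, s \Vdash \varphi \text{ and } \mathbb{M}, s \Vdash \psi, \\
\mathbb{M}, s \Vdash \varphi \vee \psi & \text{if} & \mathbb{M}, s \Vdash \varphi \text{ or } \mathbb{M}, s \Vdash \psi, \\
\mathbb{M}, s \Vdash \nabla(\varphi_1,\dots,\varphi_n) & \text{if} & R_\nabla s s_1 \dots s_n \text{ for some } s_1,\dots,s_n \text{ such that } \mathbb{M}, s_i \Vdash \varphi_i \text{ for all } i \leq n.
\end{array}
\]

We write $\mathbb{M} \Vdash \varphi$ if $\varphi$ is true throughout $\mathbb{M}$, that is, true at every state of $\mathbb{M}$.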


DEFINITION 3. Given a $\tau$-frame $\mathbb{S}$, we say that a modal formula $\varphi$ is valid in $\mathbb{S}$, notation:
$\mathbb{S} \Vdash \varphi$, if $\varphi$ is true throughout any model based on $\mathbb{S}$. Similar standard definitions apply
to sets of formulas and classes of frames.
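Using the notation $Q[s] := \{t \mid Qst\}$ for any binary relation $Q$, we define the relation
$R_S$ such that $R_S[s]$ consists of those points that can be reached from $s$ in one step using
any of the accessibility relations, and $R^\omega$ as the reflexive and transitive closure of $R_S$.

We may extend the interpretation $R$ of a $\tau$-frame $\mathbb{S} = \langle S, R\rangle$ to the compound
diamonds by putting

\[
\begin{array}{lcl}
R_v & := & Id \quad (= \{(s,s) \mid s \in S\}) \\
R_{\Diamond_{(\nabla,i)}\blacklozenge} & := & \{(s, s_i) \mid R_\nabla s s_1 \dots s_n \text{ for some } s_1,\dots,s_{i-1}, s_{i+1},\dots,s_n \in S\} \circ R_\blacklozenge, \\
R_{\Diamond\blacklozenge} & := & R_\Diamond \circ R_\blacklozenge, \\
R_{\blacklozenge_1 \vee \blacklozenge_2} & := & R_{\blacklozenge_1} \cup R_{\blacklozenge_2}.
\end{array}
\]

It is then straightforward to verify, in any frame $\mathbb{S}$, that $R^\omega = \bigcup_{\blacklozenge \in CD(\tau)} R_\blacklozenge$, and that
for any valuation $V$ it holds that

\[ \mathbb{S}, V, s \Vdash \blacklozenge\varphi \text{ iff } \mathbb{S}, V, t \Vdash \varphi \text{ for some } t \text{ with } R_\blacklozenge st. \]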


That is, compound diamonds indeed behave like diamonds. 

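Frames and models do not exist in isolation. Given two $\tau$-frames $\mathbb{S}$ and $\mathbb{S}'$, a map
$\theta : S \to S'$ is called a bounded morphism from $\mathbb{S}$ to $\mathbb{S}'$, notation: $\theta : \mathbb{S} \to \mathbb{S}'$, if $\theta$ satisfies
the following conditions for all $\nabla \in \tau$:

(forth) $R_\nabla s s_1 \dots s_n$ only if $R'_\nabla \theta(s)\theta(s_1)\dots\theta(s_n)$, and

(back) $R'_\nabla \theta(s) s'_1 \dots s'_n$ only if there are $s_1,\dots,s_n$ such that $R_\nabla s s_1 \dots s_n$ and $\theta(s_i) = s'_i$
for each $i$.

We let $Fr_\tau$ denote the category with $\tau$-frames as objects and bounded morphisms as
arrows.

If such a bounded morphism $\theta$ is surjective, we call $\mathbb{S}'$ a bounded morphic image of
$\mathbb{S}$, notation: $\mathbb{S} \twoheadrightarrow \mathbb{S}'$; if $\theta$ is injective we write $\mathbb{S} \rightarrowtail \mathbb{S}'$ and call the subframe of $\mathbb{S}'$ based
on the image $\theta[S]$ a generated subframe of $\mathbb{S}'$. We leave it for the reader to verify that
the structure $\langle T, R{\restriction}T\rangle$ (where $R{\restriction}T$ maps each $\nabla \in \tau$ to the restriction of $R_\nabla$ to $T$) is a
generated subframe of $\mathbb{S}$ if and only if $T$ is a hereditary subset of $S$, that is, if $t \in T$ then
$R_\nabla t t_1 \dots t_n$ implies that all the $t_i$ belong to $T$. Given a point $r$ in $\mathbb{S}$, we denote with $\mathbb{S}_r$ the
least generated subframe containing $r$; the domain of this subframe is thus the set $R^\omega[r]$.
If $\mathbb{S} = \mathbb{S}_r$ we call $r$ a root of $\mathbb{S}$, and say that $\mathbb{S}$ is rooted. Finally, given a family $\{\mathbb{S}_i \mid i \in I\}$
of $\tau$-frames, we define its disjoint union $\sum_{i \in I} \mathbb{S}_i$ as the structure $\langle \sum_{i \in I} S_i, \{R_\nabla \mid \nabla \in \tau\}\rangle$,
where the domain $\sum_{i \in I} S_i = \bigcup_{i \in I} \{i\} \times S_i$ is the disjoint union of the domains $S_i$, and
the relation $R_\nabla$ is given by $R_\nabla (i,s)(i_1,s_1)\dots(i_n,s_n) :\Leftrightarrow i = i_1 = \dots = i_n$ and
$(R_i)_\nabla s s_1 \dots s_n$.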
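The (forth) and (back) conditions and the claim about hereditary subsets can be checked mechanically on finite frames. The Python below is an added illustration, not part of the chapter; the tuple encoding of relations, the sample frames and all function names are assumptions made for this example.

```python
from itertools import combinations

def is_bounded_morphism(S, R, R2, theta):
    """Check (forth) and (back) for theta between frames <S, R> and <S', R2>.

    R and R2 map each connective name to a set of tuples (s, s1, ..., sn)."""
    for name in R.keys() | R2.keys():
        rel, rel2 = R.get(name, set()), R2.get(name, set())
        # (forth): every R-tuple is mapped to an R'-tuple.
        if any(tuple(theta[x] for x in t) not in rel2 for t in rel):
            return False
        # (back): every R'-tuple starting at theta(s) is the image of an
        # R-tuple starting at s.
        for s in S:
            images = {tuple(theta[x] for x in t) for t in rel if t[0] == s}
            if any(t2[0] == theta[s] and t2 not in images for t2 in rel2):
                return False
    return True

def is_hereditary(R, T):
    """T is hereditary: successors of points of T stay inside T."""
    return all(set(t[1:]) <= T for rel in R.values() for t in rel if t[0] in T)

def restrict(R, T):
    """The restriction of every relation to the subset T."""
    return {name: {t for t in rel if set(t) <= T} for name, rel in R.items()}

def generated_domain(R, r):
    """Domain of the least generated subframe containing r."""
    seen, todo = {r}, [r]
    while todo:
        s = todo.pop()
        for rel in R.values():
            for t in rel:
                if t[0] == s:
                    for x in t[1:]:
                        if x not in seen:
                            seen.add(x)
                            todo.append(x)
    return seen

def inclusion_is_bounded(frame, T):
    """Is the inclusion of <T, R restricted to T> into the frame a bounded morphism?"""
    _, R = frame
    return is_bounded_morphism(T, restrict(R, T), R, {t: t for t in T})

def hereditary_matches_inclusion(frame):
    """For every non-empty T: inclusion is a bounded morphism iff T is hereditary."""
    S, R = frame
    subsets = [set(c) for k in range(1, len(S) + 1) for c in combinations(sorted(S), k)]
    return all(inclusion_is_bounded(frame, T) == is_hereditary(R, T) for T in subsets)

# Constructed sample frames for the basic similarity type (one diamond, "dia").
CYCLE = ({0, 1}, {"dia": {(0, 1), (1, 0)}})
LOOP = ({"*"}, {"dia": {("*", "*")}})
CHAIN = ({0, 1, 2}, {"dia": {(0, 1), (1, 2)}})

if __name__ == "__main__":
    # The two-cycle collapses onto the reflexive point.
    print(is_bounded_morphism(CYCLE[0], CYCLE[1], LOOP[1], {0: "*", 1: "*"}))
    print(hereditary_matches_inclusion(CHAIN), generated_domain(CHAIN[1], 1))
```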
REMARK 4. More general than Kripke frames are the neighborhood frames, which we
now review very briefly, and for the basic modal similarity type only. The reader can find
more details on these structures in Chapter 1 of this volume. A neighborhood frame is a
structure $\mathbb{S} = \langle S, \sigma\rangle$ with $\sigma : S \to PP(S)$; such a structure is called monotone if $\sigma(s)$ is
upwards closed for all $s \in S$, that is, $X \in \sigma(s)$ and $X \subseteq Y$ imply $Y \in \sigma(s)$. Elements of
$\sigma(s)$ are called neighborhoods of $s$, and the semantics of the modality $\nabla$ (we will not use
$\Diamond$ and $\Box$ in this context) in a neighborhood model $\mathbb{M} = \langle S, \sigma, V\rangle$ with $V : X \to P(S)$ a
valuation is given by

\[ \mathbb{M}, s \Vdash \nabla\varphi \text{ if } [\![\varphi]\!] \in \sigma(s), \qquad (1) \]

that is, $\nabla\varphi$ holds at $s$ iff $s$ has a neighborhood of $\varphi$-points. Both the box and the
diamond interpretation in Kripke models follow the pattern of (1): take $\sigma_\Diamond(s) = \{A \subseteq
S \mid A \cap R[s] \neq \emptyset\}$, and $\sigma_\Box(s) = \{A \subseteq S \mid R[s] \subseteq A\}$, respectively.

A map $f : S \to S'$ is a neighborhood morphism between two neighborhood frames
$\langle S, \sigma\rangle$ and $\langle S', \sigma'\rangle$ if for all $s \in S$ and all $X' \subseteq S'$ it holds that $X' \in \sigma'(fs)$ iff $f^{-1}[X'] \in
\sigma(s)$.


Now we turn to the more syntactic approach towards modal logic. We identify logics 
with sets of theorems — the more general approach based on consequence relations will 
be discussed in Chapter 8 of this book. A modal $\tau$-logic is then a set $L \subseteq Fma_\tau$ which
(i) contains all classical propositional tautologies, and (ii) is closed under the derivation
rules (MP) of Modus Ponens (if both $\varphi$ and $\varphi \to \psi$ belong to $L$ then so does $\psi$), and (US)
of uniform substitution (if $\varphi$ belongs to $L$ then so do all of its substitution instances). If
a formula $\varphi$ belongs to a modal logic $L$ then we say that $\varphi$ is a theorem of $L$, notation:
$\vdash_L \varphi$.


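A modal logic is called classical if it is closed under the following rule: $\vdash_L \varphi_i \leftrightarrow \psi_i$
$\Rightarrow$ $\vdash_L \nabla(\varphi_1,\dots,\varphi_n) \leftrightarrow \nabla(\psi_1,\dots,\psi_n)$; monotone if it is closed under $\vdash_L \varphi_i \to \psi_i$
$\Rightarrow$ $\vdash_L \nabla(\varphi_1,\dots,\varphi_n) \to \nabla(\psi_1,\dots,\psi_n)$; and normal if it contains in addition, for each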
V €7, the axioms =V’L and V(p, qV g, T) = V(p,q,7)V V(P,q',T) where p and F denote 
arbitrary sequences of propositional variables of combined length ar(V) — 1. We leave 
it as an exercise for the reader to verify that this definition coincides with the standard 
one in the case of basic modal logic. 


The minimal classical, monotone and normal modal logics for a similarity type $\tau$ are
denoted as $C_\tau$, $M_\tau$ and $K_\tau$, respectively. Here we use the convention that $C$, $M$ and
$K$ denote the minimal logics for the basic modal similarity type. It is easy to see that
the collection of normal modal logics is closed under taking arbitrary intersections and
therefore forms a complete lattice under the inclusion ordering. Hence, with any set $\Gamma$ of
$\tau$-formulas we may associate the least normal modal $\tau$-logic extending $K_\tau$ and containing
all formulas in $\Gamma$; this logic is denoted as $K_\tau.\Gamma$. We say that this logic is axiomatized
by $\Gamma$, since any theorem in $K_\tau.\Gamma$ can be obtained as the result of a derivation from the
axioms of the logic (including formulas in $\Gamma$) using its derivation rules. Similar definitions
and notation apply to extensions of $C_\tau$ and $M_\tau$.


The validity relation $\Vdash$ between frames and formulas induces a Galois connection
consisting of two maps, Log and Fr, defined as follows. Given a class $C$ of frames, $Log(C)$,
the logic of $C$, is the set of modal formulas that are valid in $C$. Conversely, given a set
$\Gamma$ of formulas, let $Fr(\Gamma)$ denote the class of frames on which $\Gamma$ is valid. (We call this a
Galois connection because we always have $C \subseteq Fr(\Gamma)$ iff $\Gamma \subseteq Log(C)$.) The stable sets
of formulas of this connection, that is, the sets $\Gamma$ such that $\Gamma = Log(Fr(\Gamma))$ are called
(Kripke) complete logics — we leave it for the reader to verify that such sets are indeed 
normal modal logics. On the other side, the stable frame classes, that is, the ones that 
are closed under the composition Fr o Log, are called (modally) definable. Not all modal 
logics are Kripke complete (see Chapter 7 of this volume) and not all frame classes are 
modally definable (see Chapter 1 of this volume). 
3 MODAL LOGIC IN ALGEBRAIC FORM


As indicated in the introduction, it is the aim of algebraic logic to study logic by alge- 
braic means. Nowadays, most people will associate modal logic primarily with relational 
structures, but, as with other branches of logic, the 19th century infancy of modern symbolic
modal logic was completely algebraic (see MacColl [82]). Somehow during the 20th
century however, the traditions of algebraic logic and of modal logic got separated, and
for decades proceeded without any interaction whatsoever. In particular, while Jónsson
& Tarski [70] introduced not only Boolean algebras with operators and their representa- 
tion over relational structures, but also the rudiments of canonicity and correspondence 
theory, this seminal work did not mention modal logic, and it was completely overlooked 
by modal logicians for many years. This is not to say that algebras were to remain absent 
from the modal logic tradition — they were introduced by Lemmon [80]. But only in the 
1970s, probably with the discovery of the fundamental incompleteness of the relational 
semantics by Thomason [102], did universal algebraic (and topological) methods regain 
importance — as examples we mention Blok [14], Esakia [23], Goldblatt [37, 38], and 
Rautenberg [91]. And it would even have to wait until the 1990s before the algebraic and 
modal traditions would be completely rejoined, with collaborations between modal and 
algebraic logicians (leading to, for instance, the introduction of the guarded fragment 
in Andréka, van Benthem & Németi [7]), with modal logicians investigating algebras of 
relations from a modal perspective (Marx & Venema [84]), or with algebraic logicians 
responding to the modal tradition (Jónsson [69]). It is from this perspective that the
algebraic part of this chapter has been written. 


Before we explain how to algebraize modal logic using the key structures of Boolean 
algebras with operators (BAOs), let us first briefly introduce the algebraic perspective on 
(propositional) logic itself. Think of proposition letters as atomic objects referring to 
entities called propositions, and of connectives as function symbols to be interpreted as 
operations on propositions. Then notice the complete analogy between the definitions of 
formulas and terms, respectively, and already we have worked our way towards one of the 
key ideas underlying the algebraic approach towards (propositional) logic: propositional 
formulas can be seen as algebraic terms denoting propositions. 


DEFINITION 5. Given a modal similarity type $\tau$, we define its corresponding algebraic
similarity type $Bool_\tau$ simply as the union of $\tau$ with the Boolean similarity type $Bool =
\{\top, \bot, \neg, \wedge, \vee\}$.

We will use $\approx$ as the equality symbol of this algebraic language; as abbreviations we
use % and < in their standard meaning. Since the standard Boolean symbols are function 
symbols in this algebraic language, we will not use them to denote Boolean combination 
of equations. For that purpose we let the symbols & and $\Rightarrow$ denote conjunction and
implication, respectively. 


The set $Fma_\tau(X)$ of formulas over a set of variables $X$ can then be identified with
the set $Ter_{Bool_\tau}(X)$ of algebraic $Bool_\tau$-terms over $X$. More importantly, we may impose
algebraic structure on formulas.

DEFINITION 6. The $\tau$-formula algebra is the structure $\mathfrak{Fma}_\tau := \langle Fma_\tau, \{\heartsuit^{\mathfrak{Fma}_\tau} \mid \heartsuit \in
Bool_\tau\}\rangle$, where for each (Boolean or modal) connective $\heartsuit$, its interpretation

\[ \heartsuit^{\mathfrak{Fma}_\tau} : (\varphi_1,\dots,\varphi_n) \mapsto \heartsuit(\varphi_1,\dots,\varphi_n) \]

defines a map of arity $n = ar(\heartsuit)$ on $Fma_\tau$.


As a first advantage of this algebraic point of view, recall that substitutions are
completely determined by their values on the variables. Putting this algebraically, for any
function $\sigma$ assigning formulas to variables, the substitution induced by $\sigma$ is the unique
extension $\widetilde{\sigma}$ of $\sigma$ to an endomorphism on the formula algebra. More generally, it is easy
to see that given an arbitrary algebra $\mathbb{A}$ of type $Bool_\tau$, any assignment $\alpha$ mapping variables
to elements of the carrier of $\mathbb{A}$ has a unique extension $\widetilde{\alpha}$ which is a homomorphism from
$\mathfrak{Fma}_\tau$ to $\mathbb{A}$. That is, we have the following result.


PROPOSITION 7. $\mathfrak{Fma}_\tau$ is the $\omega$-generated absolutely free algebra of the similarity type
$Bool_\tau$.


Logical languages may now be interpreted in many different kinds of algebras; but of
course, we are only interested in structures that can plausibly be viewed as algebras of
propositions.
EXAMPLE 8. Consider the truth value algebra 2 of the Boolean similarity type. Its 
carrier is given as the set 2 = {0,1} where 0 (‘false’) and 1 (‘true’) are the classical truth 
values, while its interpretation of the Boolean connectives/function symbols is given by 
the standard truth tables. Given a valuation $V : X \to 2$ of truth values to propositional
variables, we can simply compute the truth value $\widetilde{V}(\varphi)$ of any propositional formula $\varphi$,
using the unique homomorphism v: Fma, — 2 extending the assignment V. That is, 
we see another manifestation of the absolute freeness of the formula algebra. 


The algebras arising from the relational semantics of modal languages are the so-called 
complex algebras. (This terminology dates back to the times when subsets of groups were 
referred to as complexes of the group.) 


DEFINITION 9. Given an $(n+1)$-ary relation $R$ on a set $S$, define the $n$-ary map $\langle R\rangle$ on
the power set of $S$ by

\[ \langle R\rangle(a_1,\dots,a_n) := \{s \in S \mid R s s_1 \dots s_n \text{ for some } s_1,\dots,s_n \text{ with } s_i \in a_i \text{ for all } i\}. \]

The complex algebra $\mathbb{S}^+$ of a $\tau$-frame $\mathbb{S}$ is obtained by expanding the power set algebra
$P(S)$ with operations $\langle R_\nabla\rangle$ for each modal connective $\nabla$; that is,

\[ \mathbb{S}^+ := \langle P(S), S, \emptyset, \sim_S, \cap, \cup, \{\langle R_\nabla\rangle \mid \nabla \in \tau\}\rangle. \qquad (2) \]

Given a frame class $C$, we let $Cm(C)$ denote the class of complex algebras of frames in $C$;
conversely, for a class $K$ of algebras, $Str(K)$ denotes the class of frames whose complex
algebras belong to $K$.


REMARK 10. More generally, given a neighborhood frame $\mathbb{S} = \langle S, \sigma\rangle$, define the map
$\sigma^+ : P(S) \to P(S)$ by $\sigma^+(A) := \{s \in S \mid A \in \sigma(s)\}$, and define $\mathbb{S}^+$ as the expansion of
$P(S)$ with the operation $\sigma^+$.


From the perspective of complex algebras, a valuation is nothing but an assignment
of variables to elements of the complex algebra $\mathbb{S}^+$. Furthermore, and much more
importantly, given a valuation $V$ on a frame $\mathbb{S}$, a straightforward induction proves that

\[ \mathbb{S}, V, s \Vdash \varphi \text{ iff } s \in \widetilde{V}(\varphi), \qquad (3) \]

where $\widetilde{V} : \mathfrak{Fma}_\tau \to \mathbb{S}^+$ is the unique homomorphism extending $V$. With the meaning
function $[\![\cdot]\!]^{\mathbb{S},V}$ defined as the function that maps a formula $\varphi$ to its extension $[\![\varphi]\!] := \{s \in
S \mid \mathbb{S}, V, s \Vdash \varphi\}$, what (3) reveals is that, in a slogan, meaning is a homomorphism:

PROPOSITION 11. Let $V$ be some valuation on a $\tau$-frame $\mathbb{S}$. Then the meaning function
$[\![\cdot]\!]^{\mathbb{S},V}$ is the unique homomorphism $\widetilde{V} : \mathfrak{Fma}_\tau \to \mathbb{S}^+$ that extends $V$.
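Proposition 11 can be watched at work on a finite frame. The Python below is an added example, not part of the chapter: it evaluates formulas once pointwise (Definition 2) and once inside the complex algebra (Definition 9), compares the two as in (3), and decides frame validity (Definition 3) by running through all valuations. The tuple encoding of formulas, the sample frame with a diamond "dia" and a binary connective "c", and the function names are assumptions of this example.

```python
from itertools import combinations, product

# Formulas as nested tuples (encoding chosen for this example):
#   ("var", x), ("top",), ("bot",), ("not", f), ("and", f, g), ("or", f, g),
#   ("mod", name, f1, ..., fn) for an n-ary connective; R[name] is a set of
#   (n+1)-tuples (s, s1, ..., sn).

def holds(S, R, V, s, f):
    """Definition 2: truth of f at state s, by induction on f."""
    tag = f[0]
    if tag == "var":
        return s in V[f[1]]
    if tag in ("top", "bot"):
        return tag == "top"
    if tag == "not":
        return not holds(S, R, V, s, f[1])
    if tag == "and":
        return holds(S, R, V, s, f[1]) and holds(S, R, V, s, f[2])
    if tag == "or":
        return holds(S, R, V, s, f[1]) or holds(S, R, V, s, f[2])
    if tag == "mod":
        return any(t[0] == s and
                   all(holds(S, R, V, si, g) for si, g in zip(t[1:], f[2:]))
                   for t in R[f[1]])
    raise ValueError(f"unknown connective {tag!r}")

def lift(rel):
    """Definition 9: the operation <R> on subsets induced by a relation."""
    def op(*subsets):
        return frozenset(t[0] for t in rel
                         if all(si in a for si, a in zip(t[1:], subsets)))
    return op

def meaning(S, R, V, f):
    """The homomorphic extension of V, computed inside the complex algebra."""
    tag, top = f[0], frozenset(S)
    if tag == "var":
        return frozenset(V[f[1]])
    if tag == "top":
        return top
    if tag == "bot":
        return frozenset()
    if tag == "not":
        return top - meaning(S, R, V, f[1])
    if tag == "and":
        return meaning(S, R, V, f[1]) & meaning(S, R, V, f[2])
    if tag == "or":
        return meaning(S, R, V, f[1]) | meaning(S, R, V, f[2])
    if tag == "mod":
        return lift(R[f[1]])(*(meaning(S, R, V, g) for g in f[2:]))
    raise ValueError(f"unknown connective {tag!r}")

def agrees(S, R, V, f):
    """(3): pointwise truth and the algebraic value pick out the same states."""
    return frozenset(s for s in S if holds(S, R, V, s, f)) == meaning(S, R, V, f)

def valid(S, R, f, variables):
    """Definition 3 via the algebra: f denotes the top element under every valuation."""
    subsets = [frozenset(c) for k in range(len(S) + 1)
               for c in combinations(sorted(S), k)]
    return all(meaning(S, R, dict(zip(variables, vals)), f) == frozenset(S)
               for vals in product(subsets, repeat=len(variables)))

# Constructed sample data.
S = {0, 1, 2}
R = {"dia": {(0, 1), (1, 2), (0, 2)}, "c": {(0, 1, 2), (2, 0, 0)}}
V = {"p": {2}, "q": {1}}
P, Q = ("var", "p"), ("var", "q")
DIA_P = ("mod", "dia", P)
F = ("or", DIA_P, ("not", ("mod", "c", Q, P)))
FOUR = ("or", ("not", ("mod", "dia", DIA_P)), DIA_P)  # <><>p -> <>p

if __name__ == "__main__":
    print(sorted(meaning(S, R, V, DIA_P)), agrees(S, R, V, F))
    # The transitive frame validates FOUR, the non-transitive one does not.
    print(valid(S, R, FOUR, ["p"]), valid(S, {"dia": {(0, 1), (1, 2)}}, FOUR, ["p"]))
```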


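As a corollary of this, let $\varphi^{\approx}$ denote the equation $\varphi \approx \top$, then we find that for any
$\tau$-frame $\mathbb{S}$, and any $\tau$-formulas $\varphi$, $\psi$:

\[ \mathbb{S} \Vdash \varphi \text{ iff } \mathbb{S}^+ \models \varphi^{\approx} \quad \text{and} \quad \mathbb{S} \Vdash \varphi \leftrightarrow \psi \text{ iff } \mathbb{S}^+ \models \varphi \approx \psi, \qquad (4) \]

that is, the validity of a formula in the frame $\mathbb{S}$ corresponds to that of an equation$^1$ in the
complex algebra of $\mathbb{S}$, and vice versa. We have arrived at one of the most fundamental
notions of algebraic logic, namely, that of a class of algebras algebraizing a logic.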


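DEFINITION 12. Let $L$ be a modal $\tau$-logic, and $K$ a class of $Bool_\tau$-algebras. We say
that $K$ algebraizes $L$, if we have

\[
\begin{array}{lcll}
\vdash_L \varphi & \text{iff} & K \models \varphi^{\approx}, & (5) \\
K \models \varphi \approx \psi & \text{iff} & \vdash_L \varphi \leftrightarrow \psi, & (6)
\end{array}
\]

for all formulas/terms $\varphi$ and $\psi$.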


The point of this definition is to alert the reader that algebraizations constitute 
stronger links between logics and classes of algebras than the mere existence of a
completeness result, as would be expressed by (5) on its own. If the class $K$ algebraizes
the modal logic $L$, then it is not just the case that $K$ contains all the information of $L$
through the translation $(\cdot)^{\approx}$, but also, $L$ encodes the full equational theory of $K$ through
the translation mapping an equation $\varphi \approx \psi$ to the formula $\varphi \leftrightarrow \psi$. Furthermore, the
second translation is an inverse to the first one in the sense that if we translate the
formula $\varphi$ back and forth, the result $\varphi \leftrightarrow \top$ is $L$-equivalent to $\varphi$. Given the Boolean
backbone of modal logics, this property holds vacuously, so there is no need to formulate 
this as an additional clause of the definition. 

Also, observe that it immediately follows from the definition that if K algebraizes L, 
then so does the variety generated by K. 


REMARK 13. The above definition is a specific instantiation of a much wider notion, 
which is due to Blok & Pigozzi [16]. The basic idea of a class of algebras algebraizing a 
logic always involves uniform translations from formulas to equations, and from equations 
to formulas, that are, modulo equivalence, inverse to each other. But the general case is 
of course not limited to modal logics, or to logics extending classical propositional logic; 
also, the translations may be from formulas to sets of equations, and from equations to 
sets of formulas. 

The most important point is however that the natural habitat of the concept is that of 
consequence relations rather than of logics (in our sense of the word, that is, of logics as 
sets of sentences). In this more general setting, the requirement that the translations are 
each other’s inverse, is expressed on the logical side by means of the consequence relation, 
and can equivalently be described on the algebraic side using (infinitary versions of) quasi- 
equations. For more details on modal consequence relations and the way to algebraize 
them, the reader is referred to Chapter 8 of this volume. For the general theory of 
algebraizing logics, see Czelakowski [21] or Font & Jansana [26]. 


1 In the sequel, we will be sloppy about the distinction between a formula and its equational
translation, writing for instance $\mathbb{A} \models \varphi$ if we mean $\mathbb{A} \models \varphi^{\approx}$.

In any case, it will be clear that we can already state our first algebraization result, the
proof of which is immediate from (4): 


THEOREM 14. Let $C$ be a class of $\tau$-frames. Then $Cm(C)$ algebraizes $Log(C)$.


Turning to the algebraization of arbitrary modal logics, we now introduce the key 
players: Boolean algebras with operators, together with some related concepts. 


DEFINITION 15. Given two Boolean algebras $\mathbb{B}$ and $\mathbb{B}'$, it is often convenient to call a
function $f : B \to B'$ a map from $\mathbb{B}$ to $\mathbb{B}'$. Such a map is called monotone if $a \leq b$ in $\mathbb{B}$
implies $f(a) \leq' f(b)$ in $\mathbb{B}'$, normal if $f(\bot) = \bot'$, and additive if$^2$ $f(a \vee b) = f(a) \vee' f(b)$,
and multiplicative if $f(a \wedge b) = f(a) \wedge' f(b)$. We will call an operation $f : B^n \to B$ an
operator if it is normal and additive in each of its coordinates.

$BAE_\tau$ denotes the class of $\tau$-expanded Boolean algebras (for short, $\tau$-BAEs), that is, of
algebras

\[ \mathbb{A} = \langle A, \top, \bot, \neg, \wedge, \vee, \{\nabla^{\mathbb{A}} \mid \nabla \in \tau\}\rangle \]

with a Boolean reduct $\langle A, \top, \bot, \neg, \wedge, \vee\rangle$ that is indeed a Boolean algebra. $\mathbb{A}$ is called a
monotone $\tau$-expanded Boolean algebra, or a $\tau$-BAM, if each $\nabla^{\mathbb{A}}$ is a monotone operation,
and a Boolean algebra with $\tau$-operators, or $\tau$-BAO, if each $\nabla^{\mathbb{A}}$ is an operator. The classes
of these algebras are denoted as, respectively, $BAM_\tau$ and $BAO_\tau$. In the case of the basic
modal similarity type, we speak of modal algebras rather than of $\tau$-BAOs; MA denotes the
class of these algebras. Given a set $\Gamma$ of modal $\tau$-formulas, and a class $K$ of $\tau$-expanded
Boolean algebras, we define $K(\Gamma)$ as the class of algebras in $K$ that validate the set of
equations $\Gamma^{\approx} := \{\varphi \approx \top \mid \varphi \in \Gamma\}$.

Given two $\tau$-BAEs $\mathbb{A}$ and $\mathbb{A}'$, we call a map $\eta : A \to A'$ a Boolean homomorphism if it is
a homomorphism from the Boolean reduct of $\mathbb{A}$ to that of $\mathbb{A}'$, and a modal homomorphism
if it is a homomorphism with respect to the modal operations. Thus a homomorphism
between two $\tau$-BAEs is a map that is both a Boolean and a modal homomorphism. We
let $BAE_\tau$, $BAM_\tau$, etc. also denote the category with the $\tau$-BAEs, ..., as objects and the
homomorphisms as arrows.


EXAMPLE 16. Algebras of the form $\mathbb{S}^+$, with $\mathbb{S}$ some $\tau$-frame, are the prime specimens
of Boolean algebras with operators. These algebras are sometimes referred to as concrete
BAOs.

More generally, the complex algebra of a neighborhood frame (see Remark 10) is an
example of a BAE for the basic modal similarity type; it is easy to see that such an $\mathbb{S}^+$
belongs to BAM iff $\mathbb{S}$ is a monotone neighborhood frame.


Our terminological convention will be that properties of and notions pertaining to 
Boolean algebras (such as atomicity, completeness, filters, ...) apply to an expanded 
Boolean algebra as they apply to its underlying Boolean algebras. 

All of the properties defined in Definition 15 can be given in equational form, so all of 
the classes defined there are in fact varieties. In the next section we discuss the algebraic 
properties of these varieties; let us first see why they are so important from a logical 
perspective. This can be formulated very concisely. 


THEOREM 17. Let $\Gamma$ be a set of modal $\tau$-formulas. Then $BAE_\tau(\Gamma)$ algebraizes $C_\tau.\Gamma$,
$BAM_\tau(\Gamma)$ algebraizes $M_\tau.\Gamma$, and $BAO_\tau(\Gamma)$ algebraizes $K_\tau.\Gamma$. In particular, $MA(\Gamma)$
algebraizes $K.\Gamma$.


2 Observe that we write $\vee$ and $\vee'$ rather than $\vee^{\mathbb{B}}$ and $\vee^{\mathbb{B}'}$ respectively; this convention will always
apply to the interpretations of the Boolean symbols, and sometimes to the modal connectives as well.
Note that this theorem implies a general, algebraic, completeness result: for instance,
concerning modal logics in the basic modal similarity type, it states that 


That is to say, $\varphi$ is a theorem of the logic axiomatized by $\Gamma$ if and only if $\varphi$ is valid in
the class of algebras defined by $\Gamma$.

The key role in the proof of Theorem 17 is played by the so-called Lindenbaum-Tarski
algebra of a logic. The introduction of this fundamental tool is based on the observation
that for all classical modal logics, the notion of logical equivalence is a congruence on the
formula algebra.


DEFINITION 18. Let $L$ be a modal $\tau$-logic. The relation $\equiv_L$ between formulas is defined
by putting $\varphi \equiv_L \psi$ if $\varphi \leftrightarrow \psi$ is an $L$-theorem.


PROPOSITION 19. For any classical modal $\tau$-logic $L$, the relation $\equiv_L$ is a congruence
on the formula algebra $\mathfrak{Fma}_\tau$.


DEFINITION 20. Given a modal $\tau$-logic $L$, we denote the congruence class of the formula
$\varphi$ under the relation $\equiv_L$ by $[\varphi]_L$; for a set of formulas $\Phi$, we let $[\Phi]_L$ denote the set
$\{[\varphi]_L \mid \varphi \in \Phi\}$. The quotient algebra $\mathfrak{Fma}_\tau/{\equiv_L}$ is called the Lindenbaum-Tarski algebra
of $L$, notation: $\mathfrak{F}_L$.


Note that the elements of the Lindenbaum-Tarski algebra $\mathfrak{F}_L$ are the equivalence
classes of the relation $\equiv_L$ of the set $Fma_\tau$. The algebraic operations are defined as
follows: $\top^{\mathfrak{F}_L} = [\top]_L$, $\bot^{\mathfrak{F}_L} = [\bot]_L$, $[\varphi]_L \wedge^{\mathfrak{F}_L} [\psi]_L = [\varphi \wedge \psi]_L$, etc. We briefly remind
the reader that all of these definitions could be parameterized by making the set $X$ of
variables explicit.

It is hard to overestimate the importance of Lindenbaum-Tarski algebras. For a start,
the algebra $\mathfrak{F}_L$ contains all the information of its logic $L$, in the following sense.


THEOREM 21. Let $L$ be a modal logic for some similarity type $\tau$. Then for any two
$\tau$-formulas $\varphi$ and $\psi$, we have

\[ \mathfrak{F}_L \models \varphi \approx \psi \text{ iff } \varphi \equiv_L \psi. \]


Proof. For the direction from left to right, consider the natural assignment $\nu : x \mapsto [x]_L$.
It follows from the validity of $\varphi \approx \psi$ in $\mathfrak{F}_L$ that $\widetilde{\nu}(\varphi) = \widetilde{\nu}(\psi)$. But an easy formula
induction shows that $\widetilde{\nu}(\chi) = [\chi]_L$, for all formulas $\chi$. Hence we obtain that $[\varphi]_L = [\psi]_L$,
that is, $\varphi \equiv_L \psi$.

For the reverse direction, let $\alpha$ be some assignment on the Lindenbaum-Tarski algebra.
Choose for each variable $x$ a representative $\sigma(x)$ of the equivalence class $\alpha(x)$; that is,
for each variable $x$ we have that $\alpha(x) = [\sigma(x)]_L$. Note that this map $\sigma$ is nothing but a
substitution; recall that $\widetilde{\sigma}$ is the extension of $\sigma$ to all formulas. It is not hard to prove that
all formulas $\chi$ satisfy $\widetilde{\alpha}(\chi) = [\widetilde{\sigma}(\chi)]_L$. But it follows from $\varphi \equiv_L \psi$ that $\widetilde{\sigma}(\varphi) \equiv_L \widetilde{\sigma}(\psi)$,
since $L$ is closed under uniform substitution. Hence we find that $\widetilde{\alpha}(\varphi) = \widetilde{\alpha}(\psi)$. And
since $\alpha$ was arbitrary, this shows that $\mathfrak{F}_L \models \varphi \approx \psi$, as required.


On the other hand, Lindenbaum-Tarski algebras play an important algebraic role as 
well, as is concisely formulated in the following Theorem. 


THEOREM 22. For any classical modal $\tau$-logic $L$, $\mathfrak{F}_L$ is the $\omega$-generated free algebra for
the variety $BAE_\tau(L)$.

Proof. Let $\mathbb{A}$ be an algebra in $BAE_\tau(L)$, and consider an arbitrary map $\alpha : [X]_L \to A$
(recall that $X$ denotes the set of variables, and that $[X]_L = \{[x]_L \mid x \in X\}$). We will
prove that $\alpha$ can be extended to a homomorphism from $\mathfrak{F}_L$ to $\mathbb{A}$.

To this aim, consider the composition $\alpha \circ \nu : X \to A$ of $\alpha$ with the natural map
$\nu : x \mapsto [x]_L$. It follows from the universal mapping property of $\mathfrak{Fma}_\tau$ over $X$ that this
map can be extended to a homomorphism $\widetilde{\alpha \circ \nu} : \mathfrak{Fma}_\tau \to \mathbb{A}$.

We claim that $\ker(\widetilde{\nu}) \subseteq \ker(\widetilde{\alpha \circ \nu})$. To see this, consider formulas $\varphi$ and $\psi$ such that
$(\varphi, \psi) \in \ker(\widetilde{\nu})$; then $[\varphi]_L = [\psi]_L$, and so $\varphi \equiv_L \psi$. It follows from $\mathbb{A}$ being in $BAE_\tau(L)$
that $\mathbb{A} \models \varphi \approx \psi$, so $\varphi \approx \psi$ certainly holds in $\mathbb{A}$ under the assignment $\alpha \circ \nu$. But that is
just another way of saying that $(\varphi, \psi) \in \ker(\widetilde{\alpha \circ \nu})$.

But then from this claim it follows that the map $\widetilde{\alpha} : Fma_\tau/{\equiv_L} \to A$, given by

\[ \widetilde{\alpha}([\varphi]_L) = \widetilde{\alpha \circ \nu}(\varphi) \]

is well-defined. It is not hard to show that $\widetilde{\alpha}$ is in fact a homomorphism from $\mathfrak{F}_L$ to $\mathbb{A}$,
and since it clearly extends $\alpha$, we have established the universal mapping property of $\mathfrak{F}_L$
for $BAE_\tau(L)$ over $[X]_L$. ∎


Finally, in order to prove the Algebraization Theorem 17 from these two theorems,
we need one additional result concerning varieties of the form $BAE_\tau(L)$ if $L$ is a modal
logic axiomatized by a set $\Gamma$ of formulas. We leave the rather tedious but straightforward
proof of this proposition as an exercise for the reader.


PROPOSITION 23. Let $\Gamma$ be a set of $\tau$-formulas. Then $BAE_\tau(C_\tau.\Gamma) = BAE_\tau(\Gamma)$,
$BAE_\tau(M_\tau.\Gamma) = BAM_\tau(\Gamma)$, and $BAE_\tau(K_\tau.\Gamma) = BAO_\tau(\Gamma)$.


This finishes our introduction to the algebraization of modal logics. In section 6 we 
will have a lot more to say about the link between normal modal logics and varieties of 
BAOs.


4 VARIETIES OF EXPANDED BOOLEAN ALGEBRAS 


In this section we discuss what the theory of universal algebra has to say about Boolean 
algebras with operators and their siblings. 


Lattices of congruences 


A very important theme in universal algebra has been to relate the properties of a variety 
to the shape of the congruence lattices of its algebras. In the case of Boolean algebras 
and their expansions, this has turned out to be particularly fruitful. 


DEFINITION 24. An algebra $\mathbb{A}$ has permuting congruences if $\Theta_1 \circ \Theta_2 = \Theta_2 \circ \Theta_1$ for
all congruences $\Theta_1, \Theta_2$ over $\mathbb{A}$; $\mathbb{A}$ is congruence distributive if $Cg(\mathbb{A})$, its lattice of
congruences, is distributive.

These properties hold of a variety if they hold of each of its members; and a variety is 
called arithmetical if it is both congruence permutable and congruence distributive. 


It is a rather strong property for an algebra to have permuting congruences, or to 
be congruence distributive, and both notions have important applications. Concerning 
the second notion, we will see an important property of congruence distributive varieties 
in Theorem 35. In order to motivate the first concept here we just mention that it
allows a considerable simplification in the computation of joins in congruence lattices:
whereas in general the join $\Theta_1 \vee \Theta_2$ of two congruences $\Theta_1$ and $\Theta_2$ is given as $\Theta_1 \vee \Theta_2 =
\Theta_1 \cup (\Theta_1 \circ \Theta_2) \cup (\Theta_1 \circ \Theta_2 \circ \Theta_1) \cup \cdots$, in the case of permuting congruences this
rearranges itself as $\Theta_1 \vee \Theta_2 = \Theta_1 \circ \Theta_2$.


THEOREM 25. Varieties of expanded Boolean algebras are arithmetical. 


Proof. This proof can be seen as a consequence of a result by A. Pixley, who proved 
that a variety is arithmetical if and only if it admits the definition of so-called Mal’cev 
and 2-majority terms. For some detail, let V be a variety of expanded Boolean algebras. 
First consider the ternary (Boolean) term p(x, y, z) given by 


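$$p(x, y, z) := (x \wedge z) \vee (x \wedge \neg y \wedge \neg z) \vee (\neg x \wedge \neg y \wedge z).$$

We leave it for the reader to verify that this is a Mal’cev term, that is,

$$V \models p(x, x, z) \approx z \quad\text{and}\quad V \models p(x, z, z) \approx x. \tag{8}$$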


From this it follows that V is congruence permutable: let A be some algebra in the variety 
and let $a, b \in A$ be elements such that $(a,b) \in \Theta_1 \circ \Theta_2$ for some congruences $\Theta_1$ and $\Theta_2$.
Then there is some $c \in A$ with $(a,c) \in \Theta_1$ and $(c,b) \in \Theta_2$. From this it follows that
$(a,b) \in \Theta_2 \circ \Theta_1$, because

$$a = p^A(a, b, b) \;\Theta_2\; p^A(a, c, b) \;\Theta_1\; p^A(c, c, b) = b.$$

This proves that $\Theta_1 \circ \Theta_2 \subseteq \Theta_2 \circ \Theta_1$, which means that A has permuting congruences.
Congruence distributivity can be proven in a similar way: consider the term M given by

$$M(x, y, z) := (x \vee y) \wedge (y \vee z) \wedge (z \vee x).$$

The reader will have little trouble in showing that

$$V \models M(x, x, y) \approx M(x, y, x) \approx M(y, x, x) \approx x, \tag{9}$$

i.e., M is a 2-majority term. In a similar way as above we can then use (9) to show V is
congruence distributive. □
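
The two verifications that the proof leaves to the reader, written out here as an added derivation (it is not part of the original text), using only the Boolean laws and the terms $p(x,y,z) = (x \wedge z) \vee (x \wedge \neg y \wedge \neg z) \vee (\neg x \wedge \neg y \wedge z)$ and $M(x,y,z) = (x \vee y) \wedge (y \vee z) \wedge (z \vee x)$. For the Mal’cev identities (8):

$$\begin{aligned}
p(x,x,z) &= (x \wedge z) \vee (x \wedge \neg x \wedge \neg z) \vee (\neg x \wedge \neg x \wedge z) = (x \wedge z) \vee \bot \vee (\neg x \wedge z) = (x \vee \neg x) \wedge z = z,\\
p(x,z,z) &= (x \wedge z) \vee (x \wedge \neg z \wedge \neg z) \vee (\neg x \wedge \neg z \wedge z) = (x \wedge z) \vee (x \wedge \neg z) \vee \bot = x \wedge (z \vee \neg z) = x.
\end{aligned}$$

For the majority identities (9), idempotence and absorption give

$$M(x,x,y) = (x \vee x) \wedge (x \vee y) \wedge (y \vee x) = x \wedge (x \vee y) = x,$$

and since M is invariant under every permutation of its arguments, $M(x,y,x)$ and $M(y,x,x)$ reduce to x in the same way.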


Congruences and filters 


One of the nicest features of BAOs is that their congruences can be characterized by 
certain subsets of the algebra. 


DEFINITION 26. Let B be a Boolean algebra. A subset $F \subseteq B$ is called a (Boolean)
filter of B if it (i) contains the top element of B, (ii) is closed under taking meets (that is,
if $a, b \in F$ then $a \wedge b \in F$), and (iii) is an up-set (that is, $a \in F$ and $a \leq b$ imply $b \in F$).
A filter F is proper if it does not contain the bottom element of B, or equivalently, if
$F \neq B$. We let Fi(B) denote the collection of filters of B.


EXAMPLE 27. It is not difficult to see that the set Fi(B) is closed under taking
intersections; hence, we may speak of the smallest filter $F_D$ containing a given set $D \subseteq B$;
this filter can also be defined as the following set

$$F_D = \{\top\} \cup \{b \in B \mid \text{there are } d_1, \ldots, d_n \in D \text{ such that } d_1 \wedge \cdots \wedge d_n \leq b\},$$

which explains why we also refer to this set as the filter generated by D. In case that D
is a singleton {a}, we write $a{\uparrow}$ for $F_{\{a\}}$; this set is called the principal filter generated by
a. Clearly we have $a{\uparrow} := \{b \in B \mid a \leq b\}$.

The filter $F_D$ is proper iff D has the so-called finite meet property (that is, $\bigwedge D_0 > \bot$
for all finite subsets $D_0 \subseteq D$).


DEFINITION 28. Let A be a BAO; a subset $F \subseteq A$ is a modal or open filter of A if F is
a filter of (the underlying BA of) A which is closed under the application of boxes; that
is, $a \in F$ implies $\Box_i a \in F$ for all boxes $\Box_i$. (If the language has modalities of arity
higher than 1, we need to strengthen this to requiring that F is closed under the application of
induced boxes.) The collection of modal filters of A is denoted as MFi(A).

In any BAO A, the sets $\{\top^A\}$ and A are modal filters; the singleton $\{\top^A\}$ is called the
trivial (modal) filter of A, and any filter different from A is called proper.


The following theorem will prove to be extremely useful.


THEOREM 29. Let A be a Boolean algebra with operators. Then


1. the collection MFi(A) is closed under taking arbitrary intersections and hence forms
a complete lattice with respect to the subset ordering;


2. this lattice is isomorphic to the congruence lattice of A through the isomorphism
$\Pi : MFi(A) \to Cg(A)$ given by

$$\Pi_M := \{(a,b) \in A \times A \mid a \leftrightarrow b \in M\},$$

and its inverse $N : Cg(A) \to MFi(A)$ by

$$N_\Theta := \{a \in A \mid (a, \top) \in \Theta\}.$$


It follows from the completeness of the lattice of modal filters of a BAO A, that with
each set $D \subseteq A$ we may associate the smallest modal filter $M_D$ including D. The
following proposition explains why we also refer to $M_D$ as the modal filter generated by
D:

PROPOSITION 30. Let A be a Boolean algebra with $\tau$-operators, and D a subset of A.
Then

$$M_D = \{a \in A \mid \boxplus_1 d_1 \wedge \ldots \wedge \boxplus_n d_n \leq a \text{ for some } \boxplus_1, \ldots, \boxplus_n \in CD(\tau),\ d_1, \ldots, d_n \in D\}.$$

In particular, when D is a singleton, say, D = {d}, we find

$$M_d = \{a \in A \mid \boxplus d \leq a \text{ for some } \boxplus \in CD(\tau),\ d \in D\}.$$


Subdirect irreducibility 


We now turn to the algebraic notion of subdirect irreducibility, which plays an important 
role in the analysis of varieties. The motivation for introducing this concept is the search 
for the universal algebraic analogon of the prime numbers, as it were. That is, we want 
to isolate a class of algebraic building blocks that are basic in the sense that (i) every 
algebra may be decomposed into basic ones, while (ii) the basic ones themselves only 
allow trivial decompositions. Now there are various interpretations of the words ‘basic’
and ‘decomposition’.

DEFINITION 31. An algebra A is simple if its only homomorphic images are A
itself and the trivial algebra of its similarity type, and directly indecomposable if in any
decomposition $A \cong \prod A_i$, A is isomorphic to one of the $A_i$.


Both of these notions are important and interesting, but neither one is exactly what 
we want. The notion of simplicity is too restrictive since not every variety is generated by 
its simple members. And, whereas every finite algebra is isomorphic to a direct product 
of directly indecomposable algebras, this does not hold for all infinite algebras. For 
instance, it is not hard to see that the algebra 2 of Example 8 is the only nontrivial 
directly indecomposable Boolean algebra, while a straightforward cardinality argument 
shows that no countably infinite algebra can be isomorphic to a direct power of 2. 

Hence, in order to meet our criteria, we arrive at a notion which at first sight may 
seem somewhat involved. In words, an algebra is subdirectly irreducible iff it does not 
allow a proper subdirect decomposition. 


DEFINITION 32. Let A be an algebra, and $\{A_i \mid i \in I\}$ a family of algebras of the same
type. An embedding $\eta$ of A into $\prod_{i \in I} A_i$ is called subdirect if $\pi_i \circ \eta$ is surjective for each
projection function $\pi_i$. If A is a subalgebra of $\prod_{i \in I} A_i$, then we say that A is a subdirect
product of the family $\{A_i \mid i \in I\}$, or that the family forms a subdirect decomposition
of A, if the inclusion map is a subdirect embedding.

A is called subdirectly irreducible, or, briefly, s.i., if for every subdirect embedding
$\eta : A \to \prod_{i \in I} A_i$ there is an $i \in I$ such that $\pi_i \circ \eta : A \to A_i$ is an isomorphism.


In practice, one always uses a nice characterization of subdirect irreducibility in terms 
of the congruence lattice of the algebra, and similarly for simple and directly indecom- 
posable algebras. For the proof of this proposition we refer to any standard textbook on 
universal algebra. For a proper understanding of its formulation, recall that any algebra 
A always has at least two congruences: the diagonal relation $\Delta_A = \{(a,a) \mid a \in A\}$, and
the global relation $\Upsilon_A = A \times A$.


PROPOSITION 33. Let A be an algebra. Then

1. A is simple iff $Cg(A) = \{\Delta, \Upsilon\}$;


2. A is directly indecomposable iff there are no two congruences $\Theta_1$ and $\Theta_2$ such that
$\Theta_1 \wedge \Theta_2 = \Delta$ and $\Theta_1 \circ \Theta_2 = \Upsilon$;


3. A is subdirectly irreducible iff it has a monolith, that is, a smallest non-diagonal 
congruence. 


The following theorem can be read as stating that, indeed, subdirect irreducibility is 
the proper concept when it comes to finding the basic building blocks of varieties. 


THEOREM 34 (Birkhoff). Every algebra can be subdirectly decomposed into subdirectly 
irreducible algebras. As a corollary, every variety is generated by its subdirectly irreducible 
members. 

As a corollary of this theorem, we see that the study of the lattice of subvarieties of a
given variety can be conducted by way of inspecting the s.i. members of the variety. In
the case of expanded Boolean algebras, the logical meaning of this is that it gives us a
tool for the study of extensions of a given modal logic. For, as we will see in section 6,
the subvarieties of the variety determined by a modal logic correspond to the extensions
of that logic. Also, because expanded Boolean algebras are congruence distributive, we
may apply Jónsson’s Lemma. This result involves the class operations H, S and $P_u$,
which are defined in the appendix.


THEOREM 35 (Jónsson). Let K be a class of algebras such that Var(K) is congruence
distributive. Then all subdirectly irreducible members of Var(K) belong to $HSP_u(K)$.


The use of this theorem lies in the fact that if K generates a congruence distributive 
variety V, then the s.i. members of V still resemble the algebras in K in many ways. For 
instance, if K is a finite set of finite members, then $P_u(K) = K$; hence we obtain the
following result for finitely generated varieties of expanded Boolean algebras.


COROLLARY 36. Let K be a finite set of finite $\tau$-expanded Boolean algebras. Then
Var(K) only has finitely many subvarieties, each of which is determined by a subset of 
HS(K). 

Finally, restricting our attention to Boolean algebras with operators, we encounter
yet another nice property, namely that we can characterize subdirect irreducibility of an
algebra by the existence of one single element — one with rather special properties, that
is.

DEFINITION 37. An element e of a BAO A is called essential or an opremum if $e < \top$,
while for all $b < \top$ there is a compound modality $\boxplus$ such that $\boxplus b \leq e$. Dually, we say
that an element p is radical in A, or a radix of A, if $p > \bot$, while for all $a > \bot$ there is
a compound modality $\diamondplus$ such that $p \leq \diamondplus a$.


Clearly, an element e of a BAO is essential iff its complement $-e$ is radical. In the
sequel this fact will be used implicitly, context deciding which formulation is the most 
convenient. 


EXAMPLE 38. Let S be a rooted frame with root r. It is easy to see that the singleton
{r} is radical in $S^+$: let $a \subseteq S$ be a nonempty element of $S^+$. Take an element s from a;
since r is a root of S, there must be some compound modality $\diamondplus$ such that $R_{\diamondplus} r s$; from
this it is immediate that $\{r\} \subseteq \langle R_{\diamondplus} \rangle a$.

The following theorem (or at least, the more important statement concerning subdirect 
irreducibility) is due to Rautenberg, see for instance [91]. 


THEOREM 39. Let A be a nontrivial Boolean algebra with $\tau$-operators. Then A is
simple iff every non-top element of A is essential, and subdirectly irreducible iff it has an 
essential element. 


Proof. It follows immediately from Theorem 29 that A is s.i. iff it has a smallest
non-trivial modal filter, and it is not hard to see that any such filter is of the form $M_e$
for some element e of A. The proof of the statement on subdirect irreducibility is thus
complete if we can show that for an arbitrary element $e \in A$:


$M_e$ is a smallest nontrivial modal filter iff e is essential. (10)


First suppose that $M_e$ is a smallest nontrivial modal filter. Since $M_e$ is nontrivial,
it follows immediately that $e \neq \top$. In order to show that e is essential, consider an
arbitrary element $a < \top$ in A, and consider the filter $M_a$ generated by a. It follows from
our assumption on $M_e$ that $M_e \subseteq M_a$, so that $e \in M_a$. Hence we may deduce from
Proposition 30 that there is some compound modality $\boxplus$ such that $\boxplus a \leq e$. This suffices
to prove that e is essential.

For the converse direction, suppose that e is essential, and let M be an arbitrary
nontrivial modal filter on A. That is, $M \neq \{\top\}$, so M contains an element $a \neq \top$. But
then it follows from the essentiality of e that there is some compound modality $\boxplus$ such
that $\boxplus a \leq e$; this shows that $e \in M$, whence $M_e \subseteq M$. In other words, $M_e$ is the smallest
modal filter on A.

The proof concerning simplicity is completely similar and therefore left as an exercise.
□
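
The following added example (not part of the handbook) checks the correspondence of Theorem 29 and the characterization of Theorem 39 by brute force on the complex algebras of three small constructed frames. It assumes the basic modal similarity type and takes the compound modalities applied to a to be the meets a ∧ □a ∧ … ∧ □ᵏa; all class and function names are illustrative.

```python
class ComplexAlgebra:
    """Complex algebra of a finite frame (S, R); a subset of S is a bitmask."""

    def __init__(self, n, edges):
        self.n, self.top = n, (1 << n) - 1
        self.succ = [0] * n                  # succ[s] = bitmask of R-successors of s
        for s, t in edges:
            self.succ[s] |= 1 << t
        self.elements = range(self.top + 1)

    def neg(self, a):
        return self.top & ~a

    def dia(self, a):                        # <R>a: points with a successor in a
        return sum(1 << s for s in range(self.n) if self.succ[s] & a)

    def box(self, a):                        # box = neg dia neg
        return self.neg(self.dia(self.neg(a)))

    def iff(self, a, b):                     # the element a <-> b
        return self.neg(a ^ b)

    def master(self, a):
        """Least value of a & box(a) & box(box(a)) & ... (assumed compound boxes)."""
        while a & self.box(a) != a:
            a &= self.box(a)
        return a


def is_modal_filter(alg, F):
    """Definitions 26 and 28 checked literally: top, meets, up-set, boxes."""
    return (alg.top in F
            and all(a & b in F for a in F for b in F)
            and all(b in F for a in F for b in alg.elements if a & b == a)
            and all(alg.box(a) in F for a in F))


def modal_filters(alg):
    """Brute force over all subsets of the algebra (feasible for |S| <= 3)."""
    subsets = (frozenset(a for a in alg.elements if code >> a & 1)
               for code in range(1 << len(alg.elements)))
    return [F for F in subsets if is_modal_filter(alg, F)]


def congruence_of(alg, M):
    """Theorem 29: the relation {(a, b) | a <-> b in M}."""
    return {(a, b) for a in alg.elements for b in alg.elements
            if alg.iff(a, b) in M}


def filter_of(alg, theta):
    """Theorem 29, inverse map: the set {a | (a, top) in theta}."""
    return frozenset(a for a in alg.elements if (a, alg.top) in theta)


def is_congruence(alg, theta):
    """Equivalence relation compatible with complement, meet and diamond."""
    equivalence = (all((a, a) in theta for a in alg.elements)
                   and all((b, a) in theta for a, b in theta)
                   and all((a, c) in theta
                           for a, b in theta for b2, c in theta if b == b2))
    compatible = (all((alg.neg(a), alg.neg(b)) in theta
                      and (alg.dia(a), alg.dia(b)) in theta for a, b in theta)
                  and all((a & c, b & d) in theta
                          for a, b in theta for c, d in theta))
    return equivalence and compatible


def smallest_nontrivial_filter(alg):
    """The smallest modal filter other than {top}, or None if there is none."""
    nontrivial = [F for F in modal_filters(alg) if F != frozenset({alg.top})]
    return next((F for F in nontrivial if all(F <= G for G in nontrivial)), None)


def essential_elements(alg):
    """Definition 37: e < top and every b < top has a compound box image below e."""
    below_top = [a for a in alg.elements if a != alg.top]
    return [e for e in below_top
            if all(alg.master(b) & ~e == 0 for b in below_top)]


def generated_filter(alg, d):
    """Modal filter generated by d (finite case): everything above master(d)."""
    m = alg.master(d)
    return frozenset(a for a in alg.elements if a & m == m)


# Constructed sample frames (not taken from the text).
CHAIN = ComplexAlgebra(3, [(0, 1), (1, 2)])      # rooted at 0
TWO_POINTS = ComplexAlgebra(2, [])               # two isolated points, no root
TWO_CYCLE = ComplexAlgebra(2, [(0, 1), (1, 0)])  # every point is a root

if __name__ == "__main__":
    for name, alg in [("chain", CHAIN), ("two points", TWO_POINTS),
                      ("two-cycle", TWO_CYCLE)]:
        print(name, "modal filters:", len(modal_filters(alg)),
              "essential:", [bin(e) for e in essential_elements(alg)],
              "s.i.:", smallest_nontrivial_filter(alg) is not None)
```

On the chain the only essential element is the complement of the root, matching Example 38, while the two-cycle is simple and the two isolated points have no essential element.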


5 FRAMES AND ALGEBRAS 


5.1 Introduction 


The algebraic study of modal logic was started in section 3. Its main result, Theorem 17, 
links normal modal logics to varieties of Boolean algebras with operators by stating a 
general algebraization result. But no matter how well-behaved these algebras are, most 
modal logicians will still prefer the relational semantics, either because they find it more 
intuitive, or because frames simply happen to be the structures in which they take an 
(application driven) interest. Hence there is an obvious need to understand the precise 
relation between the worlds of frames and algebras, respectively. As we will discuss in this 
section, much of this relation can be understood within the framework of two dualities, 
both of which relate algebras to (topological) frames, and one forgetful functor. In order 
to explain why two dualities are needed, it is best to consider finite structures first. For 
the sake of a smooth presentation we confine ourselves to the basic modal language. 

Let FinFram and FinMA denote the respective categories of finite frames with bounded 
morphisms, and of finite modal algebras with homomorphisms. Recall that in Definition 9 
we coded up a frame S = (S, R) by means of its complex algebra $S^+$. Conversely, if
$A = (A, \bot, \top, -, \wedge, \vee, \Diamond)$ is a finite modal algebra, then we can base a frame on the set
At(A) of atoms (see Definition 40) of A by putting

$$R_\Diamond pq :\iff p \leq \Diamond q.$$

It is then easy to see that

$$S \cong (S^+)_+ \quad\text{and}\quad A \cong (A_+)^+$$

for an arbitrary finite frame S and an arbitrary finite modal algebra A. And, with
the appropriate extension of the constructions $(\cdot)^+$ and $(\cdot)_+$ to functors, we can in fact
establish that


$(\cdot)^+$ and $(\cdot)_+$ form a dual equivalence between FinFram and FinMA. (11)


Unfortunately, there is no way to remove the restriction to finite structures in (11) and 
obtain a dual equivalence between the categories Fr and MA. In fact, since the category 
MA has an initial object (the free modal algebra over zero generators), while Fr does not 
have a final object (cf. section 10 for details), no duality whatsoever can be established 
between these two categories. However, there is a natural way to associate a frame with 
an arbitrary modal algebra A, if we let ultrafilters generalize the notion of an atom. That 
is, we can simply base the ultrafilter frame $A_\bullet$ of A on the collection of ultrafilters of (the
Boolean reduct of) A by putting

$$R_\Diamond uv :\iff \Diamond a \in u \text{ for all } a \in v.$$

Again, this construction can be extended to a functor $(\cdot)_\bullet$ from MA to Fr.

We will see that there is interesting interaction between the functors $(\cdot)^+$ and $(\cdot)_\bullet$.
The most important result is the Jónsson-Tarski representation theorem stating that
every modal algebra A can be embedded in its ‘double dual’ $A^\sigma := (A_\bullet)^+$. As we will
see in the next section, this result lies at the root of the application of algebra in modal
completeness results.

While there is no duality between the categories Fr and MA, with some modifications, 
both functors $(\cdot)^+$ and $(\cdot)_\bullet$ do provide interesting dualities. Here there are two basic
observations. First, the complex duality functor $(\cdot)^+$ is injective on objects; that is,
any frame may be recovered (modulo isomorphism) from its complex algebra. Second,
although the functor $(\cdot)_\bullet$ does not have this property (see Example 53), there is a simple
remedy for this problem, namely, to add the missing information, topologically encoded,
to the frame $A_\bullet$ of an algebra A. Thus we see that two fairly nice dualities can be found
if we remove the finiteness constraint on either side of the duality (11): 


• a ‘complex’ or ‘discrete’ duality obtains (see Theorem 47) if we consider the entire
category on the frame side, and a subcategory of perfect algebras with complete 
homomorphisms on the other side; 


• a ‘topological’ duality obtains (see Theorem 67) if, conversely, we keep the category
on the algebra side intact, but add topological structure on the frame side. 


Both dualities restrict to (11) in the finite case, and the topological and the complex 
duality are linked by the functor that forgets the topological structure on the frame side. 
Furthermore, similar results can be proved connecting (monotone) neighborhood frames 
and (monotone) expanded Boolean algebras. In fact, the picture sketched above applies 
to far wider contexts [68]. 

For a brief overview of this section, below we first introduce the above mentioned 
functors and dualities, in some detail. We then see how the algebraic notions of subdirect 
irreducibility and simplicity turn up on the other side of this duality. We finish the section 
with a brief discussion of the interaction of the functors $(\cdot)^+$ and $(\cdot)_\bullet$ with more ‘intrinsic’
constructions on algebras and frames such as products and disjoint unions. 


5.2 Complex duality 


We have already seen how to transform frames into algebras; we now consider these 
complex algebras from a more abstract perspective. In order to characterize them among 
the class of all Boolean algebras with operators, we need some terminology. 


DEFINITION 40. A Boolean algebra B is called complete if it is complete as a lattice, 
that is, if every subset X of B has both a meet (or greatest lower bound) $\bigwedge X$ and a
join (or least upper bound) $\bigvee X$. B is called atomic if below every non-bottom element
of B there is an atom (i.e., an element p satisfying $\bot < p$ while there is no a such that
$\bot < a < p$).
Now let B and B’ be two Boolean algebras; a map $f : B \to B'$ is called completely
additive if it preserves all non-empty joins, that is, if for all non-empty subsets X of B
for which $\bigvee X$ exists, it holds that

$$f(\bigvee X) = \bigvee f[X].$$


An n-ary operation f on a Boolean algebra B is called a complete operator if it preserves 
all joins in each coordinate (or, equivalently, if it is normal and completely additive in 
each of its coordinates). Finally, a Boolean algebra with operators is called perfect if it 
is complete and atomic, and all its operators are complete. 


The reader can easily verify that all complex algebras are perfect. It is equally easy 
to see that every finite BAO is perfect, since such an algebra has no infinite joins, and 
a straightforward induction proves that operators preserve finite joins in each of their 
arguments. For an example of an operator that is not complete, let S be an infinite 
set, and define $f : P(S) \to P(S)$ by putting f(X) = X if X is finite while f(X) = S
otherwise.

In the very same way as we defined above for finite structures, given a perfect BAO A
we can define a frame based on the set of atoms of A. In fact, for the definition to make
sense, we only need the BAO to be atomic.


DEFINITION 41. Let B be an atomic Boolean algebra, and f an n-ary operator on B.
Define the (n+1)-ary relation $Q_f$ on At(B) by

$$Q_f p_0 p_1 \ldots p_n :\iff p_0 \leq f(p_1, \ldots, p_n).$$

Given an atomic $\tau$-BAO A, define its atom structure $A_+$ as the $\tau$-frame
$A_+ = (At\,A, \{Q_{\nabla^A} \mid \nabla \in \tau\})$.


Now that we have ways to turn frames into atomic algebras and vice versa, the natural 
question is how these constructions interact. The following proposition seems to be 
folklore. 


PROPOSITION 42. Let, for a modal similarity type $\tau$, S be a $\tau$-frame, and A an atomic
$\tau$-BAO. Then


1. $S \cong (S^+)_+$;
2. $A \cong (A_+)^+$ iff A is perfect.

Proof. Concerning the first part, it is straightforward to verify that the map $\iota : s \mapsto \{s\}$
is the required isomorphism. For the second item, let the map $\varepsilon : A \to P(At(A))$ be
given by $\varepsilon(a) := \{p \in At\,A \mid p \leq a\}$. The crucial observation in the proof is that


$\varepsilon$ embeds A into $(A_+)^+$ iff all operations of A are complete. (12)

This map is then an isomorphism iff A is perfect. □


As we will see now, the link between frames and algebras is not restricted to objects. 
With the natural definition for morphisms between perfect BAOs, we will see how to turn 
bounded morphisms between frames into these complete BAO homomorphisms, and vice 
versa. 

DEFINITION 43. Let A and A’ be two perfect $\tau$-BAOs. A complete homomorphism
from A to A’ is a homomorphism $\eta : A \to A'$ which preserves all meets and joins. That
is, for every subset $X \subseteq A$ we have that $\eta(\bigvee X) = \bigvee' \eta[X]$ and $\eta(\bigwedge X) = \bigwedge' \eta[X]$. We
let $\mathsf{BAO}^+_\tau$ denote the category of perfect Boolean algebras with $\tau$-operators as objects,
and complete homomorphisms as arrows.


DEFINITION 44. Let S and S’ be two $\tau$-frames. Given a bounded morphism $\theta : S \to S'$,
define the map $\theta^+ : P(S') \to P(S)$ by

$$\theta^+(X') := \{s \in S \mid \theta(s) \in X'\}.$$

Conversely, given perfect $\tau$-BAOs A and A’ and a complete homomorphism $\eta : A \to A'$,
define the map $\eta_+ : At(A') \to A$, which can be shown to map atoms to atoms, by

$$\eta_+(p') := \bigwedge \{a \in A \mid p' \leq \eta(a)\}.$$

It is our aim to prove that $(\cdot)^+$ and $(\cdot)_+$ form a duality between the categories $\mathsf{Fr}_\tau$ and
$\mathsf{BAO}^+_\tau$. We first show functoriality:


PROPOSITION 45. $(\cdot)^+$ is a contravariant functor from $\mathsf{Fr}_\tau$ to $\mathsf{BAO}^+_\tau$.


Proof. The important issue here is that for any bounded morphism $\theta : S \to S'$, the
map $\theta^+$ is a complete homomorphism from $S'^+$ to $S^+$. It is easy to see that $\theta^+$ is a
complete Boolean homomorphism between the respective power set algebras; in order to
prove that it is also a modal homomorphism, it suffices to show that for an (n+1)-ary
relation R we have

$$\langle R \rangle(\theta^+(X_1), \ldots, \theta^+(X_n)) = \theta^+(\langle R' \rangle(X_1, \ldots, X_n)) \tag{13}$$

in case $\theta$ is a bounded morphism with respect to R and R’. Here it is interesting to
note that in fact the inclusion $\subseteq$ is equivalent to the forth property, and the converse
inclusion $\supseteq$, to the back property of $\theta$. In a way, (13) can be seen as a piece of evidence
that bounded morphisms provide in fact the right kind of morphism between frames. □


PROPOSITION 46. $(\cdot)_+$ is a contravariant functor from $\mathsf{BAO}^+_\tau$ to $\mathsf{Fr}_\tau$.


Proof. Here the first point is to prove that if $\eta : A \to A'$ is a complete Boolean
homomorphism between the perfect $\tau$-BAOs A and A’, then $\eta_+$ maps atoms of A’ to
atoms of A. To see this, let p’ be an atom of A’; it suffices to show that $\eta_+(p')$ is join
prime in A. That is, we assume that $\eta_+(p') \leq \bigvee X$ for some $X \subseteq A$, and have to show
that $\eta_+(p') \leq x$ for some $x \in X$. From the assumption we may derive that

$$p' \leq' \eta(\eta_+(p')) \leq' \eta(\bigvee X) = \bigvee' \eta[X].$$

Here the first inequality directly follows from the definition of $\eta_+(p')$. But since p’ is an
atom of A’, the fact that $p' \leq' \bigvee' \eta[X]$ implies that $p' \leq' \eta(x)$ for some $x \in X$. The
definition of $\eta_+(p')$ then immediately gives that $\eta_+(p') \leq x$.

Unfortunately, we do not have the space here to prove that if $\eta$ is in addition a modal
homomorphism, then $\eta_+$ is a bounded morphism, or that the operation $(\cdot)_+$ commutes
with function composition, i.e., that $(\theta \circ \eta)_+ = \eta_+ \circ \theta_+$ if $\eta : A \to A'$ and $\theta : A' \to A''$
are complete homomorphisms. □

The following result, that we will refer to as the complex duality for BAOs, is due to
Thomason [103] (for the basic modal logic case).


THEOREM 47. The functors $(\cdot)^+$ and $(\cdot)_+$ constitute a dual equivalence between the
categories $\mathsf{Fr}_\tau$ and $\mathsf{BAO}^+_\tau$.


Proof. Given the results already established, it suffices to prove that the isomorphisms
$\iota_S : S \to (S^+)_+$ and $\varepsilon_A : A \to (A_+)^+$, defined in the proof of Proposition 42, are natural.
For instance, concerning $\varepsilon$, we have to prove that $\varepsilon_{A'} \circ \eta = (\eta_+)^+ \circ \varepsilon_A$ for an arbitrary
complete homomorphism $\eta : A \to A'$. The reader can easily verify this by a direct
calculation. □


5.3 Ultrafilter frames


Now let us see how to remove the restriction to finite structures on the algebra side of 
(11); our first goal is to represent arbitrary (that is, not necessarily finite or even atomic) 
algebras by frames. But, given a BAO A, what to take as the points of a frame representing 
A? This problem of course already appears on the Boolean level, and its solution is 
provided by Stone’s representation theorem. This celebrated piece of mathematics states 
that every Boolean algebra can be embedded in the set algebra over its ultrafilters; let 
us briefly review the basic facts concerning ultrafilters. 


DEFINITION 48. Let B be a Boolean algebra. An ultrafilter of B is a proper filter u
such that either a or $-a$ belongs to u, for all $a \in B$. The collection of ultrafilters of B
is denoted as Uf(B). Given a set S, we sometimes refer to ultrafilters of the power set
algebra of S as ultrafilters over S. 


EXAMPLE 49. Given a set S, and an element $s \in S$, define the principal ultrafilter $\pi_s$
as the set $\{X \subseteq S \mid s \in X\}$. It is straightforward to verify that this set is indeed an
ultrafilter over S. More generally, if p is an atom of the BA B, then the principal filter
$p{\uparrow} = \{a \in B \mid p \leq a\}$ is in fact an ultrafilter; it is in this sense that ultrafilters form a
generalization of atoms.

For an example of a non-principal ultrafilter, consider the Boolean algebra of finite
and cofinite sets of some infinite set T; the collection of cofinite subsets of T forms an
ultrafilter of this algebra.

As a last example, ultrafilters can be seen to generalize the notion of a maximal
consistent set. Consider the Lindenbaum-Tarski algebra $F_L$ of a modal logic L; it is
easy to verify that $\Phi$ is a maximal L-consistent set of formulas if and only if the set
$\{[\varphi]_L \mid \varphi \in \Phi\}$ is an ultrafilter of $F_L$.


Ultrafilters can be characterized as the proper filters that are maximal with respect 
to the inclusion ordering; this identification provides the key tool for establishing the 
existence of ultrafilters, as the proof sketch of the following Theorem reveals. 


THEOREM 50 (Ultrafilter Theorem). Any proper filter of a Boolean algebra B can be
extended to an ultrafilter of B.


Proof. Given a proper filter F, apply Zorn’s Lemma to the collection C of proper filters
that extend F, and obtain a proper filter u that is maximal in C. It is not hard to prove
that u is in fact a maximal proper filter, and from this it easily follows that u is an
ultrafilter. □

Stone’s representation theorem suggests taking the collection Uf(A) of a BAO A as the
domain of a frame that will represent A; for the accessibility relation on this ultrafilter
frame we will (in the case of the basic modal similarity type) make the ultrafilter v visible
from u if there is no explicit information preventing this; that is, if there is no $a \in v$ with
$\Diamond a \notin u$. For an arbitrary similarity type we have the following definition.


DEFINITION 51. Given an n-ary operator f on the Boolean algebra B, define its dual
relation $R_f$ as the (n+1)-ary relation on Uf(B) given by:

$$R_f u u_1 \ldots u_n :\iff f(a_1, \ldots, a_n) \in u \text{ for all } a_1 \in u_1, \ldots, a_n \in u_n.$$

Now let A be a Boolean algebra with $\tau$-operators; then we define the ultrafilter frame or
canonical structure of A as the structure

$$A_\bullet := (Uf(A), \{R_{\nabla^A} \mid \nabla \in \tau\}).$$

Given a class K of algebras, we let Cst(K) denote the class of ultrafilter frames of algebras
in K.

EXAMPLE 52. Recall from Chapter 2 of this volume that the canonical frame of a
normal modal logic L is the structure $C_L = (C, R)$ where C is the set of maximally
L-consistent sets of formulas, and (we confine ourselves to the basic modal similarity type)
R is the canonical accessibility relation given by $Ruv :\iff \Diamond\varphi \in u$ for all $\varphi$ in v.
Using the identification that we made in Example 49 of maximal L-consistent sets with
ultrafilters of the Lindenbaum-Tarski algebra $F_L$, it is fairly obvious that the canonical
frame for L is isomorphic to the ultrafilter frame of $F_L$.

As a second example of the ultrafilter frame construction we mention that the ultrafilter
extension ue S of a frame S (as defined in Chapter 5 of this volume) is nothing but the
‘double dual’ $(S^+)_\bullet$ of S. Verifying this is simply a matter of unraveling the definitions.


Unlike the complex algebra functor, the ultrafilter frame construction is not injective. 


EXAMPLE 53. Let A be the collection of finite and cofinite subsets of N, and let B 
contain in addition those sets of natural numbers that differ in at most finitely many 
elements from either the set E of evens or the set O of odds. Both A and B are closed
under the Boolean operations, and it is easy to see that A has exactly one non-principal
ultrafilter, and B, exactly two: one containing the set E, and one the set O. Now suppose
that we create algebras A and B by endowing A and B with some dummy operator,
say, the identity map. Then we find that the respective ultrafilter frames $A_\bullet$ and $B_\bullet$
are isomorphic: both have countably many points, and in both cases, the accessibility 
relation is simply the diagonal. But the algebras A and B are clearly not isomorphic. 


As we will see further on, the following theorem from Jónsson & Tarski [70] is not
only vital when it comes to applications of the algebraic approach in modal completeness 
theory. It is also a manifestation of a fundamental mathematical concept, namely that 
of a representation theorem stating that every abstract structure in an axiomatically 
defined class is in fact isomorphic to a concrete, ‘intended’ structure of the kind that the 
axioms try to capture. 


THEOREM 54 (Jónsson-Tarski Representation Theorem). Let A be a Boolean algebra
with $\tau$-operators. Then the Stone representation map $\hat{\cdot} : A \to P\,Uf(A)$ given by

$$\hat{a} := \{u \in Uf(A) \mid a \in u\} \tag{14}$$

is an embedding of A into $(A_\bullet)^+$.


Proof. We omit details concerning the Boolean part of this theorem, which is of course 
nothing but Stone’s representation theorem for Boolean algebras. 

Concerning the additional operations, we restrict ourselves to the basic modal
similarity type. So we consider a modal algebra $A = (A, \top, \bot, -, \wedge, \vee, \Diamond)$ and show that

$$\widehat{\Diamond a} = \langle R_\Diamond \rangle \hat{a}. \tag{15}$$

First we consider an ultrafilter $u \in \langle R_\Diamond \rangle \hat{a}$. It follows by the definition of $\langle R_\Diamond \rangle$ (see 9)
that there is an ultrafilter v such that $R_\Diamond uv$ and $v \in \hat{a}$, that is, $a \in v$. Then by definition
of $R_\Diamond$ it follows that $\Diamond a \in u$, and, hence, that $u \in \widehat{\Diamond a}$. This proves that $\widehat{\Diamond a} \supseteq \langle R_\Diamond \rangle \hat{a}$.

For the converse direction, take an arbitrary ultrafilter $u \in \widehat{\Diamond a}$; that is, $\Diamond a \in u$. We
have to come up with an ultrafilter v such that (i) $R_\Diamond uv$ and (ii) $v \in \hat{a}$, or, equivalently,
$a \in v$. We first reformulate the first condition:

$$R_\Diamond uv \text{ iff } x \in v \text{ for all } x \text{ with } -\Diamond{-x} \in u. \tag{16}$$

Hence, by the Ultrafilter Theorem 50 it suffices to show that the set
$\{x \in A \mid -\Diamond{-x} \in u\} \cup \{a\}$ has the finite meet property, see Example 27. In order to prove this, first observe
that the set $\{x \in A \mid -\Diamond{-x} \in u\}$ is closed under taking meets — this easily follows from
the additivity of $\Diamond$ and the fact that u is a filter.

But then it is left to show that $x \wedge a > \bot$ for any $x \in A$ with $-\Diamond{-x} \in u$. Suppose
for contradiction that $x \wedge a = \bot$. We obtain $a \leq -x$ so $\Diamond a \leq \Diamond{-x}$ by monotonicity of
$\Diamond$, and so we find $\Diamond{-x}$ in u because $\Diamond a \in u$. This gives the desired contradiction since
we already had $-\Diamond{-x}$ in u. □


DEFINITION 55. Given a Boolean algebra with $\tau$-operators A, the ‘double dual’ algebra
$(A_\bullet)^+$ is known as the canonical embedding algebra of A, the canonical extension of A
and the perfect extension of A; we will mainly use the second term, and usually denote
the structure as $A^\sigma$.


The Jónsson-Tarski theorem thus states that the constructions $(\cdot)^+$ and $(\cdot)_\bullet$ interact
well if we start with algebras: $A \rightarrowtail (A_\bullet)^+$ for every BAO A. Unfortunately, if we start
with frames, then the return is less safe: for a $\tau$-frame S, the map $s \mapsto \pi_s$ (assigning to
points of S their associated principal ultrafilters) is an embedding of S into $(S^+)_\bullet$ only
if S is image finite. (In fact, the condition of image-finiteness is also sufficient.) And if
S contains a point from which paths of arbitrary finite length emanate, but no infinite
path, then there is no bounded morphism from S to $(S^+)_\bullet$ whatsoever. From this it
follows that there is no way to extend the ultrafilter frame construction to a functor that
is adjoint to that of taking complex algebras. This is a notable divergence from the case
of Boolean algebras per se (that is, without operators) — the formation of the canonical
extension $B^\sigma$ of a Boolean algebra B is a free construction, see [68] for more information
on these matters.

Nevertheless, the operation of taking ultrafilter frames can be extended to a functor, 
as follows. 


DEFINITION 56. Let $A$ and $A'$ be two Boolean algebras with $\tau$-operators. Given a
homomorphism $\eta : A \to A'$, we define the map $\eta_\bullet : \mathit{Uf}A' \to \mathcal{P}(A)$, which can be shown
to map ultrafilters to ultrafilters, by putting

$$\eta_\bullet(u') := \{a \in A \mid \eta(a) \in u'\}. \tag{17}$$


PROPOSITION 57. $(\cdot)_\bullet$ is a contravariant functor from $\mathsf{BAO}_\tau$ to $\mathsf{Fr}_\tau$.


Proof. If $\eta : A \to A'$ is a Boolean homomorphism, then it follows almost immediately
that $\eta_\bullet$ maps ultrafilters to ultrafilters, while it is not too hard either to prove that, for
any modality $\nabla$ of rank, say, $n$:

$\eta_\bullet$ has the forth property for $R_\nabla$ if $\nabla'(\eta a_1, \ldots, \eta a_n) \le \eta(\nabla(a_1, \ldots, a_n))$,
$\eta_\bullet$ has the back property for $R_\nabla$ if $\nabla'(\eta a_1, \ldots, \eta a_n) \ge \eta(\nabla(a_1, \ldots, a_n))$.

This shows that $\eta_\bullet$ is a bounded morphism from $A'_\bullet$ to $A_\bullet$ if $\eta : A \to A'$ is a homomorphism.
It is then left to show that $(\cdot)_\bullet$ is functorial, and in particular, that
$(\eta \circ \theta)_\bullet = \theta_\bullet \circ \eta_\bullet$ for homomorphisms $\theta : A \to A'$ and $\eta : A' \to A''$. This can be
checked by a straightforward calculation which we leave for the reader. □


5.4 Topological duality 


In the previous subsection we encountered a problem of the functor $(\cdot)_\bullet$: in general,
algebras cannot be retrieved from their ultrafilter frames. A very simple remedy is then 
to add this information to the frame by melting algebra and frame into one structure. 
Since this issue already pertains at the level of Boolean algebras (without additional 
operations), that is where we start the discussion. 


DEFINITION 58. A field of sets is a pair $(S, A)$ with $A \subseteq \mathcal{P}(S)$ being closed under all
Boolean set-theoretic operations, or equivalently, with $A$ such that $(A, S, \varnothing, \sim_S, \cap, \cup)$ is
a subalgebra of $\mathcal{P}S$. The elements of $A$ are called the admissible subsets of $S$.

Given a Boolean algebra $A = (A, \top, \bot, -, \wedge, \vee)$, put $\hat{A} := \{\hat{a} \subseteq \mathit{Uf}(A) \mid a \in A\}$,
with $\hat{\ }$ as in (15), and define $A_* := (\mathit{Uf}A, \hat{A})$ as the associated field of sets of $A$.
Conversely, the associated Boolean algebra of a field of sets $S = (S, A)$ is the structure
$S^* := (A, S, \varnothing, \sim_S, \cap, \cup)$.

It will be clear that the Boolean algebras $A$ and $(A_*)^*$ will always be isomorphic;
however, we will only have that $S \cong (S^*)_*$ if $S$ has some special properties.


DEFINITION 59. A field of sets $S = (S, A)$ is discrete if $A$ contains all singletons of $S$,
differentiated if for any two distinct points $s \neq t$ of $S$ there is a set $a \in A$ such that
$s \in a$ and $t \notin a$, and full if $A = \mathcal{P}(S)$. $S$ is compact if every subset of $A$ with the
finite intersection property has a non-empty intersection, and descriptive if it is both
differentiated and compact.


In a descriptive field of sets, the points and the admissible sets are in balance: there 
are sufficiently many admissible sets to separate distinct points, while there are enough 
points to witness all the ultrafilters of the algebra. More precisely, one can prove that 
for any field of sets $S = (S, A)$, the map

$$s \mapsto \{a \in A \mid s \in a\} \tag{18}$$

provides a bijection between $S$ and the collection of ultrafilters of $S^*$ iff $S$ is descriptive.


REMARK 60. Our terminology strongly suggests a topological connection. In order to
make this explicit, note that the collection of admissible sets of a field of sets $S = (S, A)$
forms a basis for a topology $\sigma_A$; and that, conversely, we may take the set $\mathit{Clp}(X)$ of
clopen (that is, closed and open) elements of a topology $X = (X, \tau)$ as a collection of
admissible sets. In accordance with this, we define a subset $X \subseteq S$ to be open if it is a
union of admissible sets, and closed if it is an intersection of admissible sets. Thus the
study of fields of sets takes us into a rather specific branch of set-theoretic topology in
which all spaces are zero-dimensional, that is, have a basis of clopens.

One may prove for any field of sets $S = (S, A)$ that $S$ is descriptive iff $(S, \sigma_A)$ is a
Stone space, that is, $\sigma_A$ is a compact, Hausdorff and zero-dimensional topology. Basically
then, descriptive fields of sets and Stone spaces are two ways of formulating the same
mathematical objects; the difference is no more than a matter of focus, be it on the
topology itself, or rather on its sets of clopens.


The topological nature also comes out clearly when we discuss morphisms. 


DEFINITION 61. Given two fields of sets $S = (S, A)$ and $S' = (S', A')$, we call a map
$\theta : S \to S'$ continuous if the set

$$\theta^*(a') := \{s \in S \mid \theta(s) \in a'\} \tag{19}$$

belongs to $A$ for all $a' \in A'$.
We define the dual $\eta_* : \mathit{Uf}A' \to \mathit{Uf}A$ of a morphism $\eta : A \to A'$ between two Boolean
algebras as the map $\eta_*(u') := \{a \in A \mid \eta(a) \in u'\}$.


Without further proof we mention (our reformulation of) the following seminal result 
from Stone [101] (see Johnstone [68] for an extensive discussion of its impact). 


THEOREM 62 (Stone duality). The functors $(\cdot)^*$ and $(\cdot)_*$ form a dual equivalence between
the category of Boolean algebras with homomorphisms, and that of descriptive fields
of sets with continuous maps.


The duality for BAOs can now be developed by incorporating the ultrafilter functor $(\cdot)_\bullet$
into the Stone duality: the dual object representing a Boolean algebra with operators
will combine the BAO and its dual Kripke frame in one structure.


DEFINITION 63. A general $\tau$-frame is a structure $G = (G, R, A)$, where
$R = \{R_\nabla \mid \nabla \in \tau\}$ is a family of relations on $G$, such that (i) $(G, R)$ is a $\tau$-frame and
(ii) $(G, A)$ is a field of sets such that (iii) $A$ is closed under the operation $\langle R_\nabla\rangle$ for each
operation symbol $\nabla \in \tau$. The structure $(G, R)$ is called the underlying Kripke frame of $G$.

Given a general frame $G = (G, R, A)$, define $G^*$ as the subalgebra of $(G, R)^+$ with
carrier $A$. Conversely, given a $\tau$-BAO $A$, define its dual general frame $A_*$ as the structure
$(\mathit{Uf}(A), \{R_\nabla \mid \nabla \in \tau\}, \hat{A})$.


As in the case of the duals of Boolean algebras, general frames of the form $A_*$ are rather
special, also with respect to the interaction between their relational and the topological 
side. We let notions like differentiatedness apply to a general frame (G, R, A) as it applies 
to the underlying field of sets (G, A). 


DEFINITION 64. A general frame $G = (G, R, A)$ is tight if every tuple $(s, s_1, \ldots, s_n)$
which is not in the relation $R_\nabla$ (with $\nabla$ an arbitrary relation symbol of arity $n$) is
witnessed by admissible sets $a_1, \ldots, a_n$ such that $s_i \in a_i$ for each $i$, while
$s \notin \langle R_\nabla\rangle(a_1, \ldots, a_n)$. $G$ is refined if it is both differentiated and tight, and descriptive
if it is both refined and compact.


REMARK 65. An easy proof shows that we may reformulate the property of tightness
equivalently by requiring that (restricting to the basic modal language here)
$R[s] = \bigcap\{a \in A \mid s \in [R]a\}$ for each point $s$ in $G = (G, R, A)$. In other words, the relation $R$
is point-closed, since each point of $G$ has a closed successor set — closed in the induced
topology $\sigma_A$, that is. Thus from a topological perspective, descriptive general frames can
be identified with point-closed relational Stone spaces.


In order to turn the constructions $(\cdot)^*$ and $(\cdot)_*$ into functors we have to introduce
morphisms between (descriptive) general frames as well. Again, we combine modal and 
topological aspects in the natural way. 


DEFINITION 66. Given two general frames $G = (G, R, A)$ and $G' = (G', R', A')$, a map
$\theta : G \to G'$ is called a continuous bounded morphism if it is both a bounded morphism
from $(G, R)$ to $(G', R')$ and a continuous map from $(G, A)$ to $(G', A')$. The category of
descriptive general $\tau$-frames with continuous bounded morphisms is denoted as $\mathsf{DGF}_\tau$.


Now let us see how $(\cdot)^*$ and $(\cdot)_*$ operate on morphisms. For the definition of $\theta^*$ for $\theta$
a continuous bounded morphism we refer to (19); conversely, given a homomorphism
$\eta : A \to A'$ between two $\tau$-BAOs, define $\eta_*$ as in Definition 61, that is:
$\eta_*(u') := \{a \in A \mid \eta(a) \in u'\}$. We have now arrived at the main result of this subsection, Theorem 67
below, which is due to Goldblatt [37, 39]. Independently, Esakia [23] came up with such
a duality for a more specific variety of algebras.


THEOREM 67. The functors $(\cdot)^*$ and $(\cdot)_*$ constitute a dual equivalence between the
categories $\mathsf{BAO}_\tau$ and $\mathsf{DGF}_\tau$.


Proof. It is rather straightforward to verify that $(\cdot)^*$ and $(\cdot)_*$ are functors which form
a dual adjunction between the categories $\mathsf{DGF}_\tau$ and $\mathsf{BAO}_\tau$. It is then left to show that
$G \cong (G^*)_*$ for any descriptive general frame $G$, and that $A \cong (A_*)^*$ for any Boolean
algebra with $\tau$-operators $A$. But both of these claims are easy to establish: for the first
isomorphism, take the map of (18); and for the second isomorphism, simply take the
Stone embedding $\hat{\ }$ of (14). The proof details are left to the reader. □


It is straightforward to derive from this duality that for any class C of general frames, 
the class of dual algebras algebraizes C (once we have properly defined all notions in- 
volved), but we leave the details for the reader. 


5.5 Simplicity and Subdirect irreducibility 


As an application of these dualities, let us look at the frame counterparts of the notions 
of simplicity and subdirect irreducibility. In the complex duality of section 5.2, this 
question has a satisfactory answer, at least for subdirect irreducibility: 


THEOREM 68. Let $S$ be a $\tau$-frame. Then


1. $S^+$ is simple only if each point is a root of $S$;


2. $S^+$ is subdirectly irreducible iff $S$ is rooted.


Proof. Concerning subdirect irreducibility, the direction from right to left, first mentioned
in Goldblatt [39], was already treated in Example 38. The proof of the converse
implication appeared first in Sambin [99]. For its details, suppose that $p$ is a radix of
the algebra $S^+$, and consider an arbitrary point $s \in S$. Then by definition of radicality
we find that $p \subseteq \langle R_\blacklozenge\rangle\{s\}$ for some compound modality $\blacklozenge$. It is easy to see that this
implies $R_\blacklozenge rs$ for each $r \in p$, so that each element of $p$ is in fact a root of $S$. Hence,
if $S^+$ is simple, then every point is a root of $S$, since every non-empty subset of $S$ is a
radix of $S^+$ by Theorem 39. If $S^+$ is s.i., then by the same theorem it has at least one
radix; rootedness of $S$ thus follows from the fact that radical elements are non-empty by
definition. □
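
Theorem 68 and the radix argument in its proof can be checked by brute force on small finite frames of the basic modal similarity type. The Python code below is an added illustration, not part of the handbook: it assumes that the compound diamonds are the finite joins a ∨ ◇a ∨ ... ∨ ◇^n a, and that a radix is a non-empty p such that every non-empty b has a compound diamond ◆ with p ⊆ ◆b; the four frames are constructed samples.

```python
from itertools import combinations


def diamond(R, a):
    """<R>a: the points with at least one R-successor in a."""
    return frozenset(s for (s, t) in R if t in a)


def compound_diamond(R, a, n):
    """a | <R>a | ... | <R>^n a (assumed shape of a compound diamond)."""
    out, layer = set(a), frozenset(a)
    for _ in range(n):
        layer = diamond(R, layer)
        out |= layer
    return frozenset(out)


def nonempty_subsets(S):
    pts = sorted(S)
    return [frozenset(c) for k in range(1, len(pts) + 1)
            for c in combinations(pts, k)]


def radices(S, R):
    """Radical elements of the complex algebra S^+, straight from the
    (assumed) definition. On a finite frame, iterating beyond |S| steps
    adds no new points, so n <= |S| covers every compound diamond."""
    subs = nonempty_subsets(S)
    return [p for p in subs
            if all(any(p <= compound_diamond(R, b, n)
                       for n in range(len(S) + 1))
                   for b in subs)]


def roots(S, R):
    """Points r from which every point of S is reachable in finitely many steps."""
    def reach(r):
        seen, todo = {r}, [r]
        while todo:
            s = todo.pop()
            for (x, y) in R:
                if x == s and y not in seen:
                    seen.add(y)
                    todo.append(y)
        return seen
    return frozenset(r for r in S if reach(r) == set(S))


def check_theorem_68(S, R):
    """Return (S^+ is s.i., S^+ is simple) after checking Theorem 68."""
    rad, rts = radices(S, R), roots(S, R)
    si = bool(rad)                            # s.i. iff there is a radix
    simple = len(rad) == 2 ** len(S) - 1      # simple iff every non-empty set is one
    assert si == bool(rts), "68(2): s.i. iff rooted"
    assert (not simple) or rts == frozenset(S), "68(1): simple only if all roots"
    assert all(p <= rts for p in rad), "proof step: every radix consists of roots"
    return si, simple


# Constructed sample frames (S, R) for the basic modal similarity type.
FRAMES = {
    "chain":      ({0, 1, 2}, {(0, 1), (1, 2)}),          # rooted at 0
    "cycle":      ({0, 1, 2}, {(0, 1), (1, 2), (2, 0)}),  # every point is a root
    "two_points": ({0, 1}, set()),                        # no root
    "cospan":     ({0, 1, 2}, {(1, 0), (2, 0)}),          # no root
}

if __name__ == "__main__":
    for name, (S, R) in FRAMES.items():
        print(name, sorted(roots(S, R)), check_theorem_68(S, R))
```
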


Perhaps contrary to the reader’s expectation, the converse of Theorem 68(1) is not 
true. 


EXAMPLE 69. Consider the frame $Z = (Z, R)$ for the basic modal similarity type, with
$Z$ as the set of integers and $Rxy$ iff $|x - y| = 1$. Then clearly every integer is a root of
$Z$, while on the other hand, $Z^+$ is not simple. An easy way to see this is by proving that
the only radical elements of $Z^+$ are the finite subsets of $Z$.


In the topological duality of section 5.4, the correspondence between subdirect
irreducibility and rootedness is not so nice either. In general, subdirect irreducibility of $A$
neither implies rootedness of $A_*$, nor is it implied by it, as the following examples from
Sambin [99] witness.


EXAMPLE 70. For an example of the first kind, take the subalgebra $A$ of $(N, >)^+$
based on the collection of finite and cofinite subsets of the set $N$ of natural numbers. As
we will see later on, $A$ is not subdirectly irreducible. However, the frame $A_*$ is rooted,
since it adds one reflexive point $\omega$ (corresponding to the ultrafilter of the cofinite sets)
to $(N, >)$, in such a way that $\omega$ sees all other points.

Conversely, consider the frame $Z$ of the previous example, and take its subalgebra $B$
based on the finite and cofinite sets. It is easy to see that $B$ is s.i.: simply note that every
singleton is radical. However, the one reflexive point $\infty$ that $B_*$ adds to $Z$ is not related
to any other point in $B_*$. Hence, $B_*$ provides an example of an s.i. algebra of which the
dual general frame has no roots at all.


These examples indicate that if we are looking for a characterization of the notion of
subdirect irreducibility, it does not suffice to look at the dual Kripke frame alone: we
have to take the topology into account. Our characterization will be in terms of so-called
topological roots or, briefly, topo-roots. Recall that a root of a $\tau$-frame $S = (S, R)$ is
a point $r$ of $S$ such that $R^\omega[r] = S$, where the relation $R^\omega$ is given as the union of the
accessibility relations of the compound diamonds. It is straightforward to verify that in
a frame of the form $A_*$ this boils down to

$$R^\omega uv \text{ iff there is a compound diamond } \blacklozenge \text{ with } \blacklozenge a \in u \text{ for all } a \in v. \tag{20}$$

Our definition of the topo-reachability relation is obtained by swapping the universal and
the existential quantifier in (20).

DEFINITION 71. Given a Boolean algebra with operators $A$, define the topo-reachability
relation $R^* \subseteq \mathit{Uf}A \times \mathit{Uf}A$ as follows:

$$R^* uv \text{ iff for all } a \in v \text{ there is a compound diamond } \blacklozenge \text{ with } \blacklozenge a \in u. \tag{21}$$

We let $T_A$ denote the set of topo-roots of $A_*$; that is, the collection of those ultrafilters $u$
such that $R^*[u] = \mathit{Uf}A$.


The topological terminology will be clarified by the following alternative characterization
of $R^*$.


PROPOSITION 72. Let $A$ be some Boolean algebra with $\tau$-operators, and $u$ some ultrafilter
of $A$. Then $R^*[u] = \overline{R^\omega[u]}$; that is, $R^*[u]$ is the topological closure of $R^\omega[u]$ in the
Stone topology of $A_*$.


As the following theorem from Venema [108] witnesses, topo-roots provide the right 
tool for the characterization of the notions of simplicity and subdirect irreducibility. 


THEOREM 73. Let $A$ be a Boolean algebra with $\tau$-operators. Then

1. $A$ is simple iff $T_A = \mathit{Uf}A$;


2. $A$ is subdirectly irreducible iff $T_A$ is open and non-empty.


Unfortunately, we do not have the space for a proof or even a proof sketch. We confine 
ourselves to noting that the proof makes use of the correspondence between modal filters 
of $A$ and closed, hereditary subsets of $A_*$.


EXAMPLE 74. It is now obvious why the algebra $A$ of Example 70 is not s.i.: its dual
frame does have a (single) root $\omega$ but the set $\{\omega\}$ of roots is not open in the topology of
$A_*$. The algebra $B$ of the same example on the other hand is s.i. Whereas its dual frame
$B_*$ has no roots at all, almost every point of $B_*$ is a topo-root.


As corollaries of the last theorem we obtain some (well-)known results showing that
in many cases, nicer characterizations are indeed possible. We call a Boolean algebra
with operators $\omega$-transitive if it has a master modality, that is, a compound diamond $Q$
such that $\blacklozenge a \le Qa$ for all compound diamonds $\blacklozenge$ and all $a$ in $A$. (With some authors,
this property goes under the name of weak transitivity). The following result is due to
Sambin [99] (whereas in the closely related field of intuitionistic logic, similar
characterizations of s.i. Heyting algebras in terms of their dual structures had been known for
some time, cf. Esakia [24]).


COROLLARY 75. Let $A$ be an $\omega$-transitive Boolean algebra with operators. Then $A$ is
subdirectly irreducible iff the collection of roots of $A_*$ is non-empty and open.


Proof. This follows from Theorem 73 by the observation that if $A$ is $\omega$-transitive, then
$R^* = R^\omega = R_Q$ (where $Q$ is the master modality of $A$), whence the notions of root and
topo-root coincide. □


Results concerning the duals of finite BAOs are already covered by Theorem 68, since 
for finite BAOs the complex and the topological dualities coincide. 


5.6 Class operations 


While the functors $(\cdot)^+$ and $(\cdot)_\bullet$ do not form a duality, they do provide an interesting
link between the categories $\mathsf{Fr}_\tau$ and $\mathsf{BAO}_\tau$. We already discussed the role of the ‘double
duals’, that is, the canonical embedding algebra $A^\sigma = (A_\bullet)^+$ of a BAO $A$, and the
ultrafilter extension $(S^+)_\bullet$ of a frame $S$. But there is also a wealth of results concerning
the direct interaction of the mentioned functors with the more ‘intrinsic’ constructions
on algebras and frames. We confine ourselves here to the algebraic operations of taking
homomorphic images, subalgebras and products, and their frame counterparts of taking
generated subframes, bounded morphic images, and disjoint unions. The results listed in
Theorem 76 are more or less direct consequences of the dualities established earlier on;
therefore, we leave the proofs to the reader.


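THEOREM 76. Let $S$, $S'$ and all $S_i$ with $i \in I$ be $\tau$-frames, and let $A$, $A'$ and all $A_j$
with $j \in J$ be Boolean algebras with $\tau$-operators. Then


1. $\theta : S \rightarrowtail S'$ only if $\theta^+ : (S')^+ \twoheadrightarrow S^+$;

2. $\theta : S \twoheadrightarrow S'$ only if $\theta^+ : (S')^+ \rightarrowtail S^+$;

3. $\eta : A \rightarrowtail A'$ only if $\eta_\bullet : A'_\bullet \twoheadrightarrow A_\bullet$;

4. $\eta : A \twoheadrightarrow A'$ only if $\eta_\bullet : A'_\bullet \rightarrowtail A_\bullet$;

5. $\left(\sum_{i \in I} S_i\right)^+ \cong \prod_{i \in I} S_i^+$;

6. $\left(\prod_{j \in J} A_j\right)_\bullet \leftarrowtail \sum_{j \in J} (A_j)_\bullet$.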

In general it is not true that the ultrafilter frame $\left(\prod_{j \in J} A_j\right)_\bullet$ is isomorphic to the
disjoint union $\sum_{j \in J} (A_j)_\bullet$: the problem is that for infinite $J$, not every ultrafilter of the
product can be linked to an ultrafilter of one of the factors. Fortunately, we do have
the following ‘second best’ connection, essentially due to Gehrke [27], which states that
the ultrafilter frame of the product is isomorphic to the disjoint union of the ultrafilter
frames of all ultraproducts of the original algebras over the index set.


THEOREM 77. Let $\{A_i \mid i \in I\}$ be a family of Boolean algebras with $\tau$-operators. Then

$$\Big(\prod_{i \in I} A_i\Big)_\bullet \cong \sum_{D \in \mathit{Uf}(I)} \Big(\prod_D A_i\Big)_\bullet$$


Proof. Given an element $a$ of $A := \prod_{i \in I} A_i$, let $d(a) := \{i \in I \mid a(i) \neq \bot\}$ be the support
set of $a$. Then it is not hard to prove that $d[u] := \{d(a) \mid a \in u\}$ is an ultrafilter over $I$
for every $u \in \mathit{Uf}(A)$.

Now given an ultrafilter $D$ over $I$, the natural homomorphism $\nu^D : a \mapsto a/D$ is a
surjective homomorphism from $A$ onto $A_D := \prod_D A_i$. So by Theorem 76(4), its dual
$\nu^D_\bullet : (A_D)_\bullet \to A_\bullet$ is a frame embedding. We now claim that

$$\mathrm{Range}(\nu^D_\bullet) = \{u \in \mathit{Uf}A \mid d[u] = D\}. \tag{22}$$

For the inclusion $\subseteq$, take an arbitrary ultrafilter $z$ of $A_D$. For any $a \in \nu^D_\bullet(z)$, it holds
by definition that $\nu^D(a) = a/D$ belongs to $z$; but then $a/D$ must be distinct from the
bottom element of $A_D$. Hence $d(a) \in D$ by definition of $d$. Since this applies to arbitrary
$a \in \nu^D_\bullet(z)$ it follows that $d[\nu^D_\bullet(z)] \subseteq D$. But then we must have equality because both
$d[\nu^D_\bullet(z)]$ and $D$ are ultrafilters over $I$. For the converse inclusion, if $u \in \mathit{Uf}A$ satisfies
$d[u] = D$, then the set $u_D := \{a/D \mid a \in u\}$ is easily seen to be an ultrafilter of $A_D$ which
satisfies $\nu^D_\bullet(u_D) = u$. This proves (22).

Clearly for each ultrafilter $D$ over $I$, $\mathrm{Range}(\nu^D_\bullet)$ is (the domain of) a generated subframe
of $A_\bullet$; it now follows from the fact that $d[u] \in \mathit{Uf}(I)$ and (22) that these subframes
are mutually disjoint, but jointly cover the full domain $\mathit{Uf}A$ of $A_\bullet$. From this the theorem
is immediate. □

On the basis of the Theorems 76 and 77 we may develop a ‘calculus of class operations’.
For instance, letting $\mathsf{S}_g$ denote the operation of taking generated subframes,
Theorem 76(1) can be read as stating ‘$\mathsf{Cm}\mathsf{S}_g \le \mathsf{H}\mathsf{Cm}$’, meaning that $\mathsf{Cm}\mathsf{S}_g(C) \subseteq \mathsf{H}\mathsf{Cm}(C)$
for every frame class $C$. There are many constructions of either frames or algebras that
have been investigated, and many results, similar to the Theorems 76 and 77, have been
obtained. The interested reader is referred to work by Goldblatt, for instance [40, 41].

Unfortunately, we have only space here for one further example (which will be used in 
the next section). 


PROPOSITION 78. For any class $C$ of frames, $\mathsf{P}_u\mathsf{Cm}(C) \subseteq \mathsf{S}\mathsf{Cm}\mathsf{P}_u(C)$.


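Proof. Let $\{S_i \mid i \in I\}$ be a family of $\tau$-frames, and let $D$ be an ultrafilter over $I$.
Define the map $\eta : \prod_{i \in I} \mathcal{P}(S_i)/D \to \mathcal{P}\big(\prod_{i \in I} S_i/D\big)$ by putting, for $s/D$ in $\prod_{i \in I} S_i/D$:

$$s/D \in \eta(a/D) \ :\Longleftrightarrow\ \{i \in I \mid s(i) \in a(i)\} \in D.$$

We leave it for the reader to verify that this is a well-defined embedding of $\prod_{i \in I} S_i^+/D$
into $\big(\prod_{i \in I} S_i/D\big)^+$. □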


We will give one application of the Theorems 76 and 77 here; more use of these results
will be made in the next sections. Theorem 79 below, due to Goldblatt & Thomason [47], 
can be read as a modal dual of Birkhoff’s theorem identifying varieties with equational 
classes. For a definition of Birkhoff’s theorem from a coalgebraic perspective, the reader 
is referred to section 14. 


THEOREM 79 (Goldblatt-Thomason Theorem). Let $C$ be a class of $\tau$-frames. Then


1. if C is modally definable then it reflects ultrafilter extensions, and is closed under 
taking bounded morphic images, generated subframes and disjoint unions; 


2. the converse of (1) holds if $C$ is closed under taking ultrapowers (for instance, if
$C$ is elementary).


Proof. First assume that $C$ is modally definable; that is, $C = \mathsf{Fr}(\Gamma)$ for some set $\Gamma$
of modal $\tau$-formulas (in fact, we may take $\Gamma$ to be the logic of $C$, but this is not relevant
now). Now suppose that the frame $S'$ is the bounded morphic image of some $S$ in $C$.
From $S$ in $C$ it follows that $S \Vdash \Gamma$ whence $S^+ \models \Gamma^{\approx}$; but at the same time we see that
by Theorem 76(2), $(S')^+$ is a subalgebra of $S^+$. Hence also $(S')^+ \models \Gamma^{\approx}$, so $S' \Vdash \Gamma$ which
immediately implies that $S'$ belongs to $C$. This shows that $C$ is closed under taking
bounded morphic images; the case of generated subframes and disjoint unions is proved
similarly.

Now suppose that the ultrafilter extension $\mathfrak{ue}\,S = (S^+)_\bullet$ belongs to $C$. Then
$((S^+)_\bullet)^+ \models \Gamma^{\approx}$, and so $S^+ \models \Gamma^{\approx}$ since $S^+$ is a subalgebra of $((S^+)_\bullet)^+$ by the Jónsson-Tarski
Theorem 54. But from $S^+ \models \Gamma^{\approx}$ it follows that $S \Vdash \Gamma$ whence $S$ belongs to $C$. This shows
that $C$ reflects ultrafilter extensions, and thus proves part (1).

For the second part, assume that $C$ enjoys all of the listed closure properties. In order
to prove that $C = \mathsf{Fr}(\mathsf{Log}(C))$, take an arbitrary frame $S$ such that $S \Vdash \mathsf{Log}(C)$. It suffices
to show that $S$ actually belongs to $C$.

It follows from $S \Vdash \mathsf{Log}(C)$ that $S^+$ validates the equational theory of the class $\mathsf{Cm}(C)$,
and so by Birkhoff’s variety theorem $S^+$ belongs to the variety $\mathsf{Var}\mathsf{Cm}(C)$ generated by
the class of complex algebras over $C$. Then by Tarski’s HSP-theorem, $S^+$ belongs to
$\mathsf{HSP}\mathsf{Cm}(C)$. That is, for some family $\{F_i \mid i \in I\}$ of frames in $C$, and some algebra $A$ we
have that

$$S^+ \twoheadleftarrow A \rightarrowtail \prod_{i} F_i^+.$$

Note that $\prod_i F_i^+ \cong \left(\sum_i F_i\right)^+$ by Theorem 76(5), and that $F := \sum_i F_i$ belongs to $C$.
Then using Theorem 76(3) and (4) we find that

$$(S^+)_\bullet \rightarrowtail A_\bullet \twoheadleftarrow (F^+)_\bullet.$$

Now it follows by Theorem 90 in Chapter 5 of this volume that $(F^+)_\bullet$ is a bounded morphic
image of some ultrapower $F^J/D$ of $F$. Then by the various listed closure properties
of $C$, we show that subsequently, each of the frames $F^J/D$, $(F^+)_\bullet$, $A_\bullet$ and $(S^+)_\bullet$ belongs
to $C$. Finally then, also $S$ belongs to $C$ since its ultrafilter extension $(S^+)_\bullet$ does so. □


6 LOGICS AND VARIETIES 


This section, which forms the heart of the algebra part of this chapter, discusses the 
connection between normal modal logics (NMLs) and varieties of BAOs. The main part 
of the section consists in showing how standard properties of a logic turn up on the 
algebraic side of the picture, but we start with showing how the lattice of normal modal 
logics is dually isomorphic to that of the varieties of BAOs. 


DEFINITION 80. Given a normal modal logic $L$, we say that a normal modal logic $L'$
is a normal extension of $L$ simply if $L \subseteq L'$. The lattice of normal extensions of $L$ is
denoted as $\mathsf{NExt}(L)$.

We have already seen that with every normal modal $\tau$-logic we may associate a variety
$\mathsf{BAO}_\tau(L)$ of $\tau$-BAOs. Conversely, every class of these algebras gives rise to a normal modal
logic.

DEFINITION 81. Given a class $K$ of Boolean algebras with $\tau$-operators, we define
$\mathsf{Log}(K) := \{\varphi \in \mathit{Fma}_\tau \mid K \models \varphi^{\approx}\}$.

The following theorem then describes the intimate connection between normal modal 
logics and varieties of BAOs. Similar results can be proved about arbitrary modal logics 
and varieties of BAEs, and about monotone modal logics and varieties of BAMs. 


THEOREM 82.


1. The maps $\mathsf{BAO}_\tau(\cdot)$ and $\mathsf{Log}(\cdot)$ form a Galois connection, in the sense that for
every set $\Gamma$ of $\tau$-formulas, and every class $K$ of Boolean algebras with $\tau$-operators,
$\Gamma \subseteq \mathsf{Log}(K)$ iff $K \subseteq \mathsf{BAO}_\tau(\Gamma)$.


2. The stable formula sets of this connection are precisely the normal modal $\tau$-logics,
while the stable classes of algebras are precisely the varieties of Boolean algebras
with $\tau$-operators.


3. Hence, $\mathsf{Log}$ is a dual isomorphism between the lattice of subvarieties of $\mathsf{BAO}_\tau$ and
the lattice $\mathsf{NExt}(K_\tau)$ of normal modal $\tau$-logics.


Proof. It is not hard to see the Galois connection, since we have $\Gamma \subseteq \mathsf{Log}(K)$ iff $A \models \varphi$
for all $A$ in $K$ and all $\varphi \in \Gamma$ iff $K \subseteq \mathsf{BAO}_\tau(\Gamma)$.

Now let $\Gamma$ be a stable set of formulas of this connection, that is, suppose that
$\Gamma = \mathsf{Log}(\mathsf{BAO}_\tau(\Gamma))$; one easily infers that such a $\Gamma$ must be a normal modal logic. Conversely,
if $L$ is a normal modal logic, then $L = \mathsf{Log}(\mathsf{BAO}_\tau(L))$ by the Algebraization Theorem 17.

At the other side of the connection, it is immediate from the definition that every
class $\mathsf{BAO}_\tau(\Gamma)$ is a variety. Conversely, assume that $V$ is a variety of $\tau$-BAOs. Then
clearly $V \subseteq \mathsf{BAO}_\tau(\mathsf{Log}(V))$ since this holds for any class; for the opposite inclusion, by
Birkhoff’s variety theorem it suffices to show that $\mathsf{BAO}_\tau(\mathsf{Log}(V))$ validates every equation
of $V$. So suppose that $V \models \varphi \approx \psi$; then $V \models (\varphi \leftrightarrow \psi) \approx \top$ since $V$ has a Boolean basis;
from this it follows that $\varphi \leftrightarrow \psi \in \mathsf{Log}(V)$, whence $\mathsf{BAO}_\tau(\mathsf{Log}(V))$ validates the equation
$(\varphi \leftrightarrow \psi) \approx \top$, by definition. But $\mathsf{BAO}_\tau(\mathsf{Log}(V))$ also has a Boolean basis, so we find
that $\mathsf{BAO}_\tau(\mathsf{Log}(V)) \models \varphi \approx \psi$, as required.

The last part of the theorem is then immediate by the general theory of Galois
connections. □


The dual isomorphism given by Theorem 82, linking the lattice of normal modal logics 
to that of varieties of BAOs, has yielded a wealth of information on modal logics. For 
instance, universal algebraic theory on splitting algebras led algebraically minded modal 
logicians to strong results on the degree of Kripke incompleteness of a modal logic, see 
for instance Blok [15]. We will not discuss the lattice of modal logics any further in this 
chapter, referring the reader to the Chapters 7 and 8 of this volume. 

Instead we turn to the question, how standard logical phenomena fit in the algebraic 
framework presented so far. The answer to this question depends on the issue at stake, 
so let us consider a number of examples: 


completeness is a property not so much of a single logic but rather of a pair of logics. For 
instance, Kripke completeness of a logic L means that L coincides with the logic 
of its frame class C. Algebraically, this corresponds to the fact that the variety 
$\mathsf{BAO}_\tau(L)$ is generated by the class of complex algebras $\mathsf{Cm}(C)$. More details will
be provided in subsection 6.1. 


canonicity of a modal logic L has, as we will see in subsection 6.2, an algebraic coun- 
terpart in the property of a class of algebras being closed under taking canonical 
extensions. 


correspondence is more about formulas, or equations, than about logics, or varieties
of algebras. Nevertheless, it has a clear algebraic meaning: We can say that an
equation $s \approx t$ corresponds, over a frame class $C$, to a first-order formula $\alpha$ in the
language of frames, if, for all frames $S$ in $C$, we have that $S^+ \models s \approx t$ iff $S \models \alpha$.


interpolation is a property of a normal modal logic. In subsection 6.3 we will see that it 
corresponds to an amalgamation property on the algebraic side. 


Let us now move to a more detailed discussion of some of these issues. 


6.1 Completeness 


As we mentioned already, Theorem 17 can be read as a general algebraic completeness 
result. So in this respect the algebraic semantics behaves much better than the relational 
one: Classes of Kripke frames are generally not adequate for revealing all distinctions
between normal modal logics, see Chapter 7 of this volume for the details. It clearly 
means something for a modal logic to be Kripke complete, so what about the associated 
algebraic variety? For an answer, recall the notion of a perfect BAO from Definition 40. 


THEOREM 83. A normal modal $\tau$-logic $L$ is (Kripke) complete iff $\mathsf{BAO}_\tau(L)$ is generated
by its perfect members.


Proof. Straightforward by the observation that any variety $V$ of BAOs is generated by
its perfect members iff its equational theory coincides with that of the class $\mathsf{Cm}\mathsf{Str}(V)$. □


This inspires the following definition. 


DEFINITION 84. A variety $V$ of Boolean algebras with $\tau$-operators is called (Kripke)
complete if V is generated by its perfect members. 


The phenomenon of Kripke incompleteness of normal modal logics is thus algebraically 
reflected by the fact that many different varieties of BAOs may share the same class of 
perfect members. 

The formulation of Theorem 83 strongly suggests that Kripke completeness is only 
one of a family of properties pertaining to normal modal logics. In fact, one may wonder 
whether varieties of Boolean algebras with operators are generated by those of their 
members that meet any given constraint. For instance, we might consider varieties that 
are generated by their finite members. Since every finite BAO is perfect this gives a 
strong version of Kripke completeness that is known on the logical side as the finite 
model property of the logic. 

In this respect it is also interesting to see what happens if we consider weakenings or 
variations of the notion of perfection. For instance, recall that perfection of a BAO is the 
conjunction of three properties: atomicity and completeness of the underlying Boolean 
algebra, and complete additivity of the operators. Hence, we may naturally ask which 
varieties of BAOs are generated by their atomic members, their complete and completely 
additive members, etc. Recent investigations have provided answers to some of these 
questions. First however, we mention a result of Buszkowski [18] which has been around 
for almost twenty years already, but which seems to have received little attention. Call 
a first-order formula or equation in the language of Boolean algebras with operators 
modally guarded if every variable occurs within the scope of a modality. 


THEOREM 85. Let V be a variety of expanded Boolean algebras which is axiomatized by 
modally guarded equations. Then V is generated by its atomic members. 


Proof. Given two BAEs $A$ and $A'$, call an embedding $\eta : A \to A'$ guarded if for all
guarded formulas $\varphi(x_1, \ldots, x_k)$, and all $a_1, \ldots, a_k \in A$, it holds that $A \models \varphi[a_1, \ldots, a_k]$
iff $A' \models \varphi[\eta a_1, \ldots, \eta a_k]$. Then

every BAE $A$ has a guarded embedding into an atomic BAE. (23)

It is straightforward to prove the theorem from (23): Any algebra $A$ in $V$ can be embedded
into an atomic BAE $B$ that satisfies the same guarded sentences as $A$, and thus in
particular, also belongs to $V$.

For a proof of (23), let $A$ be some $\tau$-expanded Boolean algebra. By the Stone representation
theorem, we may assume that for some set $X$, $A$ is of the form

$$(A, X, \varnothing, \sim_X, \cup, \cap, \{\nabla^A \mid \nabla \in \tau\}).$$

In fact, we may assume that every non-empty $a \in A$ is an infinite subset of $X$. (Otherwise,
replace $X$ with the set $X \times \omega$ and, using the natural embedding $P \mapsto P \times \omega$ of
the power set algebra of $X$ into that of $X \times \omega$, continue with the image of $A$ under this
map.) Now let $B$ be the collection of those subsets $b$ of $X$ that differ in at most finitely
many elements from some element of $A$; that is,

$$B := \{b \subseteq X \mid (a \cap \sim_X b) \cup (b \cap \sim_X a) \text{ is finite, for some } a \in A\}.$$

It is not hard to see that for every $b \in B$ there is in fact a unique element $a \in A$ such
that the symmetric difference $(a \cap \sim_X b) \cup (b \cap \sim_X a)$ is finite; this element will be denoted
as $b^*$.

One then easily proves that the structure $(B, X, \varnothing, \sim_X, \cup, \cap)$ is an atomic Boolean
algebra, so if we define, for $\nabla \in \tau$:

$$\nabla^B(b_1, \ldots, b_n) := \nabla^A(b_1^*, \ldots, b_n^*),$$

we obtain a $\tau$-expanded Boolean algebra $B$. Finally, a straightforward induction on the
complexity of guarded formulas shows that the identity map is the required guarded
embedding of $A$ into $B$. This proves (23). □


However, the restriction to guarded axioms in Theorem 85 is essential, as the following 
result of Venema [106] implies that there are varieties of BAOs that have no atomic 
members. 


THEOREM 86. There are nontrivial varieties of Boolean algebras with operators of 
which all members are atomless. 


Proof. The basic idea underlying this proof is straightforward: construct a particular, 
nontrivial, BAO $A$, and a unary term $m(x)$ such that the formula 
$\alpha = \forall x\,(\bot < x \to \bot < m(x) < x)$ holds in $A$. This shows not only that $A$ 
is atomless, but that this atomlessness is witnessed by a term function. 

Lacking the space for further details concerning the construction of $A$, we briefly sketch 
how to prove the theorem from here. Let K be the class of BAOs satisfying $\alpha$. Without 
loss of generality, assume that K has a global modality (see section 8.2). It then follows 
that the class SP(K) is a variety, and thus, that the formula $\alpha$, being a universal Horn 
sentence, holds in every member of this variety. But then every such algebra is atomless, 
so the theorem follows if we can prove that K is nontrivial. But this is an immediate 
consequence of the existence of the algebra $A$. □ 


Regarding the order/lattice theoretic property of completeness, a similar result ob- 
tains, due to Litak [81]. 


THEOREM 87. There are nontrivial varieties of Boolean algebras with operators without 
complete members. 


Proof. Consider the similarity type of tense logic, as in section 8.1. Let $S = (\mathbb{N}, <)$ be 
the bidirectional frame of the natural numbers with the standard ordering. That is, we 
interpret the diamonds $\Diamond_F$ and $\Diamond_P$ via the relations $<$ and $>$, respectively. 
Furthermore, let $A$ be the subalgebra of $S^+$ based on the collection of finite and cofinite 
subsets of $\mathbb{N}$. We claim that Var(A), the variety generated by $A$, has no complete 
members. Suppose for contradiction that $C$ is a complete member of Var(A). 

Each natural number n is, inside S, the unique point satisfying the variable free formula 
Yn := OPT A OBL. Observe that the inequalities Yn A Ym < L (for m Æ n), and 
Yn X rPn+1 hold in A, hence in Var(A), and therefore, in C. Define a, := YẸ, and 
b= Care It is then immediate that an < Opbn, bn < O Fan+1, and an^bm = L, for all 
m,n (we write Op rather than OF). But C is complete, so it contains elements a = V„ an 
and b = \/,, bn, for which we easily derive that a < Orb, b < Opa, andaAb= L. Hence, 
from the fact that C = OpOprxr < Opr it follows that a < Ora A Or—a, whence 


aA (OpraV Op—a) = L. Thus C refutes the inequality Opx < Or(x# A Ope V Opat), 
while a straightforward proof shows this inequality to hold in A, and hence, in Var(A). 
This provides the required contradiction. □ 


For more information on such notions of incompleteness that are weaker than Kripke 
incompleteness, the reader is referred to Litak [81]. To mention one open problem: it is 
not known whether an analogue of the previous two results can be proved for the notion 
of complete additivity. 


6.2 Canonicity 


In Chapter 2 of this volume, a normal modal logic $L$ is defined to be canonical if 
$C_L \Vdash L$, where $C_L$ is the canonical frame for the logic $L$. In order to put this in an 
algebraic perspective, first note that $C_L \Vdash L$ is equivalent to the requirement that 
$C_L^+ \models L^{\approx}$. Also, recall from Example 52 that the canonical frame for $L$ is 
isomorphic to the ultrafilter frame of the Lindenbaum-Tarski algebra $F_L$. Hence, we see 
that the issue is whether $(F_L)^\sigma = ((F_L)_\bullet)^+ \models L^{\approx}$, whereas we know 
that $F_L \models L^{\approx}$, cf. Theorem 21. This inspires the following definition. 


DEFINITION 88. A class of Boolean algebras with $\tau$-operators is canonical if it is closed 
under taking canonical embedding algebras. Accordingly, an equation $\eta$ is called 
canonical if the variety $\mathsf{BAO}_\tau(\eta)$ is canonical, that is, if $A \models \eta$ only if 
$A^\sigma \models \eta$, for all BAOs $A$. 


From the definition it is obvious that any normal modal logic is canonical if the variety 
$\mathsf{BAO}_\tau(L)$ is canonical, but what about the converse implication? Here we need to be 
a bit more precise about the definition of the canonical frame; in particular, about the 
size of the set of variables. For, observe that the notion of maximality of an $L$-consistent 
set of formulas depends on the surrounding set of formulas, and hence, on the set $X$ of 
variables. Thus the shape of the canonical frame $C_L$ depends on the size of the set $X$ of 
variables; in order to make this dependence explicit, we will write $C_L(X)$ for the 
canonical frame in which the points are maximal $L$-consistent subsets of Fma(X). A similar 
convention applies to Lindenbaum-Tarski algebras. Taking this cardinal subtlety into 
account, we arrive at a sharpened definition of the logical concept of canonicity. 


DEFINITION 89. A normal modal logic $L$ is canonical if $C_L(X) \Vdash L$ for all sets $X$. A 
formula $\varphi$ is called canonical if $C_L(X) \Vdash \varphi$ for all normal modal logics $L$ 
containing $\varphi$. 


Fortunately, we can prove that the logical and the algebraic notion of canonicity 
coincide. 


THEOREM 90. For any normal modal $\tau$-logic $L$, $L$ is canonical iff $\mathsf{BAO}_\tau(L)$ is a 
canonical variety. 


Proof. Let $A$ be an arbitrary algebra in $\mathsf{BAO}_\tau(L)$, and let $X$ be a set containing a 
separate variable $x_a$ for each $a \in A$. Then $A$ is a homomorphic image of $F_L(X)$ by the 
fact that $F_L(X)$ is the free algebra for $\mathsf{BAO}_\tau(L)$ over the set $[X]_L$, see 
Theorem 22 for the case of countable $X$. Now two applications of Theorem 76 show that 
$(F_L(X))^\sigma \twoheadrightarrow A^\sigma$. But $(F_L(X))^\sigma$ belongs to $\mathsf{BAO}_\tau(L)$ by 
canonicity of $L$, and so $A^\sigma$ is in $\mathsf{BAO}_\tau(L)$ because varieties are closed under 
taking homomorphic images. □ 


It is not known whether, for the variety $\mathsf{BAO}_\tau(L)$ to be canonical, it suffices that the 
canonical frames for countable variable sets validate L. Leaving this question as an open 
problem, we turn to the logical motivation of the concept of canonicity. This lies in 
its applications in modal completeness theory, see Chapter 2 of this volume for details. 
Algebraically, these applications are connected to the following result. 


THEOREM 91. Let V be a variety of Boolean algebras with $\tau$-operators. If V is canonical, 
then V is complete. 


Proof. If V is canonical then $V \subseteq \mathsf{SCmCst}(V)$ so clearly V is generated by its 
perfect members. □ 


So where do we find canonical varieties? In general there seem to be two roads here, 
a syntactic and a model-theoretic one. The syntactic approach is the most important 
one for applications. Basically, the idea is to find out whether a logic is canonical on the 
basis of the syntactic shape of the axioms. Now in general it is undecidable whether a 
given formula $\varphi$ is canonical (see Kracht [72] for a proof). Fortunately, however, there 
are fairly large classes of canonical formulas that occur frequently in practice, and are 
easily recognized. We confine our attention here to Sahlqvist formulas; these are also 
discussed in Chapters 1, 5 and 7 of this volume. 

In the sequel it will be convenient to assume that the primitive symbols of our language 
are, besides the Boolean connectives $\top$, $\bot$, $\neg$, $\wedge$ and $\vee$, and the modalities 
$\{\nabla \mid \nabla \in \tau\}$, also the implication symbol $\to$, and the dual modalities 
$\{\Delta \mid \nabla \in \tau\}$. Also, recall that boxes are the duals of diamonds, that is, of 
unary modal operators. 


DEFINITION 92. Given a modal similarity type $\tau$, we define the following classes of 
terms/formulas. A boxed atom is a variable, possibly preceded by a string of boxes. A 
formula is positive (negative) if all of its variables are in the scope of an even (odd, 
respectively) number of negation symbols. A Sahlqvist formula is a formula of the form 
$\varphi \to \psi$, where $\varphi$ is built up from negative formulas, boxed atoms, and constants, 
using only modalities, $\wedge$ and $\vee$, while $\psi$ is a positive formula. 


The following results are some of the most celebrated general results in modal logic. 
Theorem 93 below, from Sahlqvist [98], put the crown on the work of many contemporary 
modal logicians. 


THEOREM 93 (Sahlqvist Canonicity). Every Sahlqvist formula is canonical. 


For the proof, the reader is referred to section 7. As a corollary of this theorem and the 
correspondence result for Sahlqvist formulas (see Chapter 1 of this volume), we obtain 
the following. 


COROLLARY 94. Let $L = K_\tau.\Sigma$ be a normal modal logic axiomatized by a collection 
$\Sigma$ of Sahlqvist axioms. Then $L$ is sound and complete with respect to the class of 
frames defined by the first-order correspondents of the formulas of $\Sigma$. 


REMARK 95. Although the Sahlqvist canonicity theorem takes care of most of the 
canonical formulas that one encounters in practice, it certainly does not cover the 
concept completely. For instance, Goranko & Vakarelov [49] widen the class to that of 
so-called inductive formulas, see Chapter 5 of this volume for some discussion. 
Jónsson [69] generalizes an example of Fine [25] to the result that for every positive 
formula $\varphi(x)$, the equation $\varphi(x \vee y) \approx \varphi(x) \vee \varphi(y)$ is canonical. 
And of course, there are individual examples of canonical formulas, such as the 
conjunction of the transitivity axiom 4 and the McKinsey axiom 
$\Box\Diamond x \le \Diamond\Box x$, cf. [69] for an algebraic proof. 


As we mentioned, a second way to arrive at canonical varieties of BAOs proceeds via 
a model-theoretic road. The basic idea here is that varieties are canonical if they can be 
generated in a certain way. A first and seminal result in this direction was the following. 


THEOREM 96 (Fine). If K is an elementary class of frames, then Log(K) is a canonical 
normal modal logic. 


Algebraically, Theorem 96 reads that elementary frame classes generate canonical 
varieties. This result points at an intriguing connection between elementary frame classes 
and canonical varieties. In particular, it has been an open problem for a long time whether 
the converse of Fine’s theorem would hold as well, that is, whether every canonical variety 
would be generated by some elementary frame class. Recently however, this issue has 
been settled negatively in Goldblatt, Hodkinson & Venema [46]. 


THEOREM 97. There is a canonical variety that is not generated by any elementary 
frame class. 


Proof. The example that we give here is based on a famous graph-theoretic result due 
to Erdős. Here a graph is a pair $G = (G, E)$ with $E$ an irreflexive, symmetric relation on 
$G$. A $k$-coloring of $G$ is a partition of $G$ into $k$ independent sets, i.e., sets containing 
no pair of neighboring vertices. The chromatic number $\chi(G)$ of $G$ is the smallest number 
$k$ for which it has a $k$-coloring, and $\infty$ if it has no finite coloring. A cycle in $G$ is a 
path $x_1 E x_2 E \cdots E x_n E x_1$ such that $n \ge 3$ and $x_1, \ldots, x_n$ are all distinct 
vertices; the length of this cycle is $n$. 

Now intuitively, a lack of short cycles, indicating a certain ‘looseness’ of the graph, 
should make it easy to color a graph with few colors, but Erdős [22] reveals the existence 
of a sequence of finite graphs whose $n$-th member $G_n$ has chromaticity bigger than $n$ 
while $G_n$ has no cycles of length $< n$. Fix such a sequence $\{G_n \mid n \ge 2\}$, under the 
additional assumption that $|G_n| > |G_m|$ if $n > m$. (Here $|G|$ denotes the number of 
vertices in $G$.) 

The modal similarity type $\epsilon$ of our variety EG will have two diamonds, $\Diamond$ and $E$. 
On a graph $G$, the first of these will be interpreted through the edge relation, and the 
second, through the global relation $\Upsilon_G = G \times G$. That is, $E$ is a global modality, 
cf. section 8.2. In the sequel we will blur the distinction between the structures 
$(G, E, \Upsilon_G)$ and $(G, E)$, for instance calling $(G, E, \Upsilon_G)^+$ the complex algebra 
of $G$, and denoting it, accordingly, as $G^+$. 

For the definition of EG we extend the notion of chromaticity to arbitrary algebras. 
An element $a$ of an $\epsilon$-BAO $A$ is called independent if $a \wedge \Diamond a = \bot$; write 
$\chi(A)$ for the chromatic number of $A$, that is, for the least $k$ such that there are 
independent $a_1,\ldots,a_k$ with $a_1 \vee \cdots \vee a_k = \top$ and $a_i \wedge a_j = \bot$ for 
$i \ne j$, putting $\chi(A) = \infty$ if there is no finite such $k$. Note that this definition 
generalizes the one given earlier, in the sense that for any graph $G$, 
$\chi(G) = \chi(G^+)$. 

Now let $\gamma_{n,m}$ be the first order formula in this algebraic language stating that if $A$ 
has at least $2^n$ elements, then $\chi(A) > m$, and define 


$\Psi := \{\gamma_{1,2}\} \cup \{\gamma_{|G_n|,n} \mid n \ge 2\}$, 
$\Gamma := \{x \le Ex,\ EEx \le Ex,\ E\neg E\neg x \le x,\ \Diamond x \le Ex\}$. 


Note that $\Gamma$ is the set of equations defining $E$ to be a global modality, cf. 
Definition 135 for the logical incarnation of $\Gamma$. Let C denote the class of algebras 
satisfying the formulas $\Psi \cup \Gamma$, and let EG denote the variety generated by C. It 
follows from Theorem 139 that EG = SP(C). 

We first show that EG is canonical. Note that since C is an elementary class, it suffices 
by Theorem 98 below to prove that C itself is canonical. Take an arbitrary algebra $A$ in 
C. If $A$ is finite, then $A^\sigma \cong A$ is in C by assumption. If $A$ is infinite, then 
$|A| > 2^{|G_n|}$ for all $n \ge 2$, so by $A \models \gamma_{|G_n|,n}$ we obtain that 
$\chi(A) > n$ for all $n \ge 2$. Clearly then $\chi(A) = \infty$; from this we may derive that the 
ultrafilter frame $A_\bullet$ has a reflexive point, which implies that $(A_\bullet)^+$, being the 
complex algebra of $A_\bullet$, has infinite chromaticity as well. But then we see that 
$A^\sigma \models \gamma_{m,n}$ for all $m,n$, so we certainly have $A^\sigma \models \Psi$. It is 
easily seen that the formulas $\Gamma$ are canonical, so that we have proved that $A^\sigma$ 
belongs to C. 

It is left to prove that EG is not elementarily generated. Theorem 4.12 of Goldblatt [40] 
states that any variety V of BAOs which is elementarily generated, is generated by an 
elementary frame class K such that $\mathsf{Cst}(V) \subseteq K \subseteq \mathsf{Str}(V)$. Hence, for 
our purpose it suffices to come up with a family of frames in Cst(EG) that provide an 
ultraproduct outside Str(EG), and the obvious candidates for this are the Erdős frames 
$\{G_n \mid n \ge 2\}$. It is easy to check that $G_n^+ \models \Psi$ for each $n \ge 2$, so each 
$G_n^+$ belongs to C. But then all Erdős frames belong to Cst(C), because each $G_n$, being 
finite, is isomorphic to $(G_n^+)_\bullet$. Now take a non-principal ultrafilter $D$ over the set 
$\omega \setminus \{0,1\}$. Observe that for each $k$, only finitely many of the $G_n$ have any 
cycles of length $k$; hence, by Łoś’ theorem, the ultraproduct $\prod_D G_n$ has no cycles at 
all, and hence, it is 2-colorable. 

This shows that $\prod_D G_n$ does not belong to C, since it follows from 
$C \models \gamma_{1,2}$ that every nontrivial algebra in C has chromaticity at least three. But 
fairly direct proofs show that $\chi(\prod_I A_i) \ge \chi(A_i)$ for all $i$, and that 
$\chi(A) \ge \chi(A')$ if $A \rightarrowtail A'$. This implies that $\chi(A) > 2$ for all $A$ in SP(C), 
so by the fact that SP(C) = EG it follows that $(\prod_D G_n)^+$ does not belong to EG. □ 


Nevertheless, while the converse of Fine’s theorem may fail to be true in general, in many 
interesting cases it does hold; we refer to Goldblatt, Hodkinson & Venema [46] for 
a state of the art survey. Note that it is still an open problem whether every finitely 
axiomatizable canonical variety is elementarily generated. 

Finally, recent work has put Fine’s result in a wider algebraic context. We formulate 
the following theorem for Boolean algebras with operators, but in fact, it holds in a much 
wider setting, see for instance Gehrke & Harding [28]. 


THEOREM 98. Let K be a class of Boolean algebras with $\tau$-operators which is closed 
under taking ultraproducts and canonical extensions. Then the variety generated by K is 
canonical. 


Proof. Let $A$ be in the variety generated by K; we will show $A^\sigma$ to belong to Var(K) 
as well. By Tarski’s ‘HSP’-theorem, there is a family $\{B_i \mid i \in I\} \subseteq K$, and an 
algebra $B$ such that $A \twoheadleftarrow B \rightarrowtail \prod_I B_i$. Then it follows from two 
times two applications of Theorem 76 that 
$A^\sigma \twoheadleftarrow B^\sigma \rightarrowtail (\prod_I B_i)^\sigma$, so it suffices to show that 
$(\prod_I B_i)^\sigma$ belongs to Var(K). However, we may infer from Theorem 77 and 
Theorem 76(5) that 


$(\prod_I B_i)^\sigma \cong \prod_{D \in Uf(I)} (\prod_D B_i)^\sigma$. (24) 


But by the assumptions on K, each algebra $(\prod_D B_i)^\sigma$ belongs to K, and so the 
product (24) is in $P(K) \subseteq Var(K)$, as required. □ 


From the above result we can derive Fine’s Theorem as follows. Suppose that C is a 
frame class, closed under taking ultraproducts; for instance, let C be elementary. Then 
consider the class SCm(C) of sub-complex algebras over C. This class can be shown to 
be closed under taking ultraproducts as a corollary of Proposition 78, and closed under 
taking canonical extensions as a corollary of Theorem 76 and Theorem 90 in Chapter 5 
of this volume. Application of Theorem 98 then yields the desired result. 


6.3 Interpolation 


In the last part of this section we discuss another fundamental property of logics: inter- 
polation. Interpolation is important for applications because it allows reasoning systems 
to be set up in a modular way. Since we have confined our attention to logics in the 
form of sets of theorems, the version of interpolation that we will consider here is the 
following. 


DEFINITION 99. A modal logic $L$ has the local or Craig interpolation property if for 
every two formulas $\varphi$ and $\psi$ such that $\vdash_L \varphi \to \psi$ there is an interpolant, 
that is, a formula $\chi$ with $\vdash_L \varphi \to \chi$ and $\vdash_L \chi \to \psi$ and such that 
each variable of $\chi$ occurs both in $\varphi$ and in $\psi$. 

The algebraic counterpart of interpolation involves the notion of amalgamation. 
DEFINITION 100. Let K be a class of algebras. 


A V-formation in K is a quintuple, presented as 
$B_1 \xleftarrow{e_1} B_0 \xrightarrow{e_2} B_2$, and consisting of three algebras $B_0$, $B_1$ 
and $B_2$ in K, linked by two embeddings $e_1$ and $e_2$. An amalgam of this V-formation is 
a formation $B_1 \xrightarrow{f_1} B_{12} \xleftarrow{f_2} B_2$ such that 
$f_1 \circ e_1 = f_2 \circ e_2$. Such an amalgam is a superamalgam if for all distinct $i$ and 
$j$, and all $b_i \in B_i$ and $b_j \in B_j$: $f_i(b_i) \le_{12} f_j(b_j)$ only if there is some 
$b_0 \in B_0$ with $b_i \le_i e_i(b_0)$ and $e_j(b_0) \le_j b_j$. 

K is said to have the (super)amalgamation property if every V-formation in K has a 
(super)amalgam in K. 


In words, an amalgam is a superamalgam if whenever a $B_i$-element is smaller (in $B_{12}$) 
than a $B_j$-element, then this is witnessed by a $B_0$-element. The basic result connecting 
interpolation and amalgamation is from Maksimova [83]. 


THEOREM 101. Let $L$ be a normal modal $\tau$-logic. Then $L$ has the local interpolation 
property if and only if $\mathsf{BAO}_\tau(L)$ has superamalgamation. 


Proof. Fix $L$. In the proof of this theorem we will frequently consider 
Lindenbaum-Tarski algebras for $L$ over various distinct sets of variables. Our notational 
convention will be that these sets of variables will always be called $X_0$, $X_1$, $X_2$ and 
$X_{12}$, with $X_0 = X_1 \cap X_2$ and $X_{12} = X_1 \cup X_2$; that $F_i$ denotes the 
Lindenbaum-Tarski algebra over $X_i$; that $[\varphi]_i$ denotes the equivalence class of the 
formula $\varphi$ under the $L$-equivalence relation $\equiv_i$ within the set $Fma(X_i)$; and, 
finally, if $X_i \subseteq X_j$, that $\iota_{i,j}$ denotes the map given by 
$[\varphi]_i \mapsto [\varphi]_j$. We leave it for the reader to verify that $\iota_{i,j}$ is an 
embedding of $F_i$ into $F_j$. 

It is not hard to prove that $L$ has local interpolation iff for all sets $X_1$ and $X_2$ of 
variables, the formation $F_1 \xrightarrow{\iota_{1,12}} F_{12} \xleftarrow{\iota_{2,12}} F_2$ is a 
superamalgam of the V-formation 
$F_1 \xleftarrow{\iota_{0,1}} F_0 \xrightarrow{\iota_{0,2}} F_2$. This observation already takes 
care of the direction from right to left of the theorem. 

For the other direction we have to work harder. Consider a V-formation 
$B_1 \xleftarrow{e_1} B_0 \xrightarrow{e_2} B_2$ in $\mathsf{BAO}_\tau(L)$. Without loss of generality 
we may assume that $B_0 = B_1 \cap B_2$. Wanting to use local interpolation of $L$ to find a 
superamalgam of this V-formation, we translate the V-formation into syntax. 

With $X_i := \{x_b \mid b \in B_i\}$ for each $i \in \{0,1,2\}$, let $\phi_i : F_i \to B_i$ be the 
unique homomorphism determined by the map $[x_b]_i \mapsto b$, cf. the picture. Clearly 
each $\phi_i$ is surjective, whence by universal algebra, each $B_i$ is isomorphic to the 
algebra $F_i/\ker(\phi_i)$. Let $M_i$ be the modal filter of $F_i$ associated with the 
congruence $\ker(\phi_i)$ (as in Theorem 29), and let $M$ be the modal filter of $F_{12}$ 
generated by the union of $M_1$ and $M_2$, or, to be more precise, by the set 
$\iota_{1,12}[M_1] \cup \iota_{2,12}[M_2]$. We claim that the algebra $F_{12}/\equiv_M$ is the 
required superamalgam, with $\equiv_M$ the congruence associated with $M$, again, as in 
Theorem 29. 

[Picture: diagram of the algebras $F_i$, $F_{12}$, $F_{12}/\equiv_M$ and $B_i$ with the maps 
$\iota_{i,j}$, $e_i$ and $\phi_i$.] 


Proving this, the crucial observation is that $[\varphi]_{12}$ belongs to $M$ iff there are 
formulas $\varphi_1 \in Fma(X_1)$ and $\varphi_2 \in Fma(X_2)$ such that 
$\vdash_L (\varphi_1 \wedge \varphi_2) \to \varphi$, and $[\varphi_i]_i \in M_i$ for $i = 1,2$. From 
this, using local interpolation, it may be derived that for formulas $\psi_1 \in Fma(X_1)$ 
and $\psi_2 \in Fma(X_2)$, we have $[\psi_1 \to \psi_2]_{12} \in M$ iff there is a 
$\chi \in Fma(X_0)$ such that $[\psi_1 \to \chi]_1 \in M_1$ and $[\chi \to \psi_2]_2 \in M_2$. And 
from this the desired properties of $F_{12}/\equiv_M$ follow almost immediately. □ 


This theorem can be applied to obtain a fairly general interpolation result for canonical 
modal logics that define nice frame classes. We need the following definition. 


DEFINITION 102. Let $S_1$ and $S_2$ be two $\tau$-frames. The direct product $S_1 \times S_2$ of 
these frames is the frame based on the Cartesian product $S_1 \times S_2$, with the relations 
defined coordinate-wise (for instance, in the case of a binary relation $R$, we put 
$R(s_1, s_2)(t_1, t_2)$ if $R_1 s_1 t_1$ and $R_2 s_2 t_2$). A subframe $Z$ of $S_1 \times S_2$ is 
called a zigzag product of $S_1$ and $S_2$ if $Z$ is a hereditary subset of the product frame 
on which the projection maps are surjective. 


Clearly then zigzag products are substructures of direct products. A different 
perspective is that zigzag products of $S_1$ and $S_2$ are given by those bisimulations $Z$ 
between $S_1$ and $S_2$ that are full, i.e., have domain $S_1$ and range $S_2$. 

As an example of a zigzag product, consider two surjective bounded morphisms 
$\theta_1, \theta_2$ with $\theta_i : S_i \twoheadrightarrow S_0$. Then the frame 
$E(\theta_1, \theta_2)$ based on the set 
$\{(s_1, s_2) \in S_1 \times S_2 \mid \theta_1(s_1) = \theta_2(s_2)\}$ is a zigzag product of $S_1$ 
and $S_2$. We call this the zigzag product induced by $\theta_1$ and $\theta_2$. 
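
The induced zigzag product just described can be checked mechanically on small finite frames. The following Python sketch is an added example, not part of the handbook text; it assumes a similarity type with a single binary relation, and the function names and the three sample frames are constructed for illustration. It builds the frame on the pairs on which the two bounded morphisms agree and verifies the "full bisimulation" characterization given above.

```python
"""Zigzag product induced by two bounded morphisms (one binary relation)."""


def is_bounded_morphism(f, R_src, R_tgt):
    """f is a dict mapping every source point to a target point.

    forth: R_src s t   implies  R_tgt f(s) f(t)
    back:  R_tgt f(s) u implies some t with R_src s t and f(t) = u
    """
    forth = all((f[s], f[t]) in R_tgt for (s, t) in R_src)
    back = all(
        any((s, t) in R_src and f[t] == u for t in f)
        for s in f
        for (v, u) in R_tgt
        if v == f[s]
    )
    return forth and back


def induced_zigzag_product(theta1, theta2, R1, R2):
    """Return (points, relation) of the frame on {(s1, s2) | theta1(s1) = theta2(s2)}.

    The relation is the coordinate-wise one of the direct product,
    restricted to the selected pairs.
    """
    points = {(s1, s2) for s1 in theta1 for s2 in theta2
              if theta1[s1] == theta2[s2]}
    relation = {(p, q) for p in points for q in points
                if (p[0], q[0]) in R1 and (p[1], q[1]) in R2}
    return points, relation


def is_full_bisimulation(Z, S1, R1, S2, R2):
    """Check that Z, a set of pairs, is a bisimulation with domain S1 and range S2."""
    full = {s1 for s1, _ in Z} == set(S1) and {s2 for _, s2 in Z} == set(S2)
    forth = all(
        any((s2, t2) in R2 and (t1, t2) in Z for t2 in S2)
        for (s1, s2) in Z for (u, t1) in R1 if u == s1
    )
    back = all(
        any((s1, t1) in R1 and (t1, t2) in Z for t1 in S1)
        for (s1, s2) in Z for (u, t2) in R2 if u == s2
    )
    return full and forth and back


# Constructed sample frames (not from the text).
# S0: a root 'r' seeing a reflexive leaf 'l'.
R0 = {("r", "l"), ("l", "l")}
# S1: a root 0 with two reflexive successors 1 and 2.
S1, R1 = {0, 1, 2}, {(0, 1), (0, 2), (1, 1), (2, 2)}
THETA1 = {0: "r", 1: "l", 2: "l"}
# S2: a copy of S0 under other names.
S2, R2 = {"x", "y"}, {("x", "y"), ("y", "y")}
THETA2 = {"x": "r", "y": "l"}

Z, RZ = induced_zigzag_product(THETA1, THETA2, R1, R2)
# The two projections, as maps defined on the points of the zigzag product.
PI1 = {p: p[0] for p in Z}
PI2 = {p: p[1] for p in Z}

if __name__ == "__main__":
    print(sorted(Z, key=str))
    print(is_full_bisimulation(Z, S1, R1, S2, R2))
```

On these frames the product keeps three of the six pairs of the direct product, and both projections are again surjective bounded morphisms.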

The following theorem, which is a generalization from Marx [84] of a result by 
Németi [87], is useful for proving that a canonical logic has interpolation. 


THEOREM 103. Let K be a class of Boolean algebras with $\tau$-operators, and C a class of 
$\tau$-frames such that $\mathsf{Cst}(K) \subseteq C$, $\mathsf{Cm}(C) \subseteq K$, and C is closed under 
taking zigzag products. Then K has the superamalgamation property. 


Proof. Suppose that K and C have the listed properties, and consider a V-formation 


= Ar BY. (25) 
It follows from Theorem 76(3) that B. “3 As 2 l. Now let E be the zigzag product of 
/ 


e and Bi induced by the bounded morphisms a, and a$. Note that E belongs to C by 
the listed closure properties. Letting m and 7’ be the (surjective!) bounded morphisms 


from E onto B. and B}, respectively, we see that Be LES B.. It then follows from 


Theorem 76(2) and Theorem 54 that 


= at gir ~ 


B >> B7 >> Et Bl (26) 


We claim that in fact, (26) is a superamalgam of (25), but leave further proof details for 
the reader. □ 


As a corollary of this theorem, suppose that $\Gamma$ is a set of canonical formulas defining 
an elementary frame class that is closed under taking direct products and substructures 
(for instance, $\Gamma$ corresponds to a set of universal Horn sentences). Then 
$K_\tau.\Gamma$ has Craig interpolation. 

Chapter 8 of this volume contains more information on interpolation. Related proper- 
ties, such as Beth definability, also have algebraic characterizations; for details we refer 
to Hoogland [59]. 


7 CASE STUDY: CANONICAL EQUATIONS 


7.1 Introduction 


In this section we address the question, which equations are canonical, that is, remain 
valid when we move from a BAO $A$ to its canonical embedding algebra $A^\sigma$. In other 
words, we are interested in properties that move to certain superalgebras. 

Earlier on we defined $A^\sigma$ via a concrete construction, namely, as the ‘double dual’ 
$(A_\bullet)^+$: the complex algebra of the ultrafilter frame of $A$. In this section we will 
take a rather more abstract approach in which we first consider the canonical extension 
$B^\sigma$ of the Boolean reduct $B$ of $A$; this $B^\sigma$ is not constructed but axiomatically 
characterized as the (modulo isomorphism) unique completion of $B$ in which $B$ is dense 
and compact. Then the property of density suggests a canonical way to extend the 
interpretation of the operators on $B$ to operations on $B^\sigma$, thus providing the canonical 
extension $A^\sigma$ of $A$. 

This algebraic method originates with the original BAO paper Jónsson and Tarski [70], 
but it differs from the duality-based approach of for instance Sambin & Vaccaro [100] 
that modal logicians usually take. In order to compare the two approaches, consider the 
following picture, introducing the four main characters of this story: 


A | A, 


ae (27) 


In the duality-based approach, one compares the frame (frame-based) structures on the 
right hand side of the picture, cf. the discussion on the notion of persistence in Chapter 5 
of this volume, while the algebraic method stays purely on the left hand side, basically by 
encoding the relevant topological concepts into the algebraic framework. An advantage 
of the duality-based method is that it allows a treatment of canonicity in tandem with 
correspondence; on the other hand, the more abstract and ‘duality-free’ nature of the 
other approach enables its transportation to a much wider setting than that of canonical 
extensions of Boolean algebras with operators. In recent years, the algebraic approach 
has proven its use for lattices expanded with arbitrary operations, and has been applied 
to other kinds of completions than the perfect extension of Jónsson and Tarski. 

Our exposition of this algebraic approach in the sections 7.2 to 7.5 is based on work 
by Jónsson [69], Gehrke & Jónsson [30, 31, 32] and Gehrke & Harding [28], while the 
very similar approach by Ghilardi & Meloni [34] should also be mentioned here. In our 
presentation we try to be as general as possible while keeping the section self-contained, 
and staying within the framework of Boolean algebras. Almost all our formulations apply 
to lattice-ordered algebras as well, however; we will come back to this issue towards the 
end of the section when we discuss further generalizations of the theory presented here. 

For an outline, recall that the validity of equations can be formulated using term 
functions: 


$A \models s \approx t$ iff $s^{A} = t^{A}$. (28) 

Hence, for the canonical extension of $A$, we find that 


$A^\sigma \models s \approx t$ iff $s^{A^\sigma} = t^{A^\sigma}$. (29) 


Now suppose that we have developed a canonical way to extend an $n$-ary map 
$f : A^n \to A$ to an $n$-ary map $f^\sigma : (A^\sigma)^n \to A^\sigma$; it then immediately follows 
from (28) that 


$A \models s \approx t$ only if $(s^{A})^\sigma = (t^{A})^\sigma$. (30) 


Hence, in case $s$ and $t$ are stable on $A$, that is, if $(s^{A})^\sigma = s^{A^\sigma}$ and 
$(t^{A})^\sigma = t^{A^\sigma}$, then we may infer from $A \models s \approx t$ that 
$A^\sigma \models s \approx t$. This motivates a careful analysis of the relation between the 
functions $s^{A^\sigma}$ (the term function of $s$ in $A^\sigma$) and $(s^{A})^\sigma$ (the extension to 
$A^\sigma$ of the term function $s^{A}$). This analysis crucially involves the question, which 
$f$ and $g$ satisfy $(f \circ g)^\sigma = f^\sigma \circ g^\sigma$. We will see that such cases of 
$(\cdot)^\sigma$ distributing over function composition admit a satisfactory explanation in 
terms of ‘matching continuity properties’ of the maps $f^\sigma$ and $g^\sigma$. For this purpose 
we will endow canonical extensions of Boolean algebras with topological structure. 


7.2 Canonical extensions of Boolean algebras 


In this section we define the canonical extension of a Boolean algebra B as the unique 
completion of B in which B is dense and compact. We introduce these notions one by 
one. 

A Boolean algebra C is a completion of a Boolean algebra B if C is complete and B is 
a subalgebra of C. If C agrees with B on all meets and joins, then we call C a regular 
completion of B, but in general we do not require completions to be regular. Thus the 
notation $\vee$ for finite joins is unambiguous, but not so for infinite joins. Our 
convention will be that $\bigvee X$ always denotes $\bigvee^{C} X$, that is, the join taken in 
the completion. 

For an example of a completion, consider a field of sets $S = (S, A)$ and note that the 
power set algebra $PS$ is a completion of $S^*$. 

Before we define the concept of density, we introduce some preliminary notions. Given 
a completion $C$ of the Boolean algebra $B$, we call an element $c \in C$ closed (open) if $c$ 
is the meet (join, respectively) in $C$ of elements in $B$. We let $K_C(B)$ and $O_C(B)$ denote 
the collections of closed and open elements, respectively. Objects (such as the elements 
of $B$) that are both closed and open are called clopen. This terminology is in accordance 
with the topological perspective on fields of sets as in Remark 60. In the sequel, we may 
write $K_C$, $K(B)$, or even $K$, instead of $K_C(B)$, if the suppressed details are clear from 
context; and similarly for the set $O_C(B)$. 

We say that $B$ is meet-dense in $C$ if $K_C(B) = C$, join-dense if $O_C(B) = C$, and dense 
if $K_C(O_C(B)) = O_C(K_C(B)) = C$. In words, $B$ is dense in $C$ if every element of $C$ is 
both a meet of open elements, and a join of closed elements. As a simple example of 
join-density, note that a Boolean algebra is atomic iff the collection of atoms forms a 
join-dense set. Building on this, we leave it as an exercise for the reader to verify that a 
field of sets $S = (S, A)$ is differentiated iff $S^*$ is dense in $PS$. 

Now we turn to the notion of compactness. Given a completion $C$ of the Boolean 
algebra $B$, we say that $B$ is compact in $C$ if for all sets $X$ and $Y$ of closed and open 
elements, respectively, $\bigwedge X \le \bigvee Y$ implies the existence of finite subsets 
$X_0 \subseteq X$, $Y_0 \subseteq Y$ such that $\bigwedge X_0 \le \bigvee Y_0$. An alternative (but 
equivalent) characterization of compactness is that, for any closed $p$ and open $u$, 


$p \le u$ only if $p \le b \le u$ for some $b \in B$, 


as can easily be verified. Also note that, again, our definition of compactness coincides 
with standard topological terminology; this easily follows from the observation that for 
any pair $\mathcal{C}$, $\mathcal{U}$ of collections of subsets of a set $S$, we have 
$\bigcap \mathcal{C} \subseteq \bigcup \mathcal{U}$ iff 
$S \subseteq \bigcup \mathcal{U} \cup \bigcup \{\sim_S c \mid c \in \mathcal{C}\}$. 

We are now ready to define canonical extensions. 


DEFINITION 104. A completion C of the Boolean algebra B is called a canonical ex- 
tension of B if B is both compact and dense in C. 


It is in fact a rather strong property for one Boolean algebra to be the canonical exten- 
sion of another. To start with, every Boolean algebra has a unique canonical extension. 


THEOREM 105. Let B be some Boolean algebra. Then 


1. (existence) B has a canonical extension; 


2. (unicity) Any two canonical extensions of B are isomorphic via a unique isomor- 
phism that restricts to the identity on B. 


Proof. Recall from the topological duality that B, = (Uf , B) is a differentiated and 
compact field of sets. By the comments made above it should be clear that P(UfB) is a 
canonical extension of B. 

For unicity, suppose that $C$ is a canonical extension of $B$. We leave it as an exercise 
for the reader to verify that, by compactness, the map $F \mapsto \bigwedge F$ forms a dual 
(that is, order-reversing) isomorphism between the lattice $(Fi(B), \subseteq)$ and the induced 
ordering on the set $K(B)$ of closed elements. Its inverse is given by the map 
$p \mapsto \{a \in B \mid a \ge p\}$. Similarly, there is a dual isomorphism between the lattice 
of ideals of $B$, and the induced ordering of the open elements. Also, we have for $p$ 
closed and $u$ open, that $p \le u$ iff there is an $a \in B$ with $p \le a \le u$, and that 
$u \le p$ iff $a \le b$ for all $a$ and $b$ in $B$ with $a \le u$ and $p \le b$. In other words, by 
compactness the induced poset on the set $K \cup O$ of closed or open elements is 
completely determined by the ordering of $B$. This suffices to prove the theorem, since 
by density, the elements of $C$ can be identified with the pairs $(L, U)$ of subsets of $C$ 
such that $L$ is the collection of closed lower bounds of $U$, and $U$ is the collection of 
open upper bounds of $L$. Summarizing, we see that together, compactness and density 
completely fix the order relation of the canonical extension. □ 


The above theorem justifies our speaking of ‘the’ canonical extension of a Boolean
algebra B; this algebra will be denoted as $B^\sigma$. Furthermore, we need the following facts.


PROPOSITION 106. Let C be a canonical extension of the Boolean algebra B. Then 


1. $B = K(B) \cap O(B)$; that is, B coincides with the set of clopen elements of C;


2. the set K(B) forms a sublattice of C which is closed under taking infinitary meets;


3. C is atomic and $At\,C \subseteq K(B)$; that is, all atoms are closed.


We leave the proof of this proposition to the reader; note that by Theorem 105, it 
suffices to restrict attention to the double dual P(UfB) of B. For instance, part (3) 
follows almost immediately from the identification of atoms of P(UfB) with ultrafilters 
of 


As a last introductory remark, we note that canonical extensions interact well with
finite products and order duals. Concerning the latter notion, recall that the order dual
of a Boolean algebra $B = (B, \top, \bot, -, \wedge, \vee)$ is the structure $B^\partial = (B, \bot, \top, -, \vee, \wedge)$.
The fact that $B^\partial$ is a Boolean algebra as well enables us to shorten quite a lot of
definitions and proofs by referring to the principle of order duality: Every fact concerning
Boolean algebras remains valid after swapping $\top$ with $\bot$, $\wedge$ with $\vee$, etc.


PROPOSITION 107. Let $B_1, \ldots, B_n$ be Boolean algebras. Then


1. $(B_1 \times \cdots \times B_n)^\sigma = B_1^\sigma \times \cdots \times B_n^\sigma$;


2. $(B^\partial)^\sigma \cong (B^\sigma)^\partial$.


Proof. Both statements can be proved on the basis of Theorem 76. As intermediate
steps, one can prove facts like $K(B_1 \times \cdots \times B_n) = K(B_1) \times \cdots \times K(B_n)$ and
$K(B^\partial) = O(B)$. □


7.3 Extending maps to the canonical extension 


In the introduction to this section we saw that in order to investigate the canonicity of
an equation $s \approx t$, it is useful to define extensions of the term functions on a BAO to
maps on the canonical extension of the BAO. But in fact, there are canonical ways to
extend an arbitrary map between two Boolean algebras A and B, to a map between $A^\sigma$
and $B^\sigma$. This general definition will be discussed at the end of this section; for the
time being we will confine ourselves to extensions of monotone maps.

The easiest way to understand these definitions is to break them down in two steps.
For a start, the definition of closed and open elements suggests the following extension
of $f : A \to B$ to a map $f$ defined on $K(A) \cup O(A)$:

$$\begin{aligned}
f(p) &:= \bigwedge \{ f(a) \mid p \leq a \in A \} && \text{for } p \in K(A), \\
f(u) &:= \bigvee \{ f(a) \mid u \geq a \in A \} && \text{for } u \in O(A).
\end{aligned} \tag{31}$$

Note that this is a correct definition because $K \cap O = A$ by Proposition 106(1), that
the extended map agrees with $f$ on $A$ by monotonicity of $f$, and that the extended map
itself is also order preserving.
Now for the second step of the construction. The fact that every element is both the
join of the closed elements below it, and the meet of the opens above it, suggests two
ways to proceed:

$$\begin{aligned}
f^\sigma(x) &:= \bigvee \{ f(p) \mid x \geq p \in K(A) \}, \\
f^\pi(x) &:= \bigwedge \{ f(u) \mid x \leq u \in O(A) \}.
\end{aligned} \tag{32}$$

The maps $f^\sigma$ and $f^\pi$ are called the lower and upper extension of f, respectively.


Let us first gather some basic facts concerning these definitions. The following propo- 
sition says that the names ‘lower’, ‘upper’, and ‘extension’ are well chosen. 


PROPOSITION 108. Let $f : A \to B$ be a monotone map between Boolean algebras. Then


1. both $f^\sigma$ and $f^\pi$ extend f;


2. $f^\sigma \leq f^\pi$, with equality holding on the closed and on the open elements.


Proof. The first statement is immediate by the definitions and the monotonicity of f.
For the second statement, take, for $x \in A^\sigma$, a closed $p \leq x$ and an open $u \geq x$. By
compactness there is an $a \in [p,u] \cap A$. This element satisfies $f(p) \leq f(a) \leq f(u)$ by
definition of f; hence $f^\sigma(x) \leq f^\pi(x)$ by definition of $f^\sigma$ and $f^\pi$. Finally, for closed p
we may derive from the first part of the proposition that $f^\pi(p) \leq f(p)$, and from the
monotonicity of f that $f(p) = f^\sigma(p)$. Thus we obtain the desired equality $f^\sigma = f^\pi$ on
K. The result for opens follows by order duality. □


Maps for which the lower and upper extension coincide are obviously of interest. 


DEFINITION 109. A monotone map f between Boolean algebras is called smooth if
$f^\sigma = f^\pi$.


EXAMPLE 110. As a first example of a smooth operation, consider the global modality g
on a Boolean algebra B, given by $g(\bot) = \bot$ while $g(b) = \top$ for $b > \bot$, see Definition 131.
It is easy to see that g satisfies these conditions as well, whence it is equally easy to
infer that both $g^\sigma$ and $g^\pi$ coincide with the global modality of $B^\sigma$; smoothness is then
immediate. Similarly, one can prove that the meet and join operations of B are smooth,
and that their extensions coincide with the meet and the join of $B^\sigma$, respectively.

For an operation that is not smooth, consider the composition of the global modality
with the meet operation, i.e., the map $f : B^2 \to B$ given by $f(a,b) = \bot$ if $a \wedge b = \bot$,
while $f(a,b) = \top$ otherwise. Now if B is infinite, then $B^\sigma$ must contain some element c
which is closed but not open; a straightforward verification shows that for such a c, we
have that $f^\sigma(c,-c) = \bot$, while $f^\pi(c,-c) = \top$. This shows that not even operators are
smooth.


While it may not be the case that the lower and the upper extension agree in all cases, 
both kinds of extensions generally display good behavior; often they even improve on 
the original map. For the definitions of the notions mentioned in the theorem below, see 
Definition 15 and 40. 


PROPOSITION 111. Let $f : A \to B$ be a map between Boolean algebras. Then


1. if f is monotone then so is $f^\sigma$;


2. if f is an operator then $f^\sigma$ is a complete operator;


3. if f is additive or multiplicative then f is smooth.


Proof. The proof of the first statement is easy and hence omitted, while we postpone
the proof of the last statement (it is in fact a rather straightforward consequence of
the Propositions 116 and 117). For the remaining part, we need to show that if f is
normal and additive in each coordinate, then $f^\sigma$ is normal and completely additive in
each coordinate. Leaving the easy proof for normality as an exercise for the reader,
concerning additivity, we will prove that if $f : A_0 \times A_1 \to B$ is additive in its first
coordinate and monotone in its second, then $f^\sigma$ preserves all non-empty joins in its first
coordinate.

Fix elements $x_0 \in A_0^\sigma$ and $x_1 \in A_1^\sigma$. By atomicity, and monotonicity of $f^\sigma$, it
suffices to prove, for an arbitrary atom p of $B^\sigma$:

$$p \leq f^\sigma(x_0, x_1) \text{ only if there is a } q \in At_0 \text{ with } p \leq f^\sigma(q, x_1), \tag{33}$$

where $At_0$ denotes the set of atoms in $A_0^\sigma$ below $x_0$. Note that since
$f^\sigma(x_0, x_1) = \bigvee \{ f^\sigma(c_0, c_1) \mid x_i \geq c_i \in K(A_i) \}$ we may safely assume that both $x_0$ and $x_1$ are closed.

Now suppose for contradiction that (33) fails. Then for some atom p of $B^\sigma$ we have
$p \leq f^\sigma(x_0, x_1)$ while for each $q \in At_0$ there are, by definition of $f^\sigma$, elements $a_{q,0} \in A_0$
above q and $a_{q,1} \in A_1$ above $x_1$, such that $p \not\leq f^\sigma(a_{q,0}, a_{q,1})$. It follows that
$x_0 = \bigvee At_0 \leq \bigvee \{ a_{q,0} \mid q \in At_0 \}$, whence by compactness $x_0 \leq \bigvee \{ a_{q,0} \mid q \in F \}$ for some finite
set $F \subseteq At_0$.

Now observe that the join $a_0 = \bigvee \{ a_{q,0} \mid q \in F \}$ is in $A_0$, and the meet
$a_1 = \bigwedge \{ a_{q,1} \mid q \in F \}$ is in $A_1$. Clearly $p \not\leq f^\sigma(a_{q,0}, a_1)$ for each $q \in F$; since p is an atom this means
$p \not\leq \bigvee \{ f^\sigma(a_{q,0}, a_1) \mid q \in F \} = f(a_0, a_1)$, where in the last identity we use the additivity
of f in its first coordinate.

On the other hand, from $x_0 \leq a_0$ and $x_1 \leq a_1$ it follows that $f^\sigma(x_0, x_1) \leq f(a_0, a_1)$
which gives the desired contradiction. □


In the proof above we already used the fact that complete additivity of $f^\sigma$ means that
it is completely determined by its values on the atoms of $B^\sigma$. Now recall that (in the
concrete representation of) $B^\sigma$, the atoms are nothing but the ultrafilters of B. From this
the following proposition is immediate.


PROPOSITION 112. Let A be some Boolean algebra with $\tau$-operators with underlying
Boolean algebra B. Then $A^\sigma := (A_\bullet)^+$ is isomorphic to the algebra $B^\sigma$ expanded with the
family $\{ (\nabla^A)^\sigma \mid \nabla \in \tau \}$ of complete operators.


This proposition, which can be summarized as ‘$\nabla^{A^\sigma} = (\nabla^A)^\sigma$’, will be used throughout
the sequel, but always implicitly.


7.4 Composite maps 


We now investigate the interaction between composing maps between Boolean algebras
and taking their canonical extensions. That is, we will take a look at the relation between
the maps $(gf)^\sigma$ and $g^\sigma f^\sigma$ for maps $f : A \to A'$, and $g : A' \to A''$. We are obviously eager
to find cases in which we have $(gf)^\sigma = g^\sigma f^\sigma$, but also conditions under which one of the
inequalities ($\leq$ or $\geq$) apply will turn out to be of interest. As we will see shortly, many
of these conditions can naturally be described in topological terms.

For this purpose, we will introduce no less than six topologies on each set $A^\sigma$.
Fortunately, these topologies can be neatly organized in two families, each consisting of an
upper, a lower and a join topology. As a terminological convention, let us call a map
between the algebras $A^\sigma$ and $B^\sigma$ $(\rho, \rho')$-continuous, if it is a continuous function between
the topological spaces $(A^\sigma, \rho)$ and $(B^\sigma, \rho')$.

The first family is that of the Scott topologies. Although these can already be defined 
on arbitrary partial orders, here we will only consider topologies on canonical extensions 
of BAOs. Recall that a subset D of a partial order is called up-directed, if every pair of 
elements of D has an upper bound in D. 


DEFINITION 113. Given a Boolean algebra B, call a subset U of $B^\sigma$ Scott open if U is
an up-set such that $U \cap D \neq \emptyset$ for every up-directed set D with $\bigvee D \in U$. The Scott
topology is defined as the collection $\gamma^\uparrow$ of Scott open sets; the topology $\gamma^\downarrow$ is given by
the principle of order duality, and we define $\gamma := \{ U \cap V \mid U \in \gamma^\uparrow, V \in \gamma^\downarrow \}$ as the join
of $\gamma^\uparrow$ and $\gamma^\downarrow$ in the lattice of topologies over B.


In practice it is sometimes easier to work with the closed sets in the Scott topology;
these are precisely the down-sets of C that are closed under taking up-directed unions.
From this observation one easily derives the (well-known) fact that a map between partial
orders is Scott continuous (that is, $(\gamma^\uparrow, \gamma^\uparrow)$-continuous) iff it preserves up-directed joins.
But this implies that a map is completely additive iff it is both additive and Scott
continuous, which may help to explain the relevance of the Scott topologies for our
purposes.

We now turn to the second family of topologies. Recall from Example 27 that for an
arbitrary element b of a Boolean algebra B, the sets $b{\uparrow}$ and $b{\downarrow}$ are defined as
$b{\uparrow} = \{ a \in B \mid b \leq a \}$ and $b{\downarrow} = \{ a \in B \mid a \leq b \}$.

PROPOSITION 114. For any Boolean algebra B, the sets $\sigma^\uparrow := \{ p{\uparrow} \mid p \in K \}$ and
$\sigma^\downarrow := \{ u{\downarrow} \mid u \in O \}$ both form a topology on $A^\sigma$; and so does the set
$\sigma := \{ p{\uparrow} \cap u{\downarrow} \mid K \ni p \leq u \in O \}$, which is in fact identical to the join $\sigma^\uparrow \vee \sigma^\downarrow$ in the
lattice of topologies on $A^\sigma$.

In the sequel, we will write $[p, u]$ for the interval between p and u, that is,
$[p, u] = p{\uparrow} \cap u{\downarrow}$.


Proof. The fact that $\sigma^\uparrow$ is a topology follows from the fact that the set K(A) is closed
under finitary joins and arbitrary meets of $A^\sigma$, see Proposition 106(2). □


REMARK 115. As suggested by notation, the topology $\sigma$ is closely connected to the
kind of inclusion of B in $B^\sigma$. Let us just mention a couple of salient facts here. First, it
is easy to see that the set $\{ [a,b] \mid a,b \in B \}$ is a basis for $\sigma$. This reveals that the set
B is topologically dense in $\sigma$, in the sense that every $\sigma$-open set contains an element of
B. But also, B constitutes the collection of isolated points of $\sigma$; recall that a point x
is isolated in a topology if the singleton {x} is open. It is the latter two properties that
make it possible to extend arbitrary maps between Boolean algebras to their extensions;
we will come back to this at the end of this section.


The following proposition, which links the two topological families, will be crucial 
when it comes to finding the ‘matching continuities’ mentioned in the introduction. 


PROPOSITION 116. Let A be a Boolean algebra. Then $\gamma^\uparrow \subseteq \sigma^\uparrow$, $\gamma^\downarrow \subseteq \sigma^\downarrow$ and $\gamma \subseteq \sigma$.


Proof. Confining ourselves to the first claim, it suffices to prove that
$U = \bigcup \{ p{\uparrow} \mid p \in U \cap K \}$ for an arbitrary Scott open set $U \subseteq A^\sigma$. The crucial observation here is that
every $u \in U$ is the up-directed join of the closed elements below it. Further proof details
are left to the reader. □


The following proposition is a first sign that these topologies can be useful. 


PROPOSITION 117. Let $f : A \to B$ be a monotone map between the Boolean algebras
A and B. Then


1. $f^\sigma$ is the largest monotone $(\sigma, \gamma^\uparrow)$-continuous extension of f;


2. f is smooth iff $f^\sigma$ is $(\sigma, \gamma)$-continuous;


3. if f is an operator then $f^\sigma$ is $(\gamma^\uparrow, \gamma^\uparrow)$-continuous;


4. if f is additive then $f^\sigma$ is $(\sigma^\downarrow, \sigma^\downarrow)$-continuous;


5. if f is multiplicative then $f^\sigma$ is $(\sigma^\uparrow, \sigma^\uparrow)$-continuous.


Proof. Concerning the first part of the proposition, we already know from Proposition 108
that $f^\sigma$ is an extension of f. Now for $x \in A^\sigma$ take an arbitrary Scott open set
$V \subseteq B^\sigma$ with $f^\sigma(x) \in V$. That is, $\bigvee \{ f^\sigma(p) \mid x \geq p \in K(A) \} \in V$. Now it is easy to see
that the collection $Q := \{ f^\sigma(p) \mid x \geq p \in K(A) \}$ is up-directed, so $Q \cap V \neq \emptyset$. In other
words, there is a closed $p \leq x$ with $f^\sigma(p) \in V$. But then by monotonicity of $f^\sigma$ we have
that $f^\sigma[p{\uparrow}] \subseteq V$. Since $x \in p{\uparrow} \in \sigma$ this suffices to prove that $f^\sigma$ is $(\sigma, \gamma^\uparrow)$-continuous,
while by Proposition 111 it is monotone.

In order to show that $f^\sigma$ is the largest such map, take a monotone $(\sigma, \gamma^\uparrow)$-continuous
extension $g : A^\sigma \to B^\sigma$ of f, and suppose for contradiction that $g(x) \not\leq f^\sigma(x)$ for some
$x \in A^\sigma$. By atomicity of $B^\sigma$ there must be an atom p of $B^\sigma$ which lies below g(x), but not
below $f^\sigma(x)$. Because $g(x) \in p{\uparrow} \in \gamma^\uparrow$, the continuity of g provides us with a $c \in K$ such
that $c \leq x$ and $g[c{\uparrow}] \subseteq p{\uparrow}$. In other words, we find that $p \leq g(c)$ whence by monotonicity
it follows that $p \leq g(a)$ for all $a \in A$ above c. But then by the fact that g extends f, and
the definition of $f^\sigma$, we may infer that $p \leq f^\sigma(c)$. From this we obtain, as the required
contradiction, that $p \leq f^\sigma(x)$.

For part (2), it follows from part (1) by order duality that $f^\pi$ is the smallest monotone
$(\sigma, \gamma^\downarrow)$-continuous extension of f. Hence if f is smooth, then $f^\sigma = f^\pi$ is both $(\sigma, \gamma^\uparrow)$- and
$(\sigma, \gamma^\downarrow)$-continuous, and hence, $(\sigma, \gamma)$-continuous. Conversely, if $f^\sigma$ is $(\sigma, \gamma)$-continuous,
then it is, a fortiori, $(\sigma, \gamma^\downarrow)$-continuous. This implies, again by the order dual of part (1),
that $f^\pi \leq f^\sigma$; but then we have equality because of Proposition 108(2).

Concerning part (3), if $f : A^n \to A$ is an operator then by Proposition 111(2),
$f^\sigma : (A^\sigma)^n \to A^\sigma$ is additive in each coordinate. From this it is straightforward to derive that
$f^\sigma$ preserves up-directed joins.

For part (4), suppose that $f : A \to B$ is additive, and take an arbitrary $\sigma^\downarrow$-open subset
$u{\downarrow}$ of $B^\sigma$, that is, $u \in O(B)$. It follows by Proposition 111(2) that $f^\sigma$ preserves all
non-empty joins. From this one may derive that the set $(f^\sigma)^{-1}[u{\downarrow}]$ is either empty, in
which case it certainly belongs to $\sigma^\downarrow$, or else it is of the form $v{\downarrow}$, where $v = \bigvee (f^\sigma)^{-1}[u{\downarrow}]$
satisfies $f^\sigma(v) \leq u$. In order to show that $v{\downarrow}$ is open in $\sigma^\downarrow$, it suffices to prove that v is
an open element of $A^\sigma$.

Consider an arbitrary closed element $p \leq v$; then $\bigwedge f[p{\uparrow} \cap A] = f^\sigma(p) \leq f^\sigma(v) \leq u$.
Hence by compactness there is a finite set $F \subseteq p{\uparrow} \cap A$ such that $\bigwedge f[F] \leq u$. Putting
$a_p := \bigwedge F$ we find that $a_p \in A$, $p \leq a_p$ and $a_p \leq v$ since $f(a_p) \leq \bigwedge f[F]$. Clearly then
$v = \bigvee \{ p \mid v \geq p \in K \} \leq \bigvee \{ a_p \mid v \geq p \in K \} \leq v$ which shows that v is identical to the
second join, and hence, open.

Finally, part (5) follows from part (4) by order duality. □


As we announced already in the introduction to this section, the following properties
will be crucial in proving canonicity results further on. The reason for this lies in the
observation that for some terms t, we may apply Proposition 118(2) by the fact that the
term function $t^{A^\sigma}$ in the canonical extension $A^\sigma$ can be decomposed as $t^{A^\sigma} = g^\sigma \circ f^\sigma$ where
$g^\sigma$ is $(\tau, \gamma^\uparrow)$-continuous and $f^\sigma$ is $(\sigma, \tau)$-continuous, for some ‘intermediate’ topology $\tau$.
This is the principle of matching continuities that we mentioned in the introduction.


PROPOSITION 118. Let $f : A \to B$ and $g : B \to C$ be monotone maps between the
Boolean algebras A, B and C. Then


1. $(gf)^\sigma \leq g^\sigma f^\sigma$;


2. $(gf)^\sigma \geq g^\sigma f^\sigma$ whenever $g^\sigma f^\sigma$ is $(\sigma, \gamma^\uparrow)$-continuous.


Proof. Part (2) of the proposition is an immediate consequence of Proposition 117(1)
since $g^\sigma f^\sigma$ is an extension of gf (and gf is monotone). Concerning part (1), we first
show that $(gf)^\sigma(p) \leq g^\sigma f^\sigma(p)$ for closed p. Note that

$$\begin{aligned}
(gf)^\sigma(p) &= \bigwedge \{ gf(a) \mid p \leq a \in A \}, \\
g^\sigma f^\sigma(p) &= \bigwedge \{ g(b) \mid f^\sigma(p) \leq b \in B \},
\end{aligned}$$

where the latter identity holds because $f^\sigma(p)$ is closed in $A^\sigma$. Now take a $b \in B$ with
$f^\sigma(p) \leq b$. As $f^\sigma(p) = \bigwedge \{ f(a) \mid p \leq a \in A \}$ is a down-directed meet, compactness
provides some $a \in A$ with $p \leq a$ and $f(a) \leq b$. Then $(gf)^\sigma(p) \leq gf(a) \leq gb$; and hence,

$$(gf)^\sigma(p) \leq g^\sigma f^\sigma(p).$$

Now we turn to arbitrary $x \in A^\sigma$. Note that

$$\begin{aligned}
(gf)^\sigma(x) &= \bigvee \{ (gf)^\sigma(p) \mid x \geq p \in K(A) \}, \\
g^\sigma f^\sigma(x) &= \bigvee \{ g^\sigma(q) \mid f^\sigma(x) \geq q \in K(B) \}.
\end{aligned}$$

Take an arbitrary $p \in K(A)$ with $p \leq x$; then $(gf)^\sigma(p) \leq g^\sigma f^\sigma(p)$, as we just saw. Since
$f^\sigma(x) \geq f^\sigma(p) \in K(B)$, this shows that every joinand $(gf)^\sigma(p)$ of $(gf)^\sigma(x)$ is below some
joinand $g^\sigma(q)$ of $g^\sigma f^\sigma(x)$. This suffices to prove the desired inequality. □

7.5 Canonical equations 


Time to harvest. The key idea for proving canonicity results for an equation $s \approx t$ will be
to use properties of the term functions $s^A$ and $t^A$. Recall that for a term $t(x_1, \ldots, x_n)$,
the term function $t^A : A^n \to A$ is inductively defined as follows:

$$\begin{aligned}
x_i^A &= \pi_i, \\
(\nabla(t_1, \ldots, t_n))^A &= \nabla^A \circ (t_1^A, \ldots, t_n^A),
\end{aligned}$$

where $\pi_i : (a_1, \ldots, a_n) \mapsto a_i$ is the i-th projection function, and, for maps
$f_1, \ldots, f_n : X \to Y$, the map $(f_1, \ldots, f_n) : X \to Y^n$ is given by
$(f_1, \ldots, f_n)(x) := (f_1(x), \ldots, f_n(x))$.
In the context of canonical extensions the following definitions are crucial.

DEFINITION 119. A term t is expanding on an expanded Boolean algebra A if
$(t^A)^\sigma \leq t^{A^\sigma}$, contracting if $(t^A)^\sigma \geq t^{A^\sigma}$, and stable if $(t^A)^\sigma = t^{A^\sigma}$. We let these properties apply
to classes of algebras in case they apply to all members of the class.

PROPOSITION 120. Let s and t be two $\tau$-terms, and K a class of $\tau$-expanded Boolean
algebras. If s is contracting and t is expanding on K, then the inequality $s \leq t$ is canonical
on K.


Proof. Consider an algebra A in K such that $A \models s \leq t$. In other words, we have
$s^A \leq t^A$, so that $(s^A)^\sigma \leq (t^A)^\sigma$. But then by the assumptions on s and t it follows that
$s^{A^\sigma} \leq (s^A)^\sigma \leq (t^A)^\sigma \leq t^{A^\sigma}$, which shows that $A^\sigma \models s \leq t$. □


So which terms are contracting, and which ones are expanding? Here the topologies
prove their value. Before moving on to these results, we need to get one technicality out
of the way. Basically, the following proposition states that the product map $(f_1, \ldots, f_n)$
behaves as well as one could hope for.


PROPOSITION 121. Let $f_1, \ldots, f_n$ be monotone maps between the Boolean algebras A
and B. Then

$$(f_1, \ldots, f_n)^\sigma = (f_1^\sigma, \ldots, f_n^\sigma)$$

and for all $\rho, \rho' \in \{ \gamma^\uparrow, \gamma^\downarrow, \gamma, \sigma^\uparrow, \sigma^\downarrow, \sigma \}$ it holds that

$(f_1, \ldots, f_n)^\sigma$ is $(\rho, \rho')$-continuous iff each $f_i^\sigma$ is $(\rho, \rho')$-continuous.

We leave the rather tedious but not very difficult proof of this proposition to the
reader, and move on to more interesting facts. First we associate topological properties 
with term functions. 


PROPOSITION 122. Let A be a $\tau$-expanded Boolean algebra, and t a $\tau$-term. Then

1. If A interprets all connectives in t as operators, then $t^{A^\sigma}$ is $(\gamma^\uparrow, \gamma^\uparrow)$-continuous.

2. If A interprets all connectives in t as additive maps, then $t^{A^\sigma}$ is $(\sigma^\downarrow, \sigma^\downarrow)$-continuous.

3. If A interprets all connectives in t as multiplicative maps, then $t^{A^\sigma}$ is
$(\sigma^\uparrow, \sigma^\uparrow)$-continuous.


Proof. All three statements can be proved by a straightforward term induction, using
the Propositions 117 and 121 for the induction step. For the induction base, note that the
projection maps are both join- and meet preserving, and hence, their canonical extensions
have all the continuity properties mentioned in the statements of this proposition. □


Here we arrive at the core of the algebraic approach towards the canonicity of equa- 
tions. On the basis of the syntactic shape of some terms we can see whether it is 
expanding or stable. In Theorem 123 we give some sample results; observe that the key 
idea in the proof of part (3) is the principle of ‘matching continuities’ as described before 
Proposition 118. 


THEOREM 123. Let A be a $\tau$-expanded Boolean algebra, and t a $\tau$-term. Then

1. If A interprets all connectives in t as monotone maps, then t is expanding.


2. If A interprets all connectives in t as operators or dual operators, then t is stable.


3. If t is of the form $s(u_1, \ldots, u_n)$ such that A interprets all connectives in s as
operators, and all connectives in each of the $u_i$ as meet-preserving operations, then
t is stable.


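Proof. Part (1) is proved by term induction. The base case is immediate from the
definitions. For the inductive step, suppose that $t = \nabla(t_1, \ldots, t_n)$, then

$$\begin{aligned}
(t^A)^\sigma &= (\nabla^A \circ (t_1^A, \ldots, t_n^A))^\sigma \\
&\leq (\nabla^A)^\sigma \circ (t_1^A, \ldots, t_n^A)^\sigma \\
&= \nabla^{A^\sigma} \circ ((t_1^A)^\sigma, \ldots, (t_n^A)^\sigma) \\
&\leq \nabla^{A^\sigma} \circ (t_1^{A^\sigma}, \ldots, t_n^{A^\sigma}) \\
&= t^{A^\sigma}.
\end{aligned}$$

Here the first and last step are by definition, the second step is by Proposition 118(1)
and monotonicity, the third step is by definition of $\nabla^{A^\sigma} = (\nabla^A)^\sigma$ and by Proposition 121,
and the fourth step is by the inductive hypothesis and the monotonicity of $\nabla^{A^\sigma}$.

For part (2) and (3) it suffices to prove that $t^{A^\sigma} \leq (t^A)^\sigma$, since the opposite inequality
holds by part (1). In the case of part (2) this follows from a straightforward induction,
whereas for part (3) we need the principle of matching topologies.

Let t be as described in part (3), then

$$t^{A^\sigma} = s^{A^\sigma} \circ (u_1^{A^\sigma}, \ldots, u_n^{A^\sigma}) = (s^A)^\sigma \circ ((u_1^A)^\sigma, \ldots, (u_n^A)^\sigma)$$

with the second identity holding by part (2). Also, note that by Proposition 117, the
term function $s^{A^\sigma}$ is $(\gamma^\uparrow, \gamma^\uparrow)$-continuous, and each $u_i^{A^\sigma}$ is $(\sigma^\uparrow, \sigma^\uparrow)$-continuous. From
this we infer by Proposition 121 that the map $((u_1^A)^\sigma, \ldots, (u_n^A)^\sigma) = (u_1^A, \ldots, u_n^A)^\sigma$ is
$(\sigma^\uparrow, \sigma^\uparrow)$-continuous as well, whence by $\gamma^\uparrow \subseteq \sigma^\uparrow$ it is $(\sigma^\uparrow, \gamma^\uparrow)$-continuous. Thus the
$(\gamma^\uparrow, \gamma^\uparrow)$-continuity of $s^{A^\sigma}$ matches with the $(\sigma^\uparrow, \gamma^\uparrow)$-continuity of $(u_1^A, \ldots, u_n^A)^\sigma$. Hence,
we may apply Proposition 118(2), and find that
$t^{A^\sigma} = (s^A)^\sigma \circ (u_1^A, \ldots, u_n^A)^\sigma \leq (s^A \circ (u_1^A, \ldots, u_n^A))^\sigma = (t^A)^\sigma$, as desired. □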


As a sample application, we show how Sahlqvist canonicity is an easy consequence of 
the previous theorem. 


COROLLARY 124. Sahlqvist equations are canonical over the class of all Boolean
algebras with $\tau$-operators.


Proof. First we treat inequalities of the form $\varphi(\beta_1, \ldots, \beta_n) \leq \psi$, where $\varphi$ only uses
$\wedge$, $\vee$ and modalities, all $\beta_i$ are boxed atoms, and $\psi$ is positive. But then it is immediate by
the previous proposition that $\varphi(\beta_1, \ldots, \beta_n)$ is stable, while $\psi$ is expanding. Hence the
result follows from Proposition 120.

Now consider an arbitrary Sahlqvist inequality. Without loss of generality we may
assume that it is in fact an equation of the form

$$\varphi(\beta_1, \ldots, \beta_n, -\psi_1, \ldots, -\psi_k) \leq \bot, \tag{34}$$

where $\varphi$ and the $\beta$’s are as before, while all $\psi_i$ are positive formulas. It is easy to see
that this equation is equivalent to the quasi-equation

$$\Big( \mathop{\&}_{1 \leq i \leq n} x_i \leq -\psi_i \Big) \Rightarrow \varphi(\beta_1, \ldots, \beta_n, x_1, \ldots, x_k) \leq \bot,$$

which in its turn is equivalent to

$$\Big( \mathop{\&}_{1 \leq i \leq n} x_i \wedge \psi_i \leq \bot \Big) \Rightarrow \varphi(\beta_1, \ldots, \beta_n, x_1, \ldots, x_k) \leq \bot. \tag{35}$$

Now suppose that we add a diamond E to the language, and interpret this diamond as
the global modality on every algebra (see section 8.2). Then clearly the quasi-equation
(35) is equivalent to the formula

$$\varphi(\beta_1, \ldots, \beta_n, x_1, \ldots, x_k) \leq \bigvee_{1 \leq i \leq n} E(x_i \wedge \psi_i). \tag{36}$$

(Note that this reduction of a quasi-equation to an equivalent equation is a specific
example of Proposition 138.)

The result then follows by the observation that (36) is a Sahlqvist inequality of the
kind already treated, together with the fact that the canonical extension of the global
modality is again the global modality (see Remark 110). □


7.6 Further remarks


The ideas described in this section allow for variations and generalizations in at least two 
directions. 

To start with, the algebraic approach has already been put to work for a far wider class 
of structures than just Boolean algebras with operators. In particular, nothing in the 
theory crucially depends on the Boolean nature of the underlying order of the algebras. 
The notion of a canonical extension, with all the results in section 7.2 pertaining to them, 
has been extended to (first distributive and then) arbitrary lattices, with work on partial 
orders under way. 

Furthermore, the restriction to monotone operations is not necessary either; arbitrary
maps between lattices can be extended to maps between their canonical extensions. First
suppose that we are dealing with a dense set $X'$ in a topology $(X, \rho)$, and let $f : X' \to C$
be a map from $X'$ to the carrier C of a complete lattice C. Then define

$$\begin{aligned}
f^\sigma(x) &:= \bigvee \{ \bigwedge f[U \cap X'] \mid x \in U \in \rho \}, \\
f^\pi(x) &:= \bigwedge \{ \bigvee f[U \cap X'] \mid x \in U \in \rho \}.
\end{aligned} \tag{37}$$

In order to apply this definition for the canonical extension of a map f between two
lattices L and M, note that (just like in the case for Boolean algebras, see Remark 115)
the carrier L of L forms a dense subset of the $\sigma$-topology over the carrier $L^\sigma$. Also
observe that $f^\sigma$ and $f^\pi$ are extensions of f because all elements of L are isolated points
of $\sigma$, and that for monotone f, (37) agrees with (32).

Finally, it is not just the definitions that translate to the more general setting of lattice
expansions (that is, lattices with additional operations), the same holds for the theory. To
mention just one example: one may prove that any equation $s \approx t$ is canonical provided
that all the primitive symbols (including the join operation ^) occurring in s and t are
interpreted as operators. Details can be found in for instance Gehrke & Harding [28].


The second generalization that we want to mention involves other ways of complet- 
ing lattices and lattice expansions, such as the MacNeille completion, which generalizes 
Dedekind’s construction of the reals from the rationals to arbitrary partial orders. For a 
characterization in the style of this section, one may start by proving that any lattice 
has a (modulo isomorphism) unique completion L“, its MacNeille completion, in which 
is both join- and meet dense. This way of extending lattices is obviously similar to that 
of the canonical extension, but a substantial difference is that the MacNeille completion 
agrees with the original lattices on all meets and joins, whereas the canonical extension 
only agrees on the finite ones. 

In any case, it follows from join- and meet density, that any map between two lattices
can be extended to a map between their MacNeille completions, in two ways. In the case
of a monotone operation f between two lattices L and M, we define the lower extension
and the upper extension of f by

lower extension: $x \mapsto \bigvee \{ f(a) \mid x \geq a \in L \}$,
upper extension: $x \mapsto \bigwedge \{ f(a) \mid x \leq a \in L \}$.


Clearly then, almost all questions concerning canonical extensions have an obvious coun- 
terpart for MacNeille completions. Generally speaking, MacNeille completions are less 
well-behaved than canonical extensions; for instance, unary operators (diamonds) are
no longer smooth, and the variety of modal algebras is not closed under taking lower 
MacNeille completions. Probably for this reason, Monk [85] introduced the notion of the 
MacNeille completion of a BAO only for Boolean algebras with complete operators. On 
the other hand, in case the primitive operations are residuated (see Proposition 129), 
the situation improves; for instance, Givant & Venema [36] show that the validity of all 
Sahlqvist equations is preserved under taking MacNeille completions of tense algebras. 
As a final remark, there are interesting connections between the MacNeille completion 
and the canonical extension of a lattice expansion: for instance, Gehrke, Harding & Ven- 
ema [29] prove that the canonical extension of lattice expansion A can be embedded in 
the MacNeille completion of some ultrapower of A. As a consequence, every variety of 
lattice expansions that is closed under taking MacNeille completions, is also canonical in 
the sense of canonical extensions. 


8 SPECIAL ALGEBRAIC TOPICS 


In this final section on algebra we discuss the algebraic perspective on two further issues 
in modal logic. 


8.1 Tense logic 


Our first example concerns tense logic; as its name already indicates, this branch of 
modal logic originates in the formal semantics of natural language, cf. Chapter 19 of this 
volume. 


DEFINITION 125. The modal similarity type of tense logic is fixed by its two diamonds,
$\Diamond_F$ and $\Diamond_P$.


The letters F and P are mnemonic of future and past, respectively. This already
indicates that the standard interpretation of this language is in frames representing a
flow of time, such that $\Diamond_F$ obtains the meaning ‘sometime in the future’, and dually $\Diamond_P$
means ‘sometime in the past’. Tense logic thus forms a rather simple example of temporal
logic, cf. Chapter 11 of this volume. Here we abstract from the temporal interpretations
of tense logics; what is then left is that in the intended frames for this language, the
two diamonds of the language are interpreted along the two directions of a single binary
relation.


DEFINITION 126. A frame $S = (S, R_F, R_P)$ for this similarity type is called bidirectional
if $R_F$ and $R_P$ are each other’s converse.

This definition explains why such a frame is often represented simply as the pair $(S, R_F)$.
Turning to logic, we define the following.

DEFINITION 127. A modal logic L in this similarity type is a tense logic if both formulas
$p \to \Box_F \Diamond_P p$ and $p \to \Box_P \Diamond_F p$ are theorems of L; the minimal tense logic is denoted as $K_t$.
Algebraically, a tense algebra is a Boolean algebra expanded with monotone operations
satisfying the corresponding equations $x \leq \Box_F \Diamond_P x$ and $x \leq \Box_P \Diamond_F x$.


It is easy to see that $S^+$ is a tense algebra if and only if S is a bidirectional frame. In
the other direction, it is not a priori clear whether we can extract a useful frame from
an arbitrary tense algebra: First we must show that tense algebras are Boolean algebras
with operators. In fact, already Jónsson & Tarski [70] show something better.


THEOREM 128. Let $A = (A, \top, \bot, -, \wedge, \vee, \Diamond_F, \Diamond_P)$ be a tense algebra. Then

1. the operations $\Diamond_F$ and $\Diamond_P$ are complete operators;


2. the structure $A_\bullet$ is a bidirectional frame, and the algebra $A^\sigma$ is again a tense algebra.


Proof. For part 1 of the Theorem, let $a \in A$ be the least upper bound of some subset
X of A. Then by monotonicity, $\Diamond_F a$ is an upper bound of the set $\Diamond_F[X]$. Now suppose
that b is also an upper bound of this set, that is, $\Diamond_F x \leq b$ for all $x \in X$. From this
it follows, for each $x \in X$, that $x \leq \Box_P \Diamond_F x \leq \Box_P b$ (here we use monotonicity of $\Box_P$,
which is easily proven). Thus we see that $a \leq \Box_P b$ by our assumption on a. But then
by monotonicity of $\Diamond_F$ we obtain that $\Diamond_F a \leq \Diamond_F \Box_P b \leq b$. This proves that $\Diamond_F a$ is in
fact the least upper bound of the set $\Diamond_F[X]$.

Concerning the second part of the theorem, that $A^\sigma$ is a tense algebra is a special case of
the Sahlqvist Canonicity Theorem 93; the bidirectionality of $A_\bullet$ is then immediate since
$A^\sigma = (A_\bullet)^+$. □


There is a lot more to say about the complete additivity of the diamonds in tense 
algebras. To start with, the definition of tense algebras can be reformulated using either 
of the algebraically more familiar notions of conjugation or residuation. 


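PROPOSITION 129. Let $A = (A, \top, \bot, -, \wedge, \vee, \Diamond_F, \Diamond_P)$ be a monotone expanded
Boolean algebra. Then the following are equivalent:


1. A is a tense algebra,

2. $\Diamond_F$ and $\Diamond_P$ are conjugated operations, that is, they satisfy the following:

$$A \models \forall x y \, (x \wedge \Diamond_F y = \bot \iff y \wedge \Diamond_P x = \bot), \tag{38}$$

3. $\Diamond_F$ and $\Box_P$ form a residual pair, that is,

$$A \models \forall x y \, (\Diamond_F x \leq y \iff x \leq \Box_P y). \tag{39}$$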


This connection with residuation shows that from a general mathematical perspective, 
tense logic is not just any bimodal logic: It provides the modal logic manifestation of 
the fundamental category theoretic concept of adjoint functors. Theorem 128(1) is thus 
a rather special case of the category theoretic fact that left adjoint functors preserve all 
(existing) colimits. 

Another nice property of tense logic that should be mentioned here is that somehow, 
tense algebras are richer than ordinary Boolean algebras with operators. For instance, 
consider an atomic modal algebra A, and suppose that A satisfies some Sahlqvist equation
$\eta$. Then it is not guaranteed that the atom structure $A_+$ (see Definition 41) satisfies the
first-order correspondent $c_\eta$ of $\eta$, not even if the diamond of A is completely additive.
However, in case A is a tense algebra, it contains sufficient information to enforce this. 


THEOREM 130. Let A be an atomic tense algebra. Then for every Sahlqvist equation
$\eta$: $A \models \eta$ iff $A_+ \models c_\eta$ iff $(A_+)^+ \models \eta$.

Proof. Clearly, the equivalence of the last two statements follows from Sahlqvist
correspondence theory. For the implication from right to left, it suffices to observe that A is
a subalgebra of $(A_+)^+$ because of the complete additivity of the operators. This follows
from (12) in the proof of Proposition 42.

The remaining implication is a special case of the preservation of Sahlqvist equations
under taking (lower) MacNeille completions of tense algebras, see the end of section 7
for some discussion, and Givant & Venema [36] for proofs. ∎


Finally, tense algebras play a role in other parts of universal algebra as well. For
instance, any lattice can be represented as the sublattice of a tense algebra that has the
solution set of the equation $x \approx \Box_F \Diamond_P x$ as its carrier. This idea basically goes back to
Birkhoff [12]; for more details, the reader is referred to Harding [56]. 

Nevertheless, despite their rather special characteristics, just like all bimodal logics, 
tense logics can be simulated by monomodal ones; for details we refer to Chapter 8 of 
this volume. 


8.2 Global modality & discriminator varieties 


Recent years have witnessed an increasing interest in formalisms that enhance the expres- 
sive power of standard modal languages, see for instance Chapter 14 of this volume. In 
such a pursuit, one naturally arrives at the global or universal modality E which has the 
global relation S x S of a frame S as its (intended) accessibility relation, see Goranko & 
Passy [48]. But also, a large number of standard logics come with an intended semantics 
in which the global relation interprets some more complex term of the language: as an 
example we mention the compound modality $\Diamond_F \Diamond_P$ in the tense logic over any linear
flow of time. 


DEFINITION 131. Algebraically, we define the global modality or unary discriminator
over a Boolean algebra (with operators) B as the function given by

$$b \mapsto \begin{cases} \bot & \text{if } b = \bot, \\ \top & \text{if } b > \bot. \end{cases}$$

The term $\gamma(x)$ is called a global modality or unary discriminator term over an expanded
Boolean algebra A if it is interpreted as the global modality on A.


This notion can be seen as the BAO manifestation of the well-known algebraic concept 
of a discriminator, see Jipsen [67] for a first explicit discussion of the connections. 

DEFINITION 132. We call a ternary term d a discriminator term over an algebra A if
it is interpreted as the discriminator function on A, that is, if $d^A(a, b, c) = a$ if $a \ne b$, and
$d^A(a, b, c) = c$ if $a = b$. Any variety V generated by a class of algebras with a common
discriminator term, is called a discriminator variety.


PROPOSITION 133. Let A be a $\tau$-expanded Boolean algebra.

1. If $\gamma$ is a global modality for A, then the term
$(\gamma(\neg(x \leftrightarrow y)) \wedge x) \vee (\neg\gamma(\neg(x \leftrightarrow y)) \wedge z)$
is a discriminator term for A.

2. If $d(x, y, z)$ is a discriminator term for A, then the term $\neg d(\bot, x, \top)$ is a global
modality for A.

Before going into further detail of the connection with the global modality, let us, for
future reference, list some of the many nice properties that discriminator varieties have. 


THEOREM 134. Let K be a class of algebras with a discriminator term d. Then 
1. all algebras in K are simple; 
2. Var(K) is congruence-distributive and congruence-permutable; 
3. all subdirectly irreducible algebras in Var(K) are simple, and vice versa; 


4. Var(K) is semi-simple; that is, every algebra in Var(K) is a subdirect product of 
simple algebras. 


5. d is a discriminator term for every simple algebra in Var(K). 


Proof. For the first statement of the theorem, define the term 


$$s(x, y, u, v) = d(d(x, y, u), d(x, y, v), v).$$

It is easy to see that s is a so-called switching term for K; that is, for every A in K, and
for all a, b, c and d in A:

$$s^A(a, b, c, d) = \begin{cases} c & \text{if } a = b, \\ d & \text{if } a \ne b. \end{cases}$$

Now let $\Theta \ne \Delta_A$ be a congruence of A; then there are two elements $a \ne b$ with $(a, b) \in \Theta$.
But then we find $(c, d) = (s^A(a, a, c, d), s^A(a, b, c, d)) \in \Theta$ for every c and d in A. In other
words, such a $\Theta$ must be the trivial congruence $A \times A$. But this clearly means that
A is simple. Details of the proof of the second statement, which is similar to that of 
Theorem 25, are left to the reader. 

For the third part of the theorem, it is not hard to verify that d is a discriminator 
term for SPu(K) as well, whence SPu(K) consists of simple algebras by part (1). So by 
definition of simplicity, we find that HSPu(K) = SPu(K); hence, all algebras in HSPu(K) 
are simple. However, by part 2 we may apply Jónsson’s Lemma, which states that all
s.i. members of Var(K) belong to HSPu(K). Thus every s.i. algebra in Var(K) is simple.

Part (4) is immediate from part (3) by Birkhoff’s subdirect indecomposability theorem,
while the final statement follows from the fact that every simple algebra belongs to
SPu(K), and thus shares the discriminator term of K. ∎


In particular, since the notions of simplicity and subdirect irreducibility coincide in a 
discriminator variety, its subvarieties are completely determined by its simple members. 
Let us now see how these issues are axiomatized in normal modal logics. 


DEFINITION 135. A $\tau$-formula $\gamma(x)$ is a global modality for a normal modal $\tau$-logic L
if the formulas $\Gamma$:

• $\nabla(x_1, \dots, x_n) \to \gamma(x_i)$ for every $\nabla \in \tau$, and every $i \in \{1, \dots, n\}$;

• $x \to \gamma(x)$, $\gamma(\gamma(x)) \to \gamma(x)$ and $\gamma(\neg\gamma(\neg x)) \to x$;

are theorems of L.

That is, L defines a global modality iff there is a term $\gamma(x)$ that satisfies the S5
axioms, plus the inclusion axiom $\nabla x \to \gamma(x)$ for every induced diamond $\nabla$. It is
not hard to derive that such an axiomatically defined global modality $\gamma(x)$ also has
$\gamma(\neg\gamma(x)) = \neg\gamma(x)$, and $\vdash_L \blacklozenge x \to \gamma(x)$ for all compound diamonds $\blacklozenge$.

The terminology of Definition 135 is justified by the following Proposition, which is 
essentially taken from Jipsen [67]. 


PROPOSITION 136. Let L be a normal modal $\tau$-logic, and $\gamma(x)$ a $\tau$-formula. Then $\gamma(x)$
is a global modality for L if and only if $BAO_\tau(L) = Var(K)$ for some class K of algebras
sharing $\gamma$ as a global modality.


Proof. The direction from right to left is immediate by the fact that any unary
discriminator term satisfies all the formulas listed in Definition 135.

For the other direction, by Theorem 34 it suffices to show that $\gamma$ is a unary discriminator
term on subdirectly irreducible algebras in $BAO_\tau(L)$. In order to prove this, suppose
for contradiction that A has a radical element p, while $\gamma^A$ is not the global modality
on A. That is, some $a \in A$ satisfies $a \ne \bot$ while $\gamma^A(a) \ne \top$, whence $\neg\gamma^A(a) \ne \bot$.
Since p is radical in A there are compound diamonds $\blacklozenge_1$ and $\blacklozenge_2$ such that $p \le \blacklozenge_1 a$ and
$p \le \blacklozenge_2 \neg\gamma^A(a)$. However, from $p \le \blacklozenge_1 a$ we obtain $p \le \gamma^A(a)$, while from $p \le \blacklozenge_2 \neg\gamma^A(a)$
we may infer that $p \le \gamma^A(\neg\gamma^A(a)) \le \neg\gamma^A(a)$. This contradicts the fact that $p > \bot$, and
so we may conclude that $\gamma$ is the global modality on A. ∎


A very useful property of discriminators is that they allow the effective replacement 
of universal sentences with equations. In the case of BAOs, this works out as follows. 

DEFINITION 137. Suppose that $\gamma(x)$ is a global modality term for K. Inductively we
define a function $\lambda$ mapping quantifier-free formulas (in the first order language of BAOs)
to $\tau$-terms:

$$\begin{aligned}
s \approx t &\mapsto (s \wedge \neg t) \vee (\neg s \wedge t), \\
\neg P &\mapsto \neg\gamma(\lambda_P), \\
P \mathbin{\&} Q &\mapsto \lambda_P \vee \lambda_Q.
\end{aligned}$$


THEOREM 138. Let K be a class of Boolean algebras with $\tau$-operators with a discriminator
term $\gamma$. Then any universal formula P is equivalent over K to the equation $\lambda_{P'} \approx \bot$,
where P' is the quantifier-free part of P.


Proof. A straightforward induction shows that for any algebra A in K, any assignment
$\alpha$ on A and any quantifier-free formula P it holds that

$$A \models_\alpha P \quad\text{iff}\quad A \models_\alpha \lambda_P \approx \bot.$$

From this, the statement of the theorem is immediate. ∎


Working with discriminator classes has many advantages. For instance, if K is a
discriminator class, then we may generate Var(K) from K just by taking products and 
subalgebras (that is, homomorphic images are not needed). The result in this generality 
is due to Givant [35]. 


THEOREM 139. Let K be a class of Boolean algebras with a common global modality
term $\gamma(x)$.

1. If $Pu(K) \subseteq S(K)$, then SP(K) is a variety and S(K) is the universal class of simple
algebras in SP(K).

2. If K is axiomatized by a set $\Phi$ of universal formulas, then SP(K) is axiomatized by
the set $\{\lambda_P \approx \bot \mid P \in \Phi\}$, together with the set $\Gamma$ of Definition 135.


Proof. Assume that $Pu(K) \subseteq S(K)$, then it is easy to see that the class S(K) is
closed under taking ultraproducts and subalgebras. It then follows by standard universal 
algebra, see [17, Theorem 2.20], that S(K) is a universal class, that is, an elementary 
class axiomatized by universal formulas. 

By assumption, the algebras in K have a common discriminator term, and, hence, 
we find, reasoning as in the proof of Theorem 134(3), that SirVar(K) = SPu(K), where 
SirVar(K) denotes the class of s.i. members in Var(K). Thus by the assumption we find 
that SirVar(K) = S(K) and therefore, S(K) is the class of simple algebras in Var(K), since 
the notions of simplicity and subdirect irreducibility coincide. Finally then, by Birkhoff’s
and Jónsson’s theorems, the variety Var(K) is the class of subdirect products of algebras
in HSPu(K) = S(K); a straightforward calculation then will show that Var(K) = SP(K).

Part two of the theorem is a straightforward consequence of Proposition 136 and
Theorem 138. ∎


Finally, for more information on the global modality, the reader is referred to Chapter 8 
of this volume. 


9 COALGEBRAS: AN INTRODUCTION 


This section forms a brief introduction to the field of Coalgebra. While certain kinds of 
coalgebras had already been studied in the sixties, the field really took off after it was 
realized that coalgebra can be conceived as a general and uniform theory of dynamic 
systems, taken in a broad sense. 

Many structures in mathematics and theoretical computer science can naturally be rep- 
resented as coalgebras. Probably the first example was provided by Aczel [2], who models 
transition systems and non-well-founded sets as coalgebras. On the basis of Aczel’s work, 
Barwise & Moss [11] discuss a wide range of phenomena involving the notions of circu- 
larity and self-reference, with applications ranging from theoretical economics to the 
semantics of natural language. A second paradigmatic specimen of coalgebras in com- 
puter science is given by (deterministic) automata, see Rutten [96]. Further important 
examples include the representation of infinite data structures, and the formal modeling 
of objects and classes in object oriented programming, see Reichel [92] or Jacobs [61]. 
But for modal logicians, it will be Kripke frames and models that provide the prime 
examples of coalgebras; this link goes back to at least Abramsky [1]. In fact, the model 
theory of modal logic is coalgebraic in nature, so modal logicians entering the field will 
have much the same experience as group theorists learning about universal algebra, in 
that they will recognize many familiar notions and results, lifted to a higher level of 
generality and abstraction. 

For readers that want to learn more about coalgebras, the literature harbors some well 
written introductions and surveys (although at the time of writing there is no text book 
or monograph available). We refer the reader to Jacobs & Rutten [65] for a very accessible 
introduction, and to Rutten [97] or Gumm [50] for comprehensive surveys. Ihringer [60]
has an appendix on coalgebras by Gumm. For more details on the connection between 
coalgebra and modal logic, the reader may consult Kurz [75] or Pattinson [90]. 


What then are coalgebras? The most concrete, state-based specimens, called systems, 
simply consist of a set S endowed with some kind of transition, formally modeled as 
some map $\sigma$ from S to another set $\Omega S$. Here $\Omega$ is some functor constituting the type or
signature of the coalgebra at stake. The transition map provides some kind of structure
on S, but whereas algebraic operations are ways to construct complex objects out of 
simple ones, coalgebraic operations, going out of the carrier set, should be seen as ways 
to unfold or observe objects. This explains the central role of the notion of behavior in 
the theory of coalgebras. 

More generally, given an endofunctor $\Omega$ on some base category C, an $\Omega$-coalgebra is a
pair $C = (C, \gamma)$, with C an arbitrary object in C, and $\gamma$ a C-arrow from C to $\Omega C$. The full
functorial power of $\Omega$ comes in when we turn $\Omega$-coalgebras into a category Coalg($\Omega$) by
introducing morphisms: A homomorphism from $(C, \gamma)$ to $(C', \gamma')$ is an arrow $f : C \to C'$
such that $\gamma' \circ f = (\Omega f) \circ \gamma$. This set-up enables the canonical definition of two notions
of equivalence between coalgebras, namely, bisimulation and behavioral equivalence. As
we will see as well, the definitions make the concept of a coalgebra very similar to that of
an algebra. However, if one makes this connection mathematically precise, it turns out
that coalgebras over the base category C are dual to algebras over the opposite category
$C^{op}$. This explains not only the name ‘coalgebra’, but, as we will see, also many of the
peculiarities of universal coalgebra, that is, the general coalgebraic theory of systems. 

Given the nature of coalgebra as a very general model of state-based dynamics, there 
is a natural place for modal logic as a formalism for reasoning about behavior. It was 
Moss [11, 86] who realized that one may generalize the concept of modal logic from Kripke 
frames and models to coalgebras over arbitrary set functors. Over subsequent years, the 
development and study of modal languages for the specification of properties of coalgebras 
has been actively pursued and studied by various authors, including Jacobs [62, 64], 
Kurz [77, 76], Pattinson [88, 89], and Rößiger [95]. In fact, as we will see, the link
between modal logics and coalgebra is so tight, that one may even claim that modal 
logic is the natural logic for coalgebras — just like equational logic is that for algebra. 

We now turn to the technical development of the topic, starting with the definition of 
a coalgebra. 


DEFINITION 140. Given an endofunctor $\Omega$ on a category C, an $\Omega$-coalgebra is a pair
$A = (A, \alpha)$, where A is an object of C called the carrier of A, and $\alpha : A \to \Omega A$ is an arrow
in C, called the transition map of A. In case $\Omega$ is an endofunctor on Set, $\Omega$-coalgebras
may also be called $\Omega$-systems; a pointed $\Omega$-system is a triple $(A, \alpha, a)$ such that $(A, \alpha)$ is
an $\Omega$-system, and a is a state in A, that is, an element of A.


As we mentioned already, the action of the functor $\Omega$ on the arrows of the category
C will be needed when we introduce, in Definition 148 below, homomorphisms between
$\Omega$-coalgebras. First we consider some examples of systems.


EXAMPLE 141. Probably the simplest example of a system is that of a C-colored set,
that is, a pair $(S, \gamma : S \to C)$. No matter where we start, this system can only display
the color of the current state, and halt after doing so.

A slightly more interesting example is provided by a black box machine which may be
prompted to display a value, or color, from C, and to move on to a next state. These
states are internal to the machine, that is, invisible to an outside observer. Such a
machine can abstractly be modeled as a coalgebra $\mu : M \to C \times M$, with $\pi_0(\mu(s)) \in C$
denoting the current value of the machine, and $\pi_1(\mu(s)) \in M$ representing the machine’s
next internal state. (Here $\pi_0 : C \times M \to C$ and $\pi_1 : C \times M \to M$ are the projection
functions.)


EXAMPLE 142. For our second example, we turn to automata theory. Recall that
deterministic automata are usually modeled as quintuples $A = (A, a_I, C, \delta, F)$ such that
A is the state space of the automaton A, $a_I \in A$ is its initial state, C its alphabet,
$\delta : A \times C \to A$ its transition function and finally, $F \subseteq A$ its collection of accepting states.

Now observe that we may represent F by its characteristic map $\chi_F : A \to 2$ (with 2
denoting the set {0,1}) which maps $a \in A$ to 1 if $a \in F$, and to 0 if $a \notin F$. Furthermore,
we can and will view $\delta$ as a map from $A \to A^C$, where $A^C$ denotes the collection of maps
from C to A. Thus we see that we may represent a deterministic automaton over the
alphabet C as a pointed system over the functor $S \mapsto 2 \times S^C$.


EXAMPLE 143. Our third example provides the crown witness when it comes to the 
connection between coalgebra and modal logics: We will now see that frames and models 
are in fact coalgebras in disguise. The crucial observation is here that a binary relation
$R \subseteq S \times S$ can be represented by the function $R[\cdot] : S \to P(S)$ mapping a point s to
the collection R[s] of its successors. Thus frames for the basic modal similarity type
correspond to coalgebras over the covariant power set functor P. (This functor maps a
set S to its power set P(S) and a function $f : S \to S'$ to the image map Pf given by
$(Pf)(X) = f[X]\ (= \{f(x) \mid x \in X\})$.)

Similarly, a ternary relation $T \subseteq S^3$ can be modeled as the function $T[\cdot] : S \to P(S^2)$
given by $T[s] = \{(t_1, t_2) \in S^2 \mid T s t_1 t_2\}$. Thus for any modal similarity type $\tau$, we can
represent $\tau$-frames as coalgebras for the functor $S \mapsto \prod_{\nabla \in \tau} P(S^{ar(\nabla)})$. Also note that
image finite frames, that is, frames in which R[s] is a finite set for all points s, correspond
to coalgebras over the finitary power set functor $P_\omega$.

Concerning models, in this section we let Prop denote the set of propositional
variables. It is easy to see that a valuation $V : Prop \to P(S)$ on a frame S = (S, R) could
equivalently have been defined as a P(Prop)-coloring of S, that is, as the map sending a
state s to the collection $V^{-1}[s] = \{p \in Prop \mid s \in V(p)\}$ of proposition letters holding at
s. Thus models for the basic modal similarity type can be identified with coalgebras of
the functor $\Omega$ given by $X \mapsto P(Prop) \times P(X)$.


EXAMPLE 144. For our last example, let $\breve{P}$ denote the contravariant power set functor.
This functor agrees with the covariant power set functor on objects, while on arrows $\breve{P}$
takes inverse images. That is, for $f : A \to A'$, the function $\breve{P}f : \breve{P}A' \to \breve{P}A$ is given by
$(\breve{P}f)(X') = f^{-1}[X']\ (= \{a \in A \mid f(a) \in X'\})$. Note that $\breve{P}$ is not a functor from Set to
Set, and thus does not produce coalgebras. Its composition with itself, however, is an
endofunctor on Set, so that we may consider $\breve{P} \circ \breve{P}$-coalgebras. Because the transition
function $\sigma$ of such a coalgebra $(S, \sigma)$ is a function $\sigma : S \to \breve{P}\breve{P}S$, the structure $(S, \sigma)$
may also be seen as a neighborhood frame, as discussed in Chapter 1 of this volume.

Some variants of the functor $\breve{P} \circ \breve{P}$ are of interest as well — we discuss the examples
Up and Fp. Recall that $\breve{P} \circ \breve{P}(S) = \breve{P}\breve{P}(S)$ is the set of all collections of subsets of
S. Up(S) denotes the set of all upward closed collections of subsets of S, while Fp(S)
denotes the set of all filters of S. On arrows, these functors coincide with $\breve{P} \circ \breve{P}$; more
precisely, for $f : S \to S'$, we set Up f and Fp f as the restrictions of $(\breve{P} \circ \breve{P})f$ to Up S
and Fp S, respectively.

It is not hard to show that Up and Fp are indeed functors Set → Set. The reader may
in fact be familiar with (some) coalgebras for these functors. It can easily be verified that
the Up-coalgebras correspond exactly to the monotonic neighborhood frames that were
mentioned in Chapter 1 as the superset closed neighborhood frames. Prime examples
of Fp-coalgebras are the topological spaces (that were also mentioned in Chapter 1,
be it rather implicitly under the name of topological semantics). To see this, represent
the topology $\sigma$ on the set S by the function mapping a point $s \in S$ to the collection
$\{U \in \sigma \mid s \in U\}$ of its neighborhoods.


EXAMPLE 145. For each set functor $\Omega$, the empty set $\emptyset$, with the unique map from $\emptyset$
to $\Omega\emptyset$, provides an $\Omega$-coalgebra.


The functors mentioned in the Examples 141, 142 and 143, are examples of so-called 
Kripke polynomial functors which share some pleasant properties as we will see further 
on. 


DEFINITION 146. The collection of polynomial functors is inductively defined as follows:

$$K ::= \mathcal{I} \mid C \mid K_0 + K_1 \mid K_0 \times K_1 \mid K^D. \qquad (40)$$

Here $\mathcal{I}$ denotes the identity functor on the category Set; C the constant functor $X \mapsto C$;
$K_0 + K_1$ the coproduct functor $X \mapsto K_0(X) + K_1(X)$; $K_0 \times K_1$ the product functor; and
$K^D$ denotes the exponent functor $X \mapsto K(X)^D$.

Similarly, the collection of Kripke polynomial functors is given by

$$K ::= \mathcal{I} \mid C \mid K_0 + K_1 \mid K_0 \times K_1 \mid K^D \mid PK, \qquad (41)$$

where PK is the composition of K with the power set functor P. Replacing P with
the finite power set functor $P_\omega$, and demanding the exponent D in $K^D$ to be finite, we
obtain the collection of finitary Kripke polynomial functors.

In each of these cases, the set Ing(K) of ingredient functors of a (Kripke) polynomial
functor K is defined by an obvious induction, with clauses $Ing(\mathcal{I}) := \{\mathcal{I}\}$,
$Ing(PK) := \{PK\} \cup Ing(K)$, etc.


With the notation of this definition, Example 141 provides examples of coalgebras for
the functors C and $\mathcal{I} \times C$. Deterministic automata over the alphabet C are
$2 \times \mathcal{I}^C$-coalgebras. Kripke frames are $P\mathcal{I}$-coalgebras, and Kripke models are coalgebras for the
functor $P\,Prop \times P\mathcal{I}$. (Note that in the format (41), the power set functor as such is not
a Kripke polynomial functor: It has to be represented as the functor $P\mathcal{I}$. In the sequel,
we will keep working with Kripke frames as P-coalgebras, unless explicitly mentioned
otherwise.)

After Set, the base category for coalgebras that carries most interest to modal logicians, 
is probably that of Stone spaces. 


EXAMPLE 147. Recall from Remark 60 that a Stone space is a pair $S = (S, \sigma)$ such that $\sigma$
is a compact Hausdorff space with a basis of clopens. Let Stone denote the category with
Stone spaces as objects, and continuous maps as arrows. We will show that descriptive
general frames can be viewed as Stone-coalgebras for the so-called Vietoris functor V
— for details on this observation, which is due to Abramsky [1], see Kupke, Kurz &
Venema [74].

This functor, which forms the topological counterpart of the power set functor, is
defined as follows. Given a topological space $S = (S, \sigma)$, let K(S) denote the collection
of closed subsets of S, and let $\ni\ \subseteq K(S) \times S$ denote the converse membership relation.
Then (in accordance with our earlier notation), we define, for any subset $U \subseteq S$, the sets
$\langle\ni\rangle U = \{F \in K(S) \mid F \cap U \ne \emptyset\}$ and $[\ni]U = \{F \in K(S) \mid F \subseteq U\}$. The topology on
K(S), generated by taking the collection $\{\langle\ni\rangle U, [\ni]U \mid U \in \sigma\}$ as a subbasis, is called
the Vietoris topology of $\sigma$, and the resulting space, the Vietoris space V(S) associated
with S.

The Vietoris construction preserves several properties of topological spaces; in
particular, if S is a Stone space, then so is V(S). Also, we may extend it to a functor, by
defining, for a continuous map $f : S \to S'$, the function Vf as the image map given by
(Vf)(X) := f[X]. Here we omit the proof that Vf is indeed an arrow in the category
Stone, i.e., that it is a continuous map from V(S) to V(S’).

Now let G = (G, R, A) be a descriptive general frame (cf. Definition 64), with associated
Stone space $\sigma_A$. Recall from Remark 65 that the map $R[\cdot]$ mapping a point in G to
the collection of its successors, is a function from G to $K((G, \sigma_A))$. It is not too hard to
prove that this is in fact a continuous map from $(G, \sigma_A)$ to its Vietoris space. Thus we
may represent G as the Stone coalgebra $((G, \sigma_A), R[\cdot])$.


Obviously, coalgebras are not studied in isolation; the following definition provides a 
natural notion of a map between coalgebras that preserves the transition structure. 


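DEFINITION 148. Let $A = (A, \alpha)$ and $A' = (A', \alpha')$ be two coalgebras for the functor
$\Omega : C \to C$. Then a homomorphism from A to A’ is an arrow $f : A \to A'$ for which the
following diagram commutes:

$$\begin{array}{ccc}
A & \xrightarrow{\;f\;} & A' \\
{\scriptstyle \alpha}\downarrow & & \downarrow{\scriptstyle \alpha'} \\
\Omega A & \xrightarrow{\;\Omega f\;} & \Omega A'
\end{array}$$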


EXAMPLE 149. The homomorphisms for P-coalgebras coincide with the bounded
morphisms between Kripke frames. To see this, let S = (S, R) and S’ = (S’, R’) be two
frames (for the basic modal similarity type), and consider their respective coalgebraic
representations $(S, \sigma)$ and $(S', \sigma')$, as in Example 143.

Now consider a map $f : S \to S'$. It is straightforward to show that

f satisfies the forth condition iff $(Pf) \circ \sigma(s) \subseteq \sigma' \circ f(s)$ for all $s \in S$,
f satisfies the back condition iff $(Pf) \circ \sigma(s) \supseteq \sigma' \circ f(s)$ for all $s \in S$.

This shows that f is a bounded morphism from S to S’ if and only if it is a coalgebra
homomorphism from $(S, \sigma)$ to $(S', \sigma')$, and provides perhaps the most convincing argument
that the notion of a bounded morphism is a natural one.
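
The two equivalences of Example 149 can be checked mechanically on finite frames. The following Python sketch is an added illustration, not part of the handbook: it enumerates every map between two small constructed frames and compares the relational forth and back conditions with the inclusions between (Pf)∘σ and σ'∘f. The frames and all function names are assumptions made for the example.

```python
from itertools import product


def coalgebra(states, relation):
    """Represent a frame (S, R) as the P-coalgebra s |-> R[s]."""
    return {s: frozenset(t for (u, t) in relation if u == s) for s in states}


def image(f, subset):
    """(Pf)(X) = f[X]: the covariant power set functor applied to the map f."""
    return frozenset(f[x] for x in subset)


def forth_relational(R, R2, f):
    """Rst implies R'f(s)f(t)."""
    return all((f[s], f[t]) in R2 for (s, t) in R)


def back_relational(S, R, R2, f):
    """R'f(s)t' implies that some t has Rst and f(t) = t'."""
    return all(any((s, t) in R and f[t] == t2 for t in S)
               for s in S for (u, t2) in R2 if u == f[s])


def classify(S, R, S2, R2):
    """Sort all maps f : S -> S' by the conditions they satisfy, and record whether
    the relational and the coalgebraic formulations agree on every single map."""
    sigma, sigma2 = coalgebra(S, R), coalgebra(S2, R2)
    out = {"forth": [], "back": [], "bounded": [], "agree": True}
    domain = sorted(S)
    for values in product(sorted(S2), repeat=len(domain)):
        f = dict(zip(domain, values))
        forth = forth_relational(R, R2, f)
        back = back_relational(S, R, R2, f)
        # Coalgebraic side: inclusions between (Pf)(sigma(s)) and sigma'(f(s)).
        sub = all(image(f, sigma[s]) <= sigma2[f[s]] for s in S)
        sup = all(image(f, sigma[s]) >= sigma2[f[s]] for s in S)
        hom = all(image(f, sigma[s]) == sigma2[f[s]] for s in S)
        if (forth, back, forth and back) != (sub, sup, hom):
            out["agree"] = False
        if forth:
            out["forth"].append(f)
        if back:
            out["back"].append(f)
        if hom:
            out["bounded"].append(f)
    return out


# Constructed sample frames (not from the text).
S, R = {0, 1, 2}, {(0, 0), (0, 1), (0, 2)}
S2, R2 = {"a", "b"}, {("a", "a"), ("a", "b")}

if __name__ == "__main__":
    result = classify(S, R, S2, R2)
    print(len(result["forth"]), len(result["back"]), result["bounded"])
```

On these frames four maps satisfy forth, two satisfy back, and exactly one map is a coalgebra homomorphism.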


EXAMPLE 150. Let X and X’ be two topological spaces, represented as coalgebras
$X = (X, \xi)$ and $X' = (X', \xi')$ for the filter functor Fp of Example 144. We leave it for
the reader to check that a map $f : X \to X'$ is an Fp-coalgebra homomorphism iff f is
continuous and open (i.e., not only do we require $f^{-1}[U']$ to be open in X if U’ is open
in X’, but also f[U] must be open in X’ for all X-open U).

Likewise, one can prove that the coalgebraic notion of a homomorphism between
monotone neighborhood frames, represented as coalgebras for the functor Up, corresponds to
that of a bounded morphism for these structures as defined in section 2.


It is easy to check that the collection of coalgebra homomorphisms contains all iden- 
tity arrows and is closed under arrow composition. Hence, the $\Omega$-coalgebras with their
homomorphisms form a category. 


DEFINITION 151. For any functor $\Omega : C \to C$, we let Coalg($\Omega$) denote the category with
$\Omega$-coalgebras as objects and the corresponding homomorphisms as arrows. The category
C is called the base category of Coalg($\Omega$).


The reader will already be familiar with a number of (isomorphic copies of) these 
categories. For instance, Example 149 shows in fact that the category Fr (of frames with 
bounded morphisms) is isomorphic to the category Coalg(P) of P-coalgebras. Likewise, 
elaborating Example 147, one can prove that the category DGF (of descriptive general 
frames with continuous bounded morphisms, see Definition 66) is isomorphic to the 
category of Stone coalgebras for the Vietoris functor. Of course, it is these isomorphisms 
that justify our classification of modal structures as coalgebras, not so much the simple 
fact that the objects in isolation can be presented in coalgebraic format. 


REMARK 152. Recall that an algebra over a signature $\Omega$ is a set A with an $\Omega$-indexed
collection $\{f^A : A^{ar(f)} \to A\}$ of operations. These operations may be combined into a
single map $\alpha : \sum_{f \in \Omega} A^{ar(f)} \to A$, where $\sum_{f \in \Omega} A^{ar(f)}$ denotes the coproduct (or sum, or
disjoint union) of the sets $\{A^{ar(f)} \mid f \in \Omega\}$. It is not hard to verify that a map $g : A \to A'$
is an algebraic homomorphism between the algebras $A = (A, \alpha)$ and $A' = (A', \alpha')$ iff the
following diagram commutes:

$$\begin{array}{ccc}
\Omega A & \xrightarrow{\;\Omega g\;} & \Omega A' \\
{\scriptstyle \alpha}\downarrow & & \downarrow{\scriptstyle \alpha'} \\
A & \xrightarrow{\;g\;} & A'
\end{array}$$

where we now view the signature $\Omega$ as the polynomial set functor $\sum_{f \in \Omega} \mathcal{I}^{ar(f)}$. That
is, $\Omega$ operates as well on functions between sets. This naturally suggests the following
generalization.


Given an endofunctor $\Omega$ on a category C, an $\Omega$-algebra is a pair $A = (A, \alpha)$ where
$\alpha : \Omega A \to A$ is an arrow in C. A homomorphism from an $\Omega$-algebra A to an $\Omega$-algebra
A’ is an arrow $f : A \to A'$ such that $f \circ \alpha = \alpha' \circ (\Omega f)$. The induced category is denoted
as Alg($\Omega$).


Now the obvious similarities between the notions of algebra and coalgebra can be made 
very precise. The basic observation, which also explains the name ‘coalgebra’, is that a 
coalgebra $C = (C, \gamma : C \to \Omega C)$ over a base category C can also be seen as an algebra in
the opposite category $C^{op}$ — we will come back to this issue in section 15. Note however,
that universal coalgebra, dealing with arbitrary set functors, is more general than (what 
is usually called) universal algebra, which involves only polynomial functors. 
DEFINITION 153. A functor $\Omega : C \to C$ is said to admit a final or terminal coalgebra
if the category Coalg($\Omega$) has a final object, that is, a coalgebra Z such that from every
coalgebra A in Coalg($\Omega$) there is a unique homomorphism $!_A : A \to Z$.


Functors admitting a final coalgebra are of special interest. In the case of state-based 
coalgebras, one reason for this is that final coalgebras often provide an intuitive encoding 
of the notion of behavior. And in fact, many interesting and well-known mathematical 
objects can be naturally associated with the final coalgebra of some functor. 


EXAMPLE 154. Consider a black box machine $M = (M, \mu)$ as in Example 141. Starting
from, say, state $x_0$, the machine makes a transition $\mu(x_0) = (c_0, x_1)$ and continues with
$\mu(x_1) = (c_1, x_2)$, $\mu(x_2) = (c_2, x_3)$, etc. Since the states $x_0, x_1, \dots$ are internal to the
machine, the only observable part of this dynamics is the infinite sequence or stream
$beh(x_0) = (c_0, c_1, c_2, \dots) \in C^\omega$ of values in the data set C.

The collection $C^\omega$ of all infinite words over C forms itself a system for the functor
$C \times \mathcal{I}$. Simply endow the set $C^\omega$ with the transition structure $\gamma$ splitting an infinite
stream $u = c_0 c_1 c_2 \dots$ into its head $h(u) = c_0$ and its tail $t(u) = c_1 c_2 c_3 \dots$ Putting
$\gamma(u) = (h(u), t(u))$, one easily proves that the behavior map $x \mapsto beh(x)$ is the unique
homomorphism from M to this coalgebra $(C^\omega, \gamma)$. This shows that $(C^\omega, \gamma)$ is the final
object in the category Coalg($C \times \mathcal{I}$).


EXAMPLE 155. For a second example, consider again the coalgebraic representation
of a deterministic automaton over the alphabet C as a $2 \times \mathcal{I}^C$-coalgebra. Now we will
see that the collection $P(C^*)$ of all languages over C provides (the carrier of) the final
coalgebra. We can turn this set $P(C^*)$ into a coalgebra by imposing on it the following
transition function $\lambda : P(C^*) \to 2 \times P(C^*)^C$. Writing $\lambda(L) = (\lambda_0(L), \lambda_1(L))$, we define
$\lambda_0(L) := 1$ iff the empty string belongs to L, and $\lambda_1(L)(c) := \{w \in C^* \mid cw \in L\}$. (The
latter set is sometimes called the c-derivative of L.)

We leave it for the reader to verify that with this definition, the structure $(P(C^*), \lambda)$
forms the final object in Coalg($2 \times \mathcal{I}^C$). Given a $2 \times \mathcal{I}^C$-coalgebra A, the unique
homomorphism $!_A : A \to (P(C^*), \lambda)$ maps a state $a \in A$ to the language that is accepted by
the automaton that we obtain by taking a as initial state of A.


EXAMPLE 156. An interesting example in modal logic is provided by the final coalgebra 
for the Vietoris functor V of Example 147. The existence of a final V-coalgebra is in fact 
an immediate consequence of the isomorphism Coalg(V) ≅ DGF, and the duality between
DGF and MA (the category of modal algebras with homomorphisms). MA has an initial 
object (namely, the Lindenbaum-Tarski algebra generated by the empty set of variables, 
or, equivalently, the free modal algebra over zero generators), and so by duality, Coalg(V) 
must have a final object. In fact, the canonical descriptive general frame, based on the 
set of maximal consistent closed formulas, fulfills this role — a nice and perhaps quite 
unexpected application of this construction. 


An important application of final coalgebras is provided by the principle of coinduction, 
which is one of the fundamental coalgebraic notions. There are two sides to this principle: 
it serves both as an important proof tool and as an elegant means of providing definitions. 
As a definition principle, coinduction is based on the existence of unique homomorphisms 
into the final $Q$-system $\mathbb{Z} = (Z, \zeta)$. For, suppose that we can endow a set $S$ with a
$Q$-coalgebra map $\sigma : S \to QS$, thus obtaining the $Q$-system $\mathbb{S}$. Then there is a unique
function $f_\sigma = {!_\mathbb{S}} : S \to Z$ which is consistent with the coalgebra specification $\sigma$, in the
sense that it is a coalgebraic homomorphism from $(S, \sigma)$ to $\mathbb{Z}$. Thus the function $f_\sigma$ is
defined by coinduction from (the specification) $\sigma$.


EXAMPLE 157. For instance, take the function that merges two streams by taking
elements from either stream in turn. For a coinductive definition of this map, define the
transition map $\mathit{zip} : C^\omega \times C^\omega \to C \times (C^\omega \times C^\omega)$ as follows:

$$\mathit{zip}(u, v) := (h(u), (v, t(u))),$$

where $h$ and $t$ are the head and tail maps of Example 154. Then by finality there is a
unique homomorphism $f_{\mathit{zip}} : C^\omega \times C^\omega \to C^\omega$. One may verify that this indeed defines
the map that zips two streams together.


The previous example is fairly typical in that it uses coinduction to define a function 
from a product of the final system to itself. It should also be noted that coinduction 
works particularly well for structures that combine algebraic and coalgebraic features, 
such as streams of data objects which are subject themselves to algebraic operations. 
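
The coinductive definition of Example 157 can be run directly. The following Python sketch is an added example, not code from the original text: the class `Stream` and the helpers `unfold`, `take`, `counter` and `is_homomorphism_on_prefix` are names assumed here. `unfold` plays the role of the unique homomorphism into the final coalgebra of streams, and `f_zip` is obtained from the transition map `zip_step` alone.

```python
"""Coinductive definition of zip on streams (added example)."""


class Stream:
    """An element of the final (C x I)-coalgebra: a head and a lazily computed tail."""

    def __init__(self, head, tail_thunk):
        self.head = head
        self._thunk = tail_thunk
        self._tail = None

    @property
    def tail(self):
        if self._thunk is not None:      # force the tail once, then cache it
            self._tail = self._thunk()
            self._thunk = None
        return self._tail


def gamma(u):
    """Transition structure of the final coalgebra: split a stream into (head, tail)."""
    return (u.head, u.tail)


def unfold(step, state):
    """The homomorphism into streams induced by a coalgebra map step : S -> C x S."""
    c, nxt = step(state)
    return Stream(c, lambda: unfold(step, nxt))


def zip_step(pair):
    """The transition map of Example 157: zip(u, v) := (h(u), (v, t(u)))."""
    u, v = pair
    return (u.head, (v, u.tail))


def f_zip(u, v):
    """The map defined by coinduction from zip_step."""
    return unfold(zip_step, (u, v))


def take(n, u):
    """The first n observations of a stream, as a finite list."""
    out = []
    for _ in range(n):
        out.append(u.head)
        u = u.tail
    return out


def counter(start, stride):
    """Behavior of a black box machine with integer states: mu(x) = (x, x + stride)."""
    return unfold(lambda x: (x, x + stride), start)


def is_homomorphism_on_prefix(u, v, depth):
    """Check gamma(f_zip(u, v)) = (id x f_zip)(zip_step(u, v)) on a finite prefix."""
    head, tail = gamma(f_zip(u, v))
    c, (u2, v2) = zip_step((u, v))
    return head == c and take(depth, tail) == take(depth, f_zip(u2, v2))


if __name__ == "__main__":
    evens, odds = counter(0, 2), counter(1, 2)
    print(take(8, f_zip(evens, odds)))
```

Only finite prefixes can be compared, so `is_homomorphism_on_prefix` tests the homomorphism square up to a chosen depth rather than proving it.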


Unfortunately, final coalgebras do not exist for every functor $Q$. For instance,
Set-endofunctors involving the power set functor in a nontrivial way will generally not admit
a final coalgebra; in particular, there is no final Kripke frame or model. By Cantor’s
theorem, these results are an immediate consequence of the following proposition, which is
due to Lambek [79].


PROPOSITION 158. Let $Q : \mathsf{C} \to \mathsf{C}$ be some functor admitting a final system $\mathbb{Z} = (Z, \zeta)$.
Then $\zeta$ is an isomorphism (in $\mathsf{C}$) between $Z$ and $QZ$.


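Proof. Suppose that $\mathbb{Z} = (Z, \zeta)$ is the final object of $\mathsf{Coalg}(Q)$. It can easily be
verified that $\zeta$ is in fact a coalgebra homomorphism from $\mathbb{Z}$ to $Q\mathbb{Z} := (QZ, Q\zeta)$. But
then the composition $!_{Q\mathbb{Z}} \circ \zeta$ is a coalgebra homomorphism from $\mathbb{Z}$ to itself, just like
the identity arrow $\mathrm{id}_Z$ on $Z$. Thus by uniqueness it follows that $!_{Q\mathbb{Z}} \circ \zeta = \mathrm{id}_Z$. For
the reverse composition $\zeta \circ {!_{Q\mathbb{Z}}}$ we have, by the fact that $!_{Q\mathbb{Z}}$ is a homomorphism, that
$\zeta \circ {!_{Q\mathbb{Z}}} = Q(!_{Q\mathbb{Z}}) \circ Q\zeta = Q(!_{Q\mathbb{Z}} \circ \zeta) = Q(\mathrm{id}_Z) = \mathrm{id}_{QZ}$. From this the result is immediate. □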


So which functors admit final coalgebras? Some good sufficient conditions are known. 
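DEFINITION 159. Let $Q$ be some set functor, and $\kappa$ some cardinal. Call $Q$ $\kappa$-small if

$$Q(S) = \bigcup \{ (Q\iota)[Q(A)] \mid \iota : A \hookrightarrow S,\ |A| < \kappa \},$$

for all sets $S \neq \emptyset$. $Q$ is small if it is $\kappa$-small for some cardinal $\kappa$.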


In words, the definition requires every element of $Q(S)$ to be in the range of $Q\iota$ for
an appropriate inclusion map $\iota : A \hookrightarrow S$. In case $Q$ is a standard functor (meaning that
$Q$ maps inclusions $\iota : A \hookrightarrow B$ to inclusions $(Q\iota) : QA \hookrightarrow QB$), the definition boils down
to the requirement that $Q(S) = \bigcup \{ Q(A) \mid A \subseteq S, |A| < \kappa \}$. The notion of smallness
is easily seen to be equivalent to the instantiation in Set of the more general notion of
accessibility, and it is also equivalent to the concept of boundedness, cf. Adámek & Porst
[6] for details.

Examples of small functors abound; for instance, whenever we replace, in a Kripke
polynomial functor, the power set functor by a bounded variant such as the finite power
set functor, the result is a small functor. For instance, the finite power set functor $\mathcal{P}_\omega$
is $\omega$-small. The following result, due to Aczel & Mendler [3] and Barr [9], witnesses the
importance of the notion.


FACT 160. Every small set functor admits a final coalgebra. 


As one of the immediate corollaries of this fact, the categories of image finite frames
and image finite models, which can be represented as coalgebras for the functor $\mathcal{P}_\omega$, and
$\mathcal{P}\mathsf{Prop} \times \mathcal{P}_\omega$, respectively, have final objects.


REMARK 161. For Set-based functors that do not admit a final coalgebra, one may 
create a final coalgebra — at least, if one is willing to allow coalgebras with a class 
rather than a set as their carrier. Let SET be the category that has classes as objects,
and set-continuous functions as arrows. These are functions $f : C \to C'$ between classes
with the property that $f(C) = \bigcup \{ f(S) \mid S \subseteq C \text{ and } S \text{ is a set} \}$. An endofunctor $Q$ on
SET is set-based if for each class $C$ and each $c \in Q(C)$ there is a set $S \subseteq C$ such that
$c \in (Q\iota)[Q(S)]$, where $\iota : S \hookrightarrow C$ is the inclusion map. (If the set functor is standard,
this boils down to requiring that $Q$ is a set-continuous map on objects.) Now Aczel
& Mendler [3] proved that every set-based endofunctor $Q : \mathsf{SET} \to \mathsf{SET}$ admits a final
coalgebra. The similarity to Fact 160 is no coincidence: Barr [9] showed that the result
of Aczel & Mendler can in fact be reformulated as Fact 160.

This fact can be used as follows. Given an endofunctor $Q$ on Set, there is a unique
way to extend $Q$ to a set-based endofunctor $Q^+$ on SET. (On objects, simply put
$Q^+(C) := \bigcup \{ (Q\iota)[Q(S)] \mid \iota : S \hookrightarrow C,\ S \text{ a set} \}$.) The theorem of Aczel & Mendler then
guarantees the existence of a final object $\mathbb{Z}$ in $\mathsf{Coalg}(Q^+)$. This coalgebra will be
class-based if $Q$ does not admit a final coalgebra, but it will be final, not only with respect to
the set-based coalgebras in $\mathsf{Coalg}(Q^+)$, but also with respect to the class-based ones. As
an important instance of this idea, Aczel [2] showed that the class of non-well-founded
sets provides the final coalgebra for (the SET-based extension of) the power set functor.


REMARK 162. Whether the functor admits a final coalgebra or not, one may always (try
to) approximate it. The final or terminal sequence associated with a given set functor $Q$
is an ordinal indexed sequence of objects $(Z_\alpha)$ with maps $p^\alpha_\beta : Z_\alpha \to Z_\beta$ for $\beta \le \alpha$, such
that (i) $Z_{\alpha+1} = QZ_\alpha$ and $p^{\alpha+1}_{\beta+1} = Q p^\alpha_\beta$, (ii) $p^\alpha_\alpha = \mathrm{id}_{Z_\alpha}$ and $p^\beta_\gamma \circ p^\alpha_\beta = p^\alpha_\gamma$, (iii) if $\lambda$ is a limit
ordinal, then $Z_\lambda$ with $\{ p^\lambda_\alpha \mid \alpha < \lambda \}$ is a limit of the diagram with objects $\{ Z_\alpha \mid \alpha < \lambda \}$
and arrows $\{ p^\alpha_\beta \mid \alpha, \beta < \lambda \}$. (In particular, taking 0 to be a limit ordinal, we find that
$Z_0 = 1$ is some initial object 1 of the category Set.) It is not hard to prove that, modulo
isomorphism, the final sequence is uniquely determined by these conditions.


Intuitively, it can be seen as an approximation of the final coalgebra for $Q$. That
is, where elements of the final coalgebra represent ‘complete’ behavior, elements of $Z_\alpha$
represent behavior that can be performed in $\alpha$ steps. To make this precise and formal,
observe that for any $Q$-coalgebra $\mathbb{S}$ there is a unique ordinal-indexed class of functions
$!_\alpha : S \to Z_\alpha$ such that $!_0$ is fixed by the finality of $Z_0$ in Set, $!_{\alpha+1} = (Q\,!_\alpha) \circ \sigma$, and for
limit $\lambda$, $!_\lambda$ is given as the unique map $!_\lambda : S \to Z_\lambda$ such that $!_\alpha = p^\lambda_\alpha \circ {!_\lambda}$ for all $\alpha < \lambda$. It
is not hard to prove that, for instance, $\mathbb{S}, s \simeq_Q \mathbb{S}', s'$ implies that $!_\alpha(s) = {!_\alpha}(s')$ for all $\alpha$.

The relation with final coalgebras can be made precise, as follows. On the one hand,
if the final sequence converges, in the sense that some arrow $p^{\alpha+1}_\alpha$ is a bijection, then
the coalgebra $(Z_\alpha, (p^{\alpha+1}_\alpha)^{-1})$ is a final coalgebra for $Q$. And conversely, under some
constraints on $Q$, Adámek & Koubek [5] proved that if $Q$ admits a final coalgebra, then
the final sequence converges to it. More information on the final sequence of set functors
can be found in Worrell [109].


11 BISIMULATION & BEHAVIORAL EQUIVALENCE 


In this section we discuss the most important notions of equivalence between systems: 
behavioral equivalence and bisimulation. Both of these generalize the concept of a
bisimulation between two Kripke models.

Probably the most intuitive notion of equivalence between systems is that of behavioral,
or observational, equivalence. The idea here is to consider two states to be similar if we
cannot distinguish them by observations, because they display the same behavior. For
instance, we call two deterministic automata (pointed $2 \times \mathcal{I}^C$-coalgebras) equivalent if
they recognize the same language. In case the functor $Q$ admits a final coalgebra $\mathbb{Z}$,
this idea is easily formalized by making state $s_0$ in coalgebra $\mathbb{S}_0$ equivalent to state $s_1$ in
coalgebra $\mathbb{S}_1$ if $!_{\mathbb{S}_0}(s_0) = {!_{\mathbb{S}_1}}(s_1)$. In case the functor does not admit a final coalgebra, we
generalize this demand as follows.


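DEFINITION 163. Let $\mathbb{S} = (S, \sigma)$ and $\mathbb{S}' = (S', \sigma')$ be two systems for the set functor
$Q$. Then $s \in S$ and $s' \in S'$ are behaviorally equivalent, notation: $\mathbb{S}, s \simeq_Q \mathbb{S}', s'$, if there
is a $Q$-system $\mathbb{X} = (X, \xi)$ and homomorphisms $f : \mathbb{S} \to \mathbb{X}$ and $f' : \mathbb{S}' \to \mathbb{X}$ such that
$f(s) = f'(s')$.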

REMARK 164. It is easily checked that in case $Q$ admits a final coalgebra, then indeed
$\mathbb{S}, s \simeq_Q \mathbb{S}', s'$ iff $!_\mathbb{S}(s) = {!_{\mathbb{S}'}}(s')$. In the case that $Q$ does not admit a final coalgebra,
then one may show that behavioral equivalence is captured in the same way by the final
coalgebra of the extension $Q^+$ of $Q$ to the category SET, see Remark 161.


REMARK 165. As a variation of behavioral equivalence, the final sequence can be used
to study behavior, in a way that is not unlike modal logic. For instance, call two pointed
$Q$-systems $(\mathbb{S}, s)$ and $(\mathbb{S}', s')$ $\alpha$-equivalent if $!_\alpha(s) = {!_\alpha}(s')$. In the case of Kripke models,
this notion coincides with that of bounded bisimilarity, see Chapter 5 of this volume.
One may prove that behavioral equivalence itself coincides with the intersection of
$\alpha$-equivalence for all ordinals $\alpha$.


In almost all cases of interest, behavioral equivalence can be characterized via the 
equally fundamental concept of bisimilarity, which is due to Aczel & Mendler [3]. The 
definition of bisimilarity and bisimulations may not be so intuitive at first sight, but, as 
we will see, these notions have some rather elegant mathematical properties. 


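DEFINITION 166. Let $\mathbb{S} = (S, \sigma)$ and $\mathbb{S}' = (S', \sigma')$ be two systems for the set functor
$Q$. A relation $B \subseteq S \times S'$ is called a bisimulation between $\mathbb{S}$ and $\mathbb{S}'$, if we can endow it
with a coalgebra map $\beta : B \to QB$, in such a way that the two projections $\pi : B \to S$
and $\pi' : B \to S'$ are homomorphisms from $(B, \beta)$ to $\mathbb{S}$ and $\mathbb{S}'$, respectively:

$$\begin{array}{ccccc}
S & \xleftarrow{\ \pi\ } & B & \xrightarrow{\ \pi'\ } & S' \\
\downarrow{\scriptstyle\sigma} & & \downarrow{\scriptstyle\beta} & & \downarrow{\scriptstyle\sigma'} \\
QS & \xleftarrow{\ Q\pi\ } & QB & \xrightarrow{\ Q\pi'\ } & QS'
\end{array}$$

If there exists a bisimulation $B$ with $(s, s') \in B$, we say that $s$ and $s'$ are bisimilar,
notation: $\mathbb{S}, s \mathrel{\underline{\leftrightarrow}} \mathbb{S}', s'$ (or $B : \mathbb{S}, s \mathrel{\underline{\leftrightarrow}} \mathbb{S}', s'$ in case we want to make the bisimulation $B$
explicit).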

Finally, if S = S’ we say that B is a bisimulation on S; if this B happens to be an 
equivalence relation, we call it a bisimulation equivalence on S. 


REMARK 167. Intuitively, bisimulation equivalences correspond to congruences in
universal algebra. To make this analogy somewhat more precise, call a relation $R \subseteq A_0 \times A_1$,
linking the carrier sets of two $Q$-algebras $\mathbb{A}_0$ and $\mathbb{A}_1$, substitutive if there exists an
algebraic structure $\rho : QR \to R$, such that the two projections $\pi_i : R \to A_i$ are (algebraic)
homomorphisms. This is clearly an algebraic analogue (rather than a dual version) of a
bisimulation, so that the correspondence between congruences and bisimulation
equivalences obtains through the observation that a congruence is nothing but a substitutive
equivalence relation.


EXAMPLE 168. Let $\mathbb{S}_0 = (S_0, \sigma_0)$ and $\mathbb{S}_1 = (S_1, \sigma_1)$ be two coalgebras over the functor
$\mathcal{P}\mathsf{Prop} \times \mathcal{P}$. That is, $\mathbb{S}_0$ and $\mathbb{S}_1$ are Kripke models in coalgebraic shape; write $\sigma_i(s) =
(\lambda_i(s), R_i[s])$, where $\lambda_i(s)$ is the collection of proposition letters true at $s$ in $\mathbb{S}_i$, and $R_i[s]$
is the successor set of $s$ in $\mathbb{S}_i$, as in the examples 143 and 149. Now consider an arbitrary
relation $B \subseteq S_0 \times S_1$. It is a very instructive exercise to check that $B$ is a bisimulation
in the coalgebraic sense if and only if it is a bisimulation in the sense of Kripke models.
Recall that the latter property means that for any pair $(s_0, s_1) \in B$:


(atom) $p \in \lambda_0(s_0)$ iff $p \in \lambda_1(s_1)$, for all $p \in \mathsf{Prop}$;
(forth) for all $t_0 \in R_0[s_0]$ there is some $t_1 \in R_1[s_1]$ with $(t_0, t_1) \in B$;
(back) for all $t_1 \in R_1[s_1]$ there is some $t_0 \in R_0[s_0]$ with $(t_0, t_1) \in B$.


One way to prove this equivalence uses the fact that bounded morphisms coincide with 
coalgebra morphisms, cf. Example 149. Details are left to the reader. 


EXAMPLE 169. Recall from Example 142 that deterministic automata over an alphabet
$C$ can be represented as $2 \times \mathcal{I}^C$-coalgebras. Now let $\mathbb{A} = (A, o, v)$ and $\mathbb{A}' = (A', o', v')$
be two such automata. We leave it for the reader to verify that $B \subseteq A \times A'$ is a
bisimulation between $\mathbb{A}$ and $\mathbb{A}'$ iff every pair $(s, s') \in B$ satisfies (i) $o(s) = o'(s')$ and (ii)
$(v(s)(c), v'(s')(c)) \in B$ for every $c \in C$. In this case it is easy to see that bisimilar states
are also behaviorally equivalent.


EXAMPLE 170. For an arbitrary set functor $Q$, it is easy to see that for any coalgebra
$\mathbb{S}$, the diagonal relation $\Delta_S$ is a bisimulation equivalence on $\mathbb{S}$. Furthermore, the converse
of a bisimulation is again a bisimulation. However, the collection of bisimulations is not 
in general closed under taking relational composition. 

Finally, homomorphisms can be seen as functional bisimulations. To be more precise,
let $f : S_0 \to S_1$ be a function between the carriers of two $Q$-coalgebras $\mathbb{S}_0$ and $\mathbb{S}_1$. Recall
that the graph of $f$ is the relation $G_f := \{ (s, f(s)) \mid s \in S_0 \}$. Then it holds that


$f$ is a coalgebraic homomorphism iff its graph is a bisimulation. (42)


In order to see why this is so, first suppose that $G_f : \mathbb{S}_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1$. Since the projection map
$\pi_0 : G_f \to S_0$ is a bijective homomorphism, its inverse $\pi_0^{-1}$ is also a homomorphism. But
then $f = \pi_1 \circ \pi_0^{-1}$, as the composition of two homomorphisms, is also a homomorphism.
For the other direction, suppose that $f$ is a homomorphism; then it is straightforward
to verify that the map $(Q\pi_0)^{-1} \circ \sigma_0 \circ \pi_0$ equips the set $G_f$ with the required coalgebraic
structure.


Bisimulations admit an elegant alternative characterization which involves the notion
of relation lifting. As an example, consider the power set functor $\mathcal{P}$. Recall that $B \subseteq
S_0 \times S_1$ is a bisimulation between $\mathbb{S}_0 = (S_0, R_0[\cdot])$ and $\mathbb{S}_1 = (S_1, R_1[\cdot])$ iff $B$ satisfies
the conditions (back) and (forth) of Example 168. Now suppose that we define, for an
arbitrary relation $R \subseteq S_0 \times S_1$, the relation $\overline{\mathcal{P}}(R) \subseteq \mathcal{P}(S_0) \times \mathcal{P}(S_1)$ by putting

$$\overline{\mathcal{P}}(R) := \{ (Q_0, Q_1) \mid \forall q_0 \in Q_0\, \exists q_1 \in Q_1.\ (q_0, q_1) \in R \text{ and } \forall q_1 \in Q_1\, \exists q_0 \in Q_0.\ (q_0, q_1) \in R \}. \qquad (43)$$

In other words, we lift the relation $R$ to the level of the power sets of $S_0$ and $S_1$. The
definition of a bisimulation between $\mathcal{P}$-coalgebras can now be nicely characterized as
follows:

$$B : \mathbb{S}_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1 \text{ iff } (R_0[s_0], R_1[s_1]) \in \overline{\mathcal{P}}(B) \text{ for all } (s_0, s_1) \in B.$$


This nice way of characterizing bisimulation via relation lifting is not limited to the power 
set functor — it applies in fact to every set functor. 


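DEFINITION 171. Let $\mathbb{S}_0$ and $\mathbb{S}_1$ be two coalgebras for some set functor $Q$. Given
a relation $R \subseteq S_0 \times S_1$, consider the following diagram, where $\pi_i : R \to S_i$ and $p_i :
QS_0 \times QS_1 \to QS_i$ denote the projection maps.

$$\begin{array}{ccccc}
S_0 & \xleftarrow{\ \pi_0\ } & R & \xrightarrow{\ \pi_1\ } & S_1 \\
\downarrow{\scriptstyle\sigma_0} & & & & \downarrow{\scriptstyle\sigma_1} \\
QS_0 & \xleftarrow{\ Q\pi_0\ } & QR & \xrightarrow{\ Q\pi_1\ } & QS_1 \\
 & {\scriptstyle p_0}\nwarrow & \downarrow{\scriptstyle p_R} & \nearrow{\scriptstyle p_1} & \\
 & & QS_0 \times QS_1 & &
\end{array}$$

It follows from the category theoretic properties of the product $QS_0 \times QS_1$ that there
is a unique map $p_R = (Q\pi_0, Q\pi_1)$ from $QR$ to $QS_0 \times QS_1$ such that $p_i \circ p_R = Q\pi_i$ for
$i = 0, 1$. We define the relation lifting of $R$ as the relation

$$\overline{Q}R := \{ ((Q\pi_0)(u), (Q\pi_1)(u)) \mid u \in QR \}, \qquad (44)$$

that is, $\overline{Q}R$ is the image of $QR$ under $p_R$.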


The results listed in the following theorem, which summarize the most important 
properties of bisimulations, basically date back to Aczel & Mendler [3]. 


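THEOREM 172. Let $\mathbb{S}_0$ and $\mathbb{S}_1$ be two coalgebras for some set functor $Q$.

1. $B : \mathbb{S}_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1$ iff $(\sigma_0(s_0), \sigma_1(s_1)) \in \overline{Q}(B)$ for all $(s_0, s_1) \in B$.


2. The collection of bisimulations between $\mathbb{S}_0$ and $\mathbb{S}_1$ forms a complete lattice under
the inclusion order, with joins given by unions.


3. The bisimilarity relation $\mathrel{\underline{\leftrightarrow}}$ is the largest bisimulation between $\mathbb{S}_0$ and $\mathbb{S}_1$.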

Proof. The first part of the theorem is an almost immediate consequence of the
definitions, so we leave the details to the reader.
The crucial observation in the proof of the other two parts is that

$$\overline{Q} : \mathcal{P}(S_0 \times S_1) \to \mathcal{P}(QS_0 \times QS_1) \text{ is a monotone operation.} \qquad (45)$$

For a proof, let $R \subseteq R'$ be two relations between $S_0$ and $S_1$, with $\iota : R \hookrightarrow R'$ denoting
the inclusion map. By definition of $\overline{Q}$, we may without loss of generality represent an
arbitrary element of $\overline{Q}(R)$ as a pair $p_R(u) = ((Q\pi_0)(u), (Q\pi_1)(u))$ for some $u \in QR$.
Define $u' := (Q\iota)(u)$, then $u'$ belongs to $QR'$, and for each $i$ we find that $(Q\pi'_i)(u') =
(Q\pi'_i \circ Q\iota)(u) = (Q(\pi'_i \circ \iota))(u) = (Q\pi_i)(u)$. That is, $p_R(u) = p_{R'}(u')$, which shows that
$p_R(u)$ belongs to $\overline{Q}R'$. This proves (45).

Now for the proof of part 2, recall that a partial order is a complete lattice if it is
closed under arbitrary joins. Hence, it suffices to prove that the union $B$ of a collection
$\{ B_j \mid j \in J \}$ of bisimulations is again a bisimulation. Take an arbitrary pair $(s_0, s_1) \in B$.
Then $(s_0, s_1)$ belongs to $B_j$ for some $j \in J$. Hence, by part 1, we find $(s_0, s_1)$ in $\overline{Q}(B_j)$,
so $(s_0, s_1) \in \overline{Q}(B)$ by the monotonicity of $\overline{Q}$. But then $B$ is a bisimulation by part 1.

Finally, for part 3, note that it is an immediate consequence of part 2 that $\mathrel{\underline{\leftrightarrow}}$, being the
union of all bisimulations between $\mathbb{S}_0$ and $\mathbb{S}_1$, is a bisimulation itself. Hence, by definition,
it is the greatest bisimulation between $\mathbb{S}_0$ and $\mathbb{S}_1$. In fact, it follows by the Knaster-Tarski
theorem (on fixed points of monotone operations on complete lattices), that $\mathrel{\underline{\leftrightarrow}}$ is in fact
the greatest fixed point of the map $\lambda : R \mapsto \{ (s_0, s_1) \mid (\sigma_0(s_0), \sigma_1(s_1)) \in \overline{Q}(R) \}$. □
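
For finite Kripke models the greatest fixed point of Theorem 172 can be computed by iterating the monotone map downwards from the full relation. The following Python sketch is an added example, not part of the original text: it assumes models encoded as dictionaries mapping a state to the pair (true proposition letters, successor set), instantiates the relation lifting for the functor of Example 168 using (43), and uses two constructed sample models `M0` and `M1`.

```python
"""Largest bisimulation between finite Kripke models as a greatest fixed point (added example)."""


def lift_powerset(R, Q0, Q1):
    """(Q0, Q1) is in the lifting (43): each q0 has an R-partner in Q1, and vice versa."""
    forth = all(any((q0, q1) in R for q1 in Q1) for q0 in Q0)
    back = all(any((q0, q1) in R for q0 in Q0) for q1 in Q1)
    return forth and back


def lift(R, x0, x1):
    """Lifting for PProp x P: the constant part lifts to equality, the P part by (43)."""
    (props0, succ0), (props1, succ1) = x0, x1
    return props0 == props1 and lift_powerset(R, succ0, succ1)


def step(R, sigma0, sigma1):
    """The monotone map sending R to {(s0, s1) | (sigma0(s0), sigma1(s1)) in lifted R}."""
    return {(s0, s1) for s0 in sigma0 for s1 in sigma1
            if lift(R, sigma0[s0], sigma1[s1])}


def is_bisimulation(B, sigma0, sigma1):
    """Theorem 172(1): B is a bisimulation iff B is contained in step(B)."""
    B = set(B)
    return B <= step(B, sigma0, sigma1)


def bisimilarity(sigma0, sigma1):
    """Theorem 172(3): greatest fixed point of step, reached by iterating from the top."""
    R = {(s0, s1) for s0 in sigma0 for s1 in sigma1}
    while True:
        nxt = step(R, sigma0, sigma1)
        if nxt == R:
            return R
        R = nxt


def state(props, succ):
    """Helper for the sample data: one value sigma(s) = (lambda(s), R[s])."""
    return (frozenset(props), frozenset(succ))


# Constructed sample models: M0 is a two-state cycle alternating p and not-p;
# M1 unravels that cycle differently and adds a dead-end p-state "d".
M0 = {"a": state({"p"}, {"b"}), "b": state(set(), {"a"})}
M1 = {
    "x": state({"p"}, {"y"}),
    "y": state(set(), {"z"}),
    "z": state({"p"}, {"y", "w"}),
    "w": state(set(), {"x"}),
    "d": state({"p"}, set()),
}

if __name__ == "__main__":
    print(sorted(bisimilarity(M0, M1)))
```

On these models the relation {(a, x), (b, y)} is not a bisimulation, because the successor z of y has no partner; the iteration returns the four pairs linking a with x and z, and b with y and w.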


In the case of Kripke polynomial functors, relation lifting can be characterized using 
induction on the construction of the functor, cf. Jacobs [63]. 


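PROPOSITION 173. Let $S$ and $S'$ be two sets, and $R \subseteq S \times S'$ a binary relation between
$S$ and $S'$. Then the following induction defines the relation lifting $\overline{K}(R) \subseteq KS \times KS'$,
for each Kripke polynomial functor $K$:

$$\begin{aligned}
\overline{\mathcal{I}}(R) &:= R, \\
\overline{C}(R) &:= \Delta_C, \\
\overline{K_0 \times K_1}(R) &:= \{ ((x_0, x_1), (x'_0, x'_1)) \mid (x_0, x'_0) \in \overline{K_0}(R) \text{ and } (x_1, x'_1) \in \overline{K_1}(R) \}, \\
\overline{K_0 + K_1}(R) &:= \{ (\kappa_0 x_0, \kappa_0 x'_0) \mid (x_0, x'_0) \in \overline{K_0}(R) \} \cup \{ (\kappa_1 x_1, \kappa_1 x'_1) \mid (x_1, x'_1) \in \overline{K_1}(R) \}, \\
\overline{K^D}(R) &:= \{ (f, f') \mid (f(d), f'(d)) \in \overline{K}(R) \text{ for all } d \in D \}, \\
\overline{\mathcal{P}K}(R) &:= \{ (Q, Q') \mid \forall q \in Q\, \exists q' \in Q'.\ (q, q') \in \overline{K}(R) \text{ and } \forall q' \in Q'\, \exists q \in Q.\ (q, q') \in \overline{K}(R) \}.
\end{aligned}$$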


Now that we have defined these two notions of equivalence between coalgebras, the 
obvious question is how they relate to each other. One direction is clear: bisimilarity is 
a sufficient condition for behavioral equivalence. 


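PROPOSITION 174. Let $Q : \mathsf{Set} \to \mathsf{Set}$ be some functor, and let $s_0$ and $s_1$ be states of
the $Q$-coalgebras $\mathbb{S}_0$ and $\mathbb{S}_1$, respectively. Then $\mathbb{S}_0, s_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1, s_1$ implies $\mathbb{S}_0, s_0 \simeq_Q \mathbb{S}_1, s_1$.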


Proof. The proof of this proposition is, in the general case, similar to the one of
Theorem 177 below (with an application of pushouts instead of pullbacks), so we omit
details.

In the special case that $Q$ admits a final coalgebra, a very simple proof obtains. Assume
that $B : \mathbb{S}_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1$, and let $\beta : B \to QB$ be a coalgebra map witnessing this. It follows
from the definitions that both $!_{\mathbb{S}_0} \circ \pi_0$ and $!_{\mathbb{S}_1} \circ \pi_1$ are coalgebraic homomorphisms from
$(B, \beta)$ to the final coalgebra, so from finality it follows that $!_{\mathbb{S}_0} \circ \pi_0 = {!_{\mathbb{S}_1}} \circ \pi_1$. From this
it is immediate that $B \subseteq {\simeq_Q}$. Hence in particular, since $\mathrel{\underline{\leftrightarrow}}$ is itself a bisimulation, we
see that ${\mathrel{\underline{\leftrightarrow}}} \subseteq {\simeq_Q}$. □


In general however, bisimilarity is a strictly stronger notion than behavioral
equivalence. For instance, the two notions do not coincide in the case of monotone neighborhood
frames (coalgebras for the functor Up of Example 144). The reader is referred to Hansen 
& Kupke [55] for details. Here we just mention that behavioral equivalence, which for 
monotone neighborhood frames is formulated exactly like the topobisimilarity defined in 
Chapter 1 of this volume, seems to be the more natural notion. 

For a constraint on the functor that guarantees the two notions to coincide, consider 
the following. 


DEFINITION 175. A weak pullback of two arrows $f_0 : A_0 \to B$, $f_1 : A_1 \to B$ in a category $\mathsf{C}$
is a pair of arrows $p_0 : W \to A_0$, $p_1 : W \to A_1$ such that (i) $f_0 \circ p_0 = f_1 \circ p_1$, while (ii) for
every pair $p'_0 : W' \to A_0$, $p'_1 : W' \to A_1$ that also satisfies $f_0 \circ p'_0 = f_1 \circ p'_1$, there is a
mediating arrow $w' : W' \to W$ such that $p_0 \circ w' = p'_0$ and $p_1 \circ w' = p'_1$.

A functor $Q : \mathsf{C} \to \mathsf{C}'$ preserves weak pullbacks if for any weak pullback $(p_0, p_1)$ of any
$(f_0, f_1)$ in $\mathsf{C}$, the pair $(Qp_0, Qp_1)$ is a weak pullback of $(Qf_0, Qf_1)$ in $\mathsf{C}'$.

Note that the mediating arrow $w'$ need not be unique: adding this requirement to the
definition would give the more familiar, and stronger, notion of a pullback. The category
Set has pullbacks: for $f_0 : A_0 \to B$ and $f_1 : A_1 \to B$, we can take the projections to $A_0$
and $A_1$ from the set $\mathit{pb}(f_0, f_1) := \{ (a_0, a_1) \in A_0 \times A_1 \mid f_0(a_0) = f_1(a_1) \}$.

Many but not all endofunctors on Set in fact preserve weak pullbacks. 


PROPOSITION 176. All polynomial functors preserve pullbacks, and all Kripke
polynomial functors preserve weak pullbacks.


This prima facie rather exotic property is of great importance in the theory of universal 
coalgebra. The main reason for this is that $Q$ preserving weak pullbacks is equivalent to
$\overline{Q}$ commuting with relational composition, that is, satisfying $\overline{Q}(R \circ R') = \overline{Q}(R) \circ \overline{Q}(R')$.
In fact, one may show that any set functor $Q$ preserves weak pullbacks if and only if $\overline{Q}$
is an endofunctor on the category with sets as objects and binary relations as arrows.
This result is often attributed to Carboni, Kelly & Wood [19], but it already follows 
from earlier work by Trnková [104, 105] and Barr [10]. In any case, the importance of 
the notion in the theory of coalgebras lies in the results from Rutten [97] that are given 
in the next theorem. 


THEOREM 177. Assume that the functor $Q : \mathsf{Set} \to \mathsf{Set}$ preserves weak pullbacks. Then
the collection of bisimulations is closed under taking relational composition, and the
notions of bisimilarity and behavioral equivalence coincide.

Proof. We leave the proof of the first statement as an exercise for the reader, and
concentrate on the second statement. Let $s_0$ and $s_1$ be states of the $Q$-coalgebras $\mathbb{S}_0$ and
$\mathbb{S}_1$, respectively. We need to prove that $\mathbb{S}_0, s_0 \mathrel{\underline{\leftrightarrow}} \mathbb{S}_1, s_1$ iff $\mathbb{S}_0, s_0 \simeq_Q \mathbb{S}_1, s_1$. Because of
Proposition 174 it suffices to prove the direction from right to left.

Let $f_0 : \mathbb{S}_0 \to \mathbb{X}$ and $f_1 : \mathbb{S}_1 \to \mathbb{X}$ be two homomorphisms such that $f_0(s_0) = f_1(s_1)$.
Then in Set, the set $B := \{ (s_0, s_1) \in S_0 \times S_1 \mid f_0(s_0) = f_1(s_1) \}$, together with the
projection functions $\pi_0 : B \to S_0$ and $\pi_1 : B \to S_1$ constitutes a pullback of $f_0$ and $f_1$,
cf. the square in the foreground of the picture. Because $Q$ preserves weak pullbacks, the
diagram in the background of the picture is a weak pullback diagram in Set.


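[Picture: the pullback square of $f_0$ and $f_1$ with objects $B$, $S_0$, $S_1$, $X$ in the foreground, and its image under $Q$ with objects $QB$, $QS_0$, $QS_1$, $QX$ in the background.]

Now consider the two arrows $\sigma_i \circ \pi_i : B \to Q(S_i)$. First observe that $Qf_i \circ \sigma_i = \xi \circ f_i$
for each $i$, because each $f_i$ is a coalgebra homomorphism. Hence, chasing the diagram we find that

$$Qf_0 \circ \sigma_0 \circ \pi_0 = \xi \circ f_0 \circ \pi_0 = \xi \circ f_1 \circ \pi_1 = Qf_1 \circ \sigma_1 \circ \pi_1.$$

Since $Q\pi_0$ and $Q\pi_1$ form a weak pullback of $Qf_0$ and $Qf_1$, this implies the existence of a
mediating function $\beta : B \to QB$ such that $Q\pi_i \circ \beta = \sigma_i \circ \pi_i$. In other words,
$\mathbb{B} := (B, \beta)$ is a $Q$-coalgebra, and the projection maps $\pi_0$ and $\pi_1$ are homomorphisms
from $\mathbb{B}$ to $\mathbb{S}_0$ and $\mathbb{S}_1$, respectively. □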


We finish the section with a brief discussion of coinduction as a coalgebraic proof 
principle. This principle states, for a system $\mathbb{S}$, that ${\mathrel{\underline{\leftrightarrow}}} \subseteq \Delta_S$; or equivalently, that every
bisimulation is a subset of the diagonal $\Delta_S$. The importance of this principle is that,
when applicable to $\mathbb{S}$, in order to prove the identity of two states in $\mathbb{S}$, it suffices to show
that they are linked by some bisimulation. It is not hard to prove that final coalgebras,
if existing, satisfy the principle of coinduction. This principle has surprisingly powerful
applications. For instance, since the class of non-well-founded sets is (in $\mathsf{Coalg}(\mathcal{P}^+)$,
cf. Remark 161) the final coalgebra of the power set functor, bisimilarity may serve as
a notion of identity between sets, see Aczel [2]. As a second example, Rutten [96] is a 
presentation of the theory of deterministic automata and (regular) languages in which 
coinduction on the final coalgebra of Example 155 is the basic proof principle. 


12 COVARIETIES 


What is the coalgebraic analog of a variety? In other words, what are natural closure 
operations on classes of coalgebras? We start with homomorphic images. 


DEFINITION 178. Let $Q$ be some endofunctor on Set. If $\varphi : \mathbb{A} \to \mathbb{B}$ is a surjective
homomorphism between the $Q$-coalgebras $\mathbb{A}$ and $\mathbb{B}$, then we say that $\mathbb{B}$ is a homomorphic
image of $\mathbb{A}$.


In universal algebra, one finds a one-one correspondence between homomorphic images 
and congruences. Something similar applies here, but the analogy is perfect only in the 
case of functors that preserve weak pullbacks. 




PROPOSITION 179. Let $\mathbb{S} = (S, \sigma)$ be a $Q$-coalgebra for some set functor $Q$. Then


1. Given a bisimulation equivalence $E$ on $\mathbb{S}$, there is a unique coalgebra structure $\sigma'$
on $S/E$ such that the quotient map $\nu : S \to S/E$ is a homomorphism.


2. If $Q$ preserves weak pullbacks, then $\ker(\varphi)$ is a bisimulation equivalence for any
homomorphism $\varphi : \mathbb{S} \to \mathbb{S}'$.


Proof. For part 1, the coalgebra map $\sigma'$ can be defined by putting $\sigma'([s]_E) := (Q\nu \circ \sigma)(s)$.
Further proof details can be found in Rutten [97]. For the second part of the proposition,
observe that $\ker(\varphi)$ is the relational composition of the graph of $\varphi$ with its converse. The
result then follows from Theorem 177. □


The next class operation that we consider is that of taking subcoalgebras. 


DEFINITION 180. Let $\mathbb{A} = (A, \alpha)$ and $\mathbb{S} = (S, \sigma)$ be two $Q$-coalgebras, such that $S$
is a subset of $A$. If the inclusion map $\iota : S \to A$ is a homomorphism from $(S, \sigma)$ to
$(A, \alpha)$, then we say that $S$ is open with respect to $\mathbb{A}$, and we call the structure $(S, \alpha{\restriction}_S)$
a subcoalgebra of $\mathbb{A}$.


Interestingly enough, the transition map of a subcoalgebra is completely determined 
by the underlying open set: 


PROPOSITION 181. Let $\mathbb{S}_0 = (S, \sigma_0)$ and $\mathbb{S}_1 = (S, \sigma_1)$ be two subcoalgebras of the
coalgebra $\mathbb{A}$. Then $\sigma_0 = \sigma_1$.


Proof. The case of $S$ being empty is trivial, so suppose otherwise. Then from the
assumption that $\mathbb{S}_0$ and $\mathbb{S}_1$ are subcoalgebras of $\mathbb{A}$, we may infer that $(Q\iota) \circ \sigma_0 = \alpha \circ \iota =
(Q\iota) \circ \sigma_1$, where $\iota$ is the inclusion map of $S$ into $A$. It follows from the functoriality of $Q$
that $Q\iota$ is an injection, so that we may conclude that $\sigma_0 = \sigma_1$. □


Some further observations concerning subcoalgebras are in order. First of all, the 
topological terminology is justified by the following proposition. 


PROPOSITION 182. Given a coalgebra $\mathbb{A}$ for some set functor $Q$, the collection $\tau_\mathbb{A}$ of
$\mathbb{A}$-open sets forms a topology.


Proof. Closure of $\tau_\mathbb{A}$ under taking (arbitrary) unions follows from Theorem 172, together
with the observation that

$$S \subseteq A \text{ is open with respect to } \mathbb{A} \text{ iff } \Delta_S \text{ is a bisimulation on } \mathbb{A}, \qquad (46)$$

which in its turn is an immediate consequence of (42). We skip the proof of the fact that
the intersection of two opens is open, since it requires a little more work. We refer the
reader to Gumm & Schröder [54] for the details. □


It follows from the Proposition above that, given a subset $S$ of (the carrier of) a
coalgebra $\mathbb{A}$, there is a largest subcoalgebra of $\mathbb{A}$ (of which the carrier is) contained
in $S$: its universe is given as the union of all open subsets of $S$. It also follows from
Proposition 182 that the collection $\tau_\mathbb{A}$ of open subsets of $\mathbb{A}$ forms a complete lattice
under set inclusion. Hence, given a subset $S$ of $A$, there is an open set $U \subseteq A$ which is
the meet of the collection $\{ Q \in \tau_\mathbb{A} \mid S \subseteq Q \}$. However, there is no guarantee that $U$ is
also the intersection of this collection, or, indeed, that $S$ is actually a subset of $U$. Thus
we may not in general speak of the smallest subcoalgebra containing a given subset, as
the following example from Gumm [50] witnesses.


EXAMPLE 183. Consider the standard Euclidean topology on the real numbers, seen 
as a coalgebra for the filter functor Fy, cf. Example 144. One can show that a set S
of reals is open in the topological sense iff it is open in the sense of Definition 180 — 
in fact, this holds for any topology. Now take an arbitrary point $r$ in $\mathbb{R}$. Obviously, we
have that the meet of all open neighborhoods containing $r$ is the empty set.


Before we turn to further coalgebraic constructions, consider the following natural link 
between homomorphic images and subcoalgebras. 


PROPOSITION 184. Given a coalgebraic homomorphism $\varphi : \mathbb{A} \to \mathbb{B}$, there is a (unique)
subcoalgebra $\varphi[\mathbb{A}]$ of $\mathbb{B}$ such that $\varphi : \mathbb{A} \to \varphi[\mathbb{A}]$ is a surjective homomorphism.


Proof. For a proof of this proposition, let $S := \varphi[A]$ be the (set-theoretic) image of $A$
under $\varphi$, and let $f : S \to A$ be a right inverse of $\varphi$, that is, $\varphi(f(s)) = s$ for all $s \in S$.
Now define $\sigma : S \to QS$ by $\sigma := Q\varphi \circ \alpha \circ f$. It can be shown that the resulting structure
$\mathbb{S}$ is always a subcoalgebra of $\mathbb{B}$, and that $\varphi : \mathbb{A} \to \mathbb{S}$ is a surjective homomorphism; for
details the reader is referred to Rutten [97]. □


Our last example of a coalgebraic construction concerns the straightforward
generalization of the disjoint union of Kripke models and frames. The idea is as follows.
Recall that in Set, a concrete representation of the coproduct of a collection $\{ A_i \mid i \in I \}$
of sets is given by the disjoint union $\biguplus_I A_i$, together with the inclusions/embeddings
$e_i : A_i \to \biguplus_I A_i$. Hence, the defining property of coproducts provides the key ingredient
of the coalgebraic notion of a coproduct, or sum of a family of coalgebras.


DEFINITION 185. The sum $\coprod_I \mathbb{A}_i$ of a family $\{ \mathbb{A}_i \mid i \in I \}$ of coalgebras for some set
functor $Q$, is defined by endowing the disjoint union $A := \biguplus_I A_i$ with the unique map
$\alpha : A \to QA$ which turns all embeddings $e_i : A_i \to A$ into homomorphisms.


We have now gathered all the basic class operations needed to define the notion of a 
covariety, which was introduced in Rutten [97] as the natural dual of a variety in universal 
algebra. 


DEFINITION 186. Let $Q$ be some endofunctor on Set. A class of $Q$-coalgebras is a
covariety if it is closed under taking homomorphic images, subcoalgebras and sums. The
smallest covariety containing a class $\mathsf{K}$ of $Q$-coalgebras is called the covariety generated
by $\mathsf{K}$, notation: $\mathsf{Covar}(\mathsf{K})$.

As in the case of universal algebra, in order to obtain a more succinct characterization
of the covariety generated by a class of coalgebras, one may develop a calculus of class
operations.

DEFINITION 187. Let $H$, $S$ and $\Sigma$ denote the class operations of taking (isomorphic
copies of) homomorphic images, subcoalgebras, and sums, respectively.

On the basis of these (and other) operations one may investigate the validity of
‘inequalities’ like $HS \le SH$ (meaning that $HS(\mathsf{K}) \subseteq SH(\mathsf{K})$ for all classes $\mathsf{K}$ of coalgebras).
Results of this kind lead to the following coalgebraic analog of Tarski’s HSP-theorem
in universal algebra, due to Gumm & Schröder [53].

THEOREM 188. Let $\mathsf{K}$ be a class of $Q$-coalgebras for some set functor $Q$. Then

$$\mathsf{Covar}(\mathsf{K}) = SH\Sigma(\mathsf{K}).$$

Proof. It is straightforward to prove the theorem on the basis of the idempotency of the
class operations $H$, $S$ and $\Sigma$, together with the following three ‘inequalities’: $HS \le SH$,
$\Sigma S \le S\Sigma$, and $\Sigma H \le H\Sigma$. For proofs of these (and more) inequalities, the reader is
referred to Gumm & Schröder [53]. □


As in the case of varieties, one may wonder about the basic building blocks of varieties. 
Dualizing the notion of subdirect irreducibility, we arrive at the following definition. It 
uses the notion of a conjunct sum, which is known, in the case of Kripke frames, under 
the name of bounded union. 


DEFINITION 189. Let $\mathbb{A}$ be some $\Omega$-coalgebra for some set functor $\Omega$. A conjunct 
representation of $\mathbb{A}$ by a family $\{\mathbb{A}_i \mid i \in I\}$ of coalgebras is a family of embeddings 
$\{e_i : \mathbb{A}_i \to \mathbb{A} \mid i \in I\}$ such that $A = \bigcup_{i \in I} e_i[A_i]$. In this case we call $\mathbb{A}$ a conjunct 
sum of the $\mathbb{A}_i$. A coalgebra $\mathbb{A}$ is called conjunctly irreducible if each of its conjunct 
representations is trivial in the sense that one of the embeddings is an isomorphism. 


Covarieties are easily seen to be closed under taking conjunct sums — we will use this 
fact without further notice. 

Given the results on dualizing the notion of subdirect irreducibility in section 5, in 
particular, Theorem 68, one would expect that conjunct irreducibility can be explained in 
terms of roots. Call a state s of a system S a root of S if S itself is the only subcoalgebra 
of S that contains s. It is then fairly easy to prove that a coalgebra is conjunctly 
irreducible if and only if it has a root. However, Gumm [50] proves that there is no 
analog of Birkhoff’s s.i. theorem here, at least not for an arbitrary functor. For instance, 
expanding Example 183, one easily shows that a topological coalgebra will generally not 
be a conjunct sum of rooted coalgebras. 


13 MODAL LOGIC AND COALGEBRAS 


If coalgebras are mathematical structures that represent the essence of dynamics, then 
there is an obvious need for logics to represent and reason about properties of such 
structures. This is of particular importance for computer scientists who are interested 
in the formal specification and verification of the behavior of a system. The kind of 
properties that one wants to describe formally may differ from one application to another, 
but it seems natural to restrict attention to properties that are invariant under behavioral 
equivalence. Moss [11, 86] was the first to realize that such properties can be conveniently 
formalized in a version of modal logic, properly generalized from Kripke structures to 
systems for an arbitrary set functor. This connection between modal logic and coalgebra 
has provided a quite active research area. At the time of writing, quite a few proposals 
for coalgebraic modal logics are around; most of them are roughly based on one of the 
approaches to be discussed in this section. 

We start with Moss’ original approach, which is also the most general. In order to 
introduce his formalism, we first put ordinary modal logic in a slightly different perspective 
by introducing a new connective $\nabla$. The meaning of this modality, which takes a 
set of formulas as its argument, can be summarized by presenting the formula $\nabla\Phi$, with 
$\Phi$ a set of formulas, as the following abbreviation: 


$$\nabla\Phi := \Box\bigvee\Phi \wedge \bigwedge\Diamond\Phi, \qquad (47)$$


where $\Diamond\Phi$ denotes the set $\{\Diamond\varphi \mid \varphi \in \Phi\}$, and $\bigvee$ and $\bigwedge$ denote disjunction and conjunction. 
We do not want to exclude the possibility that $\Phi$ is an infinite set — coalgebraic 
logic is generally of an infinitary nature. The operator $\nabla$ pops up in a number of areas 
in modal logic, cf. for instance the characteristic formulas of Chapter 5. We may also 
decide to treat this $\nabla$ as a primitive connective. As long as we keep $\vee$ and $\top$ in our 
language, both the standard diamond and box connective are definable in terms of $\nabla$, 
since we have the following equivalences: 


$$\Diamond\varphi \equiv \nabla\{\varphi, \top\},$$
$$\Box\varphi \equiv \nabla\emptyset \vee \nabla\{\varphi\},$$


so that we may in fact replace the diamond and box with this new modality. 

Spelling out the truth definition of $\nabla\Phi$, we see that it can in fact be expressed in terms 
of the relation lifting that we defined in section 11. For, let $\mathbb{S} = (S, \lambda, R[\cdot])$ be a modal 
model in coalgebraic shape. Then it is straightforward to verify that $\mathbb{S}, s \Vdash \nabla\Phi$ if and 
only if the pair $(R[s], \Phi)$ belongs to the relation lifting $\overline{P}(\Vdash_{\mathbb{S}})$ of the satisfaction relation 
$\Vdash_{\mathbb{S}} \subseteq S \times \Phi$: every $\varphi \in \Phi$ must hold at some successor $t \in R[s]$, and at every successor $t$ 
of $s$ some $\varphi \in \Phi$ must hold, see (43). This fundamental insight paves the way for Moss’ 
development of coalgebraic logic, in which the same principle is applied to an arbitrary 
(but fixed) set functor $\Omega$. Basically, the idea is to have 


$$\mathbb{S}, s \Vdash_{\mathbb{S}} \nabla P \text{ iff } (P, \sigma(s)) \in \overline{\Omega}(\Vdash_{\mathbb{S}}).$$


Note that in this perspective, the satisfaction relation is much like a bisimulation between 
a language and a coalgebra; this observation was first made and exploited in Baltag [8]. 
In order to provide a more precise definition, recall from Remark 161 that we may 
uniquely extend $\Omega$ to a set based endofunctor $\Omega^+$ on the category SET that has classes 
as objects, and set-continuous functions as arrows. For convenience, we follow Moss [86] 
in that we confine our attention to standard set functors, that is, functors that map 
inclusions to inclusions. 
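
The reading of $\nabla$ through the power set relation lifting, the abbreviation (47), and the two definability equivalences for diamond and box can be checked mechanically on a finite Kripke model. The Python code below is an added example and not part of the original chapter; the model `R`, the valuation `VAL` and the formula pool are constructed for illustration, and the tuple encoding of formulas is an assumption of this example.

```python
from itertools import combinations

# Constructed finite Kripke model in coalgebraic shape: each state s is mapped
# to its successor set R[s]; VAL interprets the proposition letters.
R = {0: {1, 2}, 1: {2}, 2: set(), 3: {3}}
VAL = {"p": {1, 3}, "q": {2}}

TOP = ("top",)
BOT = ("not", TOP)


def big_or(formulas):
    """Finite disjunction; the empty disjunction is falsum."""
    out = BOT
    for f in formulas:
        out = ("or", out, f)
    return out


def big_and(formulas):
    """Finite conjunction; the empty conjunction is verum."""
    out = TOP
    for f in formulas:
        out = ("and", out, f)
    return out


def nabla(formulas):
    """The formula nabla Phi for a finite set Phi of formulas."""
    return ("nabla", frozenset(formulas))


def holds(s, f):
    """Truth of formula f at state s."""
    tag = f[0]
    if tag == "top":
        return True
    if tag == "atom":
        return s in VAL[f[1]]
    if tag == "not":
        return not holds(s, f[1])
    if tag == "or":
        return holds(s, f[1]) or holds(s, f[2])
    if tag == "and":
        return holds(s, f[1]) and holds(s, f[2])
    if tag == "dia":
        return any(holds(t, f[1]) for t in R[s])
    if tag == "box":
        return all(holds(t, f[1]) for t in R[s])
    if tag == "nabla":
        return in_lifting(R[s], f[1])
    raise ValueError(f"unknown connective {tag!r}")


def in_lifting(successors, phi):
    """Is (successors, phi) in the power set lifting of the satisfaction relation?"""
    every_formula_witnessed = all(any(holds(t, f) for t in successors) for f in phi)
    every_successor_covered = all(any(holds(t, f) for f in phi) for t in successors)
    return every_formula_witnessed and every_successor_covered


def expand(phi):
    """Right-hand side of (47), built as a formula with box and diamond."""
    return ("and", ("box", big_or(phi)), big_and(("dia", f) for f in phi))


# Constructed pool of test formulas, including a nested nabla.
P, Q = ("atom", "p"), ("atom", "q")
POOL = [TOP, P, Q, ("not", P), ("dia", Q), nabla([Q])]


def subsets(items):
    for k in range(len(items) + 1):
        yield from combinations(items, k)


def abbreviation_agrees():
    """(47): nabla Phi and its box/diamond expansion agree at every state."""
    return all(holds(s, nabla(phi)) == holds(s, expand(phi))
               for s in R for phi in subsets(POOL))


def diamond_box_definable():
    """dia f == nabla{f, top} and box f == nabla{} or nabla{f}, at every state."""
    return all(
        holds(s, ("dia", f)) == holds(s, nabla([f, TOP]))
        and holds(s, ("box", f)) == holds(s, ("or", nabla([]), nabla([f])))
        for s in R for f in POOL)


if __name__ == "__main__":
    print(abbreviation_agrees(), diamond_box_definable())
```

Note that $\nabla\emptyset$ holds exactly at the states without successors, which is why it appears in the clause for the box.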
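
DEFINITION 190. Let $\Omega : \mathsf{Set} \to \mathsf{Set}$ be a standard set functor that preserves weak 
pullbacks. Then $\mathcal{L}_\Omega$, the language of coalgebraic formulas for $\Omega$, is defined as the least 
class $C$ such that (i) $\bigwedge\Phi \in \mathcal{L}_\Omega$ if $\Phi \subseteq \mathcal{L}_\Omega$ is a set of formulas, and (ii) $\nabla P \in \mathcal{L}_\Omega$ for any 
$P \in \Omega^+(\mathcal{L}_\Omega)$. 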

Categorically, $(\mathcal{L}_\Omega, \bigwedge, \nabla)$ can be characterized as the initial algebra of the functor 
$(P + \Omega)^+$. This explains our move to the category SET: if we want to guarantee the 
existence of such a structure, for reasons similar as given in the discussion following 
Proposition 158, we need to allow class-based algebras. 


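DEFINITION 191. Let $\Omega : \mathsf{Set} \to \mathsf{Set}$ preserve weak pullbacks. Given an $\Omega$-coalgebra 
$\mathbb{S} = (S, \sigma)$, define $\Vdash_{\mathbb{S}} \subseteq S \times \mathcal{L}_\Omega$ as the least relation satisfying 


$s \Vdash_{\mathbb{S}} \bigwedge\Phi$ if $s \Vdash_{\mathbb{S}} \varphi$ for all $\varphi \in \Phi$, 
$s \Vdash_{\mathbb{S}} \nabla P$ if $(P, \sigma(s)) \in \overline{\Omega}(W)$ for some set $W \subseteq {\Vdash_{\mathbb{S}}}$. 

EXAMPLE 192. Consider the functor $P\mathsf{Prop} \times P$ of Kripke models. Unraveling the 
definitions, we find that an arbitrary element of $\Omega^+(\mathcal{L}_\Omega)$ must be of the form $(A, \Phi)$ with 
$A \subseteq \mathsf{Prop}$ a set of proposition letters, and $\Phi \subseteq \mathcal{L}_\Omega$ a set of formulas. It is not hard to 
verify that 


$$\mathbb{S}, s \Vdash \nabla(A, \Phi) \text{ iff } \mathbb{S}, s \Vdash \bigwedge A \wedge \bigwedge\neg(\mathsf{Prop} \setminus A) \wedge \Box\bigvee\Phi \wedge \bigwedge\Diamond\Phi,$$


where $\bigwedge\neg(\mathsf{Prop} \setminus A)$ denotes the formula $\bigwedge\{\neg p \mid p \in \mathsf{Prop} \setminus A\}$. It is instructive to observe 
the difference between this and (47) which displays an arbitrary $\nabla$-formula for the functor 
$P$ of Kripke frames as opposed to models. 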


EXAMPLE 193. For another example, an arbitrary element of the class $\Omega^+(\mathcal{L}_\Omega)$, where 
$\Omega$ is now the functor $\mathcal{I} \times \mathcal{I}$, must be a pair of formulas, say, $(\varphi_0, \varphi_1)$. Clearly then we 
have 

$$\mathbb{S}, s \Vdash \nabla(\varphi_0, \varphi_1) \text{ iff } \mathbb{S}, \pi_0(\sigma(s)) \Vdash \varphi_0 \text{ and } \mathbb{S}, \pi_1(\sigma(s)) \Vdash \varphi_1.$$


This in fact implies that all formulas are true at all states of all coalgebras; in other 
words, in the absence of propositions, the language $\mathcal{L}_\Omega$ may be rather uninteresting. 


Obviously, many variations of this language exist, or may be defined. For instance, it 
is easy to develop finitary versions of the language, while independently of this, one may 
add Boolean connectives like negation or (infinitary) disjunction. Interestingly, $\mathcal{L}_\Omega$ on 
its own is already powerful enough to characterize behavior. Theorem 194 below shows 
that it has the Hennessy-Milner property (cf. Chapter 5 of this volume): non-bisimilarity 
of two points is witnessed by some formula in the language. 


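THEOREM 194. Let $\Omega : \mathsf{Set} \to \mathsf{Set}$ preserve weak pullbacks, and let $\mathbb{S}$ and $\mathbb{S}'$ be two 
$\Omega$-coalgebras. Then for any pair of states $s \in S$, $s' \in S'$: 


$$\mathbb{S}, s \mathrel{\underline{\leftrightarrow}} \mathbb{S}', s' \text{ iff } s \text{ and } s' \text{ satisfy the same } \mathcal{L}_\Omega\text{-formulas.}$$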


Proof. The direction from left to right is proved by induction on the complexity of 
formulas. That is, we define $\Theta$ to be the class of formulas on which all bisimilar points 
in $\mathbb{S}$ and $\mathbb{S}'$ agree. Then we prove that $\Theta = \mathcal{L}_\Omega$ by showing that $\Theta$ is closed under $\bigwedge$ and 
$\nabla$ (in the sense that $\bigwedge\Phi \in \Theta$ for all subsets $\Phi \subseteq \Theta$, and that $\nabla P \in \Theta$ for all $P \in \Omega(\Theta)$). 
We leave the fairly straightforward details as an exercise for the reader. 

The proof for the other direction is analogous to that of Karp’s Theorem for modal 
logic (see Chapter 5 of this volume), so we confine ourselves to a brief sketch here. Given 
an $\Omega$-system $\mathbb{S}$, by ordinal induction we define a family $\varphi^{\mathbb{S}}_\alpha : S \to \mathcal{L}_\Omega$ as follows (we omit 
the superscript): 


$$\varphi_0(s) = \top$$
$$\varphi_{\alpha+1}(s) = \nabla(\Omega\varphi_\alpha)(\sigma(s)),$$
$$\varphi_\lambda(s) = \bigwedge\{\varphi_\alpha(s) \mid \alpha < \lambda\}.$$


One approach to the proof would then be to show that the relation $\equiv$, defined via $s \equiv t$ 
if $\varphi_\alpha(s) = \varphi_\alpha(t)$ for all $\alpha$, is itself a bisimulation. ∎ 


Moss’ definition provides powerful languages, of which syntax and semantics uniformly 
depend on the coalgebraic signature, but his systems are not very welcoming to our intuitions 
on modal languages as extensions of propositional logic with diamonds and boxes 
that are interpreted via accessibility relations. Baltag [8] introduces variants of Moss’ 
language in which the connectives $\Box\bigvee\Phi$ and $\bigwedge\Diamond\Phi$ of (47) are (separately) generalized 
from Kripke frames to arbitrary functors, but also his formalism is far too abstract for 
practical purposes. It therefore seems worthwhile to develop more ‘concrete’ and practical 
alternatives to $\mathcal{L}_\Omega$. 


In the case of Kripke polynomial functors, the concrete, inductive definition of the 
functor allows for more down to earth modal languages, as was first observed by Kurz [77]. 
Here we present a formalism that was introduced in Rößiger [95], and studied by 
Jacobs [62]. From the perspective of modal logic, its only non-standard feature is that 
both its syntax and semantics are sorted by the set $\mathsf{Ing}(K)$ of ingredient functors of $K$. 


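DEFINITION 195. Fix a Kripke polynomial functor $K$. We define the language $\mathsf{Fma}_K = 
\bigcup_{A \in \mathsf{Ing}(K)} \mathsf{Fma}_K(A)$ of $K$-sorted modal formulas, by the following induction. (All functors 
appearing in the definition below are supposed to be ingredient functors of $K$.) 


• $\bot \in \mathsf{Fma}_K(A)$ for every $A \in \mathsf{Ing}(K)$; 

• if $\varphi, \psi \in \mathsf{Fma}_K(A)$ then $\neg\varphi, \varphi \vee \psi \in \mathsf{Fma}_K(A)$; 

• if $c \in C$ then $c \in \mathsf{Fma}_K(C)$; 

• if $\varphi \in \mathsf{Fma}_K(A_i)$ then $\Diamond_{\kappa_i}\varphi \in \mathsf{Fma}_K(A_0 + A_1)$; 

• if $\varphi \in \mathsf{Fma}_K(A_i)$ then $\Diamond_{\pi_i}\varphi \in \mathsf{Fma}_K(A_0 \times A_1)$; 

• if $\varphi \in \mathsf{Fma}_K(A)$ then $\Diamond_d\varphi \in \mathsf{Fma}_K(A^D)$ for all $d \in D$; 

• if $\varphi \in \mathsf{Fma}_K(A)$ then $\Diamond_\ni\varphi \in \mathsf{Fma}_K(PA)$; 

• if $\varphi \in \mathsf{Fma}_K(K)$ then $\bigcirc\varphi \in \mathsf{Fma}_K(\mathcal{I})$. 


We say that $\varphi$ is of sort $A$ if $\varphi \in \mathsf{Fma}_K(A)$ — note that this sort need not be unique. 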


How do we interpret these formulas in coalgebras? Intuitively, with each $K$-coalgebra 
$\mathbb{S}$, we associate a multi-sorted frame based on the set $\bigcup_{A \in \mathsf{Ing}(K)} A(S)$. The accessibility 
relations of this frame (which we will not make explicit) are completely determined by 
the shape of the functor. For instance, to link the set $(A_0 + A_1)(S)$ to $A_0(S)$, we lay 
down the relation $R_{\kappa_0} = \{(\kappa_0 s_0, s_0) \mid s_0 \in A_0(S)\}$. Likewise, the converse membership 
relation $\ni$ provides the accessibility relation from $PA(S)$ to $A(S)$. 


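DEFINITION 196. Let $\mathbb{S} = (S, \sigma)$ be a $K$-coalgebra for some Kripke polynomial functor 
$K$. By formula induction we define a sorted satisfaction relation ${\Vdash} = \bigcup_{A \in \mathsf{Ing}(K)} {\Vdash_A}$, 
with ${\Vdash_A} \subseteq A(S) \times \mathsf{Fma}_K(A)$: 


$s \Vdash_A \bot$ : never, 
$s \Vdash_A \neg\varphi$ if $s \not\Vdash_A \varphi$ (but $s \in A(S)$), 
$s \Vdash_A \varphi \vee \psi$ if $s \Vdash_A \varphi$ or $s \Vdash_A \psi$, 
$s \Vdash_C c$ if $s = c$, 
$s \Vdash_{A_0 + A_1} \Diamond_{\kappa_i}\varphi$ if $s = \kappa_i(t)$ for some $t \in A_i(S)$ with $t \Vdash_{A_i} \varphi$, 
$s \Vdash_{A_0 \times A_1} \Diamond_{\pi_i}\varphi$ if $s = (s_0, s_1)$ and $s_i \Vdash_{A_i} \varphi$, 
$s \Vdash_{A^D} \Diamond_d\varphi$ if $s(d) \Vdash_A \varphi$, 
$s \Vdash_{PA} \Diamond_\ni\varphi$ if there is some $t \in s$ with $t \Vdash_A \varphi$, 
$s \Vdash_{\mathcal{I}} \bigcirc\varphi$ if $\sigma(s) \Vdash_K \varphi$. 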


Furthermore we employ the usual terminology concerning validity, etc. 


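EXAMPLE 197. Consider the functor $\Omega = P\mathsf{Prop} \times P(\mathcal{I} \times \mathcal{I})$ corresponding to Kripke 
models based on frames with a ternary accessibility relation $T$. In the standard modal 
language for such models, we would be working with a binary modality $\circ$, whereas here, 
we are dealing with four unary modalities: $\bigcirc$, $\Diamond_\ni$, $\Diamond_{\pi_0}$, and $\Diamond_{\pi_1}$. We leave it for the 
reader to verify that the modal formula $\varphi_1 \circ \varphi_2$ in the first language can be rendered as 
$\bigcirc\Diamond_\ni(\Diamond_{\pi_0}\varphi_1 \wedge \Diamond_{\pi_1}\varphi_2)$ in the second. That is, we have 


$$\mathbb{S}, s \Vdash \bigcirc\Diamond_\ni(\Diamond_{\pi_0}\varphi_1 \wedge \Diamond_{\pi_1}\varphi_2) \text{ iff there are } t_1, t_2 \text{ with } Tst_1t_2 \text{ and } \mathbb{S}, t_i \Vdash \varphi_i.$$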


Bisimulation invariance of this language is easily proved: 


PROPOSITION 198. Assume that $K$ is some Kripke polynomial functor, and let $\mathbb{S}$ and 
$\mathbb{S}'$ be two $K$-coalgebras. Then for any pair of states $s \in S$, $s' \in S'$: 


$$\mathbb{S}, s \mathrel{\underline{\leftrightarrow}} \mathbb{S}', s' \text{ only if } s \text{ and } s' \text{ satisfy the same formulas in } \mathsf{Fma}_K.$$


Proof. Fix a bisimulation $B$ between $\mathbb{S}$ and $\mathbb{S}'$. We claim that for any formula $\varphi$ of 
type $A \in \mathsf{Ing}(K)$, it holds for any pair $(s, s') \in A(S) \times A(S')$ that 


$$\mathbb{S}, s \Vdash_A \varphi \text{ iff } \mathbb{S}', s' \Vdash_A \varphi,$$


provided that $(s, s')$ belong to the relation lifting $\overline{A}(B)$ of $B$. The proof is by a straightforward 
formula induction. ∎ 


The basic modal theory of this formalism has been developed. For instance, analogous 
to Theorem 38 in Chapter 5 of this volume, one may prove that if K is a finitary Kripke 
polynomial functor, then the language $\mathsf{Fma}_K$ has the Hennessy-Milner property. Also, 
results concerning completeness and decidability are known. The interested reader is 
referred to Rößiger [95] and Jacobs [62]. 


We now move to the third approach towards coalgebraic modal logic. Pattinson [89] 
combines the generality of the first formalism with the concreteness of the second. That 
is, the approach applies to arbitrary set functors, but provides languages with standard 
diamonds and boxes. First we present a simplified version, which is based on the idea 
to extract diamonds out of the natural transformations from the coalgebra functor $\Omega$ to 
the power set functor $P$. Recall that a natural transformation $\lambda : \Omega \to P$ provides an 
arrow $\lambda_S : \Omega(S) \to P(S)$ for each set $S$, in such a way that for each function $f : S \to S'$, 
the following diagram commutes: 


$$\begin{array}{ccccc}
S & & \Omega S & \xrightarrow{\ \lambda_S\ } & PS \\
\downarrow{\scriptstyle f} & & \downarrow{\scriptstyle \Omega f} & & \downarrow{\scriptstyle Pf} \\
S' & & \Omega S' & \xrightarrow{\ \lambda_{S'}\ } & PS'
\end{array}$$


Thus if we have an $\Omega$-coalgebra $\mathbb{S} = (S, \sigma)$, we may define a relation $R_\lambda \subseteq S \times S$ for such 
a $\lambda$ by putting $R_\lambda st$ if $t \in \lambda_S(\sigma(s))$. We may then introduce a diamond $\Diamond_\lambda$ which takes 
this $R_\lambda$ as its accessibility relation. Natural transformations $\lambda : \Omega \to P$ thus literally 
transform $\Omega$-coalgebras into $P$-coalgebras, that is, Kripke frames. 

Similarly, if we want to have atomic propositions in our language, consider any natural 
transformation $\nu$ from $\Omega$ to the constant functor $\mathsf{Prop}$. We then make $p \in \mathsf{Prop}$ true at 
$s$ depending on whether $p$ is an element of the set $\nu_S(\sigma(s))$ or not. It is as if we add the 
valuation $V_\nu$ to $\mathbb{S}$ given by $V_\nu(p) := \{s \in S \mid p \in \nu_S(\sigma(s))\}$. 

DEFINITION 199. Let $\Omega : \mathsf{Set} \to \mathsf{Set}$ be some functor, $\nu : \Omega \to \mathsf{Prop}$ some natural 
transformation, and $\Lambda$ some collection of natural transformations $\Omega \to P$. Then $\mathcal{L}_{\nu,\Lambda}$ is 
the standard modal language we obtain by taking $\mathsf{Prop}$ as the collection of propositional 
variables, and $\tau_\Lambda := \{\Diamond_\lambda \mid \lambda \in \Lambda\}$ as the modal similarity type. 


It will now be obvious how these formulas are interpreted in Q-coalgebras. We confine 
ourselves to the following clauses of the inductive truth definition: 


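$\mathbb{S}, s \Vdash p$ if $p \in \nu_S(\sigma(s))$, 
$\mathbb{S}, s \Vdash \Diamond_\lambda\varphi$ if $\mathbb{S}, t \Vdash \varphi$ for some $t \in \lambda_S(\sigma(s))$. 


In other words, an $\Omega$-coalgebra $\mathbb{S}$ is treated as the Kripke model $(S, \{R_\lambda \mid \lambda \in \Lambda\}, V_\nu)$. 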
The reason to require the transformations to be natural is to guarantee invariance under 
behavioral equivalence. 


PROPOSITION 200. Let $\Omega$, $\nu$ and $\Lambda$ be as in Definition 199. Then for any pair $\mathbb{S}$, $\mathbb{S}'$ 
of $\Omega$-coalgebras, and any pair of states $s \in S$, $s' \in S'$: 


$$\mathbb{S}, s \simeq_\Omega \mathbb{S}', s' \text{ only if } s \text{ and } s' \text{ satisfy the same } \mathcal{L}_{\nu,\Lambda}\text{-formulas.}$$


Proof. It suffices to prove that for any coalgebraic homomorphism $f : \mathbb{S} \to \mathbb{S}'$, each 
state $s$ in $\mathbb{S}$ satisfies the same $\mathcal{L}_{\nu,\Lambda}$-formulas as $f(s)$ in $\mathbb{S}'$. This inductive proof is in fact 
straightforward, the crucial observation being that the naturality of the transformations 
guarantees that $f$ is a bounded morphism between the Kripke models associated with $\mathbb{S}$ 
and $\mathbb{S}'$. ∎ 


For the more general picture, Pattinson uses predicate liftings (from $PS$ to $P\Omega S$) to 
obtain modal operators. In order to introduce these, note that the semantics of the 
modal operator $\Diamond_\lambda$ could have been expressed as follows: 


$$\mathbb{S}, s \Vdash \Diamond_\lambda\varphi \text{ iff } \sigma(s) \in \mu^\lambda_S([\![\varphi]\!]),$$

where $\mu^\lambda_S : PS \to P\Omega S$ is given by $A \mapsto \{\Gamma \in \Omega S \mid \lambda_S(\Gamma) \cap A \neq \emptyset\}$, and $[\![\varphi]\!]$ denotes the 
extension of $\varphi$ in $\mathbb{S}$. In fact, it can be shown that $\mu^\lambda$ is a natural transformation from 
the contravariant power set functor $P$ to the functor $P \circ \Omega$. Generalizing this, we arrive 
at the following definition. 


DEFINITION 201. A predicate lifting for a set functor $\Omega$ is a natural transformation 
$\mu : P \to P \circ \Omega$. With each predicate lifting we can associate a modal operator $\Diamond_\mu$, with 
the following semantics: 

$$\mathbb{S}, s \Vdash \Diamond_\mu\varphi \text{ iff } \sigma(s) \in \mu_S([\![\varphi]\!]).$$


And as before, it is the naturality of the transformation that ensures that this language 
is invariant under behavioral equivalence. 
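
The role of naturality can be seen on a small labelled transition system. The Python code below is an added example and not part of the original chapter: it assumes the functor $\Omega S = P(\mathsf{Act} \times S)$, takes the label-wise successor maps as natural transformations $\Omega \to P$, turns them into predicate liftings, and contrasts them with a constructed family `even_targets` that inspects state names, fails the naturality square for the given homomorphism, and breaks invariance.

```python
from itertools import chain, combinations

ACT = ("a", "b")  # constructed label set; Omega S = P(ACT x S)


def omega_map(f, gamma):
    """Action of the functor on a function f (a dict): relabel target states."""
    return frozenset((l, f[t]) for (l, t) in gamma)


def lam(label):
    """Natural transformation Omega -> P: the `label`-successors."""
    return lambda gamma: frozenset(t for (l, t) in gamma if l == label)


def even_targets(gamma):
    """NOT natural: depends on the names of the states (constructed example)."""
    return frozenset(t for (_, t) in gamma if t % 2 == 0)


def powerset(items):
    items = list(items)
    return (frozenset(c) for c in chain.from_iterable(
        combinations(items, k) for k in range(len(items) + 1)))


def is_natural(trans, f, source):
    """Check Pf . trans_S == trans_S' . Omega f on every element of Omega(source)."""
    pairs = [(l, s) for l in ACT for s in source]
    return all(frozenset(f[t] for t in trans(g)) == trans(omega_map(f, g))
               for g in powerset(pairs))


def lifting(trans):
    """Predicate lifting: A |-> {gamma | trans(gamma) meets A}, as a membership test."""
    return lambda gamma, ext: bool(trans(gamma) & ext)


def extension(sigma, formula, modalities):
    """Set of states of the coalgebra `sigma` that satisfy `formula`.

    Formulas: ("top",) | ("not", f) | ("dia", name, f), where `name` selects
    a predicate lifting from `modalities`.
    """
    tag = formula[0]
    if tag == "top":
        return frozenset(sigma)
    if tag == "not":
        return frozenset(sigma) - extension(sigma, formula[1], modalities)
    if tag == "dia":
        ext = extension(sigma, formula[2], modalities)
        mu = modalities[formula[1]]
        return frozenset(s for s in sigma if mu(sigma[s], ext))
    raise ValueError(f"unknown connective {tag!r}")


def is_homomorphism(f, sigma, sigma2):
    """sigma2 . f == Omega f . sigma"""
    return all(sigma2[f[s]] == omega_map(f, sigma[s]) for s in sigma)


def invariant_under(f, sigma, sigma2, formula, modalities):
    """Does every state s agree with f(s) on `formula`?"""
    ext, ext2 = (extension(c, formula, modalities) for c in (sigma, sigma2))
    return all((s in ext) == (f[s] in ext2) for s in sigma)


# Constructed coalgebras and a homomorphism F that merges states 1 and 2.
S1 = {0: frozenset({("a", 1), ("b", 2)}), 1: frozenset({("a", 3)}),
      2: frozenset({("a", 3)}), 3: frozenset()}
S2 = {0: frozenset({("a", 1), ("b", 1)}), 1: frozenset({("a", 3)}),
      3: frozenset()}
F = {0: 0, 1: 1, 2: 1, 3: 3}

MODALITIES = {"a": lifting(lam("a")), "b": lifting(lam("b")),
              "even": lifting(even_targets)}
TOP = ("top",)
GOOD = ("dia", "b", ("not", ("dia", "b", TOP)))  # natural liftings only
BAD = ("dia", "even", TOP)                        # uses the non-natural family

if __name__ == "__main__":
    print(is_natural(lam("a"), F, S1), is_natural(even_targets, F, S1))
    print(invariant_under(F, S1, S2, GOOD, MODALITIES),
          invariant_under(F, S1, S2, BAD, MODALITIES))
```

The naturality check here covers the single function `F`, which is enough to expose the failure of `even_targets`; naturality proper quantifies over all functions.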


In order to finish this section, a number of remarks are in order. First, the above 
mentioned versions of coalgebraic logic are open for the standard expressive enhancements 
that we know from extended modal logic. As examples we mention Jacobs [64], who 
adds past operators (as in section 8.1) to a variant of the formalism defined in the 
Definitions 195 and 196, and Venema [107], who develops a finitary fixed point version 
of Moss’ logic. 

Second, it should be mentioned that for certain polynomial functors, coalgebraic spec- 
ification languages have been developed of an equational rather than modal nature. Very 
roughly, the idea is that coalgebras for such a polynomial functor K can be represented 
by a structured collection of partial functions on the carrier of the coalgebra. From the 
perspective of Definition 196, this can be explained by the observation that in the absence 
of the power set functor, each and every accessibility relation of the multi-sorted frame is 
in fact (the graph of) a partial function. Lacking the space for an appropriate survey of 
this more equational perspective, we only mention one interesting idea which adds some 
modal flavor to equational logic. In coalgebraic approaches towards specification theory, 
such as that of hidden algebra, a state equation $t_1 \approx t_2$ holds of a state $s$ in a coalgebra 
$\mathbb{S}$ if $t_1^{\mathbb{S}}(s)$ and $t_2^{\mathbb{S}}(s)$ evaluate to bisimilar (rather than identical) states in $\mathbb{S}$. We refer the 
reader to Goldblatt [42, 43] and Roşu [94] for more details; in particular, Goldblatt [43] 
contains a clear discussion of this overlap area between modal and equational logic. 

Third, Kurz & Pattinson [78] establish a link between coalgebraic predicates and the 
final sequence, see Remark 162: they argue that finitary predicates correspond to subsets 
of some set $Z_n$ ($n$ finite) occurring in the final sequence. This work is in fact closely 
related to that of Ghilardi [33], even though the word ‘coalgebra’ is not mentioned in the 
latter work. 

Finally, there is an interesting connection between Hennessy-Milner results and final 
coalgebras: Goldblatt [45] proves that a set functor $\Omega$ admits a final coalgebra iff there 
is a coalgebraic modal language for $\Omega$, which has the Hennessy-Milner property and is 
based on a set (rather than a proper class) of formulas. 


14 CO-BIRKHOFF THEOREMS AND COFREE COALGEBRAS 


In order to give the reader some impression of universal coalgebra at work, we discuss 
one result, or better, one cluster of results, in some detail. The topic that we have chosen 
concerns the coalgebraic version of Birkhoff’s variety theorem; recall that this result in 
universal algebra states that a class $C$ of algebras is a variety, (that is, closed under the 
class operations $H$, $S$ and $P$), if and only if it is equationally definable. Thus in essence, 
Birkhoff established a link between two different ways of characterizing algebraic classes: 
a logical one, in terms of the validity of certain formulas, and a structural one, in terms 
of certain class operations. 

If we are after a co-Birkhoff result, two roads seem open to us. Since we have already 
developed the concept of a covariety, the most obvious thing to do would be to try 
and find out what corresponds to it, logically. An alternative approach would be to 
investigate the structural counterpart of the logical languages developed in the previous 
section. Here we follow the first road, but interestingly, it leads us to (very natural 
generalizations of) modal languages! This provides justification for our earlier claim that 
modal logic is dual to equational logic. 

In the proof of Birkhoff’s theorem, free algebras play a key role; thus it will come as no 
surprise that we will be looking at cofree coalgebras here. However, these structures do 
not serve as proof tools only, they have a quite intuitive meaning as well. To explain this, 
first note that many set functors provide coalgebraic structures that come with a notion 
of output. For instance, the black box machines of Example 141 may be prompted to 
display some value, the states of the automata of Example 142 output 0 or 1 depending 
on whether they are final or not, and the states of a Kripke model satisfy some set of 
propositional variables. For a general functor $\Omega : \mathsf{Set} \to \mathsf{Set}$, such a notion of output may 
not be available. However, nothing prevents us from adding an extra output feature to 
the functor. 


DEFINITION 202. Let $\Omega$ be some set functor, and $C$ a set of objects that we will call 
colors. A $C$-coloring of an $\Omega$-coalgebra $\mathbb{A} = (A, \alpha)$ is a map $\gamma : A \to C$; the structure 
$(A, \alpha, \gamma)$ will be called the coalgebra $\mathbb{A}$ colored by $\gamma$. 


As a prime example, Kripke models can be seen as $P\mathsf{Prop}$-colored Kripke frames. In 
general, $C$-colored $\Omega$-coalgebras may be identified with $\Omega_C$-coalgebras, where $\Omega_C$ is the 
functor $C \times \Omega$; this provides us with a category of $C$-colored $\Omega$-coalgebras. Spelling 
it out, $f : S \to S'$ is a morphism from $(S, \sigma, \gamma)$ to $(S', \sigma', \gamma')$ if $f$ is an $\Omega$-coalgebra 
homomorphism from $(S, \sigma)$ to $(S', \sigma')$ such that $\gamma(s) = \gamma'(fs)$ for all $s \in S$. 

Colors can be seen as the coalgebraic duals of variables, colorings as the duals of 
assignments. This brings us to the definition of a cofree coalgebra, which is the formal 
dual of the notion of a free algebra. We recall the latter notion, for the purposes of the 
present context, as follows. Let $\Omega : \mathsf{Set} \to \mathsf{Set}$ be some set functor, $X$ a set of variables, 
and $\mathbb{T} = (T, \tau : \Omega T \to T)$ some $\Omega$-algebra such that $e : X \to T$ is some kind of injection. 
(Here we deviate from the more standard presentation, where $e$ is taken to be an inclusion 
map.) Then $\mathbb{T}$, with $e$, is called free over $X$ if for every $\Omega$-algebra $\mathbb{A} = (A, \alpha)$ and every 
assignment $f : X \to A$, there is a unique homomorphism $\tilde{f} : \mathbb{T} \to \mathbb{A}$ such that $f = \tilde{f} \circ e$. 


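DEFINITION 203. Let $\Omega$ be a set functor, $C$ a set of colors, and 
$\mathbb{Z}$ some $\Omega$-coalgebra with a coloring $\gamma : Z \to C$. Then $\mathbb{Z}$ (with 
$\gamma$) is called (absolutely) cofree over $C$ if for every $\Omega$-coalgebra 
$\mathbb{A} = (A, \alpha)$ and every coloring $g : A \to C$ of $\mathbb{A}$, there is a unique 
homomorphism $\tilde{g} : \mathbb{A} \to \mathbb{Z}$ such that $g = \gamma \circ \tilde{g}$. 

[Diagram: the triangle formed by $g : A \to C$, $\tilde{g} : \mathbb{A} \to \mathbb{Z}$ and $\gamma : Z \to C$.] 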


Observe that the diagram above is not properly typed (it mixes arrows from different 
categories). A more proper formulation of the notion of cofreeness would involve the 
right adjoint to the forgetful functor from $\mathsf{Coalg}(\Omega)$ to Set. 

It is immediate from the definitions that an $\Omega$-coalgebra with coloring $\gamma : T \to C$ is 
cofree over $C$ iff the structure $(T, \tau, \gamma)$ is a final coalgebra for the functor $\Omega_C = C \times \Omega$. 
This explains that we may view the carrier Z of such a cofree coalgebra as the collection 
of all behavior patterns expressible in the output set C. And this perspective paves the 
way for a dual version of Birkhoff’s variety theorem, by providing a natural means for 
characterizing classes of coalgebras in terms of permitted, or forbidden, behaviors. 


DEFINITION 204. Let $\Omega$ be some set functor, and let $\mathbb{Z}$, with coloring $\gamma : Z \to C$, be 
the cofree coalgebra over some set $C$ of colors. Given a set $Q$ in $Z$, let $\mathsf{Cov}(Q)$ be the 
class of $\Omega$-coalgebras $\mathbb{A}$ such that $\eta[A] \subseteq Q$ for all homomorphisms $\eta : \mathbb{A} \to \mathbb{Z}$. 

And conversely, given a class $K$ of $\Omega$-coalgebras, define $\mathsf{Bhv}(K) \subseteq Z$ to be the union 
of all images $\tilde{g}[A]$ in which $\tilde{g}$ arises from some $C$-coloring $g$ of some coalgebra $\mathbb{A}$ in $K$. 


There are all kinds of interesting facts concerning these two maps. For instance, it is 
fairly obvious from the definitions that Bhv and Cov form a (dual) Galois connection: 
For any class $K$ of $\Omega$-coalgebras, and any set $Q$ of behavior patterns, we have 


$$\mathsf{Bhv}(K) \subseteq Q \text{ iff } K \subseteq \mathsf{Cov}(Q). \qquad (48)$$


We will have use for this fact in the proof of a first co-Birkhoff result, which is basically 
due to Rutten [97]. In the remainder of this section we restrict our attention to small 
functors, in order to ensure the existence of final and cofree coalgebras. 


THEOREM 205. Let $\Omega$ be some endofunctor on Set which is $\kappa$-small for some cardinal 
$\kappa$. Then for any set $C$ of size $\kappa$, the cofree coalgebra over $C$ exists, and a class $K$ of 
$\Omega$-coalgebras is a covariety iff $K = \mathsf{Cov}(Q)$ for some set $Q$ of behavior patterns. 


Proof. It follows from the assumption on $\Omega$ that the functor $\Omega_C = C \times \Omega$ has a final 
coalgebra. However, we already observed that this structure may be represented as a 
triple $(Z, \zeta, \gamma)$ such that $\mathbb{Z} = (Z, \zeta)$, with coloring $\gamma$, is the cofree $\Omega$-coalgebra over $C$. 
We fix this $\mathbb{Z}$ and $\gamma$ for the remainder of the proof. 

In order to show that Cov(Q) is a covariety, one needs to subsequently prove closure 
under taking homomorphic images, subcoalgebras, and sums. Here we restrict our at- 
tention to the proof for subcoalgebras, because that is the only part where the cofreeness 
of Z is used. 

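Suppose that $\mathbb{A}$ is a subcoalgebra of $\mathbb{B}$, with inclusion $\iota$, while $\mathbb{B}$ belongs to $\mathsf{Cov}(Q)$; 
we need to show that $\mathbb{A}$ also belongs to this class. For that purpose, consider a homomorphism 
$\eta : \mathbb{A} \to \mathbb{Z}$, and observe that $\gamma \circ \eta : A \to C$ is a coloring of $\mathbb{A}$. Clearly this 
coloring can be extended to a coloring $g : B \to C$ of $\mathbb{B}$. Let $\tilde{g} : \mathbb{B} \to \mathbb{Z}$ be the unique 
homomorphism such that $g = \gamma \circ \tilde{g}$ — such a map exists by the cofreeness of $\mathbb{Z}$. 

[Diagram: the inclusion $\iota : \mathbb{A} \to \mathbb{B}$, the homomorphisms $\eta : \mathbb{A} \to \mathbb{Z}$ and $\tilde{g} : \mathbb{B} \to \mathbb{Z}$, and the colorings $g : B \to C$ and $\gamma : Z \to C$.] 

Now $g = \gamma \circ \tilde{g}$, so that $\gamma \circ \tilde{g} \circ \iota = g \circ \iota$. But $g$ was chosen 
so that $g \circ \iota = \gamma \circ \eta$. Hence we find that $\gamma \circ \tilde{g} \circ \iota = \gamma \circ \eta$, 
so by the cofreeness of $\mathbb{Z}$ with respect to colorings of $\mathbb{A}$, we 
find that $\tilde{g} \circ \iota = \eta$, that is, $\tilde{g}$ extends $\eta$. From this it is 
immediate that $\eta[A] = \tilde{g}{\upharpoonright}_A[A] \subseteq \tilde{g}[B]$, so that $\eta[A] \subseteq Q$ by 
the assumption that $\mathbb{B}$ belongs to $\mathsf{Cov}(Q)$. 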


For the other direction of the theorem, suppose that $K$ is a covariety; we claim that 

$$K = \mathsf{Cov}(\mathsf{Bhv}(K)). \qquad (49)$$


The inclusion $\subseteq$ is immediate from (48). For the opposite inclusion, it easily follows from 
the definitions that $\mathsf{Bhv}(K)$ is $\mathbb{Z}$-open. Let $\mathbb{B}_K$ be the (unique) subcoalgebra of $\mathbb{Z}$ with 
carrier set $\mathsf{Bhv}(K)$. It is not hard to prove that $\mathbb{B}_K$ is a conjunct sum of algebras in $K$, 
which implies that $\mathbb{B}_K$ actually belongs to $K$ since covarieties are closed under taking 
conjunct sums. Hence, in order to prove the remaining inclusion $\supseteq$ of (49), it suffices to 
show that 


every coalgebra in $\mathsf{Cov}(\mathsf{Bhv}(K))$ is a conjunct sum of subcoalgebras of $\mathbb{B}_K$. (50) 


Take an arbitrary coalgebra $\mathbb{A}$ in $\mathsf{Cov}(\mathsf{Bhv}(K))$. From the $\kappa$-smallness of $\Omega$ it may be 
derived that $\mathbb{A}$ is the conjunct sum of coalgebras $\mathbb{A}_i$, each of size at most $\kappa$. Clearly then 
it suffices to prove that each $\mathbb{A}_i$ belongs to $K$, since covarieties are closed under taking 
conjunct sums. 

Fix some $i \in I$; clearly $\mathsf{Cov}(\mathsf{Bhv}(K))$, being closed under taking subcoalgebras, contains 
$\mathbb{A}_i$. Since $|A_i| \leq \kappa = |C|$, there is an injective coloring $e_i : A_i \to C$. Hence by cofreeness 
of $\mathbb{Z}$ there is a unique homomorphism $\tilde{e}_i : \mathbb{A}_i \to \mathbb{Z}$ such that $e_i = \gamma \circ \tilde{e}_i$. This $\tilde{e}_i$ must 
also be injective, which implies that $\mathbb{A}_i$ is isomorphic to its image $\tilde{e}_i[\mathbb{A}_i]$. But, since $\mathbb{A}_i$ 
belongs to $\mathsf{Cov}(\mathsf{Bhv}(K))$, the structure $\tilde{e}_i[\mathbb{A}_i]$ is a subcoalgebra of $\mathbb{B}_K$, and thus, belongs 
to $K$. From this it is immediate that each $\mathbb{A}_i$ belongs to $K$, and thus, so does the conjunct 
sum $\mathbb{A}$. ∎ 


Clearly, not only the statement, but also the proof of Theorem 205 is dual to that of 
Birkhoff’s variety theorem. For instance, the coalgebra $\mathbb{B}_K$ clearly fulfills the role of the 
cofree coalgebra for the class $K$ over the color set $C$. What seems to be missing from 
Theorem 205, however, is some notion of logic, involving syntax. (It should be noted that 
also in the algebraic case, the straightforward characterization of varieties in terms of 
equations only obtains in the case of relatively simple functors.) Since we are discussing 
a dual of Birkhoff’s theorem, the question this raises is: what are co-equations? 

Given the nature of systems as state-based models of dynamics, it seems natural 
to require that formulas describe behavior. This would provide natural constraints on 
possible coequational languages, namely, that formulas are evaluated at states, in such 
a way that truth is invariant under behavioral equivalence. Furthermore, we allow the 
use of colors in order to obtain sufficient expressive power. It was an insight of Kurz [76] 
that these requirements may also be read as a natural definition of coalgebraic modal 
logic. 


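DEFINITION 206. Let $\Omega$ be some set functor. A coalgebraic modal language for $\Omega$ 
consists of a set $C$ of colors, a class $\mathcal{L}_C$ of formulas, and, for each $C$-colored $\Omega$-coalgebra 
$(\mathbb{S}, g)$, a truth or satisfaction relation ${\Vdash_{\mathbb{S},g}} \subseteq S \times \mathcal{L}_C$ such that $\Vdash$ is invariant under 
behavioral equivalence. That is, if $(\mathbb{S}, g), s \simeq_{\Omega_C} (\mathbb{T}, h), t$, then $\mathbb{S}, s \equiv_{\mathcal{L}_C} \mathbb{T}, t$, where the 
latter notation indicates that $s$ in $(\mathbb{S}, g)$ and $t$ in $(\mathbb{T}, h)$ satisfy exactly the same $\mathcal{L}_C$-formulas 
$\varphi$. 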


In the sequel we will use notation and terminology from modal logic. For instance, we 
write $(\mathbb{S}, g), s \Vdash \varphi$ instead of $s \Vdash_{\mathbb{S},g} \varphi$, and we define $\mathbb{S}, g \Vdash \varphi$ and $\mathbb{S} \Vdash \varphi$ by quantifying 
over all elements and all valuations, respectively. 


How can we link such modal languages to the cofree coalgebra? The idea here is that 
modal formulas correspond to subcoalgebras: if $\mathbb{Z}$, with $C$-coloring $\gamma$ is a cofree coalgebra 
over $C$, then define 


$$[\![\varphi]\!]^{\mathbb{Z},\gamma} = \{z \in Z \mid \mathbb{Z}, \gamma, z \Vdash \varphi\}.$$

Using the behavioral invariance of the logic, it is not hard to see that $[\![\varphi]\!]$ (we usually 
omit superscripts) is always $\mathbb{Z}$-open. Now one way to obtain nice co-Birkhoff results is 
to require the modal language to be expressive enough for the converse to hold as well. 


DEFINITION 207. Let $\Omega$ be some $\kappa$-small set functor, and let $(C, \mathcal{L}_C, \Vdash)$, with $|C| = \kappa$ 
constitute a coalgebraic modal logic for $\Omega$. This modal logic is called expressive if every 
open set of the $C$-cofree coalgebra $\mathbb{Z}$ is of the form $[\![\varphi]\!]$ for some formula $\varphi$. 


This may seem a strong requirement on a language, but expressive languages are not 
hard to come by. 


EXAMPLE 208. Under some mild additional assumptions on $\Omega$, one may show that 
Moss’ logic of Definition 190 and 191, extended with infinite disjunctions, is expressive. 
For a proof sketch: strengthen Theorem 194 by proving that for any pointed $\Omega_C$-system 
$(\mathbb{S}, s)$, there is a formula $\varphi^{\mathbb{S},s}$ such that for all pointed $\Omega_C$-systems $(\mathbb{S}', s')$ one has that 
$\mathbb{S}', s' \Vdash \varphi^{\mathbb{S},s}$ iff $\mathbb{S}', s' \simeq_{\Omega_C} \mathbb{S}, s$. Then, given an open set $U$ of the cofree $\Omega_C$-coalgebra $\mathbb{Z}$, 
one may define $\varphi_U := \bigvee\{\varphi^{\mathbb{Z},u} \mid u \in U\}$. 


Now the next theorem bears witness to the tight link between modal logic and coal- 
gebras. It is due to Kurz [76], while a very similar result was proved in Gumm & 
Schröder [53]. 


THEOREM 209. Let $\Omega$ be some $C$-small set functor, and let $(C, \mathcal{L}_C, \Vdash)$ constitute an 
expressive coalgebraic modal logic for $\Omega$. Then a class $K$ of $\Omega$-coalgebras is a covariety 
iff for some formula $\varphi$, $K$ is the class of all $\Omega$-coalgebras $\mathbb{S}$ such that $\mathbb{S} \Vdash \varphi$. 


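Proof. Let $\mathbb{Z}$, with coloring $\gamma : Z \to C$, be the cofree $\Omega$-coalgebra over $C$. Given 
a formula $\varphi$, it is a direct consequence of cofreeness and truth invariance, that for any 
$\Omega$-coalgebra $\mathbb{S}$ with $C$-coloring $g$, and for any state $s$ in $\mathbb{S}$, we have 


$$\mathbb{S}, g, s \Vdash \varphi \text{ iff } \tilde{g}(s) \in [\![\varphi]\!], \qquad (51)$$

from which one easily derives that for any $\mathcal{L}_C$-formula $\varphi$: 

$$\mathsf{Cov}([\![\varphi]\!]) \text{ is the class of all } \Omega\text{-coalgebras } \mathbb{S} \text{ such that } \mathbb{S} \Vdash \varphi. \qquad (52)$$


From (52) the direction ‘$\Leftarrow$’ of the Theorem is immediate. For the other direction, 
suppose that $K$ is a covariety. Then by expressiveness, $\mathsf{Bhv}(K) = [\![\varphi]\!]$ for some formula 
$\varphi$, so by (49) and (52) it follows that $K = \mathsf{Cov}(\mathsf{Bhv}(K)) = \mathsf{Cov}([\![\varphi]\!])$, as required. ∎ 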


Although this theorem, being formulated in terms of a fairly general notion of modal 
logic, may still seem to be rather abstract, it does provide a useful tool to provide more 
concrete results. For instance, given Example 208, as a corollary to Theorem 209 one 
may obtain very general modal co-Birkhoff results for Moss’ coalgebraic logic. Or, to 
give an even more concrete corollary of Theorem 209, call an (ordinary) modal frame
κ-bounded for some cardinal κ if every point has less than κ successors.


COROLLARY 210. A class K of κ-bounded frames is (within the class of all κ-bounded
frames) definable by means of infinitary modal formulas, if and only if K is closed under
taking generated subframes, homomorphic images and disjoint unions.

The reader who compares the above two results to the Goldblatt-Thomasson Theorem 79,
may be puzzled by the absence of ultrafilter extensions here. The explanation
for this absence is of course that such Stone-type completions are not relevant in the
presence of infinite disjunctions and conjunctions. If one takes the alternative road to 
co-Birkhoff theorems and starts, not from the notion of a covariety, but from a finitary 
coalgebraic logical formalism, one will find that notions like ultrafilter extensions or ul- 
traproducts are needed in the characterization of definable classes of coalgebras. Results 
in this direction can be found in for instance Goldblatt [42, 43] or Roşu [94]. 

Finally, the search for coalgebraic versions of Birkhoff’s variety theorem has received 
considerable attention in the coalgebraic literature, as is witnessed by many contributions
in [66, 93, 20, 52, 4]. Perhaps Gumm [51] should get some special mention for
developing an alternative coequational syntax based on equivalence classes of infinite 
labeled trees. 


15 DUALITY OF ALGEBRA AND COALGEBRA 


Various other coalgebraic topics may be of interest to modal logicians, but here we confine 
ourselves to a brief discussion of the duality between algebra and coalgebra. 

In Remark 152 we already observed that some of the similarities between algebra and
coalgebra are based on the fact that a coalgebra C = (C, γ : C → QC) over an endofunctor
Q : C → C can also be seen as an algebra in the opposite category $C^{op}$. In fact, it is
a trivial exercise to show that

$$\mathrm{Coalg}(Q) = (\mathrm{Alg}(Q^{op}))^{op}. \tag{53}$$

That is, the category of Q-coalgebras is dually isomorphic to the category of algebras
over the functor $Q^{op}$ (which acts on objects and arrows just like Q does, the difference
being that $Q^{op}$ is an endofunctor on $C^{op}$).

This duality between algebras and coalgebras has been a major guideline in the devel- 
opment of universal coalgebra, see Rutten [97]. To mention just one example (many more 
can be found in the text): whereas initial algebras play an important role in universal 
algebra, it is the final objects that are relevant in coalgebra. For instance, whereas the 
principle of induction is based on the fact that initial algebras have no proper subalge- 
bras, the dual coinduction principle boils down to the fact that final coalgebras have no 
proper quotients. However, it is important to realize that in (53) the base category has 
been dualized. This means, for instance, that systems, or Set-coalgebras, correspond, 
not so much to algebras over Set, as to algebras over the opposite category $Set^{op}$ (which
happens to be equivalent to the category of complete and atomic Boolean algebras with 
complete homomorphisms). As a consequence, a general theory of systems cannot be 
obtained by a straightforward dualization of universal (Set-based) algebra. On the other 
hand, the fact that systems are, just like standard algebras, ‘sets with structure’, indi- 
cates that many universal algebraic concepts may apply to coalgebra by analogy rather 
than by duality — see for instance Proposition 179. Thus, the universal coalgebraic 
theory of systems is an interesting mix of dualized and non-dualized universal algebra, 
with, of course, some characteristics of its own. 

In case that there is an informative duality for the base category C, more can be said 
of (53). This applies for instance to the just mentioned duality of the category Set, but 
for the present purpose we prefer to focus on the category Stone of Stone spaces. The 
point is, that since Stone is dually equivalent to the well-known category BA of Boolean 
algebras, every endofunctor Q on Stone induces an endofunctor Q* := (·)_* ∘ Q ∘ (·)^* on BA.
It is then an immediate consequence of (53) that the categories Coalg(Q) and Alg(Q*)
are dually equivalent: 


Coalg(Q) = Alg(Q*). (54) 


For an example of this, consider the Vietoris functor V of Example 147. Concretely,
the behavior of its dual functor V* : BA → BA on objects is as follows. To a Boolean
algebra B it assigns the Boolean algebra V*(B) freely generated by the set {◇b | b ∈
B}, subject to the axioms ◇⊥ = ⊥ and ◇a ∨ ◇b = ◇(a ∨ b). Since the category
Coalg(V) is dually equivalent to that of modal algebras, we thus see that the latter 
category, MA, may be represented as an algebraic category Alg(V*). This insight in fact 
provided the very first connection between modal logic and coalgebra, see Abramsky [1]. 
Recently, the duality that (54) provides between algebra and coalgebra has been used 
to prove results on coalgebraic modal logics, where we now use the word ‘logic’ in the 
technical sense. For instance, Jacobs [62] and Kupke, Kurz & Venema [74] use dualities 
in the style of (54) to prove completeness results for the multi-sorted modal logic of 
Definition 195 and 196. Kupke, Kurz & Pattinson [73] apply the above framework in 
order to characterize properties of arbitrary coalgebraic modal logics. 

Let us finish the chapter with the observation that both of the fundamental duali- 
ties underlying the mathematical theory of modal logic are nontrivial instances of an 
algebra/coalgebra duality. This means that the algebraic and the coalgebraic approach 
towards modal logic may be fruitfully operated in tandem. We believe that a thorough 
study of the interaction of algebra and coalgebra will provide a better understanding, 
not only of modal logic itself, but also of its mathematical surroundings. 


A BASICS OF UNIVERSAL ALGEBRA AND CATEGORY THEORY


This section provides some technical preliminaries to this Chapter; we briefly review 
notation and terminology on universal algebra and category theory. 

If we equip a set with a collection of finitary operations, we call the resulting structure 
an algebra; two such structures are called similar if their operations correspond in number 
and rank. In order to formalize this notion we introduce the notion of a similarity type 
as a set Σ of function symbols each of which comes with a nonnegative integer to be
called its rank or arity. The arity of a function symbol f is denoted as ar(f). Function 
symbols of rank zero are called constants. 

The similarity type of (bounded) lattices is the set Latt = {⊤, ⊥, ∧, ∨} where ⊤ (‘top’)
and ⊥ (‘bottom’) are constants, and ∧ (‘meet’) and ∨ (‘join’) are binary symbols. As
the similarity type for Boolean algebras we take the set Bool = {⊤, ⊥, −, ∧, ∨} where ⊤,
⊥, ∧ and ∨ are as before, and − (‘complementation’) is a unary symbol.

A Σ-algebra is then a pair A = (A, I), in which the interpretation I assigns to each
function symbol f ∈ Σ an operation of arity ar(f) on the carrier A of the algebra. Usually
we write $f^A$ rather than I(f), and denote the algebra A = (A, I) by A = (A, {$f^A$ | f ∈
Σ}). As an example, let, for a set S, P(S) = (P(S), S, ∅, $\sim_S$, ∩, ∪) be the power set
algebra, where $\sim_S$ denotes the unary operation of complementation with respect to S.
An algebra is called trivial if it has just one element; this completely determines the 
behavior of the operations. 

A homomorphism from a Σ-algebra A to a similar algebra B is a map θ : A → B that
preserves the structure, in the sense that, for all f ∈ Σ, and all $a_1, \dots, a_n$ in A (where
n = ar(f)):

$$\theta(f^{A}(a_1, \dots, a_n)) = f^{B}(\theta a_1, \dots, \theta a_n). \tag{55}$$


An injective homomorphism is called an embedding and a surjective one, an epimorphism; 
an isomorphism is a bijective homomorphism. A homomorphism with the same source 
as target algebra is called an endomorphism in general, and an automorphism if it is
bijective. 

Homomorphisms are closely related to special equivalence relations: a congruence on
A is an equivalence relation ∼ satisfying, for all f ∈ Σ:

$$\text{if } a_1 \sim b_1 \ \&\ \dots\ \&\ a_n \sim b_n, \text{ then } f^{A}(a_1, \dots, a_n) \sim f^{A}(b_1, \dots, b_n), \tag{56}$$

where n is the rank of f. Given a congruence ∼ on A, the quotient algebra of A by ∼ is
the algebra A/∼ whose carrier is the set A/∼ := {[a] | a ∈ A} of equivalence classes of
A under ∼, and whose operations are defined by

$$f^{A/\sim}([a_1], \dots, [a_n]) = [f^{A}(a_1, \dots, a_n)].$$

(This is well-defined by (56).) The close connection between homomorphisms and
congruences is formed by the fact that if θ : A → B is a homomorphism, its kernel
ker(θ) := {(a, b) ∈ A × A | θ(a) = θ(b)} is a congruence on A, while, on the other
hand, for any congruence ∼ on A, the associated natural map $\nu_\sim$ taking an element
a ∈ A to its equivalence class [a] is a surjective homomorphism from A onto A/∼.

The set of congruences CgA of an algebra A forms in fact a complete lattice under 
the subset ordering; this lattice is denoted as Cg(A); the meet operation of this lattice 
is simply their intersection, while the join of two congruences is given by
$\Theta_1 \vee \Theta_2 = \Theta_1 \cup (\Theta_1 \circ \Theta_2) \cup (\Theta_1 \circ \Theta_2 \circ \Theta_1) \cup \cdots$.

A Σ-algebra A is a subalgebra of a Σ-algebra B if A ⊆ B and for all f ∈ Σ, the
operation $f^A$ coincides with the restriction of $f^B$ to A. The direct product $A = \prod_{i \in I} A_i$
of a family of Σ-algebras is an algebra with carrier $\prod_{i \in I} A_i$ and such that for f ∈ Σ and
$a_1, \dots, a_n \in \prod_{i \in I} A_i$:

$$f^{A}(a_1, \dots, a_n)(i) = f^{A_i}(a_1(i), \dots, a_n(i)).$$


We assume familiarity with the notions of ultraproduct and ultrapower. 

Given a class K of algebras, we let H(K) denote the class of homomorphic images of 
algebras in K; S(K) is the class of isomorphic copies of subalgebras of algebras in K, and 
similar definitions apply for the class operations P (products), Pu (ultraproducts) and
Pw (ultrapowers). 

A class of algebras is called a variety if it is closed under taking subalgebras, homomorphisms,
and products; the smallest variety containing a class K is called the variety
generated by K, notation: Var(K). Using inequalities like SH ≤ HS (meaning that, for
any class of algebras K, SH(K) is a subclass of HS(K)), together with the idempotence of 
the class operations S, H and P, one can prove Tarski’s Theorem stating that 


Var(K) = HSP(K) (57) 


for any class of algebras K. 

Given a similarity type Σ and a set of variables X, we define the set $Ter_\Sigma(X)$ of
Σ-terms over X by a straightforward induction: it is the smallest set including X which
contains $f(t_1, \dots, t_n)$ whenever it contains $t_1, \dots, t_n$ and f ∈ Σ is a function symbol
of rank n. (In particular, $Ter_\Sigma(X)$ contains all constants in Σ.) In this chapter we
adopt the convention that unless explicitly indicated otherwise, X denotes a countably
infinite set of variables; we often omit explicit reference to X, writing for instance $Ter_\Sigma$
rather than $Ter_\Sigma(X)$, etc. Also, writing $s(x_1, \dots, x_n)$ for a term s, we indicate that the
variables occurring in s are among $x_1, \dots, x_n$.

Given an assignment α of a set X of variables to (the carrier A of) an algebra A, we
inductively define the meaning $\tilde{\alpha}(s)$ of a term s as follows:

$$\begin{aligned} \tilde{\alpha}(x) &:= \alpha(x), \\ \tilde{\alpha}(f(t_1, \dots, t_n)) &:= f^{A}(\tilde{\alpha}(t_1), \dots, \tilde{\alpha}(t_n)). \end{aligned} \tag{58}$$

Thus any term $s(x_1, \dots, x_n)$ induces an n-ary term function $s^A$ on A, given by

$$s^{A}(a_1, \dots, a_n) = \tilde{\alpha}(s),$$

where α is any assignment mapping each $x_i$ to $a_i$. (Of course, $s^A$ can also be given an
inductive definition.)

Using the close resemblance between the second clause of (58) and (55), we can turn
the meaning function into a real homomorphism by imposing Σ-algebra structure on the
set $Ter_\Sigma(X)$, obtaining the term algebra $Ter_\Sigma(X)$. The idea is to interpret the function
symbol f ∈ Σ as follows:

$$f^{Ter_\Sigma(X)}(t_1, \dots, t_n) := f(t_1, \dots, t_n).$$


Elaborating on this perspective, let K be a class of Σ-algebras, and F a Σ-algebra
generated by a set X ⊆ F. Suppose that for every A in K and every map α : X → A
there is a homomorphism $\tilde{\alpha}$ : F → A extending α. Then we say that F has the universal
mapping property for K over X, or that F is free for K over X. The identities of (58)
thus reveal that $Ter_\Sigma(X)$ is free over X for the class of all Σ-algebras; for this reason it
is often referred to as the absolutely free algebra over X.

Free algebras have a number of important properties of which we mention the following: 


• every algebra in K is a homomorphic image of a free algebra over an appropriately
large set of generators;


• all free algebras for K belong to the class SP(K);


• if F and F’ are free for K over the generator sets X and X’, respectively, and X
and X’ have the same cardinality, then F and F’ are isomorphic.




Universal algebra may on the one hand be seen as generalizing the study of individual 
classes of algebras such as groups, fields, or lattices. On the other hand we may consider 
it as a rather special branch of model theory in which one is interested in structures 
for a language without relation symbols. The standard language for talking about such 
structures is equational. 

An equation is nothing but a pair (s, t) of terms, always denoted as s ≈ t. The equation
s ≈ t (with s, t ∈ $Ter_\Sigma(X)$) is true or holds in the algebra A under the assignment
α : X → A, notation: $A \models_\alpha s \approx t$, if s and t obtain the same meaning in A under α, that
is, if $\tilde{\alpha}(s) = \tilde{\alpha}(t)$. An equation s ≈ t holds in the algebra A, or, equivalently, the algebra
A satisfies the equation s ≈ t, notation: A ⊨ s ≈ t, if $A \models_\alpha s \approx t$ for every assignment
α.

The relation ⊨ induces a Galois connection between sets of formulas and classes of
algebras; the polarities of this connection are given as the maps Equ and Mod, where
Equ(K) is the set of all equations that hold in K, and Mod(E) denotes the class of
algebras that satisfy every equation in E. The classes of algebras that are stable under
this connection, that is, the classes K of the form Mod(E) for some set E of equations, 
are called equational classes. An important result by Birkhoff states that this notion 
coincides with that of a variety, and that for any class K of algebras it holds that 


Mod(Equ(K)) = Var(K). (59) 


The relation

$$s \equiv_K t \;:\Longleftrightarrow\; K \models s \approx t$$

corresponding to the set Equ(K) is in fact a congruence on the term algebra $Ter_\Sigma$. The
algebra $Ter_\Sigma(X)/{\equiv_K}$ has the universal mapping property for K over [X] (the set of
equivalence classes of X under $\equiv_K$), which, together with the third fact on free algebras
listed above, explains why we call it the free algebra for K over [X].


A category C consists of a class Ob(C) of objects, and for each pair of objects A, B, a
family C(A, B) of arrows. If f belongs to the latter set, we write f : A → B, and call A
the domain and B the codomain of the arrow. The collection of arrows is endowed with
some algebraic structure: for every object A of C there is an arrow $id_A$ : A → A, and
every pair f : A → B, g : B → C can be uniquely composed to an arrow g ∘ f : A → C.
These operations are supposed to satisfy the associative law for composition, while the
appropriate identity arrows are left- and right neutral elements. An arrow f : A → B is an
iso if it has an inverse, that is, an arrow g : B → A such that f ∘ g = $id_B$ and g ∘ f = $id_A$.
Examples of categories are Set, the class of sets with functions, and, for every similarity
type Σ, the class Alg(Σ) of Σ-algebras, with homomorphisms as arrows. The opposite
category $C^{op}$ of a given category C has the same objects as C, while $C^{op}(A, B) = C(B, A)$
for all objects A, B from C, and the operations on arrows are defined in the obvious way.

An object X is initial in a category C if for every object A in C there is a unique arrow
a : X → A, and final if for all A there is a unique a : A → X. In Set, the empty set
is initial, and the final objects are precisely the singletons. A product of two objects $A_0$
and $A_1$ in a category C consists of a triple $(A, \alpha_0 : A \to A_0, \alpha_1 : A \to A_1)$, such that for
every triple $(A', \alpha'_0 : A' \to A_0, \alpha'_1 : A' \to A_1)$ there is a unique arrow f : A′ → A such
that $\alpha_i \circ f = \alpha'_i$ for both i. Coproducts of $A_0$ and $A_1$ are defined dually as triples
$(A, \alpha_0 : A_0 \to A, \alpha_1 : A_1 \to A)$, such that for every triple $(A', \alpha'_0 : A_0 \to A', \alpha'_1 : A_1 \to A')$ there
is a unique arrow f : A → A′ such that $f \circ \alpha_i = \alpha'_i$ for each i. The category Set has
both products and coproducts; that is, every pair $(S_0, S_1)$ of sets has both a product
(for which we may take the cartesian product $S_0 \times S_1$ together with the two projection
functions $\pi_i : S_0 \times S_1 \to S_i$), and a coproduct (for which we may take the disjoint union
$S_0 \uplus S_1 = S_0 \times \{0\} \cup S_1 \times \{1\}$ together with the coproduct maps $\kappa_0$ and $\kappa_1$ given by
$\kappa_i(s) = (s, i)$).

A functor Q : C → D from a category C to a category D consists of an operation
mapping objects and arrows of C to objects and arrows of D, respectively, in such a way
that Qf : QA → QB if f : A → B, Q($id_A$) = $id_{QA}$ and Q(g ∘ f) = (Qg) ∘ (Qf) for all
objects and arrows involved. A functor Q : C → $D^{op}$ is sometimes called a contravariant
functor from C to D. An endofunctor on C is a functor Q : C → C.

As examples we consider the following set functors (that is, endofunctors on Set): (i)
for a fixed set C, the constant functor mapping all sets to C and all arrows to $id_C$; this
functor is denoted as C, (ii) the power set functor P, which maps any set S to its power
set PS, and any map f : S → S′ to the map Pf : PS → PS′ given by Pf : X ↦ {fx |
x ∈ X}, and (iii) for every cardinal κ, the variant $P_\kappa$ of the power set functor, which
maps any set S to the collection $P_\kappa S$ := {X ⊆ S | κ > |X|}, and agrees with P on the
arrows for which it is defined. Furthermore, given two functors $Q_0$ and $Q_1$, their product
functor $Q_0 \times Q_1$ is given (on objects) by $(Q_0 \times Q_1)S := Q_0 S \times Q_1 S$, while for f : S → S′,
the map $(Q_0 \times Q_1)f$ is given as $((Q_0 \times Q_1)f)(\sigma_0, \sigma_1) = ((Q_0 f)(\sigma_0), (Q_1 f)(\sigma_1))$. The
coproduct functor is defined similarly. Finally, every category C admits the identity
functor $I_C$ : C → C which is the identity on both objects and arrows of C.

Let C and D be two categories, and let Q and Ψ be two functors from C to D. A natural
transformation τ from Q to Ψ, notation τ : Q ⇒ Ψ, consists of D-arrows $\tau_A$ : QA → ΨA
such that $\tau_B \circ Qf = \Psi f \circ \tau_A$ for each f : A → B in C.

Finally, let Q : C → D and Ψ : D → C be two functors linking the categories C
and D. Q and Ψ constitute an equivalence between C and D if their compositions are
naturally isomorphic to the identity functors, that is, if there are natural transformations
σ : $I_C$ ⇒ ΨQ and τ : $I_D$ ⇒ QΨ such that all arrows $\sigma_A$ : A → ΨQA and $\tau_B$ : B → QΨB
are isos. If such Q and Ψ exist, then the categories C and D are called equivalent; if Q
and Ψ are in fact each other’s inverse (both on maps and on arrows) then C and D are
isomorphic. If Q and Ψ form a dual equivalence between the categories C and D, that
is, an equivalence between the categories C and $D^{op}$, then we say that the categories are
dual or dually equivalent to each other.


1 MODAL LOGIC AS ‘DIE KLASSENTHEORIE’


There are different views on the subject of Modal Logic. For the purpose of this chapter
it is important to distinguish between two of them.

According to the local view, Modal Logic deals with a number of concrete modal
logics. Since the beginning of the 20th century developers and users of Modal Logic from
philosophy, mathematics, computer science, artificial intelligence, linguistics and other
fields have introduced and investigated dozens of particular modal logics suitable for their
needs: epistemic, provability, temporal, dynamic, description, spatial, to mention just a
few.


428 Frank Wolter and Michael Zakharyaschev

With the number of concrete modal logics introduced in the literature growing, there 
came an understanding that it may be interesting and important to formulate general 
abstract notions of modal logics and to investigate the landscape of the resulting classes 
of logics and their properties. The pioneers of this global approach were Scroggs [127] 
who considered all extensions of S5, Dummett and Lemmon [33] who studied all logics 
between S4 and S5, Bull [14] and Fine [40] who investigated the logics containing S4.3,
and Lemmon [86, 87, 88] and Segerberg [129] who launched a systematical investigation 
of various classes of modal logics. Two other influential figures that should also be 
mentioned here are Kuznetsov [81, 84, 85] and Jankov [67, 66, 68, 69] who investigated 
the class of all extensions of intuitionistic propositional logic which is closely related to 
the class of modal logics containing S4; see Section 9. 

Although not formulated explicitly, the ‘globalist’s’ dream research programme was to 
develop a mathematical machinery that could provide general solutions to the following 
major problems:¹


(i) given a class of models/structures, axiomatise the modal logic it determines, decide
in an effective way whether it has certain important properties, say, decidability,
compactness, interpolation, etc., and determine its computational complexity.


(ii) given a modal logic in the form of a finite set of axioms and inference rules,
characterise the (simplest, smallest, largest, etc.) class of models/structures with respect
to which this logic is sound and complete, decide in an effective way whether it has
important properties as above, and determine its computational complexity.


This research programme is formulated in quite general terms and therefore can be 
interpreted in various ways. For example, it is not specified what kind of classes of 
frames/models we consider and what kind of axiomatic systems we take into account. Of 
course, different interpretations may lead to different solutions, but anyway first results 
within this ambitious programme looked very promising indeed! For example, Bull [14] 
proved that all extensions of S4.3 have the finite model property and Fine [40] showed
that all of them are finitely axiomatisable, and so decidable. (Actually, Dummett and 
Lemmon [33] claimed that all logics between S4 and S5 have the finite model property, 
but their proof was wrong: ten years later Jankov [68] constructed a counterexample.) In 
view of Makinson’s theorem [94], one can effectively decide whether a given logic above 
K is consistent. Maksimova [95, 97] proved that two properties of logics containing S4— 
tabularity and interpolation—are decidable as well. It seems that many modal logicians 
did believe in an eventual success of this Big Programme. 

In this chapter we analyse the development of Modal Logic within the research frame- 
work formulated above, starting from the beginning of the 1970s, although not necessarily 
in chronological order; for a historical analysis of mathematical modal logic the reader is 
referred to the recent paper of Goldblatt [57] and notes in [24]. Because of space limita- 
tions, we mainly concentrate on normal (multi-) modal logics and their decidability and 
completeness (in particular, with respect to Kripke or finite frames). 


¹ Kuznetsov did formulate such problems explicitly in the context of superintuitionistic logics; e.g.,
given an axiomatisation of a superintuitionistic logic, can we decide in an effective way whether the logic
is characterised by a finite algebra?

Roughly, our plan is as follows. We start in Section 2 with Thomason’s explication (i′)
of the semantical part (i) of the research programme above. Then, in Section 3, we lay
the foundation for the most important syntactical notion of Modal Logic, namely, that of 
a normal modal logic. Having introduced an adequate semantics for normal modal logics 
in terms of general frames, we discuss in detail Blok’s dichotomy in order to clarify the 
difference between Thomason’s semantical definition of modal logics and the syntactically 
defined normal modal logics. Based on this discussion, we then come to the appropriate 
refinement (ii’) of the syntactical part (ii) of the research programme for normal modal 
logics and solutions to it given by Chagrov and Thomason. 
Although beautiful from a mathematical point of view, the results of Thomason and 
Chagrov are ‘negative’ in the sense that almost all general algorithmic problems formu- 
lated in the Big Research Programme turn out to be undecidable. In the same way as 
the negative solution to the classical decision problem of Hilbert transformed the original 
problem into a classification problem, the ‘negative’ solution to the modal decision prob- 
lems brings us down to a more ‘modest’ and realistic ‘relativisation’ of the programme 
to various syntactically or semantically defined classes of modal logics. 

In Section 4, we consider logics axiomatised by formulas satisfying certain syntac- 
tical constraints, in particular, Sahlqvist formulas, uniform formulas, modal reduction 
principles, etc., and see whether such constraints allow us to prove general decidabil- 
ity/completeness results. In Section 5, we survey the literature on general decidabil- 
ity/completeness results for logics with some ‘strong’ axioms, say, extensions of tabular 
and pretabular logics, logics of finite depth and width, extensions of S4.3, K5, etc.

Then, in Section 6, we discuss an attempt to attack the Big Research Programme for 
normal extensions of K4 (that is, unimodal logics with transitive general frames) and 
the tense logic Lin (of linear flows of time) by means of finite representations of modally 
definable classes of frames via frame and subframe formulas of Jankov and Fine [69, 41, 45] 
and more general ‘canonical’ formulas of [172, 174, 163]. This technique will be also used 
to draw and discuss connections between extensions of S4 and superintuitionistic logics 
in Section 9. 

In Section 7 we provide a ‘positive’ solution to the Big Research Programme for the 
class of all tense logics of linear flows of time. In fact, it turns out that for this class 
of logics all the questions posed in the programme are decidable (sometimes even in 
nondeterministic polynomial time). 

In Section 8, we consider the class of subframe logics—i.e., logics determined by classes 
of (general) frames closed under the formation of substructures in the standard model- 
theoretic sense—and explore to what extent the research programme can be realised for 
this semantically defined class of modal logics. 

A number of important open problems are formulated throughout the chapter. 


2 THOMASON’S ANALYSIS 


As we saw in Chapter 1, the standard propositional modal language with a countably
infinite set of propositional variables (say, $p_0, p_1, \dots$), the Boolean connectives ∧, ¬ (and
their derivatives →, ∨, etc.) and unary modal operators $\Box_1, \dots, \Box_n$, can be regarded as
a basic tool for talking about relational structures $\mathfrak{F} = (W, R_1, \dots, R_n)$, where the $R_i$
are binary relations on W ≠ ∅. We denote this n-modal language by $\mathcal{ML}_n$ and call 𝔉 an
n-frame or simply a (Kripke) frame, if n is understood.

$\mathcal{ML}_n$ is interpreted in n-frames by means of valuations 𝔙 which associate with every
propositional variable $p_i$ a subset $\mathfrak{V}(p_i)$ of W. The pair 𝔐 = (𝔉, 𝔙) is called a (Kripke)
model based on 𝔉. Given an $\mathcal{ML}_n$-formula φ, the truth-relation (𝔐, x) ⊨ φ, read as
‘φ is true at x in 𝔐’ (for x ∈ W), is defined by induction on the construction of φ as
follows:

$$\begin{aligned}
(\mathfrak{M}, x) \models p_i \quad &\text{iff} \quad x \in \mathfrak{V}(p_i), \\
(\mathfrak{M}, x) \models \psi \wedge \chi \quad &\text{iff} \quad (\mathfrak{M}, x) \models \psi \text{ and } (\mathfrak{M}, x) \models \chi, \\
(\mathfrak{M}, x) \models \neg\psi \quad &\text{iff} \quad \text{not } (\mathfrak{M}, x) \models \psi, \\
(\mathfrak{M}, x) \models \Box_i \psi \quad &\text{iff} \quad (\mathfrak{M}, y) \models \psi \text{ for all } y \in W \text{ such that } x R_i y.
\end{aligned}$$

If (𝔐, x) ⊨ φ does not hold then we write (𝔐, x) ⊭ φ and say that 𝔐 refutes φ at
x. Instead of (𝔐, x) ⊨ φ and (𝔐, x) ⊭ φ we write simply x ⊨ φ and x ⊭ φ, if 𝔐 is
understood. A formula φ is said to be true in 𝔐 (𝔐 ⊨ φ, in symbols) if x ⊨ φ for all
x ∈ W; φ is satisfied in 𝔐 if x ⊨ φ for some x ∈ W. We say that φ is valid in the frame
𝔉 (or 𝔉 validates φ) and write 𝔉 ⊨ φ if φ is true in all models based on 𝔉; φ is satisfiable
in 𝔉 if it is satisfied in some model based on 𝔉. For a set Γ of $\mathcal{ML}_n$-formulas, we say
that 𝔉 is a frame for Γ if all formulas from Γ are valid in 𝔉. In this case we write 𝔉 ⊨ Γ.
A formula φ is Γ-satisfiable if it is satisfiable in a frame for Γ. Finally, we write Γ ⊩ φ if
φ is valid in every frame for Γ (that is, if φ is a semantic consequence of Γ over Kripke
frames).

As in classical first-order logic, given a class K of structures for our language—that is, 
a class of n-frames—we define the theory ThK of K by the equation 


$$\mathrm{Th}\,K = \{ \varphi \in \mathcal{ML}_n \mid \varphi \text{ is valid in every frame from } K \}.$$


For example, as we know from Chapters 1 and 2, $K_n$ is the theory of the class of all
n-frames and S4 is the theory of the class of all partial orders (or all quasi-orders). 

Conversely, given a set Γ of $\mathcal{ML}_n$-formulas, denote by Fr Γ the class of frames for Γ.
For example, Fr{□p → □□p} is the class of all transitive frames 𝔉 = (W, R). This and
other similar results were in fact obtained by Kripke in his seminal paper [79]. 


Being equipped with these notions and notations, let us take a closer look at the 
research programme from Section 1. Clearly, problem (i) depends on how exactly the class 
of models/frames we are interested in is presented. For example, it can be given as the 
class of structures satisfying certain first- or second-order sentences. This understanding 
of (i) would lead us to the branch of Modal Logic known as correspondence theory (which 
is partially considered in Chapters 1 and 5; see also [153]). In the pure modal perspective, 
it makes sense to describe frame classes by means of modal formulas, namely as Fr{φ},
for φ ∈ $\mathcal{ML}_n$. Thus, we arrive at our first precise approximation of (i):


(i′) given an arbitrary $\mathcal{ML}_n$-formula φ, axiomatise Th Fr{φ} = {ψ ∈ $\mathcal{ML}_n$ | φ ⊩ ψ},
decide in an effective way whether Th Fr{φ} has certain important properties,
say, consistency, decidability, interpolation, etc., and determine its computational
complexity.


Note that this problem is not as trivial as it might look at first sight. Of course, for
numerous formulas φ the theory Th Fr{φ} was axiomatised and thoroughly investigated
a long time ago. Well-known examples are, for instance, T = Th Fr{□p → p}, the
theory of the reflexive frames, and K4 = Th Fr{□p → □□p}, the theory of the transitive
frames; see Chapters 1 and 2. Our concern here, however, is not some particular formulas,
but effective axiomatisation procedures which could work for all modal formulas. Such a
procedure is available, for example, for first-order logic: by Gödel’s completeness theorem,
given a first-order sentence φ, we can axiomatise the theory of structures validating φ
by adding φ as an extra axiom to any standard Hilbert-style first-order system. But do
we have a Gödel-type completeness theorem for $\mathcal{ML}_n$ with respect to Kripke frames?


A comprehensive analysis of problem (i’) was launched by S. Thomason in his series 
of papers [140, 141, 143, 145, 144]. 


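THEOREM 1 (Thomason). (a) There is an $\mathcal{ML}_1$-formula $\varphi$ such that the set 

$$\mathsf{Th}\,\mathsf{Fr}\{\varphi\} = \{\psi \in \mathcal{ML}_1 \mid \varphi \models \psi\}$$

is $\Pi^1_1$-complete (in particular, it is not recursively enumerable). 

(b) There is no algorithm which is capable of deciding, given an $\mathcal{ML}_2$-formula $\varphi$, 
whether the theory $\mathsf{Th}\,\mathsf{Fr}\{\varphi\}$ is consistent, or, equivalently, whether there exists a 
2-frame validating $\varphi$. 

(c) There is a set $\Gamma$ of $\mathcal{ML}_1$-formulas and an $\mathcal{ML}_1$-formula $\varphi$ such that $\Gamma \models \varphi$, but 
$\Delta \not\models \varphi$ for any finite $\Delta \subseteq \Gamma$. 

(d) For every $n < \omega + \omega$, there is an $\mathcal{ML}_2$-formula $\varphi_n$ such that every rooted frame 
validating $\varphi_n$ is of cardinality $\beth_n$ and, moreover, all such frames are isomorphic.² (Here 
$\beth_0 = \aleph_0$, $\beth_{m+1} = 2^{\beth_m}$, and $\beth_\omega = \lim\{\beth_m \mid m < \omega\}$.) 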


Theorem 1 (a) shows that the first part of research problem (i’) cannot be solved, while 
both (a) and (b) indicate that the second part is also hopeless. In fact, this theorem 
clearly shows that modal theories behave similarly to second-order logic: we do not 
have any of the classical properties of first-order logic such as compactness, recursive 
enumerability of valid formulas or the Löwenheim–Skolem theorem. Interestingly, rather 
simple $\mathcal{ML}_1$-formulas $\varphi$ such that $\mathsf{Fr}\,\{\varphi\}$ is not first-order definable had already been 
constructed by Segerberg [129]. Perhaps the best known example is the Löb formula 


$$\mathbf{la} = \Box(\Box p \to p) \to \Box p$$


which is valid in a frame $\mathfrak{F} = \langle W, R\rangle$ iff $\mathfrak{F}$ is transitive and contains no infinite ascending 
chain $x_1 R x_2 R x_3 \dots$ The latter condition is not definable in first-order logic. 
Thomason proved his results by constructing (rather complex and ‘artificial’) multi- 
modal formulas with the required properties. To obtain (a) and (c) he showed that 
multi-modal logics can be reduced to unimodal logics with similar properties. (For a 
discussion of this kind of reduction see Chapter 8.) Now (in 2005) we know simpler 
and more natural bimodal formulas with the properties of $\varphi$ in (a) of Theorem 1. Take, for 
example, the conjunction $\varphi$ of the following formulas: 


$\Box_1(\Box_1 p \to p) \to \Box_1 p, \qquad \Box_2(\Box_2 p \to p) \to \Box_2 p,$ (1) 
1(01p > q) V Oi(Oig > p), 2(Oap > q) V Oe(O2q > p), (2) 
O2Oıp  O1O ap, ©1Oep > O20 1p. (3) 


(1) says that both boxes satisfy the Löb axiom above, (2) ensures that frames for $\Box_1$ and 
$\Box_2$ satisfy the connectedness condition 


$$\forall x, y, z\,(xR_iy \land xR_iz \land y \neq z \to yR_iz \lor zR_iy),$$


while (3) says that $R_1$ and $R_2$ commute and satisfy the Church–Rosser property, i.e., 


$$\forall x, z\,\bigl(\exists y\,(xR_2y \land yR_1z) \leftrightarrow \exists y\,(xR_1y \land yR_2z)\bigr),$$
$$\forall x\forall y\forall z\,\bigl(xR_2y \land xR_1z \to \exists u\,(yR_1u \land zR_2u)\bigr).$$


² See also [16] and [75]. 


Typical frames validating $\varphi$ are products of finite strict linear orders or infinite reverse 
well-founded linear orders like $\langle\{0,1,\dots,n\},<\rangle$ or $\langle\omega + 1, >\rangle$, where 


$$\langle W_h, R_h\rangle \times \langle W_v, R_v\rangle = \langle W_h \times W_v, R_1, R_2\rangle,$$
$$\langle u,v\rangle R_1 \langle u', v'\rangle \text{ iff } uR_hu' \text{ and } v = v',$$
$$\langle u,v\rangle R_2 \langle u', v'\rangle \text{ iff } vR_vv' \text{ and } u = u'.$$


(For more details about product frames and logics see Chapter 15.) To show that validity 
in frames for $\varphi$ is $\Pi^1_1$-hard, one can reduce the following $\Sigma^1_1$-complete recurrent tiling 
problem [62] to the satisfiability problem for $\mathcal{ML}_2$-formulas in frames for $\varphi$: ‘given a 
finite set $T$ of tile types ($1 \times 1$-squares with colours along their edges) and a $t_0 \in T$, can 
$T$ tile the $\mathbb{N} \times \mathbb{N}$-grid in such a way that colours on adjacent edges of adjacent tiles match 
and $t_0$ appears infinitely often in the first column?’ For details the reader is referred to 
[49, 120]. 


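Of course, the notion of validity in Kripke frames is of a second-order nature. Indeed, 
we can easily define a translation $\cdot^*$ of $\mathcal{ML}_n$ into monadic second-order logic with $n$ extra 
binary relations $R_1, \dots, R_n$ by taking inductively 


$$p_i^* = P_i(x),$$
$$(\varphi \land \psi)^* = \varphi^* \land \psi^*,$$
$$(\neg\varphi)^* = \neg\varphi^*,$$
$$(\Box_i\varphi)^* = \forall y\,(xR_iy \to \varphi^*[y/x]),$$


where $y$ is a fresh variable. And then, for every frame $\mathfrak{F} = \langle W, R_1, \dots, R_n\rangle$ and every 
$\mathcal{ML}_n$-formula $\varphi(p_1, \dots, p_k)$, we have $\mathfrak{F} \models \varphi$ iff $\forall P_1 \dots \forall P_k \forall x\, \varphi^*$ is true in $\mathfrak{F}$. This means 
that for every set $\Gamma \cup \{\varphi\}$ of $\mathcal{ML}_n$-formulas, $\Gamma \models \varphi$ iff $\varphi^*$ is a logical consequence of 
$\{\psi^* \mid \psi \in \Gamma\}$ in second-order logic. 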

What is more surprising is that the full monadic second-order theory of a binary 
predicate can be reduced to propositional modal logic: 


THEOREM 2 (Thomason). There is an effective translation -* of the language MSO 
of monadic second-order logic with one extra binary relation into ML, and there is an 


MEL,-formula T such that, for every set EU {¢} of MSO-formulas, 
Ç is a logical consequence of ZE iff {ryuféh lee BKC 


Thus, Thomason’s [145] conclusion was that $\mathcal{ML}_n$ or even $\mathcal{ML}_1$ can be regarded as a 
rather strong fragment of second-order predicate logic and that the modal consequence 
relation $\models$ is as complex as it could be. In particular, there is an $\mathcal{ML}_1$-formula $\varphi$ such 
that the set $\{\psi \in \mathcal{ML}_1 \mid \varphi \models \psi\}$ is not definable in number theory of any finite order. 


3 NORMAL MODAL LOGICS 


The analogy with second-order logic discussed above also indicated a way of ‘regaining’ 
nice properties of first-order logic (compactness, recursive enumerability and Löwenheim–Skolem). 
Recall (see, e.g., [34]) that following Henkin’s idea of introducing a special 
universe over which the predicates can be interpreted, one can obtain an essentially first-order 
semantics, known as general structures, for second-order logic. Actually, this 
appears to be Thomason’s [141] motivation for introducing general frames (which he 
called first-order semantics for modal logic). The idea is very simple: restrict the range 
of the valuation function $\mathfrak{V}$ in the definition of Kripke models to some subset of $2^W$ that 
is closed under the available operations. This leads us to the following definition. 

A general $n$-frame is a structure of the form 


$$\mathfrak{G} = \langle W, R_1, \dots, R_n, P\rangle,$$


where $\langle W, R_1, \dots, R_n\rangle$ is an ordinary Kripke frame and $P$ is a subset of $2^W$ containing 
$W$ and closed under set-theoretic intersection and complementation as well as under the 
operations 


$$\Box_i X = \{x \in W \mid \forall y\,(xR_iy \to y \in X)\},$$


for all $i = 1, \dots, n$. As before, the language $\mathcal{ML}_n$ is interpreted in general frames by 
means of valuations $\mathfrak{V}$ which associate with every propositional variable $p_i$ a set $\mathfrak{V}(p_i)$. 
The only difference is that now $\mathfrak{V}(p_i)$ must belong to $P$. The pair $\mathfrak{M} = \langle\mathfrak{G}, \mathfrak{V}\rangle$ is then 
called a model based on the general frame $\mathfrak{G}$. The remaining semantical notions are defined 
in precisely the same way as for Kripke models, e.g., $\mathsf{Th}$, a general frame for a logic, 
etc. To simplify notation, we denote general frames of the form $\mathfrak{F} = \langle W, R_1, \dots, R_n, 2^W\rangle$ 
by $\mathfrak{F} = \langle W, R_1, \dots, R_n\rangle$ (because the theories of these frames are the same). 
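
The definition of general frames can be checked mechanically on finite structures. The following added example (not part of the Handbook text) evaluates formulas in finite frames, tests the closure conditions on $P$, and compares validity in a general frame with validity in the underlying Kripke frame; it also confirms, on all frames with three points, the frame condition of the Löb formula stated earlier. The tuple encoding of formulas and all function names are assumptions of this sketch.

```python
from itertools import combinations, product

# Formulas as nested tuples (an encoding chosen for this example):
#   ("var", "p")  ("not", f)  ("and", f, g)  ("imp", f, g)  ("box", i, f)
p = ("var", "p")
T_AXIOM = ("imp", ("box", 1, p), p)                              # box p -> p
LOB = ("imp", ("box", 1, ("imp", ("box", 1, p), p)), ("box", 1, p))

def box_set(worlds, rel, xs):
    """The operation [i]X = {x in W | for all y (x R_i y -> y in X)}."""
    return frozenset(x for x in worlds
                     if all(y in xs for (u, y) in rel if u == x))

def truth_set(f, worlds, rels, val):
    """Set of points of the frame at which f is true under valuation val."""
    W = frozenset(worlds)
    op = f[0]
    if op == "var":
        return val[f[1]]
    if op == "not":
        return W - truth_set(f[1], worlds, rels, val)
    if op == "and":
        return truth_set(f[1], worlds, rels, val) & truth_set(f[2], worlds, rels, val)
    if op == "imp":
        return (W - truth_set(f[1], worlds, rels, val)) | truth_set(f[2], worlds, rels, val)
    if op == "box":
        return box_set(worlds, rels[f[1]], truth_set(f[2], worlds, rels, val))
    raise ValueError(f"unknown connective {op!r}")

def variables(f):
    """Names of the propositional variables occurring in f."""
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:] if isinstance(g, tuple)))

def powerset(worlds):
    ws = list(worlds)
    return [frozenset(c) for r in range(len(ws) + 1) for c in combinations(ws, r)]

def is_general_frame(worlds, rels, P):
    """P must contain W and be closed under intersection, complement and every [i]."""
    W, P = frozenset(worlds), set(P)
    return W in P and all(
        W - X in P
        and all(box_set(worlds, r, X) in P for r in rels.values())
        and all(X & Y in P for Y in P)
        for X in P)

def valid(f, worlds, rels, P=None):
    """f is valid if every admissible valuation makes it true at every point.
    P=None admits all subsets of W, i.e. the frame is an ordinary Kripke frame."""
    admissible = powerset(worlds) if P is None else list(P)
    names = sorted(variables(f))
    W = frozenset(worlds)
    return all(truth_set(f, worlds, rels, dict(zip(names, choice))) == W
               for choice in product(admissible, repeat=len(names)))

def transitive_irreflexive(rel):
    """On a finite frame, 'transitive with no infinite ascending chain' means
    transitive and irreflexive: any cycle in a transitive frame yields a loop."""
    return (all(x != y for (x, y) in rel)
            and all((x, z) in rel for (x, y) in rel for (u, z) in rel if u == y))

def lob_matches_frame_condition(n):
    """Compare validity of LOB with the frame condition on every n-point frame."""
    worlds = range(n)
    pairs = [(x, y) for x in worlds for y in worlds]
    for bits in product([0, 1], repeat=len(pairs)):
        rel = {pr for pr, b in zip(pairs, bits) if b}
        if valid(LOB, worlds, {1: rel}) != transitive_irreflexive(rel):
            return False
    return True

# Constructed sample: two points seeing each other, with only the empty set
# and W admissible. R is not reflexive, yet box p -> p is valid over P.
W2 = [0, 1]
R2 = {(0, 1), (1, 0)}
P2 = {frozenset(), frozenset(W2)}

if __name__ == "__main__":
    print(is_general_frame(W2, {1: R2}, P2))
    print(valid(T_AXIOM, W2, {1: R2}, P2), valid(T_AXIOM, W2, {1: R2}))
    print(lob_matches_frame_condition(3))
```

The sample frame shows why the theory of a general frame can be strictly larger than the theory of its underlying Kripke frame: restricting valuations to $P$ removes the valuation that refutes the formula.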

The first radical difference between Kripke and general frames is that the set of theories 
of classes of general frames can be characterised syntactically. Say that a subset $L$ of 
$\mathcal{ML}_n$ is a normal $n$-modal logic if it contains the tautologies of classical propositional 
logic, the formulas 


$$\Box_i(p \to q) \to (\Box_i p \to \Box_i q)$$


for all $i = 1, \dots, n$, and is closed under the rules of uniform substitution, modus ponens 
and necessitation $\varphi/\Box_i\varphi$. The smallest normal $n$-modal logic is known to be $\mathbf{K}_n$; it 
clearly coincides with the theory of the class $\mathsf{GFr}$ of all general $n$-frames. 

Now, given a set $\Gamma$ of $\mathcal{ML}_n$-formulas, denote by $\mathbf{K}_n \oplus \Gamma$ the minimal normal $n$-modal 
logic containing $\Gamma$, and by $\mathsf{GFr}\,\Gamma$ the class of general frames for $\Gamma$. 


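THEOREM 3. (a) For every class $\mathcal{K}$ of general $n$-frames, $\mathsf{Th}\,\mathcal{K}$ is a normal $n$-modal 
logic. More precisely, 

$$\mathsf{Th}\,\mathcal{K} = \mathbf{K}_n \oplus \{\varphi \in \mathcal{ML}_n \mid \varphi \text{ is valid in every general frame from } \mathcal{K}\}.$$

(b) For every set $\Gamma$ of $\mathcal{ML}_n$-formulas, 

$$\mathbf{K}_n \oplus \Gamma = \mathsf{Th}\,\mathsf{GFr}\,\Gamma.$$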


(Some comments on the proof of this theorem will be given later on in this section; 
see also Chapter 5.) 

From now on, instead of $\mathsf{Th}\,\mathcal{K}$ we will write $\mathsf{Log}\,\mathcal{K}$ and call it the (normal $n$-modal) 
logic characterised (or determined) by $\mathcal{K}$. The set of all normal $n$-modal logics containing 
a logic $L$ will be denoted by $\mathsf{NExt}\,L$. In particular, $\mathsf{NExt}\,\mathbf{K}_n$ is the set of all normal 
$n$-modal logics. Thus, 

$$\mathsf{NExt}\,\mathbf{K}_n = \{\mathbf{K}_n \oplus \Gamma \mid \Gamma \subseteq \mathcal{ML}_n\} = \{\mathsf{Log}\,\mathcal{K} \mid \mathcal{K} \subseteq \mathsf{GFr}\}.$$

Let $\mathsf{Kripke}_n$ be the set of all Kripke complete normal $n$-modal logics, that is 

$$\mathsf{Kripke}_n = \{\mathsf{Log}\,\mathcal{K} \mid \mathcal{K} \text{ a class of Kripke } n\text{-frames}\}.$$

³ In fact, general frames were also introduced in 1951 by Jónsson and Tarski [71] as Stone-like 
representations of Boolean algebras with operators; see [57] for more references, details and discussion. 


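As follows from Theorem 1 (a), $\mathsf{Kripke}_n$ is a proper subset of $\mathsf{NExt}\,\mathbf{K}_n$. Indeed, take a 
formula $\varphi$ such that $\mathsf{Log}\,\mathsf{Fr}\{\varphi\}$ is not recursively enumerable and consider the normal 
modal logic $\mathbf{K}_n \oplus \varphi$. Then 


$$\mathsf{Log}\,\mathsf{Fr}\{\varphi\} \supsetneq \mathsf{Log}\,\mathsf{GFr}\{\varphi\} = \mathbf{K}_n \oplus \varphi$$


simply because $\mathbf{K}_n \oplus \varphi$ is recursively enumerable. On the other hand, $\mathsf{Log}\,\mathsf{Fr}\{\varphi\}$ and 
$\mathsf{Log}\,\mathsf{GFr}\{\varphi\}$ have precisely the same Kripke frames, and so the latter cannot be Kripke 
complete. The logic $\mathbf{K}_2 \oplus (1) \oplus (2) \oplus (3)$ is probably the ‘simplest natural’ Kripke 
incomplete normal modal logic. 

So what is the relation between the classes $\mathsf{Kripke}_n$ and $\mathsf{NExt}\,\mathbf{K}_n$? What can be said 
about the class $\mathsf{NExt}\,\mathbf{K}_n - \mathsf{Kripke}_n$? 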


3.1 Blok’s dichotomy 


The first examples of Kripke incomplete logics were discovered by Thomason [141, 142] 
and Fine [42]. In order to understand the phenomenon of Kripke incompleteness more 
deeply, Fine proposed to investigate how many logics may share the same Kripke frames 
with a given normal (uni)modal logic $L$. The cardinality of the set 


$$\{L' \in \mathsf{NExt}\,\mathbf{K} \mid \mathsf{Fr}\,L = \mathsf{Fr}\,L'\}$$


was called by Fine the degree of Kripke incompleteness of $L$. A very interesting complete 
solution to this problem was found by Blok [8]. The key player in his solution was the 
concept of splitting originating in lattice theory [106] (for details see Chapter 8). 

To explain the idea behind Blok’s result informally, let us observe first that a Kripke 
complete logic $L$ is always the maximal logic in the set $\{L' \mid \mathsf{Fr}\,L' = \mathsf{Fr}\,L\}$. Now suppose 
that $L$ is a Kripke complete logic with the following property: there exists a Kripke frame 
$\mathfrak{F}$ such that $L$ is the smallest logic in the class $\{L' \in \mathsf{NExt}\,\mathbf{K} \mid \mathfrak{F} \notin \mathsf{Fr}\,L'\}$. Then the 
degree of Kripke incompleteness of $L$ is 1. Indeed, assume that $L'$ is a normal modal 
logic with $\mathsf{Fr}\,L = \mathsf{Fr}\,L'$. Then $\mathfrak{F} \notin \mathsf{Fr}\,L'$, and so $L \subseteq L'$. To prove $L' \subseteq L$, assume $\varphi \notin L$. 
As $L$ is Kripke complete, there exists a Kripke frame $\mathfrak{F}' \in \mathsf{Fr}\,L$ such that $\mathfrak{F}' \not\models \varphi$. And 
since $\mathfrak{F}' \in \mathsf{Fr}\,L'$, we then have $\varphi \notin L'$. Of course, the same argument goes through if 
instead of just one frame $\mathfrak{F}$ we take some set of frames. 

Thus, we can try to generate modal logics with degree of Kripke incompleteness 1 
by taking sets $\mathcal{F}$ of frames, proving that the smallest normal logic $L_{\mathcal{F}}$ in the class 
$\{L' \in \mathsf{NExt}\,\mathbf{K} \mid \forall \mathfrak{F} \in \mathcal{F}\ \mathfrak{F} \notin \mathsf{Fr}\,L'\}$ exists and showing its Kripke completeness. Blok’s 
achievement was that he (a) characterised sets $\mathcal{F}$ of frames for which the logics $L_{\mathcal{F}}$ 
exist, (b) proved that all these $L_{\mathcal{F}}$ are Kripke complete (actually, have the finite model 
property), and (c) showed that any normal modal logic different from such $L_{\mathcal{F}}$ has degree 
of Kripke incompleteness $2^{\aleph_0}$. 
We now introduce the notions required to explain Blok’s result in more detail. Given 
a logic $L_0 \in \mathsf{NExt}\,\mathbf{K}$, we say that a (finite rooted) frame $\mathfrak{F}$ splits $\mathsf{NExt}\,L_0$ if $\mathfrak{F}$ is not a 
frame for the normal modal logic 


$$L_1 = \bigcap\{L \in \mathsf{NExt}\,L_0 \mid \mathfrak{F} \not\models L\}.$$


In this case we denote $L_1$ by $L_0/\mathfrak{F}$ and call it the splitting of $\mathsf{NExt}\,L_0$ by $\mathfrak{F}$. This notation 
reflects the fact that $L_0/\mathfrak{F}$ is the smallest logic in $\mathsf{NExt}\,L_0$ which does not have $\mathfrak{F}$ as its 
frame. If all frames in a set $\mathcal{F}$ split $\mathsf{NExt}\,L_0$, we call $\bigoplus\{L_0/\mathfrak{F} \mid \mathfrak{F} \in \mathcal{F}\}$ (i.e., the smallest 
normal modal logic containing $\bigcup\{L_0/\mathfrak{F} \mid \mathfrak{F} \in \mathcal{F}\}$) the union-splitting of $\mathsf{NExt}\,L_0$ by $\mathcal{F}$ 
and denote it by $L_0/\mathcal{F}$. 


EXAMPLE 4. Denote by $\bullet$ the Kripke frame which consists of a single irreflexive point. 
A frame comprised of a single reflexive point is denoted by $\circ$. 

(a) $\bullet$ splits $\mathsf{NExt}\,\mathbf{K}$ and $\mathbf{D} = \mathbf{K}/\bullet$ (we remind the reader that $\mathbf{D} = \mathbf{K} \oplus \Diamond\top$ is 
characterised by the class of serial Kripke frames in which every point has a successor). 
To see this, set 


$$L_1 = \bigcap\{L \in \mathsf{NExt}\,\mathbf{K} \mid \bullet \not\models L\}.$$


Since, for every $L \in \mathsf{NExt}\,\mathbf{K}$, $\bullet \not\models L$ iff $\Diamond\top \in L$, $L_1$ is the intersection of all normal 
modal logics containing $\Diamond\top$. But $\mathbf{D}$ is the smallest such logic and therefore $L_1 = \mathbf{D}$. 

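(b) $\circ$ does not split $\mathsf{NExt}\,\mathbf{K}$. To see this recall that $\mathbf{K}$ is determined by the class of 
finite frames $\mathfrak{F} = \langle W, R\rangle$ without cycles (i.e., $R$-paths from a point to itself); see, e.g., 
Chapter 1. For every such $\mathfrak{F}$, we have $\circ \not\models \mathsf{Log}\,\{\mathfrak{F}\}$ because there exists $n < \omega$ such that 
$\Box^n\bot \in \mathsf{Log}\,\{\mathfrak{F}\}$, but $\circ \not\models \Box^n\bot$. Therefore, 


$$\bigcap\{L \in \mathsf{NExt}\,\mathbf{K} \mid \circ \not\models L\} \subseteq \bigcap\{\mathsf{Th}\,\mathfrak{F} \in \mathsf{NExt}\,\mathbf{K} \mid \mathfrak{F} \text{ finite and cycle free}\} = \mathbf{K}$$


which means that there does not exist a smallest normal modal logic without $\circ$ among 
its frames. 

(c) No frame with cycles splits $\mathsf{NExt}\,\mathbf{K}$. The argument is similar to that in (b): just 
use the fact that no $\Box^n\bot$ is valid in a frame with cycles. 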

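(d) Every finite cycle-free rooted frame splits $\mathsf{NExt}\,\mathbf{K}$. To prove this, we associate 
with every finite rooted frame $\mathfrak{F} = \langle W, R\rangle$ the formula 


$$\delta_{\mathfrak{F}} = \bigwedge_{xRy}(p_x \to \Diamond p_y) \land \bigwedge_{\neg xRy}(p_x \to \neg\Diamond p_y) \land \bigwedge_{x \neq y}(p_x \to \neg p_y) \land \bigvee_{x \in W} p_x.$$


Suppose now that $\mathfrak{F}$ is cycle free, $r$ is a root of $\mathfrak{F}$, $d(\mathfrak{F})$ is the depth of $\mathfrak{F}$ (i.e., the length 
of the longest $R$-path in $\mathfrak{F}$), and $\Box^{\le n}\varphi = \varphi \land \Box\varphi \land \dots \land \Box^n\varphi$. It is not hard to see then 
that a (general) frame $\mathfrak{G}$ satisfies $\Box^{\le d(\mathfrak{F})}\delta_{\mathfrak{F}} \land p_r$ iff there is a generated subframe $\mathfrak{H}$ of 
$\mathfrak{G}$ which can be p-morphically mapped onto $\mathfrak{F}$. It follows that the smallest normal logic 
without $\mathfrak{F}$ among its frames exists and can be axiomatised as 


$$\mathbf{K}/\mathfrak{F} = \mathbf{K} \oplus \Box^{\le d(\mathfrak{F})}\delta_{\mathfrak{F}} \to \neg p_r. \qquad (4)$$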


(e) The inconsistent logic, i.e., $\mathcal{ML}_1$, can be represented as $\mathbf{D}/\circ = (\mathbf{K}/\bullet)/\circ$ (actually 
this is a variant of Makinson’s theorem [94]). 

(f) Note by the way that if $L_0 \in \mathsf{NExt}\,\mathbf{K4}$ then every finite rooted transitive frame 
$\mathfrak{F}$ for $L_0$ splits $\mathsf{NExt}\,L_0$ and $L_0/\mathfrak{F} = L_0 \oplus \Box^{\le 1}\delta_{\mathfrak{F}} \to \neg p_r$ (a (general) transitive frame $\mathfrak{G}$ 
satisfies $\Box^{\le 1}\delta_{\mathfrak{F}} \land p_r$ iff there is a generated subframe $\mathfrak{H}$ of $\mathfrak{G}$ which can be p-morphically 
mapped onto $\mathfrak{F}$). 


Now, returning to the degree of Kripke incompleteness, we obtain the first part 
of Blok’s dichotomy: 


THEOREM 5 (Blok). (i) A finite rooted frame $\mathfrak{F}$ splits $\mathsf{NExt}\,\mathbf{K}$ iff it is cycle free. In 
this case we have $\mathbf{K}/\mathfrak{F} = \mathbf{K} \oplus \Box^{\le n}\delta_{\mathfrak{F}} \to \neg p_r$, where $n = d(\mathfrak{F})$. 

(ii) Every union-splitting of $\mathsf{NExt}\,\mathbf{K}$ has the finite model property, and so its degree of 
Kripke incompleteness is 1. 


The proof of (ii) is by a variant of standard filtration (see Chapter 1). By (e) from the 
example above, the inconsistent logic $\mathcal{ML}_1$ also has degree of Kripke incompleteness 1 (it 
may be of interest to note that the degree of Kripke incompleteness of $\mathcal{ML}_2$ in $\mathsf{NExt}\,\mathbf{K}_2$ 
is $2^{\aleph_0}$). The second part of Blok’s dichotomy states that all normal modal logics not 
covered by Theorem 5 have degree of Kripke incompleteness $2^{\aleph_0}$: 


THEOREM 6 (Blok). If a logic $L$ is inconsistent or a union-splitting of $\mathsf{NExt}\,\mathbf{K}$, then $L$ 
has degree of Kripke incompleteness 1. Otherwise $L$ has degree of Kripke incompleteness 
$2^{\aleph_0}$ in $\mathsf{NExt}\,\mathbf{K}$. 


Before we sketch a proof of this result it is worth spending some time on its interpretation. 
First, it means that $\mathbf{D}$ is the only ‘standard’ normal modal logic with degree of 
Kripke incompleteness 1. Logics like $\mathbf{S5}$, $\mathbf{T}$, $\mathbf{K4}$, and $\mathbf{S4}$ have degree of incompleteness 
$2^{\aleph_0}$. In fact, every consistent normal logic containing $\mathbf{K4}$ or containing $\mathbf{D}$ properly as 
well as every consistent tabular normal modal logic (a logic is tabular if it is determined 
by a single finite frame; see Section 5), has degree of Kripke incompleteness $2^{\aleph_0}$. Second, 
in frame-theoretic terms it means that for every modally definable class $\mathcal{F}$ of, say, transitive 
frames (that is, $\mathcal{F} = \mathsf{Fr}\,\Gamma$ for some set $\Gamma$ of modal formulas containing $\Box p \to \Box\Box p$) 
there exist uncountably many different $L \in \mathsf{NExt}\,\mathbf{K}$ such that 


$$\mathcal{F} = \mathsf{Fr}\,L.$$


This applies, for example, to the class of all frames based on equivalence relations, quasi-orders, 
linear orders, and so on. 


Figure 1. 


Proof. Suppose that a consistent $L$ is not a union-splitting and $L'$ is the greatest 
union-splitting contained in $L$. Since $L'$ has the finite model property, there is a finite 
rooted frame $\mathfrak{F} = \langle W, R\rangle$ for $L'$ refuting some $\varphi \in L$ and such that every proper generated 
subframe of $\mathfrak{F}$ validates $L$. Clearly, $\mathfrak{F}$ is not cycle free. Let $x_1 R x_2 R \dots R x_n R x_1$ be the 
shortest cycle in $\mathfrak{F}$ and $k = md(\varphi) + 1$. We construct a new frame $\mathfrak{F}'$ by extending the cycle 
$x_1, \dots, x_n, x_1$ as shown in Fig. 1 ((a) for $n = 1$ and (b) for $n > 1$). More precisely, we add 
to $\mathfrak{F}$ copies $x_i^1, \dots, x_i^k$ of $x_i$ for each $i \in \{1, \dots, n\}$, organise them into the nontransitive 
cycle shown in Fig. 1 and draw an arrow from $x_i^j$ to $y \in W - \{x_1, \dots, x_n\}$ iff $x_i R y$. 
Denote the resulting frame by $\mathfrak{F}' = \langle W', R'\rangle$ and let $x' = x^k$. By the construction, $\mathfrak{F}$ is 
a p-morphic image of $\mathfrak{F}'$. Therefore, for all models $\mathfrak{M} = \langle\mathfrak{F}, \mathfrak{V}\rangle$ and $\mathfrak{M}' = \langle\mathfrak{F}', \mathfrak{V}'\rangle$ such 
that 

$$\mathfrak{V}'(p) = \mathfrak{V}(p) \cup \{x_i^j \mid x_i \in \mathfrak{V}(p),\ j \le k\}$$


and for every $x \in W$ and every subformula $\psi$ of $\varphi$, we have $(\mathfrak{M}, x) \models \psi$ iff $(\mathfrak{M}', x) \models \psi$. 
So we can hook some other model on $x'$, and points in $W$ will not feel its presence by 
means of $\varphi$’s subformulas. The frame to be hooked on $x'$ depends on whether $\bullet \models L$ or 
$\circ \models L$. We consider only the former alternative. 

Fix some m > |W’|. For each I C w — {0}, let §7 = (Wz, Rr, Pr) be the frame whose 
diagram is shown in Fig. 2 (do sees the root of §’, all points e; and ej; and is seen from 
x’; the subframes in dashed boxes are transitive, e; € Wy iff i € I, and Pr consists of 
sets of the form X UY such that X is a finite or cofinite subset of Wz — {b, a; | i < w} 
and Y is either a finite subset of {a; | i < w} or is of the form {b} UY’, where Y” is a 
cofinite subset of {a; | i < w}. It is not hard to see that the points a;, c, e; and e; are 


Figure 2. 


characterised by the variable free formulas 


ag = (bm A O(bm—1 A+++ A O80) ++) NTO? (bm A Olm- A+++ A O80) +++); 
O41 = Oai Nn? ai, y = 2a9 A nag, 


— a 2 1 = + 
€& = y, G41 = CE AOE, E&i = CE ATO TE 41, 


(in the sense that x = a; iff x = aj, etc.), where 


ðo = COL, 6, = O69 A760, dg = O61 A nô, Antso, 
Ok+1 = Oðk A 76k A OT Skp A aoa A 307 ôo. 


Define Lr to be the logic determined by the class of frames for L and §z, that is, 
Ly = LN Log §z. Since -(€, AO™*®ay) € Ly — Ly for i € I—J (¢ is refuted at the root 
of 3’), {Lr | I Cw — {O}}| = 2%. 

Let us show now that $L_I$ has the same Kripke frames as $L$. Since $L_I \subseteq L$, we must 
prove that every Kripke frame for $L_I$ validates $L$. Suppose there is a rooted Kripke frame 
$\mathfrak{G}$ such that $\mathfrak{G} \models L_I$ but $\mathfrak{G} \not\models \psi$, for some $\psi \in L$. Since $\psi$ is in $L$, it is valid in all frames 
for $L$, in particular, $\bullet \models \psi$. And since $\psi \notin L_I$, $\psi$ is refuted in $\mathfrak{F}_I$. Moreover, by the 
construction of $\mathfrak{F}_I$, it is refuted at a point from which the root of $\mathfrak{F}'$ can be reached by 
a finite number of steps. Therefore, the following formulas are valid in $\mathfrak{F}_I$ and so belong 
to $L_I$ and are valid in $\mathfrak{G}$: 


I 
w > \f 7, (5) 
1=0 
l 
ap > A 2 (y > 0(00(00p > p) > p)), (6) 
i=0 


where p does not occur in w and ¿l is a sufficiently big number so that any point in 
®r is accessible by < l steps from every point in the selected cycle and every point at 
which 7 may be false, and Oox = O(Gap — x). According to (5), 6 contains a point 
where y is true. By the construction of y, this point has a successor y where, by (6), 
o(Oop > p) > p is true under any valuation in 6 and y = Cag. Define a valuation 
U in 6 by taking U(p) = yf, where yf is the set of all points accessible from y. Then 
y =| Op(Uop > p), from which y = p and so y € yf. Now define another valuation W 
so that U'(p) = yt —{y}. Since y is reflexive, we again have y = Oo(Oop — p), whence 
y = p, which is a contradiction. QO 


Blok’s dichotomy can be generalised in various directions. First, it holds for the 
languages $\mathcal{ML}_n$ and the corresponding classes $\mathsf{NExt}\,\mathbf{K}_n$ as well; see [92]. And second, 
it can be extended to completeness with respect to the neighbourhood semantics [27] as 
well as some other, algebraically motivated, semantics for normal modal logics [92]. On 
the other hand, the following major problem remains open: 


PROBLEM 1. Characterise the degree of Kripke incompleteness of ‘transitive’ logics in 
the classes NExt K4, NExt S4, etc., where Theorem 5 does not hold. 


One conclusion to be drawn from these results is that Kripke complete logics are rather 
exceptional, that Kripke completeness of syntactically defined ‘standard’ modal logics is 
a kind of good luck. Another conclusion is that instead of considering logics in the class 
$\mathsf{Kripke}_n$ it may be worthwhile to move to the larger class $\mathsf{NExt}\,\mathbf{K}_n$. First, as we know 
from other disciplines, more general settings can be very useful (for example, various 
problems about natural or rational numbers can only be analysed in the framework 
of real numbers). The second reason is that $\mathsf{NExt}\,\mathbf{K}_n$ is quite natural not only from 
the syntactical point of view. In fact, as follows from Chapters 6 and 8, the lattice 
$\langle\mathsf{NExt}\,\mathbf{K}_n, \subseteq\rangle$ is dually isomorphic to the lattice of varieties (alias equational theories) 
of Boolean algebras with operators. This means, in particular, that ideas and techniques 
from universal algebra are more suitable for investigating $\mathsf{NExt}\,\mathbf{K}_n$ rather than $\mathsf{Kripke}_n$. 

Thus, it makes sense to extend the research programme above to the class of all normal 
$n$-modal logics. 


Research programme for normal modal logics 


Within the framework of normal modal logics, the original research programme can be 
interpreted as follows. By Thomason’s Theorem 1, we know that (i’) is not realisable. 
The reformulation of (i’) for general frames has a trivial solution: just remember that 
$\mathsf{Log}\,\mathsf{GFr}\,\{\varphi\}$ is axiomatised as $\mathbf{K}_n \oplus \varphi$. Instead, we suggest the following reformulation, a 
solution to which would clearly show how complex it is to axiomatise logics determined 
by classes of (general) frames: 

(i”) Characterise those modal formulas $\varphi$ for which we can effectively recognise whether 
$\mathbf{K} \oplus \psi$ axiomatises $\mathsf{Log}\,\mathsf{GFr}\,\{\varphi\}$. Characterise those formulas $\varphi$ for which we can 
effectively recognise whether $\mathbf{K} \oplus \psi$ axiomatises $\mathsf{Log}\,\mathsf{Fr}\,\{\varphi\}$. For example, is there 
an algorithm which decides, for a formula $\psi$, whether $\mathbf{K} \oplus \psi$ axiomatises the 
logic of all transitive frames (i.e., $\mathsf{Log}\,\mathsf{Fr}\{\Box p \to \Box\Box p\}$), reflexive frames (i.e., 
$\mathsf{Log}\,\mathsf{Fr}\,\{\Box p \to p\}$), etc.? 


The first part of (i”) can be reformulated as an axiomatisation problem. Given a modal 
formula $\psi$ and a logic $L_0 \in \mathsf{NExt}\,\mathbf{K}$, we say that the axiomatisation problem for $L_0 \oplus \psi$ 
is decidable above $L_0$ if the set $\{\varphi \in \mathcal{ML}_1 \mid L_0 \oplus \psi = L_0 \oplus \varphi\}$ is recursive. Then the 
first part of (i”) asks for a characterisation of those modal formulas $\varphi$ for which the 
axiomatisation problem for $\mathbf{K} \oplus \varphi$ is decidable. 

Being equipped with the notion of a normal modal logic, we can give a precise inter- 
pretation of the syntactically formulated problem (ii) from Section 1: 


(ii”) Given a modal formula $\varphi$, characterise the (simplest, smallest, largest, etc.) class 
of frames with respect to which $\mathbf{K} \oplus \varphi$ is sound and complete. In particular, is it 
decidable whether the logic $\mathbf{K} \oplus \varphi$ is Kripke complete, has the finite model property, 
is determined by a finite frame? Furthermore, can we effectively recognise, given a 
modal formula $\varphi$, whether $\mathbf{K} \oplus \varphi$ is decidable, compact, has interpolation, etc.? 


3.2 Chagrov’s classification 


Rather surprisingly, the partition of $\mathsf{NExt}\,\mathbf{K}$ into union-splittings and non-union-splittings 
not only gives a concise solution to the problem of locating $\mathsf{Kripke}_n$ within $\mathsf{NExt}\,\mathbf{K}_n$, but 
also provides means to attack (i). A comprehensive solution was found by A. Chagrov. 

To explain the intuition behind Chagrov’s classification result for the axiomatisation 
problem, consider the logic $\mathbf{D} = \mathbf{K}/\bullet$ and suppose that we want to decide, for a given 
formula $\psi$, whether $\mathbf{K}/\bullet = \mathbf{K} \oplus \psi$ or, equivalently, whether 


(a) $\mathbf{K} \oplus \psi \subseteq \mathbf{K}/\bullet$ and 
(b) $\mathbf{K}/\bullet \subseteq \mathbf{K} \oplus \psi$. 


Now, (a) is equivalent to the problem ‘$\psi \in \mathbf{K}/\bullet$?’ which is decidable because the modal 
logic $\mathbf{D}$ is decidable. And (b) can be checked effectively because, by the definition of 
splittings, it is equivalent to the problem ‘$\bullet \not\models \psi$?’. Thus we have proved the decidability 
of the axiomatisation problem for $\mathbf{D}$ using the fact that $\mathbf{D}$ is decidable and is a union-splitting 
of $\mathsf{NExt}\,\mathbf{K}$. By Theorem 5, all union-splittings have the finite model property 
and, therefore, are decidable if finitely axiomatisable. So this proof shows the decidability 
of the axiomatisation problem for every union-splitting $\mathbf{K}/\mathcal{F}$, where $\mathcal{F}$ is a finite set of 
finite rooted cycle free frames. Chagrov’s achievement was to show that for no other 
logic is the axiomatisation problem decidable: 


THEOREM 7 (Chagrov). The axiomatisation problem for a consistent logic $\mathbf{K} \oplus \varphi \neq \mathbf{K}$ 
is decidable iff $\mathbf{K} \oplus \varphi$ is a union-splitting. 




Hence, the axiomatisation problem is undecidable for such intuitively simple logics 
as $\mathbf{S4}$ or $\mathbf{K4}$. Again, $\mathbf{D}$ is the only ‘standard’ modal logic for which the problem is 
decidable. Before explaining the proof in some detail, we draw conclusions regarding the 
second part of (i”) and formulate and discuss solutions for (ii”). 

COROLLARY 8. If $\mathsf{Fr}\{\varphi\}$ is nonempty, then the problem ‘$\mathbf{K} \oplus \psi = \mathsf{Log}\,\mathsf{Fr}\{\varphi\}$?’ is 
decidable iff 


• $\mathsf{Log}\,\mathsf{Fr}\{\varphi\}$ is a union-splitting of $\mathsf{NExt}\,\mathbf{K}$ or 


• $\mathsf{Log}\,\mathsf{Fr}\{\varphi\}$ is not finitely axiomatisable. 


Similarly to Blok’s dichotomy, this means, for example, that for any nonempty modally 
definable class F of transitive frames such that Log F is finitely axiomatisable, no algo- 
rithm can recognise whether a given formula axiomatises Log F. 

The following result due to Thomason [146] and Chagrov [18, 19, 22] (for more details 
see [24] and references therein) gives ‘negative’ solutions to (ii”): 


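THEOREM 9 (Thomason & Chagrov). The following sets are undecidable: 

(a) $\{\varphi \in \mathcal{ML}_1 \mid \mathbf{K} \oplus \varphi \text{ is Kripke complete}\}$, 

(b) $\{\varphi \in \mathcal{ML}_1 \mid \mathbf{K} \oplus \varphi \text{ is decidable}\}$, 

(c) $\{\varphi \in \mathcal{ML}_1 \mid \mathbf{K} \oplus \varphi \text{ has the fmp}\}$, 

(d) $\{\varphi \in \mathcal{ML}_1 \mid \mathbf{K} \oplus \varphi \text{ is tabular}\}$, 

(e) $\{\varphi \in \mathcal{ML}_1 \mid \mathbf{K} \oplus \varphi = L\}$, where $L$ is an arbitrarily fixed consistent tabular logic. 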


Proof. We begin by showing how to prove Theorem 7. The implication ($\Leftarrow$) should 
be clear from the example $\mathbf{D} = \mathbf{K}/\bullet$ discussed above. 

($\Rightarrow$) We show that if $L = \mathbf{K} \oplus \varphi \neq \mathbf{K}$ is a consistent logic that is not a union-splitting 
then the axiomatisation problem for $L$ is undecidable. The proof is by reduction of the 
undecidable configuration problem for Minsky (alias register) machines with two tapes 
(registers). 

We remind the reader that a Minsky machine (with two tapes) is a finite set of instructions 
for transforming triples $(s, m, n)$ of natural numbers, called configurations. The 
intended meaning of the current configuration $(s, m, n)$ is as follows: $s$ is the number (label) 
of the current machine state and $m$, $n$ represent the current state of information. 
Each instruction has one of the four possible forms: 


$$s \to (t, 1, 0), \quad s \to (t, 0, 1), \quad s \to (t, -1, 0)\ ((t', 0, 0)), \quad s \to (t, 0, -1)\ ((t', 0, 0)).$$


The last of them, for instance, means: transform $(s, m, n)$ into $(t, m, n-1)$ if $n > 0$ and 
into $(t', m, n)$ if $n = 0$. For a Minsky machine $P$, we write $P : (s, m, n) \to (t, k, l)$ if 
starting with $(s, m, n)$ and applying the instructions in $P$, in finitely many steps (possibly, 
in 0 steps) we can reach $(t, k, l)$. 

We use the well known fact (see, e.g., [102]) that the following configuration problem is 
undecidable: given a program $P$ and configurations $(s, m, n)$, $(t, k, l)$, determine whether 
$P : (s, m, n) \to (t, k, l)$. 
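
The four instruction forms and the configuration relation can be made concrete with a small interpreter. This is an added example, not part of the Handbook text; the tuple encoding of instructions, the function names and the two sample programs are constructed for illustration. Because the configuration problem is undecidable, the search is bounded and returns `None` when the bound is reached without an answer.

```python
# Instruction encodings (constructed for this example; tape is 1 or 2):
#   ("inc", s, tape, t)       s -> (t,1,0) for tape 1,  s -> (t,0,1) for tape 2
#   ("dec", s, tape, t, t0)   s -> (t,-1,0) ((t0,0,0)) for tape 1, likewise for tape 2

def step(program, config):
    """All configurations obtained from config by applying one instruction."""
    s, m, n = config
    successors = []
    for ins in program:
        if ins[1] != s:
            continue
        regs = [m, n]
        k = ins[2] - 1
        if ins[0] == "inc":
            regs[k] += 1
            successors.append((ins[3], regs[0], regs[1]))
        elif regs[k] > 0:              # decrement is possible: go to state t
            regs[k] -= 1
            successors.append((ins[3], regs[0], regs[1]))
        else:                          # tape is empty: go to state t0 unchanged
            successors.append((ins[4], regs[0], regs[1]))
    return successors

def reaches(program, start, target, max_steps):
    """Bounded test of P : start -> target.

    True  : target is reached in at most max_steps steps (0 steps allowed);
    False : every reachable configuration was explored and target is not among them;
    None  : the bound was hit first, so the question is left open.
    """
    if start == target:
        return True
    seen, frontier = {start}, [start]
    for _ in range(max_steps):
        nxt = []
        for c in frontier:
            for d in step(program, c):
                if d == target:
                    return True
                if d not in seen:
                    seen.add(d)
                    nxt.append(d)
        if not nxt:
            return False
        frontier = nxt
    return None

# Constructed program: move the contents of tape 1 onto tape 2, then stop in state 2.
TRANSFER = [
    ("dec", 0, 1, 1, 2),   # 0 -> (1,-1,0) ((2,0,0))
    ("inc", 1, 2, 0),      # 1 -> (0,0,1)
]

# Constructed program that never halts: state 0 keeps incrementing tape 1.
LOOP = [("inc", 0, 1, 0)]

if __name__ == "__main__":
    print(reaches(TRANSFER, (0, 3, 0), (2, 0, 3), 50))
    print(reaches(TRANSFER, (0, 3, 0), (2, 0, 2), 50))
    print(reaches(LOOP, (0, 0, 0), (1, 0, 0), 20))
```

The third call illustrates the source of undecidability: for a non-terminating program with infinitely many reachable configurations no finite bound separates "not yet reached" from "never reached".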

Now let $L = \mathbf{K} \oplus \varphi$. Similarly to the proof of Blok’s Theorem 6, we analyse two cases: 
$\bullet \models \varphi$ and $\circ \models \varphi$. Here we only show that the axiomatisability problem for $L = \mathbf{K} \oplus \varphi$ 
with $\bullet \models \varphi$ is undecidable and leave the remaining case to the reader. 

We will use a modification of the (general) frame $\mathfrak{F}_I$ constructed in the proof of Blok’s 
theorem. Let us take another look at this frame. The root of $\mathfrak{F}'$ refutes some formula 
in $L$; without loss of generality we may assume that this formula is $\varphi$. The part of $\mathfrak{F}_I$ 
comprising points $a_i$, $b$, $c$ was used to ensure that the logic of $\mathfrak{F}_I$ is Kripke incomplete, 
while the points $e_0$, $e_j$, $e_j'$ ($j > 0$) were used to produce a continuum of frames of the 
form $\mathfrak{F}_I$, i.e., to make sure that $\mathsf{Log}\,\{\mathfrak{F}_I\} \neq \mathsf{Log}\,\{\mathfrak{F}_J\}$ whenever $I \neq J$. Finally, the points 
$d_k$ ($-1 \le k \le m$) ensured, in particular, that $a_i$, $b$, $c$, $e_0$, $e_j$, $e_j'$ have no impact on $\mathfrak{F}'$ 
and the other way round. 

Figure 3. 

For our present aims the subframe consisting of points aj, b, C, €o, €j, e; is not required 
and we can modify it. Namely, we remove from §; the points e;, e} (j = 1) and replace 
them with the frame shown in Fig. 3. More precisely, the frame in Fig. 3 is transitive, e? is 
its only reflexive point, all points are accessible from dp and ‘see’ eg; the points of the form 
s(t, k,l) to not see each other and occur in the frame iff P : (s,m,n) —> (t, k,l), where P, 
(s,m,n) are some fixed Minsky machine and configuration. Denote the resulting frame 
by §(P, (s,m, n)). 

Now, starting with the formula €o from the proof of Blok’s theorem, we define the 
following formulas 


eg = Oe ^ne, e = eg ACE, 

& = CEASE AACE, E = Se ROO NSCOR, 
ee = OBAO ASO, ey = Og Anene, 
e = O A 2006 A A065, a = S$ A O06 A O65. 


These variable free formulas characterise points e in §(P, (s,m,n)) in the sense that €$ 
is true in §(P, (s,m,n)) only at the point denoted by eż. Further, let 


p = Ogag, = CERACEAAWOOEZ ATO, 


2 
p = CELNVEENTOOEATOOE, bh, = OF AWOOPEN [A 7d), 
iXxk=0 
for $i \in \{0,1,2\}$, $j > 0$. The formula ¢% is true only at fj. The formulas characterising 
s(t, k,l) are denoted by o(t, 61, $7), where 


t 


oltp, X) = NOA ACPA O7*PA OX A7O?x. 
1=0 


We also require formulas characterising not only fixed but arbitrary configurations: 


kı = (Cph V ei) Anp A ROG A pi AAO, 
k2 = Opinn Angi A Opi AAO? pr, 
Tmi = (Ogo V $9) AAOGH A7OGH A p2 A 7WOpa, 
Tma = O68 AAOb AAO) A Ope AAO? po, 


where pı and pə are fresh variables. 
Now we are fully equipped to simulate the behaviour of Minsky machines by means 
of modal formulas. Let 


oy = VVV Oh, 


where n is a sufficiently large number such that if ¢R*y in (P, (s,m,n)) then «R*y for 
some k < n. (Note that in the proof of Blok’s theorem we took n = m + 6.) 
With each instruction J in P we associate a formula Azl by taking: 


Atl = ~y A solt, 771,61) = Ay A Oo(t', T2, K1) 
if I has the form t — (t’, 1,0), 
Atl = ~y A solt, 71,61) = Av A Oo(t', Ti, K2) 
if I is t> (t’,0,1), 
Atl = (~ag A bolt, 72,61) > 7p A bolt, Ti, K1)) A 
(=p A bolt, $9, r1) > APA balt”, 69, 1) 
if I is t > (t’, -1,0) ((t’”, 0, 0)), 
Atl = (~ag A a(t, 71, k2) —> AeA olt, Ti, K1)) A 
(=p A a(t, Ti, po) > WEA ba(t”, T, 0)) 
if I is t > (t’,0,—1) ((t”,0,0)). The formula simulating P as a whole is 


ArP = VAN Axl. 


IEP 


Now, by induction on the length of computations one can show that, for every program 
P and all configurations (s, m,n), (t, k,l), we have the following property (4): 


P : (s,m,n) > (t, k,l) 


4 
avy A bols, ol, 02) > -~y A bolt, 4,07) € KAP. 
Finally, define a logic $L(P, (s,m,n), (t,k,l))$ by taking 
L(P, (s,m, n) ,(t,k,l)) = K@ AGP 8 (“GA bols, bm bn) > PA bolt, $i, $7) > 


Clearly, for given $P$ and configurations $(s,m,n)$ and $(t,k,l)$, the logic $L(P,(s,m,n),(t,k,l))$ 
is constructed effectively. We claim that 


$$P : (s,m,n) \to (t,k,l) \quad\text{iff}\quad L(P,(s,m,n),(t,k,l)) = \mathbf{K} \oplus \varphi.$$


The implication ($\Rightarrow$) is proved using the property above and the obvious inclusion 
$L(P,(s,m,n),(t,k,l)) \subseteq \mathbf{K} \oplus \varphi$. To show the converse direction, it suffices to 
observe that if $P : (s,m,n) \not\to (t,k,l)$ then $\mathfrak{F}(P,(s,m,n))$ validates all the axioms of 
$L(P,(s,m,n),(t,k,l))$ and refutes $\varphi$. 


To prove Theorem 9, we modify the definition of the logic L(P,(s,m,n), (t,k,l)) 
above. First we take a formula y such that K © y is a consistent tabular logic. One can 
show that every such logic is not a union-splitting. 

Now observe that there exist a program P and a configuration (s,m,n) such that no 
algorithm can decide, given a configuration (t, k,l), whether P : (s,m,n) —> (t, k,l) (for 
details see [24]). Fix some P and (s,m,n) satisfying this condition, and let 


L'((t,k,l)) = K@ AP 6 (AVA bols, bm, $2) > APA Halt, 64, ¢7)) > YO@ 
l l 


apo V %7 © -7> A D (y> o(p > p) > p)), 
i=0 i=0 


where p is a fresh variable. 

If P : (s,m,n) — (t, k,l) then, as in the proof of Theorem 7, it is easy to see that we 
have L’((t,k,l)) = K © y. Thus, this logic is tabular (coincides with the chosen tabular 
logic, to be more precise), and so it is decidable, Kripke complete and has the fmp. 

If P : (s,m,n) A (t, k,l) then L'((t,k,l)) Æ K @ y, which can be shown with the help 
of the frame §(P, (s,m,n)). Thus, our logic is different from the chosen tabular logic 
K @ y. Moreover, using the last two axioms (cf. formulas (5), (6) in the proof of Blok’s 
theorem) one can show that although y ¢ L’((t,k,l)), no Kripke frame for L’((t, k, l}) 
can refute y. It follows that L’((t, k,1)) is Kripke incomplete and does not have the finite 
model property. Next we use the properties of P and (s,m,n) to show that 


P:(s,m,n) A (tk) if L'((t,k,1)) F =g A bols, bm ba) > WPA bolt, Gyr, Or). 


The implication ($\Rightarrow$) is proved by induction on the length of computation and ($\Leftarrow$) is
shown using the frame $\mathfrak{F}(P, (s,m,n))$. It follows that $L'((t,k,l))$ is undecidable. ∎
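
The reachability relation P : (s,m,n) → (t,k,l) on which this proof rests can be explored with a small interpreter. The following Python code is an added example, not part of the chapter: the tuple encoding of instructions, the function names and both sample programs are assumptions, and the conditional decrement is read in the standard way (decrement and go to t' if the register is positive, otherwise go to t'' with the registers unchanged).

```python
# Two-register Minsky machine in the chapter's instruction format.
# Encoding (constructed for this example):
#   t -> (t', 1, 0)               is  program[t] = ((t', 1, 0), None)
#   t -> (t', 0, 1)               is  program[t] = ((t', 0, 1), None)
#   t -> (t', -1, 0) ((t'',0,0))  is  program[t] = ((t', -1, 0), (t'', 0, 0))
#   t -> (t', 0, -1) ((t'',0,0))  is  program[t] = ((t', 0, -1), (t'', 0, 0))
# A state with no instruction halts the machine.


def step(program, config):
    """Return the successor of configuration (s, m, n), or None if the machine halts."""
    s, m, n = config
    if s not in program:
        return None
    (t, d1, d2), alternative = program[s]
    if m + d1 >= 0 and n + d2 >= 0:
        return (t, m + d1, n + d2)
    # Decrement requested on an empty register: take the alternative branch.
    t2, _, _ = alternative
    return (t2, m, n)


def reaches(program, start, target, max_steps):
    """Bounded test of  P : start -> target.

    True  - target occurs within max_steps steps;
    False - the machine halts, or revisits a configuration, without meeting target;
    None  - the step budget ran out, so nothing can be concluded.
    """
    seen = set()
    config = start
    for _ in range(max_steps + 1):
        if config == target:
            return True
        if config in seen:          # a deterministic machine caught in a loop
            return False
        seen.add(config)
        config = step(program, config)
        if config is None:
            return False
    return None


# Constructed program: move the contents of register 1 into register 2.
TRANSFER = {
    0: ((1, -1, 0), (2, 0, 0)),   # if m > 0: m -= 1, go to 1; else go to 2
    1: ((0, 0, 1), None),         # n += 1, go to 0
}

# Constructed program that never halts and never repeats a configuration.
COUNT_UP = {0: ((0, 1, 0), None)}

if __name__ == "__main__":
    print(reaches(TRANSFER, (0, 3, 0), (2, 0, 3), 100))   # reachable
    print(reaches(TRANSFER, (0, 3, 0), (2, 0, 4), 100))   # machine halts elsewhere
    print(reaches(COUNT_UP, (0, 0, 0), (1, 0, 0), 1000))  # budget exhausted
```

A bounded run can confirm reachability, and can refute it when the machine halts or loops, but a None answer stays inconclusive however large the budget; that gap is what the undecidability argument exploits.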


In fact, using the technique above one can prove undecidability of many other important
properties of modal logics such as first-order definability (i.e., whether $\mathrm{Fr}\{\varphi\}$ is
definable by first-order formulas, for an arbitrarily given $\varphi$), canonicity, the interpolation
and the disjunction properties, etc.; see [24] and references therein. Actually, we
know only two interesting decidable properties of finitely axiomatisable logics in NExt K:
consistency and coincidence with K. However, even consistency becomes undecidable in
NExt $K_2$ [146].
Theorems 7 and 9 give rise to further interesting questions. First, we still do not know
a solution to the following open problem: 


PROBLEM 2. Is the set $\{\varphi \in \mathcal{ML}_1 \mid K \oplus \varphi \text{ is a union-splitting}\}$ decidable?


Second, some of the undecidable problems formulated above may turn out to be recursively
enumerable, so that we can at least effectively enumerate finitely axiomatisable
logics with this or that property. For example, it is easy to show recursive enumerability
of the set $\{\varphi \in \mathcal{ML}_n \mid K_n \oplus \varphi = L\}$, where $L$ is a fixed consistent tabular logic (just
use the fact that $L$ is finitely axiomatisable, say, by a formula $\psi$, and enumerate those $\varphi$
from which $\psi$ is derivable in $K_n$, and vice versa). However, for the majority of important
properties of modal logics this problem remains open:


PROBLEM 3. Is it possible to effectively enumerate $\mathcal{ML}_n$-formulas $\varphi$ for which $K_n \oplus \varphi$
is decidable (Kripke complete, has the finite model property, interpolation, etc.)?


Finally, one may wonder what happens if we consider the decision problems above for 
recursively axiomatisable modal logics, i.e., those that are given by programs generating 
their formulas. In this case we have the following analogue of the Rice theorem from 
general recursion theory: 


THEOREM 10 (Kuznetsov). No nontrivial property of recursively axiomatisable logics 
is decidable in any of the classes of logics considered above. 


In particular, this result applies even to NExt S5 (where all logics are finitely axiomati- 
sable)—provided that its logics are represented as programs computing their formulas. 
Of course, we can recognise, say, consistency in NExt S5 if all logics in the class are 
given by finite sets of axioms. The situation is different in, e.g., NExt S4 where there 
exist recursively enumerable logics that are not finitely axiomatisable. The proof of this 
theorem (Kuznetsov left it unpublished) is very simple. In fact, it has nothing to do with 
modal logics; it is rather about effective computations. The reader can find it in [24]. 


3.3 Postmortem 


So, was the Big Research Programme a failure or a success? Or simply lost illusions? 

Dealing with individual systems like $K_n$, S4 or even PDL, one might think that
Modal Logic is ‘harmless,’ that it is a reasonable compromise between expressiveness 
and effectiveness, especially in various application areas in computer science and artificial 
intelligence. Looking at modal logics from a more general perspective, we see, however, 
that the propositional modal language is extremely expressive, even if we have a single 
box operator. Modal Logic has been praised by ‘users’ for being robustly decidable. The 
analysis above shows that, when put in a more general setting, Modal Logic is rather 
robustly undecidable. (However, we can take comfort in the mathematical beauty of the 
splitting-based dichotomy between Kripke completeness and Kripke incompleteness and 
its transparent repercussions for modal decision problems.) 

The outcomes of the Big Research Programme discussed above appear to be similar 
to the negative solution to the Classical Decision Problem, das Entscheidungsproblem, of 
Hilbert; see [11] and references therein. According to [11], ‘the reaction of logicians to 
the discoveries of Church and Turing was that the classical decision problem was wider 
than the yes/no version of it ... The logicians started to think about the classical decision 
problem as a classification problem. Which fragments are decidable for satisfiability and 
which are undecidable? Which fragments are decidable for finite satisfiability and which
are undecidable? Which fragments have the finite model property and which contain 
axioms of infinity (that is satisfiable formulae without finite models)?’ 

Similar questions make sense in Modal Logic as well. The modal decision problems 
considered above can be transformed into modal classification problems: 


(iii) determine (in some sense) maximal classes of modal logics with the desirable prop- 
erties. 


Of course, particularly interesting are natural classes like 
• extensions of certain logics, e.g., K4, S5 × S5, K4;;

• logics axiomatised by certain ‘normal’ formulas (e.g., reductions of modalities,
  Sahlqvist or uniform formulas);

• logics whose classes of frames are closed under certain natural operations (e.g.,
  taking subframes).


To understand the landscape of modal logics in this respect, a variety of different method- 
ologies are required. One established path is to look ‘outside’ and, e.g., employ modal 
logics’ relation to finite variable/guarded fragments of first-order logic (see Chapter 5), 
or their relation to languages recognised by tree automata (see Chapter 17). In this 
chapter we follow the ‘internal’ approach and analyse how different ‘modal’ syntactic or 
semantic restrictions can guarantee this or that desirable property. 


4 SYNTACTICAL CLASSES OF MODAL LOGICS 


To understand a modal logic is, to a large extent, to understand the structure of its 
frames, in particular, Kripke frames. An obvious way of doing this is to try to characterise 
frames by means of first-order formulas in some suitable signature. Classical observations 
going back to Kripke [79] are as follows, where $\mathfrak{F} = \langle W, R\rangle$ is treated as a Kripke frame
in the left-hand column and as a first-order structure in the right-hand one: 


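$\mathfrak{F} \models \Box p \to p$   iff   $\mathfrak{F} \models \forall x\, R(x, x)$,
$\mathfrak{F} \models \Box p \to \Box\Box p$   iff   $\mathfrak{F} \models \forall x, y, z\, (R(x, y) \land R(y, z) \to R(x, z))$,
etc.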


A nice first-order characterisation not only helps in understanding the structure of frames.
First, using the standard translation $\cdot^*$ of modal formulas into the first-order language
from Section 2 (see also Chapters 1 and 5) and Gödel’s completeness theorem, it is
readily seen that if $\mathrm{Fr}\{\varphi\}$ is definable by a first-order formula as above, then $\mathrm{Log}\,\mathrm{Fr}\{\varphi\}$
is recursively enumerable, while in general, by Theorem 1 (a), $\mathrm{Log}\,\mathrm{Fr}\{\varphi\}$ might be $\Pi^1_1$-hard
and even more complex. Second, as was proved by Fine [44] (see also [156, 152]),
we have the following:


THEOREM 11 (Fine). If a logic $L \in$ NExt K is determined by a first-order definable
class of frames then $L$ is D-persistent.⁴


⁴ $L$ is called D-persistent if the underlying Kripke frame of any descriptive frame for $L$ validates $L$
as well. A general frame is descriptive if it satisfies certain closure conditions which can be found in
Chapter 5. If a logic $L$ is D-persistent, then the underlying Kripke frame of its canonical model validates
$L$. In particular, every D-persistent logic is Kripke complete.
This means that to investigate a first-order definable $\mathrm{Log}\,\mathrm{Fr}\{\varphi\}$, we can use the well-known
methods of canonical models and filtration developed in the 1960-1970s (see, e.g.,
[24] and references therein). Although the converse of Fine’s theorem does not hold, as
has been recently shown in [58], it is nevertheless a kind of empirical rule that logics
not determined by first-order definable classes are not D-persistent, and therefore, the
standard way of proving completeness or the finite model property is blocked for them.

By Chagrova’s theorem [29], there is no effective way of deciding, given a formula
$\varphi$, whether $\mathrm{Fr}\{\varphi\}$ is first-order definable. However, one can try to find and describe
syntactically some classes of formulas $\varphi$ for which $\mathrm{Fr}\{\varphi\}$ is first-order definable. In fact,
this approach has been the driving force behind much research in Modal Logic since the
1960s (see, e.g., [88]). The (so far) most general syntactically defined class of formulas
for which this holds true was discovered by H. Sahlqvist [125].


4.1 Sahlqvist logics


Sahlqvist’s theorem [125] (see also [53])—perhaps the most celebrated general result in
Modal Logic—gives a sufficient condition for first-order definability and Kripke completeness
of logics in NExt $K_n$. To formulate it we require the following definitions.

Say that a formula is positive if it is constructed from variables and the constants $\top$,
$\bot$ using $\land$, $\lor$, $\Diamond_i$ and $\Box_i$. An arbitrary finite sequence of boxes $\Box_i$, $i = 1,\dots,n$, will be
denoted by $\Box^*$.

A formula $\varphi \in \mathcal{ML}_n$ is called a Sahlqvist formula if it is equivalent in $K_n$ to a formula
of the form $\Box^*(\psi \to \chi)$, where $\chi$ is positive and $\psi$ is constructed from variables and their
negations, $\bot$ and $\top$ with the help of $\land$, $\lor$, $\Box_i$ and $\Diamond_i$ in such a way that no subformula
of $\psi$ of the form $\psi_1 \lor \psi_2$ or $\Diamond_i\psi_1$, containing an occurrence of a variable without $\neg$, is in
the scope of some $\Box_i$. For example, formulas (2)–(3) from Section 2 are Sahlqvist, while
the Löb axiom (1) and the McKinsey axiom


$ma = \Box\Diamond p \to \Diamond\Box p$     (7)

are not.
THEOREM 12 (Sahlqvist). (a) Given a Sahlqvist formula $\varphi \in \mathcal{ML}_n$, one can effectively
construct a first-order formula $\phi(x)$ in $R_1,\dots,R_n$ and $=$ having $x$ as its only free variable
and such that, for every descriptive or Kripke frame $\mathfrak{F}$ and every point $a$ in $\mathfrak{F}$,

$(\mathfrak{F}, a) \models \varphi$   iff   $\mathfrak{F} \models \phi(x)[a]$.

(Here $(\mathfrak{F}, a) \models \varphi$ means that $\varphi$ is true at $a$ in $\mathfrak{F}$ under any valuation.)

(b) If $\Gamma$ is a set of Sahlqvist $\mathcal{ML}_n$-formulas and $L \in$ NExt $K_n$ is a D-persistent logic
then the logic $L \oplus \Gamma$ (in particular, $K_n \oplus \Gamma$) is D-persistent as well. Moreover, $L \oplus \Gamma$ is
elementary (in the sense that the class of Kripke frames for it coincides with the class of
all models for some set of first-order formulas in $R_i$ and $=$) whenever $L$ is so.


Various detailed proofs of this result can be found in [126, 70, 7] (for some generalisations
see, e.g., [30, 60, 72, 50]). So, instead of going into technical details, we will
concentrate on the meaning of Sahlqvist’s theorem.

First, it gives much more than just first-order definability of $\mathrm{Fr}\{\varphi\}$, for a Sahlqvist
formula $\varphi$, and, therefore, recursive enumerability of $\mathrm{Log}\,\mathrm{Fr}\{\varphi\}$. In fact, we also obtain
an axiomatisation, namely, that $\mathrm{Log}\,\mathrm{Fr}\{\varphi\} = K \oplus \varphi$. As we know from Blok’s theorem,
this is much stronger than just first-order definability. (For example, there are a lot
of formulas $\varphi$ such that $\mathrm{Fr}\{\varphi\}$ is the class of transitive frames, but $K \oplus \varphi \ne K4$.)
Thus, Sahlqvist’s theorem has two aspects: the correspondence part (stating first-order
definability of $\mathrm{Fr}\{\varphi\}$) and the completeness part (stating that $\mathrm{Log}\,\mathrm{Fr}\{\varphi\} = K \oplus \varphi$).

However, Sahlqvist axioms do not guarantee good computational properties of modal 
logics. For example, there are finitely axiomatisable Sahlqvist logics without the finite 
model property in NExt S4 [26] (see also [65]). There are undecidable finitely axiomati- 
sable Sahlqvist logics in NExt K. Such a logic can easily be constructed if we have more 
than one box [23]. For instance, consider the undecidable associative calculus T of [148] 
with the axioms 


ac = ca, ad = da, bc = cb, bd = db, edb = be, eca = ae, abac = abacc. 


The reader will notice immediately an analogy between these axioms and the axioms of 
the following modal logic with five necessity operators: 


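$L = K_5 \oplus \Box_1\Box_3 p \leftrightarrow \Box_3\Box_1 p \oplus \Box_1\Box_4 p \leftrightarrow \Box_4\Box_1 p \oplus \Box_2\Box_3 p \leftrightarrow \Box_3\Box_2 p \oplus$
$\Box_2\Box_4 p \leftrightarrow \Box_4\Box_2 p \oplus \Box_5\Box_4\Box_2 p \leftrightarrow \Box_2\Box_5 p \oplus \Box_5\Box_3\Box_1 p \leftrightarrow \Box_1\Box_5 p \oplus$
$\Box_1\Box_2\Box_1\Box_3 p \leftrightarrow \Box_1\Box_2\Box_1\Box_3\Box_3 p.$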


Moreover, it is not hard to see that words x, y in the alphabet {a,b,c,d,e} are equiv- 
alent in T iff f(x)p — f(y)p € Ks, where f is the natural one-to-one correspondence 
between such words and modalities in language $\{\Box_1,\dots,\Box_5\}$ under which, for instance,
$f(cadedb) = \Box_3\Box_1\Box_4\Box_5\Box_4\Box_2$. It follows immediately that the Sahlqvist 5-modal logic
L is undecidable. An even simpler example of an undecidable finitely axiomatisable 
Sahlqvist logic is the bimodal product K4 x K4; for details see Chapter 15. Now, us- 
ing the reduction of multi-modal logics to those in NExt K [77] one can construct an 
undecidable finitely axiomatisable Sahlqvist logic from NExt K. 


PROBLEM 4. Are finitely axiomatisable Sahlqvist logics in NExt K4 decidable? 


It is also worth noting that there is no effective way of recognising whether a given 
modal formula is (deductively equivalent to) a Sahlqvist formula; in particular, the set 


$\{\varphi \in \mathcal{ML} \mid S4 \oplus \varphi \text{ is a Sahlqvist logic}\}$


is not recursive [26]. 

The simplest formula not covered by Sahlqvist’s theorem is the McKinsey axiom $ma$
(see (7) above). It is neither first-order definable [56, 154]⁵, nor canonical [55]. The
problem whether the following equality holds


$K \oplus \Box\Diamond p \to \Diamond\Box p = \mathrm{Log}\,\mathrm{Fr}\{\Box\Diamond p \to \Diamond\Box p\}$


and whether the logic $K \oplus ma$ is decidable had resisted all attempts based on the
standard methods of canonical models and filtration until Fine [44] introduced a new
proof technique based on certain normal forms to be considered in the next section.

Another logic not covered by Sahlqvist’s theorem is $KM^\infty = K \oplus \{ma_k \mid k \ge 1\}$
defined in [88], where


$ma_k = \Diamond \bigwedge_{1 \le i \le k} (\Diamond p_i \to \Box p_i).$


⁵ This result was first proved by R. Goldblatt in his PhD thesis in 1974.
$ma_1$ is K-equivalent to $ma$, so $KM^\infty \supseteq K \oplus ma$. In fact, $KM^\infty$ is the logic of the
class of frames satisfying


$\forall x \exists y\, (R(x, y) \land \forall z, z'\, (R(y, z) \land R(y, z') \to z = z'))$,     (8)


so by Theorem 11 it is canonical.

In [64], the proof of Sahlqvist’s theorem is extended to $KM^\infty$ and other logics. The
method uses ‘quasipositive’ hybrid sentences; see Chapter 14 for full details of hybrid
logic. In these formulas, existential and relativised universal quantifiers over nominals
are allowed, negation can only occur in the latter, and there are no free nominals or
propositional variables. From any quasipositive sentence $\varphi$, an infinite set of modal axioms
can be obtained effectively. The modal axioms approximate $\varphi$, by treating nominals
as propositional variables ranging over the partition sets of finite partitions of the worlds
of a model. Each partition is defined by the truth values of an arbitrary finite set of
modal formulas. Existential and universal quantification are simulated by disjunctions
and conjunctions over partition sets. The axioms obtained in this way axiomatise a
modal logic $L_\varphi$, which is shown to be the logic of the class of frames validating $\varphi$: i.e.,
$L_\varphi = \mathrm{Log}\,\mathrm{Fr}\{\varphi\}$.

For example, let $\varphi = \Diamond\exists i\,\Box i$, where $i$ is a nominal. Then $\varphi$ is valid in precisely
the frames satisfying (8). The axioms obtained from $\varphi$ are equivalent to substitution
instances of the $ma_k$ above, and so $L_\varphi = KM^\infty$. For instance, the axiom obtained by
approximating $\varphi$ with respect to the finite set $X = \{p_1,\dots,p_k\}$ is


$\Diamond \bigvee_{Y \subseteq X} \Big( \bigwedge_{p \in Y} \Box p \land \bigwedge_{p \in X - Y} \Box\neg p \Big),$


and this is K-equivalent to $ma_k$.

The method extends to sets $\Phi$ of quasipositive sentences. Every $L_\Phi$ is the logic of an
elementary class of frames, namely, $\mathrm{Fr}\,\Phi$. [64] shows that the modal logics of elementary
classes of frames are precisely those of the form $L_\Phi$. The result applies to multi-modal
logics and to logics with polyadic modalities.

This result gives an interesting link between modal and hybrid logic. It is analogous
to Sahlqvist’s completeness theorem, since $\mathrm{Log}\,\mathrm{Fr}\,\Phi = L_\Phi$. An analogue of Sahlqvist’s
correspondence theorem would state that $\mathrm{Fr}\,L_\Phi$ is first-order definable (by $\Phi$), but this
cannot be achieved in general, since in many cases, $\mathrm{Fr}\,L_\Phi$ is non-elementary.


4.2 Uniform logics 


Fine [44] used a modal analogue of the full disjunctive normal form for constructing finite
models and proving the fmp of a family of logics in NExt D (containing, in particular,
$K \oplus ma$).

Observe first that every modal formula $\varphi(p_1,\dots,p_m)$ is equivalent in K either to $\bot$
or to a disjunction of normal forms (in the variables $p_1,\dots,p_m$) of degree $md(\varphi)$ (the
modal depth of $\varphi$), which are defined inductively in the following way. $NF_0$, the set of
normal forms of degree 0, contains all formulas of the form $\neg_1 p_1 \land \dots \land \neg_m p_m$, where
each $\neg_i$ is either blank or $\neg$. $NF_{n+1}$, the set of normal forms of degree $n+1$, consists of
formulas of the form

$\theta \land \neg_1\Diamond\theta_1 \land \dots \land \neg_k\Diamond\theta_k,$

where $\theta \in NF_0$ and $\theta_1,\dots,\theta_k$ are all distinct normal forms in $NF_n$. Put $NF = \bigcup_{n<\omega} NF_n$.
Using the fact that $\bigvee\{\Diamond\theta \mid \theta \in NF_n\} \in D$, it is not hard to see also
that in D every formula $\varphi$ with $md(\varphi) \le n$ is equivalent either to $\bot$ or to a disjunction
of normal forms of degree $n$ such that at least one of $\neg_1,\dots,\neg_k$ in the inductive step of
the definition above is blank. Such normal forms are called D-suitable. It should be clear
that, for any distinct $\theta', \theta'' \in NF_n$, $\neg(\theta' \land \theta'') \in K$. Consequently, for every $\theta \in NF_n$
and every $\varphi(p_1,\dots,p_m)$ with $md(\varphi) \le n$, we have either $\theta \to \varphi \in K$ or $\theta \to \neg\varphi \in K$.

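With each D-suitable normal form $\theta$ we associate a model $\mathfrak{M}_\theta = \langle\mathfrak{F}_\theta, \mathfrak{V}_\theta\rangle$ based on
$\mathfrak{F}_\theta = \langle W_\theta, R_\theta\rangle$ by taking


$W_\theta = \{\top\} \cup \{\theta' \in NF \mid \theta' <^n \theta, \text{ for some } n \ge 0\}$,
$\theta' < \theta''$ iff $\Diamond\theta'$ is a conjunct of $\theta''$,
$\theta' R_\theta \theta''$ iff either $\theta' > \theta''$ or $md(\theta') = 0$ and $\theta'' = \top$,
$\mathfrak{V}_\theta(p) = \{\theta' \in W_\theta \mid p \text{ is a conjunct of } \theta'\}$.


According to the definition, $\top$ is the reflexive end-point in $\mathfrak{F}_\theta$, and so $\mathfrak{F}_\theta$ is serial. By
a straightforward induction on the degree of $\theta' \in W_\theta$ one can show that $(\mathfrak{M}_\theta, \theta') \models \theta'$.
It follows immediately that D has the finite model property (fmp, for short). Indeed,
given $\varphi \notin D$, we reduce $\neg\varphi$ to a disjunction of D-suitable normal forms with at least one
disjunct $\theta$, and then $(\mathfrak{M}_\theta, \theta) \models \theta$.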

It turns out that in the same way we can prove the fmp of all logics in NExt D that
are axiomatisable by uniform formulas which are defined as follows. Every $\varphi$ without
modal operators is a uniform formula of degree 0; and if $\varphi = \psi(\bigcirc_1\chi_1,\dots,\bigcirc_m\chi_m)$, where
$\bigcirc_i \in \{\Box, \Diamond\}$, $md(\psi(p_1,\dots,p_m)) = 0$ and $\chi_1,\dots,\chi_m$ are uniform formulas of degree $n$,
then $\varphi$ is a uniform formula of degree $n+1$. A remarkable property of uniform formulas
is the following. Suppose that $\varphi$ is a uniform formula of degree $n$ and $\mathfrak{M}$, $\mathfrak{N}$ are models
based on the same frame $\mathfrak{F} = \langle W, R\rangle$ and such that, for some point $x$, $(\mathfrak{M}, y) \models p$ iff
$(\mathfrak{N}, y) \models p$ for every $y \in x{\uparrow}^n$ and every variable $p$ in $\varphi$, where


Xp = Xt = {fyeWl|aceXaRy}, XPH = (Xf. 


Then $(\mathfrak{M}, x) \models \varphi$ iff $(\mathfrak{N}, x) \models \varphi$.
Given a logic $L$, we call a normal form $\theta$ $L$-suitable if $\mathfrak{F}_\theta \models L$.


THEOREM 13 (Fine). Every logic $L \in$ NExt D axiomatisable by uniform formulas has
the fmp.


Proof. It suffices to prove that each formula y with md(y) < n is equivalent in L 
either to L or to a disjunction of L-suitable normal forms of degree n. And this fact will 
be established if we show that every D-suitable normal form 0 such that 0 — L ¢ L is 
L[-suitable. Suppose otherwise. Let 0 be an L-consistent and D-suitable normal form 
of the least possible degree under which it is not L-suitable. Then there are a uniform 
formula w € L of some degree m and a model M = (Fo, VW) such that (M, 0) A y. 

For every variable p in y, let T, = {6 € 01™| (Mt, 6’) =| p} and let 6, = VT, (if 
Tp = 9 then 6, = L). Observe that for every 0’ € 67” we have (Me, 0’) — ôp iff ET, 
iff (M, 0’) H p. Therefore, the formula y’ that results from w by replacing each p with 
Ôp is false at 0 in My. Now, if md(y') > n then m > n, and so 6, = L for every p in , 
i.e., ~’ is variable free. But then 7’ is equivalent in D to T or L, contrary to e E Y’ 
and L being consistent. And if md(w’) < n then either 6 > y’ € K, which is impossible, 
since (Ma, 0) KE 0 > wv’, or 6 > aw’ € K, from which y’ — 70 € K and so 76 € L,
contrary to 0 being L-consistent. Q 


It is not hard to extend Fine’s theorem to the multi-modal case, namely, to those logics
that contain $\Diamond_i\top$, for all $i = 1,\dots,n$, and are axiomatisable by formulas $\varphi$ in which all
maximal sequences of nested modal operators coincide with respect to the distribution
of the indices $i$ of $\Box_i$ and $\Diamond_i$.

As a consequence of Theorem 13 we obtain that $KM = K \oplus ma$ enjoys the fmp and
so is decidable. Strange as it may seem, the following problem is still open:


PROBLEM 5. What is the computational complexity of KM? 


4.3 Logics with $\Box\Diamond$-axioms


Another result, connecting the fmp of logics with the distribution of $\Box$ and $\Diamond$ over
their axioms, is based on the following observation which can be regarded as the modal
analogue of Glivenko’s theorem for intuitionistic logic (see, e.g., [24]): for all formulas
$\varphi, \psi \in \mathcal{ML}_1$, we have $\Diamond\varphi \to \Diamond\psi \in S5$ iff $\Box\Diamond\varphi \to \Box\Diamond\psi \in K4$. The proof of this
observation is almost trivial. Suppose $\Box\Diamond\varphi \to \Box\Diamond\psi \notin K4$. Then there exist a finite
model $\mathfrak{M}$, based on a transitive frame, and a point $x$ in it such that $x \models \Box\Diamond\varphi$ and
$x \not\models \Box\Diamond\psi$. It follows from the former that every final cluster accessible from $x$, if any,
is non-degenerate and contains a point where $\varphi$ is true. The latter means that $x$ ‘sees’ a
final cluster $C$ at all points of which $\psi$ is false. Now, by taking the generated submodel
of $\mathfrak{M}$ based on $C$, we obtain a model for S5 refuting $\Diamond\varphi \to \Diamond\psi$. The rest is obvious,
since $\Diamond p \leftrightarrow \Box\Diamond p$ is in S5 and $K4 \subseteq S5$.

$\mathcal{ML}_1$-formulas in which every occurrence of a variable is in the scope of a modality
$\Box\Diamond$ will be called $\Box\Diamond$-formulas. The next theorem is due to Rybakov [124].


THEOREM 14 (Rybakov). If a logic $L \in$ NExt K4 is decidable (or has the fmp) and $\psi$
is a $\Box\Diamond$-formula then $L \oplus \psi$ is also decidable (has the fmp).


Proof. Suppose that Y = y/(GOx1,..-, 4Ovn), for some formula wW’(qi,.--;dn)- If 
p(p1,---;Pm) E LE Y then there exists a derivation of y in L @ wv in which substitution 
instances of p contain no variables different from pj,...,Pm. Each of these instances 
has the form w’(OOx{,..., 0x/,), where every x; is some substitution instance of x; 
containing only p1,...,Dm. Now, it is not hard to see that, similarly to classical propo- 
sitional logic, there are finitely many pairwise nonequivalent formulas in S5 built from 
P1,- - -, Pm (for more details see, e.g., [129] or [24]). In view of the observation above, there 
are finitely many pairwise nonequivalent in K4 substitution instances of DOy; of that 
sort (the reader can easily estimate the number of them). So there exist only finitely 


many pairwise nonequivalent in K4 substitution instances of p containing p,...,Dm, 
say, U1,.--,Wez, and we can effectively construct them. Then, by the deduction theorem, 
pEeLey iff (bi A+: Ade) > ge L, 


where Oty = yAQy. Thus, L% is decidable (or has the fmp) whenever L is decidable 
(has the fmp). Q 


It should be noted that by adding infinitely many $\Box\Diamond$-formulas to a logic $L$ with the
fmp one can construct a Kripke incomplete logic; for a concrete example see [123].
4.4 Logics with noniterative axioms


Lewis [91] considered those logics in NExt $K_n$ that can be axiomatised by $\mathcal{ML}_n$-formulas
without nested modal operators. We call such logics noniterative. Examples of noniter- 
ative logics are 


T = K@Op—p or Kz $ Oop — Op. 


THEOREM 15 (Lewis). All noniterative logics in NExt $K_n$ have the fmp.


Proof. Suppose that the axioms of L = K, ®T have no nested modal operators and 
p Z L. Let suby be the set of all subformulas of y. By a y-description we mean any 
set of subformulas of y together with the negations of the remaining formulas in sub y. 
For each L-consistent -description ©, take a maximal L-consistent set Ao containing 
©. Denote by W the (finite) set of the selected Ao and define § = (W, (R; | i € I)} and 
M = (7, V) by taking 


and Y(p) = {Ae € W | p E€ Ao}. It is easily proved that (M, Ao) = w iff y € Ao, for 


all subformulas 7 of y and Ag € W. Hence ¥ KF y. It is also easy to see that for all 
truth-functional compounds w of subformulas of y, 


(9) (M, Ae) E Oi iff Oi E Ao. 


Consider now a model W = (3, VW’) and x ET. For each variable p put 


by = V{Ael4ce€x"n)} 


and denote by x’ the result of substituting Yp for p, for each p in x. Then W H x iff 
M H x’. In view of (9), we have M |= x’ because x’ has no nested modalities. Thus, 
5 = x and so FEL. Q) 


4.5 Modal reduction principles 


Modal reduction principles—that is, formulas of the form Mp — Np, where M and N 
are strings of $\Box_i$ and $\Diamond_i$—have always attracted the attention of modal logicians, with
the aim being to reduce the number of nested modal operators. (For example, both 
Op «= Op and OUp Op are in S5.) In the context of this chapter, we are interested 
in completeness and decidability of normal modal logics axiomatised by modal reduction 
principles. 

As we know from Section 4.1, there are undecidable logics in NExt $K_2$ with finitely
many modal reduction principles as their axioms. But it seems that nearly nothing is 
known about the behaviour of logics with such axioms in NExt K. Perhaps one of the 
most intriguing open problems in Modal Logic is the following: 


PROBLEM 6. Do the logics of the form $K \oplus \Box^n p \to \Box^m p$ have the finite model property?


Note, however, that by Sahlqvist’s theorem all logics of the form $K \oplus \Box^n p \to \Box^m p$ are
characterised by their Kripke frames that are definable by first-order formulas (which are
similar to transitivity: if $y$ is accessible from $x$ in $m$ steps, then $y$ is accessible from $x$ in
$n$ steps as well).

Van Benthem [155] showed that modal reduction principles in $\mathcal{ML}_1$ are all first-order
definable over transitive frames (this is not the case in general: e.g., the McKinsey axiom
$\Box\Diamond p \to \Diamond\Box p$ is not first-order definable over arbitrary frames; see [155] for a complete
characterisation).

The following result was proved in [175] using the method of canonical formulas to be 
discussed in Section 6: 


THEOREM 16. All logics in NExt K4 axiomatisable by modal reduction principles have
the fmp and are decidable.


PROBLEM 7. Are extensions of $K_n$ with modal reduction principles Kripke complete?
PROBLEM 8. Are extensions of K with modal reduction principles decidable?


4.6 Logics with n-variable axioms 


A very natural syntactical parameter of a modal logic $L \oplus \Gamma$ is the number of variables in
its extra axioms $\Gamma$ over $L$. For example, $D = K \oplus \Diamond\top$ is axiomatised by a variable-free
formula over K and almost all standard modal logics—e.g., K4, S4, S5, Grz, GL—can 
be axiomatised by adding axioms with only one variable to K. (A notable exception is 
K4.3 whose axiomatisation requires two variables; see [119]). 

We start our discussion of variable-free axioms with a simple observation that the
truth of a variable-free formula $\varphi$ does not depend on the valuation, i.e., for every model
$\mathfrak{M}$ based on a frame $\mathfrak{F}$, we have $\mathfrak{M} \models \varphi$ iff $\mathfrak{F} \models \varphi$. Therefore, we can reduce deduction in
$L \oplus \varphi$ to ‘global’ deduction in $L$. More precisely, we say that a formula $\psi$ follows globally
from a set $\Gamma$ of formulas in a logic $L$ if $\mathfrak{M} \models \Gamma$ implies $\mathfrak{M} \models \psi$ for every model $\mathfrak{M}$ based
on a frame for $L$. Now, if global deduction is decidable for $L$, then $L \oplus \varphi$ is decidable:
indeed, $\psi \in L \oplus \varphi$ iff $\psi$ follows globally from $\varphi$ in $L$.

To make use of this observation we need to know how to prove decidability of ‘global
deducibility’ for modal logics $L$. For $L \in$ NExt K4 this is simple because $\psi$ follows
globally from $\varphi$ in $L$ iff $\varphi \land \Box\varphi \to \psi \in L$.


THEOREM 17. If $\varphi$ is variable-free and $L \in$ NExt K4 is decidable, then $L \oplus \varphi$ is
decidable.


Note that there are extensions of K4 with infinitely many variable-free axioms which
are undecidable and do not have the fmp; for a concrete example and further details
see [24]. This cannot happen in NExt GL, however, because each variable-free formula
is deductively equivalent in GL to one of the formulas $\top$, $\Box^n\bot$, where $n < \omega$. Since
$\Box^i\bot \to \Box^j\bot \in K4 \subseteq GL$, for $i < j$, all extensions of GL with variable-free formulas are
finitely axiomatisable and decidable.

The simple reduction of global deducibility above does not apparently work for ‘non- 
transitive’ logics in NExt K. In fact, there are decidable normal modal logics L such that 
global deducibility is undecidable for L. (The first example of such a logic was constructed 
by Spaan [139]. Another natural example is K x K; for details see Chapter 15 or [48].) 
It should be clear that global deducibility in a finitely axiomatisable modal logic $L$ is
decidable if $L$ enjoys the so-called global finite model property (global fmp, for short):
for every finite set $\Gamma \cup \{\psi\}$ of formulas, $\psi$ does not follow globally from $\Gamma$ iff there exists
a finite model $\mathfrak{M}$ based on a frame for $L$ such that $\mathfrak{M} \models \Gamma$ and $\mathfrak{M} \not\models \psi$. The global
fmp of many standard modal logics like $K_n$, $K4_n$, $S5_n$ can be proved by filtration: just
start with a possibly infinite model $\mathfrak{M}$ such that $\mathfrak{M} \models \Gamma$ and $\mathfrak{M} \not\models \psi$, and then filtrate
it through the subformulas of $\Gamma \cup \{\psi\}$; see [59] for details. For example, we have the
following:


THEOREM 18. If $\varphi$ is variable-free, then $K_n \oplus \varphi$ is decidable.

The undecidable Sahlqvist logic on page 447 shows that this result does not hold for
axioms with one variable. Chagrov [21] constructed a one-variable formula $\varphi$ such that
$GL \oplus \varphi$ is undecidable. It turns out, however, that we have the following theorem which
was proved in [175] using the method of canonical formulas (to be discussed in Section 6):


THEOREM 19. For every one-variable formula $\varphi$, $S4 \oplus \varphi$ has the fmp and is decidable.


On the other hand, an infinite number of one-variable axioms can yield an extension 
of S4 without the fmp [133]. A Kripke incomplete extension of S4 with a two-variable 
axiom was constructed by Shehtman [132] and an undecidable logic above S4 with a 
three-variable axiom by Chagrov [21]. 


PROBLEM 9. Are extensions of S4 with a two-variable axiom decidable? 


5 SEMANTICALLY CONSTRAINED CLASSES OF MODAL LOGICS 


In the previous section we considered ‘nice’ classes of modal logics defined in terms of the 
form of the logics’ axioms. Here we give a brief overview of well-behaved classes of modal 
logics determined by imposing some natural constraints on the form of their frames. 


Tabular logics 


A normal modal logic L is said to be tabular if it is determined by a finite set of finite
frames. Since the class of frames for a normal modal logic is closed under disjoint unions,
L is tabular iff there exists a single finite frame that determines L. In many respects
tabular logics are easy to deal with. For instance, the problem of deciding whether a
formula $\varphi$ belongs to a tabular logic is trivially decided in NP by considering all possible
valuations in the finite frame characterising L. Moreover, it is not difficult to provide a
finite axiomatisation for a tabular logic; for details see, e.g., [177]. Thus, we arrive at the
following:


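THEOREM 20. Every tabular logic is coNP-complete and finitely axiomatizable. Moreover,
a normal modal logic is tabular if, and only if, it contains one of the formulas


$$\mathbf{tab}_n = \neg(\varphi_1 \wedge \Diamond(\varphi_2 \wedge \Diamond(\varphi_3 \wedge \dots \wedge \Diamond\varphi_n)\dots)) \wedge \bigwedge_{m=0}^{n-1} \neg\Diamond^m(\Diamond\varphi_1 \wedge \dots \wedge \Diamond\varphi_n),$$


where $\varphi_i = p_1 \wedge \dots \wedge p_{i-1} \wedge \neg p_i \wedge p_{i+1} \wedge \dots \wedge p_n$.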
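
As an added illustration (not code from the Handbook), the brute-force membership test described above can be written out for a finite Kripke frame: enumerate every valuation of the formula's variables and model-check each one. The tuple encoding of formulas, the function names and the two sample frames are assumptions of this example.

```python
from itertools import product

# Formulas are nested tuples (an encoding chosen for this example):
#   ("var", "p"), ("bot",), ("not", A), ("and", A, B), ("or", A, B),
#   ("imp", A, B), ("box", A), ("dia", A)


def variables(phi):
    """Propositional variables occurring in phi."""
    if phi[0] == "var":
        return {phi[1]}
    return set().union(*(variables(sub) for sub in phi[1:]))


def truth_set(phi, worlds, succ, val):
    """Worlds of the frame at which phi holds under the valuation val."""
    op = phi[0]
    if op == "var":
        return set(val[phi[1]])
    if op == "bot":
        return set()
    if op == "not":
        return set(worlds) - truth_set(phi[1], worlds, succ, val)
    if op in ("and", "or", "imp"):
        a = truth_set(phi[1], worlds, succ, val)
        b = truth_set(phi[2], worlds, succ, val)
        if op == "and":
            return a & b
        if op == "or":
            return a | b
        return (set(worlds) - a) | b
    if op in ("box", "dia"):
        a = truth_set(phi[1], worlds, succ, val)
        if op == "box":   # every successor satisfies the argument
            return {w for w in worlds if succ[w] <= a}
        return {w for w in worlds if succ[w] & a}
    raise ValueError(f"unknown connective {op!r}")


def refuting_valuation(phi, worlds, relation):
    """A valuation under which phi fails at some world, or None if phi is valid."""
    worlds = sorted(worlds)
    succ = {w: {v for (u, v) in relation if u == w} for w in worlds}
    names = sorted(variables(phi))
    subsets = [frozenset(w for w, bit in zip(worlds, bits) if bit)
               for bits in product((0, 1), repeat=len(worlds))]
    # 2^(|W| * number of variables) valuations: finite, but exponential.
    for choice in product(subsets, repeat=len(names)):
        val = dict(zip(names, choice))
        if truth_set(phi, worlds, succ, val) != set(worlds):
            return val
    return None


def in_logic_of_frame(phi, worlds, relation):
    """True iff phi belongs to the tabular logic determined by the frame."""
    return refuting_valuation(phi, worlds, relation) is None


P, Q = ("var", "p"), ("var", "q")
LOEB = ("imp", ("box", ("imp", ("box", P), P)), ("box", P))   # the axiom la
REFLEXIVITY = ("imp", ("box", P), P)
# alt_1 from the paragraph on K + alt_n later in this section:
# valid iff every point has at most one successor.
ALT1 = ("or", ("box", P), ("box", ("imp", P, Q)))

# Constructed sample frames (both transitive and irreflexive).
CHAIN = ({0, 1}, {(0, 1)})               # 0 sees 1
FORK = ({0, 1, 2}, {(0, 1), (0, 2)})     # 0 sees 1 and 2

if __name__ == "__main__":
    for name, phi in [("la", LOEB), ("box p -> p", REFLEXIVITY), ("alt_1", ALT1)]:
        print(name, in_logic_of_frame(phi, *CHAIN), in_logic_of_frame(phi, *FORK))
```
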


What is the position of tabular logics within the lattices NExt $\mathbf{K}_n$? First, it is easy to
see that every normal modal logic containing a tabular modal logic L is tabular as well
and is determined by frames that are p-morphic images of generated subframes of any
frame which determines L. Therefore, we have:


THEOREM 21. If L is tabular then NExt L is finite and contains only tabular logics.
NExt L can be effectively computed.


On the other hand, according to Theorem 9, the axiomatisation problem for tabular
modal logics is always undecidable in NExt $\mathbf{K}_n$. The situation is not so hopeless if we
consider the following relativised version of the axiomatisation problem for tabular logics
above some sufficiently ‘strong’ logic $L_0 \supseteq \mathbf{K}_n$: given a tabular logic $L \supseteq L_0$ and an
arbitrary formula $\varphi$, decide whether $L_0 \oplus \varphi = L$. For example, one can easily show (see,
e.g., [24, 177] and references therein) that every tabular logic containing K4 is a
union-splitting of K4 and that a logic is tabular in NExt K4 iff it has finitely many normal
extensions. Moreover, the following holds:


THEOREM 22. If $L \in \mathrm{NExt}\,\mathbf{K4}$ is tabular then $\{\varphi \mid \mathbf{K4} \oplus \varphi = L\}$ is decidable.


How to determine whether a given logic is tabular? The key idea suggested by 
Kuznetsov [82] is to consider the so-called pretabular logics. 

A logic $L \in \mathrm{NExt}\,L_0$ is said to be pretabular if L is not tabular but every proper
extension of L in NExt $L_0$ is tabular. In other words, a pretabular logic is a maximal
nontabular logic in NExt $L_0$. Using Zorn’s lemma it is easily seen that, in NExt $\mathbf{K}_n$,
every non-tabular logic is contained in a pretabular one. It is also known that every
pretabular logic in NExt K4 has the fmp (for proofs and references consult [24]). Moreover,
Maksimova [96] and Esakia and Meskhi [38] showed that there are only five (pretty
simple) pretabular logics in NExt S4. Using this result one can show the following:


THEOREM 23. The set $\{\varphi \mid \mathbf{S4} \oplus \varphi \text{ is tabular}\}$ is decidable.


Indeed, we launch two parallel processes: one of them generates all derivations in
$\mathbf{S4} \oplus \varphi$ and stops after finding a derivation of $\mathbf{tab}_n$, for some $n < \omega$; another process
checks if $\varphi$ belongs to a pretabular logic in NExt S4 and stops if this is the case. The
termination of the first process means that $\mathbf{S4} \oplus \varphi$ is tabular, and if the second one comes
to a stop then this logic is not tabular.

Note that there are a continuum of pretabular logics in NExt K4, while NExt GL
contains countably many of them [10, 17], and the set $\{\varphi \mid \mathbf{GL} \oplus \varphi \text{ is tabular}\}$ is decidable.


PROBLEM 10. Is the set $\{\varphi \mid \mathbf{K4} \oplus \varphi \text{ is tabular}\}$ decidable?


Transitive logics of finite depth and width 


A very natural semantical constraint on logics from NExt K4 is the length of maximal
chains and antichains in their rooted frames. Say that a logic $L \in \mathrm{NExt}\,\mathbf{K4}$ is of depth
$n < \omega$ if L has a frame $\langle W, R \rangle$ with a chain $x_1 R x_2 R \dots R x_n$ of points from distinct
clusters, but no frame with such chains of greater length validates L. Syntactically,
logics of depth n can be defined as those extensions of K4 that contain the formula $\mathbf{bd}_n$
but not $\mathbf{bd}_{n+1}$, where


$$\mathbf{bd}_1 = \Diamond\Box p_1 \to p_1,$$
$$\mathbf{bd}_{n+1} = \Diamond(\Box p_{n+1} \wedge \neg\mathbf{bd}_n) \to p_{n+1}.$$


The following theorem was proved in [129]: 


THEOREM 24 (Segerberg). Every logic of finite depth has the finite model property (in
fact, is locally tabular in the sense that it has only finitely many nonequivalent formulas
with variables $p_1, \dots, p_n$), and so is decidable if finitely axiomatisable.


It is to be noted that there are a continuum of logics of depth 3 [84].

Say that a logic $L \in \mathrm{NExt}\,\mathbf{K4}$ is of width $n < \omega$ if it has a rooted frame $\langle W, R \rangle$ with
an antichain $x_1, \dots, x_n$ (i.e., $x_i R x_j$ does not hold for any distinct $i, j \le n$) but no rooted
frame with an $(n+1)$-point antichain validates L. Syntactically, logics of width n can be
described as those extensions of K4 that contain the formula $\mathbf{bw}_n$ but not $\mathbf{bw}_{n+1}$, where


$$\mathbf{bw}_n = \bigwedge_{i=0}^{n} \Diamond p_i \to \bigvee_{0 \le i \ne j \le n} \Diamond(p_i \wedge (p_j \vee \Diamond p_j)).$$


The logics of width 1 are precisely the logics in NExt K4.3.
The following theorem was proved in [43]: 


THEOREM 25 (Fine). All logics of finite width are Kripke complete. 


There are a continuum of logics of width 1. However, those of them that are finitely 
axiomatisable behave quite nicely as was shown in [176, 93]: 


THEOREM 26. All finitely axiomatisable logics in NExt K4.3 are decidable (in fact
coNP-complete), though they do not necessarily have the finite model property.


Nothing is known about decidability of finitely axiomatisable logics of width n > 1 
(our conjecture is that all of them are decidable): 


PROBLEM 11. Are finitely axiomatisable logics of width n > 1 decidable? What is 
their computational complexity? 


For logics above S4.3 we have the following classical result of [14, 40, 139]. Here and
in what follows we say that a logic L has the poly-size model property if every formula
$\varphi \notin L$ is refuted in a model based on a frame for L of polynomial size.


THEOREM 27 (Bull, Fine, Spaan). All logics in NExt S4.3 are finitely axiomatisable,
have the poly-size model property, and are coNP-complete.


PROBLEM 12. Does there exist an algorithm that decides, given a formula $\varphi$, whether
the logic $\mathbf{K4} \oplus \varphi$ is of finite width/depth?


It is worth noting that if the problem whether $L = \mathbf{K4} \oplus \varphi$ is of finite depth (or, which
is equivalent, whether L is locally tabular) is decidable, then the tabularity problem for
K4 (that is, Problem 10) is decidable as well. Indeed, suppose that we have an algorithm
for deciding, given a formula $\varphi$, whether $\mathbf{K4} \oplus \varphi$ is locally tabular. If this hypothetical
algorithm says that $L = \mathbf{K4} \oplus \varphi$ is not locally tabular then L is not tabular either.
Otherwise, we can effectively find some number n such that $\mathbf{bd}_n \in L$. And then we
use Blok’s [10] result according to which there are only finitely many pretabular logics
containing $\mathbf{bd}_n$. All these pretabular logics have rather simple Kripke frames which can
be easily axiomatised, so all of them are decidable. What remains to be done is to run
Kuznetsov’s algorithm described above.


Logics containing K5 


Recall that $\mathbf{K5} = \mathbf{K} \oplus \Diamond\Box p \to \Box p$ is the logic determined by all Euclidean frames $\langle W, R \rangle$,
where Euclidean means that


$$\forall x \forall y \forall z\,(xRz \wedge xRy \to yRz).$$


The papers [113, 114] investigate the (possibly non-normal) extensions of K5. The
following theorem summarises the results for logics in NExt K5:


THEOREM 28 (Nagle, Thomason). All logics in NExt K5 have the finite model property,
are finitely axiomatisable, and so decidable. The lattice NExt K5 can be computed
effectively.


It is not difficult to see that actually all logics in NExt K5 have the poly-size model 
property and are coNP-complete. 


Logics containing S5 x S5 


$\mathbf{S5} \times \mathbf{S5}$ is the bimodal logic determined by product frames of the form $\langle W \times W, R_1, R_2 \rangle$,
where $(w_1, w_2) R_1 (w_1', w_2')$ iff $w_2 = w_2'$, and $(w_1, w_2) R_2 (w_1', w_2')$ iff $w_1 = w_1'$. It was
introduced and investigated because of its close relation to the two-variable fragment of
first-order logic [130, 48]; see also Chapter 15. $\mathbf{S5} \times \mathbf{S5}$ can be axiomatised by adding to
the fusion (see Chapter 15) of S5 with S5 the modal axiom $\Diamond_1\Diamond_2 p \to \Diamond_2\Diamond_1 p$ saying that
$R_1$ and $R_2$ commute. Logics containing $\mathbf{S5} \times \mathbf{S5}$ are surprisingly well-behaved. Indeed,
while $\mathbf{S5} \times \mathbf{S5}$ itself is NEXPTIME-complete [103], it was proved in [6, 5] that we have
the following:


THEOREM 29. Every normal bimodal logic properly containing $\mathbf{S5} \times \mathbf{S5}$ has the poly-size
model property, is finitely axiomatisable and coNP-complete.


The axiomatisation result is based on a variant of Kruskal’s tree theorem. The picture
is different if a constant for the diagonal $\{(w, w) \mid w \in W\}$ (motivated by its interpretation
as ‘equality’ in first-order logic) is added to the bimodal language. In this case there
exist uncountably many normal modal logics extending $\mathbf{S5} \times \mathbf{S5}$ with the diagonal, and
it is open whether all of them have the finite model property [3, 4].


Logics containing $\mathbf{K} \oplus \mathbf{alt}_n$


A frame $\mathfrak{F} = \langle W, R \rangle$ validates the formula


$$\mathbf{alt}_n = \Box p_1 \vee \Box(p_1 \to p_2) \vee \dots \vee \Box(p_1 \wedge \dots \wedge p_n \to p_{n+1}),$$


where n > 0, iff each point in $\mathfrak{F}$ has at most n distinct R-successors. Segerberg [131]
proved the following:


THEOREM 30. All logics in NExt($\mathbf{K} \oplus \mathbf{alt}_1$) have the finite model property, are finitely
axiomatisable, and so decidable. The lattice NExt($\mathbf{K} \oplus \mathbf{alt}_1$) can be computed effectively.


It is not difficult to see that actually all extensions of $\mathbf{K} \oplus \mathbf{alt}_1$ have the poly-size model
property and are coNP-complete. Extensions of $\mathbf{K} \oplus \mathbf{alt}_n$ for n > 1 are investigated in
[1]:


THEOREM 31. All logics in NExt($\mathbf{K} \oplus \mathbf{alt}_n$) are Kripke complete and their frames are
first-order definable.


An analysis of polymodal extensions of $\mathbf{K} \oplus \mathbf{alt}_n$ is given in [76, 61].


6 FRAME-THEORETIC CHARACTERISATION


Finding characterisations of those classes of structures that can be defined by (sets of)
formulas of a given language $\mathcal{L}$ is one of the central research problems in the development
of a model theory for the language. This is often achieved by introducing certain
truth-preserving operators on classes of structures (e.g., the formation of p-morphic images,
generated subframes, disjoint unions, ultraproducts, etc.) and then proving that the
$\mathcal{L}$-definable classes are precisely those that are closed under these operators—a kind
of Birkhoff-type theorem for varieties of abstract algebras. Such characterisations for
modal logics are discussed in Chapters 5 and 6 on modal model theory and algebras.
Unfortunately, abstract characterisations of this sort are of limited use when we deal
with modal decision problems. In this context, what we need is not characterisations
that are ‘as abstract as possible,’ but rather explicit finitely presentable ones.

Of course, modal formulas themselves can be regarded as a ‘finitely presented charac- 
terisation’ of modally definable classes of frames. However, in general, the information 
contained in formulas is rather implicit and non-structural (or ‘non-geometric’)—one has 
to work hard to learn how to decipher their meaning. 

As a first step towards more informative finite presentations of modally definable
classes of general frames, let us find out which of these classes $\mathcal{F}$ cannot be decomposed
in the sense that whenever $\mathcal{F} = \mathrm{GFr}\,\Gamma$, for some set $\Gamma$ of modal formulas, then there is
a $\psi \in \Gamma$ such that $\mathcal{F} = \mathrm{GFr}\{\psi\}$. This means, in particular, that we cannot make the
information provided by such a formula $\psi$ ‘more explicit’ by replacing it with two (or
more) formulas $\psi_1$ and $\psi_2$ such that $\mathrm{GFr}\{\psi\} = \mathrm{GFr}\{\psi_1, \psi_2\}$, but $\mathrm{GFr}\{\psi\} \subsetneq \mathrm{GFr}\{\psi_i\}$ for
$i = 1, 2$.

Again, as in Blok’s dichotomy and Chagrov’s classification, it is the notion of splittings
that provides a proper framework for investigating indecomposability. In fact, one can
show that, for every normal modal logic L, the class GFr L is indecomposable iff there
exists a finite rooted (cycle free) frame $\mathfrak{F}$ such that $L = \mathbf{K}/\mathfrak{F}$. Indeed, suppose that
$L = \mathbf{K}/\mathfrak{F} = \mathbf{K} \oplus \Gamma$ for some set of formulas $\Gamma$. Then there is a $\psi \in \Gamma$ such that $\mathfrak{F} \not\models \psi$
(for otherwise $\mathfrak{F} \models \Gamma$ and therefore $\mathfrak{F} \in \mathrm{GFr}\,L$). But then $L \subseteq \mathbf{K} \oplus \psi$, from which (since
$\psi \in \Gamma$) $L = \mathbf{K} \oplus \psi$. (For the other direction and further details see Chapter 8.) Thus,
we can say that the formula $\psi$ describes $\mathcal{F}$. Moreover, in view of (4), $\psi$ is deductively
equivalent to the formula $\Box^{\le n}\delta_{\mathfrak{F}} \to \neg p_r$, where $n = d(\mathfrak{F})$, which explicitly says: ‘$\mathfrak{G} \in \mathcal{F}$
iff there does not exist a generated subframe of $\mathfrak{G}$ having $\mathfrak{F}$ as its p-morphic image.’ The
formula $\Box^{\le n}\delta_{\mathfrak{F}} \to \neg p_r$ can be regarded as a modal diagram of $\mathfrak{F}$.

It follows from these considerations that we would have a kind of optimal explicit and
finite presentation of modally definable classes if we could prove that for every formula
$\varphi$ there exists a set $\mathcal{F}$ of finite rooted frames such that


$$\mathrm{GFr}\,\varphi = \mathrm{GFr}(\mathbf{K}/\mathcal{F}).$$


Then every modally definable class could be presented by means of a set of indecomposable
geometrically explicit formulas as above.

Now, the bad news is that we know from the proof of Blok’s dichotomy that this is
far from being the case: D is the only standard modal system that can be represented
in this way.

But the good news is that this situation changes drastically as soon as we confine
ourselves to ‘transitive’ modal logics, in particular, unimodal normal extensions of K4,
linear tense logics, or bimodal provability logics. Although, as we shall see below, it is
impossible to represent all normal modal logics extending, say, K4 in the form $L = \mathbf{K4}/\mathcal{F}$,
for some set $\mathcal{F}$ of finite rooted frames, we can still introduce appropriate modifications
and extensions of the notion of splitting which allow geometric finite representations of
every normal extension of K4. In this chapter we will show such representations first
for normal extensions of K4 and then for extensions of linear tense logics. The case of
bimodal provability logics is considered in [167].


6.1 Canonical formulas for K4 


This frame-theoretic or ‘geometric’ approach to investigating modal logics in NExt K4
and similar classes was launched by Jankov [66, 69] (in the framework of extensions of
intuitionistic logic⁶), Blok [9], Fine [45] and Zakharyaschev [172, 174, 175]. Let us observe
first that a number of standard logics in NExt K4 are indeed union-splittings, and so
their frames can be elegantly characterised in frame-theoretic terms. For example,


$$\mathbf{S4} = \mathbf{K4} \oplus \Box p \to p = \mathbf{K4}/\text{[frame diagrams]},$$
$$\mathbf{S4.1} = \mathbf{S4} \oplus \Box\Diamond p \to \Diamond\Box p = \mathbf{S4}/\circledcirc,$$
$$\mathbf{S4.2} = \mathbf{S4} \oplus \Diamond\Box p \to \Box\Diamond p = \mathbf{S4}/\text{[frame diagram]},$$


where $\circledcirc$ is a two-point cluster. As we saw above, this means that, e.g., for every
(general) frame $\mathfrak{F}$ for S4, $\mathfrak{F} \not\models \Box\Diamond p \to \Diamond\Box p$ iff there is a generated subframe of $\mathfrak{F}$ which
can be p-morphically mapped onto $\circledcirc$. To appreciate the elegance of this frame-theoretic
language, compare the purely geometric characterisation above with the standard
first-order description of the Kripke frames for S4.1:


$$\langle W, R \rangle \models \Box\Diamond p \to \Diamond\Box p \quad\text{iff}\quad \forall x \exists y\,(xRy \wedge \forall z\,(yRz \to y = z)).$$


This observation leads to the following natural questions: 


(A) Is it possible to characterise transitive frames for arbitrary formulas in a similar 
way? 


(B) If this is indeed the case, then perhaps the decision problem (as well as many other
problems) could be reduced to ‘comparing’ some finite frames? (For example,
$\mathbf{K4}/\mathfrak{F} \subseteq \mathbf{K4}/\mathfrak{G}$ iff $\mathfrak{G}$ is a p-morphic image of some generated subframe of $\mathfrak{F}$.)


We analyse these questions using a number of simple examples. Consider first the
Gödel-Löb provability logic $\mathbf{GL} = \mathbf{K4} \oplus \mathbf{la}$, where


$$\mathbf{la} = \Box(\Box p \to p) \to \Box p.$$


It is well-known that a Kripke frame $\mathfrak{F}$ validates la iff $\mathfrak{F}$ is transitive, irreflexive (i.e., a
strict partial order) and Noetherian in the sense that it contains no infinite ascending
chain. It is also well-known that the condition of Noetherianness is not a first-order one.
But what is more important in the present context, the frame


[Figure: frame diagram, not recoverable from the extraction]


refutes la and yet contains no generated subframe that can be p-morphically mapped onto
a finite frame refuting la. This means that GL is not a union-splitting of NExt K4 by
means of finite frames. To find an explicit finitely presentable geometric characterisation
of frames for GL some other frame-theoretic constructions are needed. Let us have
another look at the structure of countermodels for la.

6 Jankov [69] described all ‘conjunctively indecomposable’ intuitionistic formulas—i.e., splittings of
the extensions of intuitionistic logic—and promised to investigate ‘decomposable formulas’ in his next
paper which has never appeared. At the beginning of the 1980s he was arrested by the KGB for his
support of the Solidarity movement in Poland.

Suppose that a general frame $\mathfrak{F} = \langle W, R, P \rangle$ refutes la under some valuation. Then
the set $V = \{x \in W \mid x \not\models \mathbf{la}\}$ is in P and $V \subseteq V{\downarrow} = \{x \in W \mid \exists v \in V\ xRv\}$. It follows
from the former that $\mathfrak{G} = \langle V, R{\restriction}V, \{X \cap V \mid X \in P\} \rangle$ is a frame—we call it the subframe
of $\mathfrak{F}$ induced by V. And the latter condition means that there is a p-morphism from $\mathfrak{G}$
onto a single reflexive point $\circ$, which is the simplest refutation frame for la. Moreover,
one can readily check that the converse also holds: if there is a subframe $\mathfrak{G}$ of $\mathfrak{F}$ which
can be p-morphically mapped onto $\circ$ then $\mathfrak{F} \not\models \mathbf{la}$.

This example motivates the following definitions. Given frames $\mathfrak{F} = \langle W, R, P \rangle$ and
$\mathfrak{G} = \langle V, S, Q \rangle$, a partial (i.e., not totally defined, in general) map f from W onto V is
called a subreduction of $\mathfrak{F}$ to $\mathfrak{G}$ if, for all $x, y \in \mathrm{dom} f = f^{-1}(V)$ and all $X \in Q$, it
satisfies the following conditions


• $xRy$ implies $f(x) S f(y)$;
• $f(x) S f(y)$ implies $\exists z \in W\,(xRz \wedge f(z) = f(y))$;
• $f^{-1}(X) \in P$.


In other words, an f-subreduct of $\mathfrak{F}$ is a p-morphic image—or a reduct—of the subframe
of $\mathfrak{F}$ induced by dom f. A frame $\mathfrak{G} = \langle V, S, Q \rangle$ is a subframe of $\mathfrak{F} = \langle W, R, P \rangle$ if $V \subseteq W$
and the identity map on V is a subreduction of $\mathfrak{F}$ to $\mathfrak{G}$, i.e., if $S = R{\restriction}V$ and $Q \subseteq P$.
Note that a generated subframe $\mathfrak{G}$ of $\mathfrak{F}$ is not in general a subframe of $\mathfrak{F}$, since V may
be not in P.

Thus, the characterisation of frames for GL can be reformulated like this: $\mathfrak{F} \not\models \mathbf{la}$ iff
$\mathfrak{F}$ is subreducible to $\circ$. Here are two more examples:


• A frame $\mathfrak{F}$ refutes the Grzegorczyk axiom $\Box(\Box(p \to \Box p) \to p) \to p$ iff it is
subreducible to $\bullet$ or to $\circledcirc$.


• A quasi-order $\mathfrak{F}$ refutes the Dummett axiom $\Box(\Box p \to q) \vee \Box(\Box q \to p)$ iff $\mathfrak{F}$ is
subreducible to [frame diagram].


Now let us consider the logic $\mathbf{GL.2} = \mathbf{GL} \oplus \mathbf{ga}$, where ga is the Geach axiom $\Diamond\Box p \to \Box\Diamond p$.
It is easy to see that every Kripke frame refuting ga must contain the fork


[frame diagram: the fork]


as a subframe, and in general, if $\mathfrak{F} \not\models \mathbf{ga}$ then $\mathfrak{F}$ is subreducible to this fork. However,
the converse does not hold—just add a point $\bullet$ above the spikes of the fork to obtain a
counterexample. What we actually need is a fork-like subframe with its spikes having no
common successor. A good mathematical notion that is capable of describing this and
other similar cases is the notion of cofinality.

A subreduction f of $\mathfrak{F}$ to $\mathfrak{G}$ is called cofinal if


$$\mathrm{dom} f{\uparrow} \subseteq \mathrm{dom} f \cup \mathrm{dom} f{\downarrow}$$


or in English: if a point x is accessible from the domain of f then either x belongs to
the domain of f itself or ‘sees’ a point in dom f. For example, if we add to the fork a
top point as above, then the resulting frame is subreducible to the original fork, but not
cofinally because the top point cannot belong to the domain of the subreduction.


Returning back to the Geach axiom ga, it is an easy exercise to show that a frame $\mathfrak{F}$
for GL refutes ga iff $\mathfrak{F}$ is cofinally subreducible to the fork [frame diagram]. Another
example: a transitive $\mathfrak{F}$ refutes $\Diamond\top$ iff $\mathfrak{F}$ is cofinally subreducible to $\bullet$.

For the majority of standard modal axioms these two notions—plain and cofinal
subreductions—are enough. But not for all. The simplest counterexample is the density
axiom $\mathbf{den} = \Box\Box p \to \Box p$. It is refuted by the chain $\mathfrak{G}$ of two irreflexive points but
becomes valid if we insert between them a reflexive one. In fact, $\mathfrak{F} \not\models \mathbf{den}$ iff there is a
subreduction f of $\mathfrak{F}$ to $\mathfrak{G}$ such that $f(x{\uparrow}) = \{a\}$ for no point x in $\mathrm{dom} f{\uparrow} - \mathrm{dom} f$, where
a is the final point in $\mathfrak{G}$.


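Intuitively, every refutation frame for formulas like la can be constructed by adding
new points to a frame $\mathfrak{G}$ that is reducible to some finite refutation frame of fixed size.
For formulas like ga we have to take into account the cofinality condition and do not
place new points ‘above’ $\mathfrak{G}$. And formulas like den impose another restriction: some
places inside $\mathfrak{G}$ may be ‘closed’ for inserting new points. These ‘closed domains’ can be
singled out in the following way.

Suppose $\mathfrak{N} = \langle \mathfrak{H}, \mathfrak{U} \rangle$ is a model and $\mathfrak{a}$ an antichain in $\mathfrak{H}$—i.e., the points in $\mathfrak{a}$ do not
see each other. Say that $\mathfrak{a}$ is an open domain in $\mathfrak{N}$ relative to a formula $\varphi$ if there is a
pair $t_{\mathfrak{a}} = (\Gamma_{\mathfrak{a}}, \Delta_{\mathfrak{a}})$ such that $\Gamma_{\mathfrak{a}} \cup \Delta_{\mathfrak{a}} = \mathrm{Sub}\,\varphi$, $\bigwedge\Gamma_{\mathfrak{a}} \to \bigvee\Delta_{\mathfrak{a}} \notin \mathbf{K4}$ and


• $\Box\psi \in \Gamma_{\mathfrak{a}}$ implies $\psi \in \Gamma_{\mathfrak{a}}$,


• $\Box\psi \in \Gamma_{\mathfrak{a}}$ iff $a \models \Box\psi$ for all $a \in \mathfrak{a}$.


Otherwise $\mathfrak{a}$ is called a closed domain in $\mathfrak{N}$ relative to $\varphi$. A reflexive singleton $\mathfrak{a} = \{a\}$
is always open: just take $t_{\mathfrak{a}} = (\{\psi \in \mathrm{Sub}\,\varphi \mid a \models \psi\}, \{\psi \in \mathrm{Sub}\,\varphi \mid a \not\models \psi\})$. It is easy
to see also that antichains consisting of points from the same clusters are open or closed
simultaneously; we will not distinguish between such antichains.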

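Given a frame $\mathfrak{G}$ and a (possibly empty) set $\mathfrak{D}$ of antichains in $\mathfrak{G}$, we say that a
subreduction f of $\mathfrak{F}$ to $\mathfrak{G}$ satisfies the closed domain condition for $\mathfrak{D}$ if


(CDC) $\neg\exists x \in \mathrm{dom} f{\uparrow} - \mathrm{dom} f\ \exists \mathfrak{d} \in \mathfrak{D}\ \ f(x{\uparrow}) = \mathfrak{d} \cup \mathfrak{d}{\uparrow}$.


In terms of (CDC) refutation frames for the density axiom den can be characterised as
follows: $\mathfrak{F} \not\models \mathbf{den}$ iff there is a subreduction of $\mathfrak{F}$ to [frame diagram: the chain of two
irreflexive points with final point a] satisfying (CDC) for $\{\{a\}\}$.

Suppose now that $\mathfrak{N} = \langle \mathfrak{H}, \mathfrak{U} \rangle$ is a finite countermodel for $\varphi$ and $\mathfrak{D}$ is the set of all
closed domains in $\mathfrak{N}$ relative to $\varphi$. We claim that in this case $\mathfrak{F} \not\models \varphi$ whenever there is a
cofinal subreduction f of $\mathfrak{F}$ to $\mathfrak{H}$ satisfying (CDC) for $\mathfrak{D}$. Moreover, if $\varphi$ is negation free
(i.e., contains no $\bot$, $\neg$, $\Diamond$) then a plain subreduction satisfying (CDC) for $\mathfrak{D}$ is enough.
Indeed, if f is cofinal and $\mathfrak{F} = \langle W, R, P \rangle$ then we can assume that $\mathrm{dom} f \cup \mathrm{dom} f{\uparrow} = W$.
Define a valuation $\mathfrak{V}$ in $\mathfrak{F}$ as follows. If $x \in \mathrm{dom} f$ then we take $x \models p$ iff $f(x) \models p$,
for every variable p in $\varphi$. If $x \notin \mathrm{dom} f$ then $f(x{\uparrow}) \ne \emptyset$, since f is cofinal. Let $\mathfrak{a}$ be an
antichain in $\mathfrak{H}$ such that $\mathfrak{a} \cup \mathfrak{a}{\uparrow} = f(x{\uparrow})$. By (CDC), $\mathfrak{a}$ is an open domain in $\mathfrak{N}$, and
we put $y \models p$ iff $p \in \Gamma_{\mathfrak{a}}$, for every $y \notin \mathrm{dom} f$ such that $f(y{\uparrow}) = f(x{\uparrow})$. It is easy to
check that under this valuation $x \models \psi$ iff $f(x) \models \psi$ in the case $x \in \mathrm{dom} f$, and $x \models \psi$ iff
$\psi \in \Gamma_{\mathfrak{a}}$, where $\mathfrak{a}$ is the open domain in $\mathfrak{N}$ associated with x, in the case $x \notin \mathrm{dom} f$, for
every $\psi \in \mathrm{Sub}\,\varphi$. If $\varphi$ is negation free and f is a plain subreduction then $f(x{\uparrow})$ may be
empty. In such a case we just put $x \models p$, for all variables p.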

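Moreover, given an arbitrary formula $\varphi$, one can effectively construct a finite collection
of finite rooted frames $\mathfrak{F}_1, \dots, \mathfrak{F}_n$ (of some fixed size that depends on the size of $\varphi$) and
select in them sets $\mathfrak{D}_1, \dots, \mathfrak{D}_n$ of antichains such that, for any frame $\mathfrak{G}$, $\mathfrak{G} \not\models \varphi$ iff there is
a cofinal subreduction of $\mathfrak{G}$ to $\mathfrak{F}_i$, for some i, satisfying (CDC) for $\mathfrak{D}_i$. If $\varphi$ is negation free
then a plain subreduction satisfying (CDC) is enough. Details can be found in [172, 24].

This ‘explicit finitely presentable’ characterisation of the constitution of refutation
transitive frames can be expressed in the language of modal formulas similarly to the
equation


$$\mathbf{K}/\mathfrak{F} = \mathbf{K} \oplus \Box^{\le n}\delta_{\mathfrak{F}} \to \neg p_r.$$


Indeed, with every finite frame $\mathfrak{F} = \langle W, R \rangle$ with root r and every (possibly empty)
set $\mathfrak{D}$ of antichains in $\mathfrak{F}$ we can associate formulas $\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ and $\alpha(\mathfrak{F}, \mathfrak{D})$ such that
$\mathfrak{G} \not\models \alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ ($\mathfrak{G} \not\models \alpha(\mathfrak{F}, \mathfrak{D})$) iff there is a cofinal (respectively, plain) subreduction of
$\mathfrak{G}$ to $\mathfrak{F}$ satisfying (CDC) for $\mathfrak{D}$. Consider, for example, the following formulas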


alg, D, 1) = tSS, D) = “Pr, 
where 
ATD) = N Pe > Op) A N (Pe >p) A N (Pe > py) A 
xRy aaRy xy 
\ ( \ (Opz A 7Opy) = VV Dz) ^ 
DED rEdDUDİ zEW 
youd 

\ (Px =O VV Py) 
xEW yew 


and $\alpha(\mathfrak{F}, \mathfrak{D})$ is obtained by omitting the last conjunct in the definition above. The formulas
$\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ and $\alpha(\mathfrak{F}, \mathfrak{D})$ (or any other deductively equivalent formulas) are called the
canonical and negation free canonical formulas for $\mathfrak{F}$ and $\mathfrak{D}$, respectively (it is not hard
to get rid of $\neg$ and $\Diamond$ in the latter formula; see, e.g., [24]). The semantical meaning of
these formulas should be clear: $\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ is refuted in a frame $\mathfrak{G}$ iff there is a cofinal
subreduction of $\mathfrak{G}$ to $\mathfrak{F}$ satisfying (CDC) for $\mathfrak{D}$.


D4    = K4 ⊕ α(•, ⊥)
S4    = K4 ⊕ α(•)
GL    = K4 ⊕ α(○)
Grz   = K4 ⊕ α(•) ⊕ α(⊚)
K4.1  = K4 ⊕ α(•, ⊥) ⊕ α(⊚, ⊥)
Triv  = K4 ⊕ α(•) ⊕ α(⊚) ⊕ α([frame diagram])
Verum = K4 ⊕ α(○) ⊕ α([frame diagram])
S5    = S4 ⊕ α([frame diagram])
K4B   = K4 ⊕ α([frame diagram]) (4 axioms)
K4.2  = K4 ⊕ α([frame diagram], ⊥) ⊕ α([frame diagram], ⊥) ⊕ α([frame diagram], ⊥) (8 axioms)
K4.3  = K4 ⊕ α([frame diagram]) (6 axioms)
Dum   = S4 ⊕ α([frame diagram]) ⊕ α([frame diagram])


Table 1. Canonical axioms of standard modal logics


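THEOREM 32. There is an algorithm which, given an $\mathcal{ML}$-formula $\varphi$, returns canonical
formulas $\alpha(\mathfrak{F}_1, \mathfrak{D}_1, \bot), \dots, \alpha(\mathfrak{F}_n, \mathfrak{D}_n, \bot)$ such that


$$\mathbf{K4} \oplus \varphi = \mathbf{K4} \oplus \alpha(\mathfrak{F}_1, \mathfrak{D}_1, \bot) \oplus \dots \oplus \alpha(\mathfrak{F}_n, \mathfrak{D}_n, \bot).$$


If $\varphi$ is negation free then one can use negation free canonical formulas.


Table 1 shows canonical axiomatisations of some standard modal logics in the field of
K4. For brevity we write $\alpha(\mathfrak{F}, \bot)$ instead of $\alpha(\mathfrak{F}, \emptyset, \bot)$ and $\alpha(\mathfrak{F})$ instead of $\alpha(\mathfrak{F}, \emptyset)$. Each
∗ in the table is to be replaced by both ○ and •.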

Theorem 32 provides a solution to problem (A) formulated at the beginning of this 
section. It shows that as far as such properties of modal logics (from NExt K4) as 
decidability, completeness, the fmp, etc. are concerned, we can always deal with canonical 
formulas—which explicitly describe their frames. And the following observation gives a 
partial solution to problem (B). 


THEOREM 33. (1) For every logic $L = \mathbf{K4} \oplus \{\alpha(\mathfrak{F}_i, \emptyset) \mid i \in I\}$ and every canonical
formula $\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$, we have $\alpha(\mathfrak{F}, \mathfrak{D}, \bot) \in L$ iff $\mathfrak{F}$ is subreducible to $\mathfrak{F}_i$ for some $i \in I$.
(2) For every logic $L = \mathbf{K4} \oplus \{\alpha(\mathfrak{F}_i, \emptyset, \bot) \mid i \in I\}$ and every canonical formula
$\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$, we have $\alpha(\mathfrak{F}, \mathfrak{D}, \bot) \in L$ iff $\mathfrak{F}$ is cofinally subreducible to $\mathfrak{F}_i$ for some $i \in I$.
(3) For every logic $L = \mathbf{K4} \oplus \{\alpha(\mathfrak{F}_i, \mathfrak{D}_i, \bot) \mid i \in I\}$ and every canonical formula
$\alpha(\mathfrak{F}, \mathfrak{D}^\sharp, \bot)$ where $\mathfrak{D}^\sharp$ is the set of all antichains in $\mathfrak{F}$, we have $\alpha(\mathfrak{F}, \mathfrak{D}^\sharp, \bot) \in L$ iff there
is a generated subframe of $\mathfrak{F}$ that is reducible to $\mathfrak{F}_i$ for some $i \in I$.


It follows from (3) that $\mathbf{K4} \oplus \varphi$ is a splitting of NExt K4 iff $\varphi$ is deductively equivalent
in NExt K4 to a formula of the form $\alpha(\mathfrak{F}, \mathfrak{D}^\sharp, \bot)$, where $\mathfrak{D}^\sharp$ is the set of all antichains in
$\mathfrak{F}$ (in this case $\mathbf{K4}/\mathfrak{F} = \mathbf{K4} \oplus \alpha(\mathfrak{F}, \mathfrak{D}^\sharp, \bot)$). Such formulas are known as Jankov formulas
(Jankov [66] introduced them for intuitionistic logic in the algebraic setting), or frame
formulas (used by Fine [43]), or Jankov-Fine formulas.

But the most interesting consequence can be drawn from (1) or (2): all logics mentioned
in (1) and (2) of Theorem 33 have the fmp, and so are decidable if finitely axiomatisable.
It follows, for instance, that all logics in NExt S4.3—which can be represented
in the form (2) because antichains in frames for S4.3 are reflexive singletons—have the
fmp. It is not hard to see also that all these logics are finitely axiomatisable which gives
the well-known result of Bull [14] and Fine [40] from Theorem 27.

As we have already mentioned, practically all ‘standard’ modal logics in the field of K4
can be axiomatised by canonical formulas of the form $\alpha(\mathfrak{F}, \emptyset, \bot)$ or $\alpha(\mathfrak{F}, \emptyset)$. This yields
an answer to the question ‘why modal logic is so robustly decidable?’ of Vardi [158] for
the case of transitive unimodal logics. Although it is impossible to effectively recognise
whether a logic $\mathbf{K4} \oplus \varphi$ can be axiomatised by such formulas [25], there is a simple
model-theoretic characterisation of logics from (1) and (2) of Theorem 33 discovered in
[45, 174]:


THEOREM 34. (1) A logic $L \in \mathrm{NExt}\,\mathbf{K4}$ is axiomatisable by canonical formulas of the
form $\alpha(\mathfrak{F}, \emptyset)$ iff L is characterised by a class of (general) frames that is closed under the
formation of subframes.

(2) A logic $L \in \mathrm{NExt}\,\mathbf{K4}$ is axiomatisable by canonical formulas of the form $\alpha(\mathfrak{F}, \emptyset, \bot)$
iff L is characterised by a class of (general) frames that is closed under the formation of
cofinal subframes.


The logics from (1) and (2) are called subframe and cofinal subframe logics, respec- 
tively. It turns out that for these logics the notions of first-order definability, canonicity 
and strong Kripke completeness are equivalent; see [45, 174] and Theorem 44 below. It 
is worth noting that the fmp of (cofinal) subframe logics and the decidability of those of 
them that are finitely axiomatisable (there are a continuum of subframe logics [174]) is 
obtained from Theorems 32 and 33 for free: it suffices to check whether the frame of the 
tested canonical formula is (cofinally) subreducible to the frame of one of the canonical 
axioms of a given logic. This provides us with another general method of proving that a 
given logic is Kripke complete, decidable, canonical, has the finite model property, etc.: 
usually it is much easier to check that the class of general frames for a given logic is closed 
under cofinal subframes and to find the logic’s canonical axioms than to use filtration 
and/or canonical models. 
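
The check described in this paragraph, together with the definitions of plain and cofinal subreductions given earlier in this section, can be tried out on finite Kripke frames with the following added example (not code from the Handbook). It searches all partial maps by brute force; in a finite Kripke frame every set of points is admissible, so the condition on inverse images of admissible sets holds automatically and is not tested. The frame encodings and all names are assumptions of the example.

```python
from itertools import product


def up(points, relation):
    """All points seen from some point of the given set."""
    return {y for (x, y) in relation if x in points}


def down(points, relation):
    """All points that see some point of the given set."""
    return {x for (x, y) in relation if y in points}


def is_subreduction(f, source, target, cofinal=False):
    """Check that the partial map f (a dict) is a subreduction of source to target."""
    (W, R), (V, S) = source, target
    dom = set(f)
    if set(f.values()) != set(V):            # f must map dom f onto V
        return False
    for x in dom:
        for y in dom:
            if (x, y) in R and (f[x], f[y]) not in S:
                return False                 # xRy must imply f(x) S f(y)
            if (f[x], f[y]) in S and not any(
                    (x, z) in R and f[z] == f[y] for z in dom):
                return False                 # f(x) S f(y) needs a witness z
    if cofinal and not up(dom, R) <= dom | down(dom, R):
        return False                         # cofinality condition
    return True


def find_subreduction(source, target, cofinal=False):
    """First (cofinal) subreduction found by exhaustive search, or None."""
    points = sorted(source[0])
    choices = sorted(target[0]) + [None]     # None: point left outside dom f
    for image in product(choices, repeat=len(points)):
        f = {x: v for x, v in zip(points, image) if v is not None}
        if is_subreduction(f, source, target, cofinal):
            return f
    return None


# Constructed sample frames; all relations are transitive.
REFLEXIVE_POINT = ({"o"}, {("o", "o")})
IRREFLEXIVE_POINT = ({"e"}, set())
FORK = ({"r", "a", "b"}, {("r", "a"), ("r", "b")})
# The fork with an extra irreflexive point t above both spikes.
FORK_TOP = ({"r", "a", "b", "t"},
            {("r", "a"), ("r", "b"), ("r", "t"), ("a", "t"), ("b", "t")})
# Irreflexive three-point chain: a finite frame for GL.
CHAIN3 = ({"x0", "x1", "x2"}, {("x0", "x1"), ("x0", "x2"), ("x1", "x2")})
# Irreflexive point x below a reflexive point y.
LASSO = ({"x", "y"}, {("x", "y"), ("y", "y")})

if __name__ == "__main__":
    print("fork+top -> fork, plain:  ", find_subreduction(FORK_TOP, FORK))
    print("fork+top -> fork, cofinal:", find_subreduction(FORK_TOP, FORK, cofinal=True))
    print("chain -> reflexive point: ", find_subreduction(CHAIN3, REFLEXIVE_POINT))
    print("lasso -> reflexive point: ", find_subreduction(LASSO, REFLEXIVE_POINT))
```

The search visits (|V|+1)^|W| partial maps, so it is meant for the small frames that occur as canonical axioms, not as an efficient procedure.
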


PROBLEM 13. Characterise the computational complexity of finitely axiomatisable co- 
final subframe logics (e.g., all such extensions of K4.3 are coNP-complete). 


PROBLEM 14. Give a syntactical characterisation of subframe and cofinal subframe 
logics (cf. Theorem 53). 


Note that, for every (cofinal) subframe logic L and every formula $\varphi \notin L$, there is a
frame for L refuting $\varphi$ whose size is exponential in the length of $\varphi$.

In general, question (B) does not seem to have such an elegant answer as for the case
of cofinal subframe logics (see, however, [147] for a recent attempt to introduce ‘canonical
formulas’ for NExt K). We can only console ourselves with a number of sufficient
conditions of decidability, the fmp (in particular, Theorems 16 and 19) and some other
properties imposed on the canonical axioms; for details consult [25, 175, 24, 177].


6.2 Canonical formulas for tense logics of linear time flows 


In this section we consider normal bimodal logics containing the tense logic Lin of linear
orders (the class of all frames $\langle W, R_1, R_2 \rangle$ in which $R_2$ is the converse of $R_1$ and $R_1$ is
a linear order, i.e., $R_1$ is transitive and connected ($\forall x \forall y\,(xR_1y \vee yR_1x \vee x = y)$)). These
logics are of interest in this chapter for two reasons. First, many natural and useful
modal logics are contained in this class, e.g., the logics determined by the flows of time
$\langle \mathbb{N}, < \rangle$, $\langle \mathbb{Z}, < \rangle$, $\langle \mathbb{Q}, < \rangle$, and $\langle \mathbb{R}, < \rangle$ [15, 128, 135]. And second, this class is of exceptional
interest because currently NExt Lin is the only lattice of modal logics for which almost
every decision problem is decidable and which, nevertheless, contains numerous Kripke
incomplete modal logics—where the standard techniques based on proving the finite
model property or tree model property do not work.

The decidability results for logics in NExt Lin are based on two ingredients. First, 
they can be axiomatised by canonical formulas which explicitly show the geometrical and 
topological conditions they define. And second, a general completeness result establishes 
that they are determined by general frames which are composed from a set of rather 
simple ‘atomic’ general frames. In this part we introduce the canonical formulas. In the 
next section we discuss the general completeness theorem and survey its consequences 
regarding decision problems for logics in NExt Lin. 

The logic Lin is obviously axiomatised as 


Lin = K4: © p—O)Cop © p—O2O1p © O1O2pV O2O1p —> PV OC1ipV Cap. 


To begin our discussion of canonical formulas for logics extending NExt Lin observe 
that Dedekind cuts can be characterised by means of splittings with the frame o—o. In 
fact, one can show that 


Log {(R,<,>)} = Log{(Q,<,>)}/ o—o. 


The intuition behind this equation should be clear from the observation that the class of 
rooted general frames for the logic Log {(Q, <, >)}/ o—o consists of all general frames 
$\langle W, R, R^{-1}, P\rangle$ such that 


• $\langle W, R\rangle$ is a dense linear order without endpoints (i.e., it satisfies the properties 
$\forall x \forall y\,(xRy \to \exists z\,(xRz \land zRy))$, $\forall x \exists y\; xRy$ and $\forall x \exists y\; yRx$) and 


• there is no p-morphism from $\langle W, R, R^{-1}, P\rangle$ onto o—o. 

But such a p-morphism exists iff there is a partition $X, Y \in P$ of $W$ such that 

$$\forall x \in X\, \forall y \in Y\; xRy, \qquad \forall x \in X\, \exists y \in X\; xRy, \qquad \forall x \in Y\, \exists y \in Y\; yRx. \tag{10}$$


Observe that (Q, <, >) $\notin$ Fr Log {(Q, <, >)}/ o—o since, e.g., $X = \{x \in \mathbb{Q} \mid x < \sqrt{2}\}$ 
and $Y = \{y \in \mathbb{Q} \mid y > \sqrt{2}\}$ form such a partition. 

To characterise the class of all linear orders without partitions satisfying (10), we have 
to weaken the splitting formula. For example, the frame $\langle \{x \ge 0 \mid x \in \mathbb{Q}\}, <, >\rangle$ (which 
obviously has a partition satisfying (10)) validates 


Lin/o—o, 
simply because it contains an irreflexive left endpoint and, therefore, cannot be 
p-morphically mapped onto o—o. To obtain the class of all linear orders without partitions 
satisfying (10) the point $a$ in o—o should be regarded as reflexive by the operator $\Box_1$ 
for the future but as an arbitrary linear order by the operator $\Box_2$ for the past. To make 
this idea precise, we introduce the notion of a type assignment $t = (t_1, t_2)$ which is a 
map from the set of clusters $C$ of a finite linear order into the set of pairs over $\{j, m\}$ 
such that $tC = (t_1C, t_2C) = (m, m)$ for every cluster $C$ consisting of an irreflexive point. 
Here j stands for ‘joker’ and m stands for ‘maximal.’ For example, $tC = (m, j)$ means 
intuitively that cluster $C$ should be regarded as ‘what it is’ by $\Box_1$ and as an arbitrary 
linear order by $\Box_2$. The condition that irreflexive points are mapped to $(m, m)$ means 
that they are always regarded as what they are, that is, irreflexive points. Before we 
associate with every finite linear order with type assignment $(\mathfrak{F}, t)$ a formula $\alpha(\mathfrak{F}, t)$ with 
the corresponding meaning some notation is required. 

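Given a finite sequence $\vec{\mathfrak{F}} = \langle \mathfrak{F}_i = \langle W_i, R_i, R_i^{-1}, P_i\rangle \mid 1 \le i \le n\rangle$ of disjoint frames, we 
denote by $[\vec{\mathfrak{F}}] = \mathfrak{F}_1 \lhd \cdots \lhd \mathfrak{F}_n$ the ordered sum of them, i.e., the frame $\langle W, R, R^{-1}, P\rangle$ in 
which 

$$W = \bigcup_{i=1}^{n} W_i, \qquad R = \bigcup_{i=1}^{n} R_i \cup \bigcup_{1 \le i < j \le n} (W_i \times W_j)$$

and $P = \{X_1 \cup \cdots \cup X_n \mid X_i \in P_i\}$. Each finite frame can be represented then as the 
ordered sum $C_1 \lhd \cdots \lhd C_n$ of its clusters. 
With every finite tense frame $\mathfrak{F} = \langle W, R\rangle = C_1 \lhd \cdots \lhd C_n$ with cluster assignment 
$t = (t_1, t_2)$ we associate the formula 
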

a(§,t) >= -6(§, t), 
where 
ôl, t) = 06(¥,t) A 02d(F,t) A 0,6(%,t)), 
and 
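$$\begin{aligned}
\delta(\mathfrak{F}, t) = {} & \bigwedge\{p_x \to \neg p_y \mid x \ne y\} \land {} \\
& \bigwedge\{p_x \to \neg\Diamond_1 p_y \mid \neg(xRy)\} \land {} \\
& \bigwedge\{p_x \to \Diamond_1 p_y \mid \exists i \le n\,(t_1C_i = m \land x, y \in C_i \land xRy)\} \land {} \\
& \bigwedge\{p_x \to \Diamond_2 p_y \mid \exists i \le n\,(t_2C_i = m \land x, y \in C_i \land xR^{-1}y)\} \land {} \\
& \bigvee\{p_y \mid y \in W\} \land {} \\
& \bigwedge\{\Diamond_1 p_y \lor p_y \lor \Diamond_2 p_y \mid y \in W\}.
\end{aligned}$$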


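To explain the semantical meaning of these formulas, notice first that if $tC = (m, m)$ 
for all clusters $C$ then $\mathfrak{G} \not\models \alpha(\mathfrak{F}, t)$ iff there exists a p-morphism from $\mathfrak{G}$ onto $\mathfrak{F}$. 
Therefore, 

$$\mathrm{Lin}/\mathfrak{F} = \mathrm{Lin} \oplus \alpha(\mathfrak{F}, t).$$

If $t_iC = j$ for some $i \in \{1, 2\}$ and some cluster $C$ in $\mathfrak{F}$, then the formula $\alpha(\mathfrak{F}, t)$ can 
be refuted in frames that do not necessarily have $\mathfrak{F}$ as a p-morphic image. In this case 
$\mathfrak{G} \not\models \alpha(\mathfrak{F}, t)$ iff there exist frames $\mathfrak{G}_i$, for $1 \le i \le n$, such that $\mathfrak{G} = \mathfrak{G}_1 \lhd \cdots \lhd \mathfrak{G}_n$ and 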
Ord, = Log {(é,<,>) | € an ordinal} = Lin © a(-, (0, (j,m))) 
E: = Lin } Ort p OT = 
Lin $ a(—, (e, (m, m))) vv a((e, (m, m)), =) 
RD = Log{6|Va(-rRa —> Jy(xRy A {z | eRzRy} = 0))} = 
Lin © a(—, (e, (m, m))) Ww a(—, (e, (m, m)) < (0, (m,j))) 
LD = the mirror image of RD 
Zi = Log(Z,<,>)= 
RD $ LD  a((2, Gj, j)) < (°, G, m))) ® a((o, (m,j)) < (o, GJ) 
Ds, = Ling@ott'p— Op = 
Lin & a(—, (e, (m,m) <--- < (e,(m,m)), —) 
Q: = Log (Q, <, >) = Ds, 9 E, 
R; = Log (R, <, >) = Q: $ a((9, (m, j)) < (o, (j, m))) 


Table 2. Axiomatisations of standard tense logics 


$\mathfrak{G}_i \not\models \alpha(C_i, t{\upharpoonright}C_i)$ for all $1 \le i \le n$. So it suffices to consider $\mathfrak{G} \not\models \alpha(C, t)$ for a cluster $C$. 
Assume for simplicity that $\mathfrak{G}$ is a Kripke frame. Case 1: $tC = (j, j)$. Then $\mathfrak{G} \not\models \alpha(C, t)$ 
iff $|\mathfrak{G}| \ge |C|$. Case 2: $tC = (m, j)$. Then $C$ is nondegenerate and $\mathfrak{G} \not\models \alpha(C, t)$ iff either 
$\mathfrak{G}$ contains an $R$-final cluster of cardinality $\ge |C|$ or it has no $R$-final point at all. Case 
3: $tC = (j, m)$. This is the mirror image of Case 2. Case 4: $tC = (m, m)$. If $C$ is an 
irreflexive point then $\mathfrak{G}$ is an irreflexive point as well whenever $\mathfrak{G} \not\models \alpha(C, t)$. If $C$ is 
non-degenerate and $\mathfrak{G} \not\models \alpha(C, t)$ then $\mathfrak{G}$ satisfies the conditions of Cases 2 and 3. 
Now, the following is proved in [163]: 


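THEOREM 35. There exists an algorithm which, given a formula $\varphi$, returns canonical 
formulas $\alpha(\mathfrak{F}_1, t_1), \dots, \alpha(\mathfrak{F}_n, t_n)$ such that 

$$\mathrm{Lin} \oplus \varphi = \mathrm{Lin} \oplus \alpha(\mathfrak{F}_1, t_1) \oplus \cdots \oplus \alpha(\mathfrak{F}_n, t_n).$$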


Canonical axiomatisations of some standard linear tense logics are shown in Table 2, 
where we use the following notation. Given a finite frame $\mathfrak{F} = C_1 \lhd \cdots \lhd C_n$, we write 
$\alpha((C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n))$ instead of $\alpha(\mathfrak{F}, t)$ and $\alpha(-, (C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n))$ 
instead of 

$$\alpha((C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n)) \oplus \alpha((\circ, (j, j)) \lhd (C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n)).$$

$\alpha((C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n), -)$ is defined analogously. 


Applications of this result will be discussed in the section below. 
7 DECISION PROBLEMS FOR TENSE LOGICS 


In this section we show that in NExt Lin almost all decision problems are decidable. For 
example, we can decide whether a finitely axiomatisable logic is Kripke complete, has 
the finite model property, is canonical, etc. Moreover, finitely axiomatisable linear tense 
logics turn out to be coNP-complete. Thus, NExt Lin is an example of a class of logics 
for which the original research programme has a complete and ‘positive’ solution. 

The first step in understanding logics in NExt Lin was done in the section above, 
where we saw that they can be axiomatised by canonical formulas a(¥,t) which show 
directly the geometric and topological conditions definable on linear orders by means of 
bimodal formulas. The second step is a completeness result which determines a class of 
rather simple general frames with respect to which every logic in NExt Lin is complete. 
We require the following notation: 

(1) Denote by ⓚ the non-degenerate cluster with $k > 0$ points. 

(2) Let $\omega^{<}(0)$ be the strictly ascending chain $\langle \omega, <, >\rangle$ of natural numbers, $\omega^{<}(1)$ the 
chain $\langle \omega, \le, \ge\rangle$, $\omega^{<}(2)$ the ascending chain of natural numbers in which precisely the even 
points are reflexive, $\omega^{<}(3)$ the chain in which precisely the multiples of 3 are reflexive, 
and so on; $\omega^{>}(n)$ is the mirror image of $\omega^{<}(n)$. 

(3) $\mathfrak{C}(0, ①) = \langle \omega^{<}(0) \lhd ①, P\rangle$, where $P$ consists of all cofinite sets containing ① and 
their complements. We generalise this construction to chains $\omega^{<}(n)$ and clusters ⓚ. 
Namely, for $n < \omega$, $k \ge 1$ and ⓚ $= \{a_0, \dots, a_{k-1}\}$, we put 

$$\mathfrak{C}(n, ⓚ) = \langle \omega^{<}(n) \lhd ⓚ, P\rangle,$$

where $P$ is the set generated by means of the Boolean operators from the set of finite 
subsets of $\omega^{<}(n)$ and the sets $\{X_i \mid 0 \le i \le k-1\}$, for $X_i = \{a_i\} \cup \{kj + i \mid j \in \omega\}$, 
$0 \le i \le k-1$. $\mathfrak{C}(ⓚ, n)$ denotes the mirror image of $\mathfrak{C}(n, ⓚ)$. 

(4) $\mathfrak{C}(0, ①, 0) = \langle \omega^{<}(0) \lhd ① \lhd \omega^{>}(0), P\rangle$, where $P$ consists of all cofinite sets containing 
① and their complements. 

It is easy to check that the frames defined in (3) and (4) are descriptive and a singleton 
$\{x\}$ is in $P$ iff $x \notin$ ⓚ. Notice also that the logics Log $\mathfrak{C}(n, ⓚ)$, Log $\mathfrak{C}(ⓚ, n)$, $k > 2$, 
and Log $\mathfrak{C}(0, ①, 0)$ are Kripke incomplete. 

For a class of frames $\mathcal{C}$, we denote by $\mathcal{C}^*$ the class of finite sequences of frames from $\mathcal{C}$ 
and let $[\mathcal{C}^*] = \{[\vec{\mathfrak{F}}] \mid \vec{\mathfrak{F}} \in \mathcal{C}^*\}$. The class of finite clusters and the frames of the form (3) 
and (4) is denoted by $\mathcal{B}$. We are now in a position to formulate the completeness result: 


THEOREM 36. Each logic $L \in$ NExt Lin is determined by a set $\mathcal{C} \subseteq [\mathcal{B}^*]$. 


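Proof. We briefly explain the idea of the proof. Suppose that $\mathfrak{M} = \langle \mathfrak{F}, \mathfrak{V}\rangle$ is a 
countermodel for $\alpha = \alpha((C_1, tC_1) \lhd \cdots \lhd (C_n, tC_n))$ based on a descriptive frame $\mathfrak{F} = 
\langle W, R, R^{-1}, P\rangle$. We must show that there exists $\mathfrak{G} \in [\mathcal{B}^*]$ refuting $\alpha$ and such that 
Log $\mathfrak{G} \supseteq$ Log $\mathfrak{F}$. Consider the sets 

$$W_i = \{y \in W \mid (\mathfrak{M}, y) \models \bigvee\{p_x \mid x \in C_i\}\}.$$

One can easily show that $W_i$ are intervals in $\mathfrak{F}$ and $\mathfrak{F} = \mathfrak{F}_1 \lhd \cdots \lhd \mathfrak{F}_n$, for the subframes $\mathfrak{F}_i$ 
of $\mathfrak{F}$ induced by $W_i$. Moreover, $\mathfrak{G} = [\vec{\mathfrak{G}}]$ is as required if $\vec{\mathfrak{G}} = \langle \mathfrak{G}_1, \dots, \mathfrak{G}_n\rangle$ is a sequence 
in $\mathcal{B}^*$ such that Log $\mathfrak{G}_i \supseteq$ Log $\mathfrak{F}_i$, and $\mathfrak{G}_i \not\models \alpha(C_i, tC_i)$, for $1 \le i \le n$. Frames $\mathfrak{G}_i$ with 
those properties are constructed in [163]. ∎ 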
EXAMPLE 37. The logic $\mathrm{Q}_t$ of the rational numbers is determined by the frames $\mathfrak{F} \in 
[\mathcal{B}^*]$ which contain no pair of adjacent irreflexive points. The logic $\mathrm{R}_t$ of the real line is 
determined by the frames $\mathfrak{F} \in [\mathcal{B}^*]$ which contain neither a pair of adjacent irreflexive 
points nor a pair of adjacent non-degenerate clusters. 


Now, based on both the canonical formulas for logics in NExt Lin and this complete- 
ness result, [93] shows: 


THEOREM 38. (i) All finitely axiomatisable logics in NExt Lin are coNP-complete. 
(ii) All logics determined by a frame $\mathfrak{G} \in [\mathcal{B}^*]$ are coNP-complete. 


Proof. (ii) is proved by showing that, given a formula $\psi$, it can be checked in 
nondeterministic polynomial time in the length of $\psi$ whether it is satisfiable in a given 
$\mathfrak{G} \in [\mathcal{B}^*]$. To this end, [93] shows that it is sufficient to check satisfiability of $\psi$ in a certain 
finite subframe of $\mathfrak{G}$ (whose size is polynomial in $\psi$) under certain ‘good’ valuations. 
(i) Suppose 

$$L = \mathrm{Lin} \oplus \alpha(\mathfrak{F}_1, t_1) \oplus \cdots \oplus \alpha(\mathfrak{F}_n, t_n)$$

is given. Then [93] shows that any given formula $\psi$ which is satisfiable in a frame 
$\mathfrak{G} \in [\mathcal{B}^*]$ validating $L$ is satisfiable in a frame of this type whose parameters (i.e., the 
number of blocks required, the size of its clusters, and the maximal $n$ such that $\mathfrak{C}(n, ⓚ)$ 
or $\mathfrak{C}(ⓚ, n)$ occurs in it) are polynomial in $\psi$. By the proof of (ii), it can be checked in 
nondeterministic polynomial time whether $\psi$ is satisfiable in such a frame. Additionally, 
one can show that it can be checked in polynomial time (in the length of $\psi$) whether 
such a frame validates a formula of the form $\alpha(\mathfrak{F}, t)$. 


Given the coNP-completeness of all finitely axiomatisable tense logics, at least two 
questions arise: First, are there interesting classes of finitely axiomatisable linear tense 
logics? Second, how complex are non-finitely axiomatisable linear tense logics? Regarding 
the second question, consider, for any $M \subseteq \mathbb{N}$, the logic $L_M$ determined by the class 
of frames 

$$\{\langle \{1, \dots, m\}, <\rangle \mid m \in M\}.$$

Set $\bot = p \land \neg p$ and $\top = p \lor \neg p$. Then the formula 


Ym = LAT LN ST 


is satisfiable in a frame validating $L_M$ iff $m + 1 \in M$. Thus, for any set of natural numbers 
M there exists a tense logic of the same complexity as M. Regarding the first question, 
[163] determines a number of classes of finitely axiomatisable linear tense logics. For 
example, the following result is proved using Kruskal’s tree theorem [80]: 

THEOREM 39. A linear tense logic L is finitely axiomatisable whenever there exists 
n < w such that pth — Ofp € L. In particular, all linear tense logics of reflexive 
frames as well as all extensions of the tense logic of (Q, <) are finitely axiomatisable. 


Where are the Kripke incomplete modal logics in NExt Lin? The reader can get an 
impression from the following result, proved in [163] and stated here without proof: 


THEOREM 40. Suppose that $L \in$ NExt Lin and there is a Kripke frame of infinite length 
validating $L$. Then there exists a Kripke incomplete logic in NExt $L$. 
As promised at the beginning of this section, we conclude by discussing a complete 
solution to our original research problem relativised to the set of logics in NExtLin. The 
proofs can be found in [162, 165]. 


THEOREM 41. There are algorithms which, given a formula $\varphi$, decide whether $\mathrm{Lin} \oplus \varphi$ 
• has the finite model property; 
• has the interpolation property; 
• is Kripke complete; 
• is strongly complete; 
• is canonical. 


We shall not go into details of the proof here. But the reader can get some impression 
regarding the combinatorics and methods involved from the criteria which allow us to 
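decide whether a linear tense logic is canonical and strongly complete. Denote by $\mathcal{B}^+$ 
the class of frames containing $\mathcal{B}$ together with frames $\mathfrak{C}(n_1, ⓚ, n_2)$ defined as follows. 
Suppose $k > 1$, $n_1, n_2 < \omega$ are such that $n_1 + n_2 > 0$ and ⓚ $= \{a_0, \dots, a_{k-1}\}$. Then 

$$\mathfrak{C}(n_1, ⓚ, n_2) = \langle \omega^{<}(n_1) \lhd ⓚ \lhd \omega^{>}(n_2), P\rangle,$$

where $P$ is the set of possible values generated by $\{X_i \mid 0 \le i \le k-1\}$, for 

$$X_i = \{a_i\} \cup \{kj + i \mid j \in \omega\} \cup \{(kj + i)^* \mid j \in \omega\}$$

and $\{0^*, 1^*, \dots, n^*, \dots\}$ being the points in $\omega^{>}(n_2)$. 
Let $\mathcal{F}$ be the class of frames of the form 

$$\langle \{0, \dots, n_1\}, <, >\rangle \lhd ① \lhd \langle \{0, \dots, n_2\}, <, >\rangle \quad\text{or}\quad \langle \{0, \dots, n\}, <, >\rangle.$$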


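THEOREM 42. (i) A logic $L \in$ NExt Lin is canonical iff the underlying Kripke frame of 
each frame $\mathfrak{F} \in [(\mathcal{B}^+)^*]$ for $L$ validates $L$ as well. 

(ii) A logic $L \in$ NExt Lin is strongly complete iff for each frame $\mathfrak{F} \in [(\mathcal{B}^+)^*]$ validating 
$L$, there exists a Kripke frame $\mathfrak{G}$ for $L$ which results from $\mathfrak{F}$ by replacing 


• every $\mathfrak{C}(n, ⓚ)$ with $\omega^{<}(n)$ or $\omega^{<}(n) \lhd \mathfrak{H} \lhd ⓚ$, for some $\mathfrak{H} \in \mathcal{F}$, and 
• every $\mathfrak{C}(ⓚ, n)$ with $\omega^{>}(n)$ or $ⓚ \lhd \mathfrak{H} \lhd \omega^{>}(n)$, for some $\mathfrak{H} \in \mathcal{F}$, and 
• every $\mathfrak{C}(n_1, ⓚ, n_2)$ with $\omega^{<}(n_1) \lhd \mathfrak{H} \lhd \omega^{>}(n_2)$, for some $\mathfrak{H} \in \mathcal{F}$. 


EXAMPLE 43. The logic $\mathrm{R}_t$ of the real line is not canonical because $\mathfrak{C}(2, ①) \models \mathrm{R}_t$, 
but $\omega^{<}(2) \lhd ① \not\models \mathrm{R}_t$. However, $\mathrm{R}_t$ is strongly complete, since $\mathfrak{F} \models \mathrm{R}_t$ whenever 
$\mathfrak{G} \in [(\mathcal{B}^+)^*]$ validates $\mathrm{R}_t$ and $\mathfrak{F}$ is obtained from $\mathfrak{G}$ as in the formulation of Theorem 42 
with $\mathfrak{H} = \bullet \in \mathcal{F}$. 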
8 SUBFRAME LOGICS 


If you randomly pick a logic from the list of Modal Logic celebrities introduced in this 
handbook, it is very likely that its frames are closed under the formation of subframes 
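(as before, a Kripke frame $\mathfrak{G} = \langle V, S_1, \dots, S_n\rangle$ is a subframe of a Kripke frame $\mathfrak{F} = 
\langle W, R_1, \dots, R_n\rangle$ if $V \subseteq W$ and $S_i = R_i {\upharpoonright} V$, for $1 \le i \le n$). Examples are the standard 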
unimodal logics K (because the class of all frames is closed under subframes), K4, S5, and 
K4.3 (because transitivity, symmetry, reflexivity, and right-linearity are definable using 
universal first-order formulas and therefore preserved under the formation of subframes), as 
well as GL and Grz (because the class of Noetherian frames is closed under subframes). 

Moreover, many important operations on classes of frames preserve the property of 
being closed under forming subframes: 


• the union and intersection of two classes of frames; 


• the fusion $K_1 \otimes K_2$ of classes of frames $K_1$ and $K_2$ (see Chapter 15) which, in the 
unimodal case, is defined by 

$$K_1 \otimes K_2 = \{\langle W, R_1, R_2\rangle \mid \langle W, R_1\rangle \in K_1,\ \langle W, R_2\rangle \in K_2\};$$


• the tense extension (or addition of converse) $K_t$ of a class of frames $K$, where 

$$K_t = \{\langle W, R, R^{-1}\rangle \mid \langle W, R\rangle \in K\}$$


• the Boolean extension K" of a class of frames K which consists of all frames 
(W, Ri,..., Rn, Ri O Ro, W — Ri,...) 


with 2?” relations corresponding to the Boolean combinations of the R;, where 
(W, Ri,...,Rn) E K. 


Using these operators we obtain numerous additional important modal ‘subframe logics:’ 
multimodal fusions like $\mathrm{S5}_n$, minimal tense extensions like $\mathrm{K4.3}_t$, and Boolean Modal 
Logics like K™~ are all examples of modal logics determined by classes of frames closed 
under subframes. 

In this section we explore the extent to which the restriction to ‘subframe logics’ 
leads to general ‘positive’ results for properties like axiomatisability, decidability, Kripke 
completeness, and the fmp. A systematic investigation of subframe logics in NExt K4 was 
launched by Fine [45] (see also [174]). Subframe logics in NExt $K_n$ as well as subframe 
tense and provability logics were investigated in [166, 167, 164]. 

We begin by observing the fact that all the ‘negative’ results above were obtained 
using logics whose frames were not closed under subframes. So one might conjecture that 
‘subframe logics’ behave better than arbitrary modal logics. The answer to this question 
is ‘yes’ and ‘no.’ Yes, because indeed there are general decidability (fmp, completeness, 
etc.) results explaining the nice behaviour of standard ‘subframe logics.’ The answer is 
‘no,’ because still one can find intuitively ‘simple’ subframe logics with ‘bad’ properties. 

First, we note, however, that for subframe logics a number of otherwise separable 
properties of modal logics fall together; for a proof see [166] or [177]. For logics from 
NExt K4 this result was first obtained by Fine [45]. 
THEOREM 44. Suppose L is determined by a class of Kripke frames closed under 
subframes. Then the following conditions are equivalent: 

(i) Fr L is universal, 

(ii) Fr L is first-order definable, 

(iii) L is D-persistent, 

(iv) L is strongly Kripke complete, 

(v) Fr L has the finite embedding property, i.e., $\mathfrak{F} \in$ Fr L iff every finite subframe of 
$\mathfrak{F}$ is in Fr L. 


Note that for cofinal subframe logics L € NExt K4 conditions (ii)-(iv) are equivalent 
[174]. 


Thomason’s analysis for subframe logics 


Now let us see to which extent Thomason’s results (Theorem 1) hold for modal logics 
determined by classes of frames Fr $\varphi$ closed under subframes. 


THEOREM 45. (a) There is an $ML_6$-formula $\varphi$ such that $\mathrm{Fr}\{\varphi\}$ is closed under 
subframes and the set 

$$\mathrm{Th}\,\mathrm{Fr}\{\varphi\} = \{\psi \in ML_6 \mid \varphi \models \psi\}$$

is $\Pi^1_1$-complete. 

(b) It is decidable whether, given $\varphi \in ML_n$ with $\mathrm{Fr}\{\varphi\}$ closed under subframes, 
$\mathrm{Log}\,\mathrm{Fr}\{\varphi\}$ is consistent. 

(c) There is a set $\Gamma$ of $ML_n$-formulas and an $ML_n$-formula $\varphi$ such that $\Gamma \models \varphi$, but 
$\Delta \not\models \varphi$ for any finite $\Delta \subseteq \Gamma$. 

(d) Given a formula $\varphi$ such that $\mathrm{Fr}\{\varphi\}$ is closed under subframes, every $\psi$ with $\varphi \not\models \psi$ 
is refutable in a countable frame validating $\varphi$. 


Claim (a) can be proved by modifying the proof of Theorem 1 (a) discussed above 
by introducing modalities for the converse relations of the relations $R_1$ and $R_2$ and 
modalities for the immediate successor relations for $R_1$ and $R_2$ and describing in $ML_6$ 
by means of a single formula $\varphi$ sufficiently many properties of the class of all subframes 
of the product frame $\langle \omega, <, +1\rangle \times \langle \omega, <, +1\rangle$. (Notice, however, that those subframes are 
not necessarily product frames.) 

As the reduction of multimodal logics to unimodal logics employed in the proof of 
Theorem 1 (a) does not preserve the property of being a subframe logic, it is an open 
problem whether such examples of unimodal logics exist. 

Claim (c) still holds since the example provided in the proof of Theorem 1 (c) was 
closed under subframes. Claims (b) and (d) are now ‘positive:’ (b) is trivial because it is 
sufficient to check whether $\varphi$ is valid in at least one singleton frame. (d) can be proved 
by constructing inductively from a frame refuting $\psi$ a countable subframe by selecting 
the witnesses required to satisfy $\Diamond$-formulas; see [166] for details. 


Normal subframe logics 


We have not defined yet the notion of a subframe logic in a formal way because a proper 
definition should be slightly more general than the one suggested by considering Kripke 
frames only: to be able to provide a syntactic characterisation of subframe logics, to 
ensure that $K_n \oplus \Gamma_1 \oplus \Gamma_2$ is a subframe logic whenever both $K_n \oplus \Gamma_1$ and $K_n \oplus \Gamma_2$ are 


472 Frank Wolter and Michael Zakharyaschev 


Figure 4. [Diagram of a frame on the points ω+1, ω, …, 2, 1, 0, with one part labelled ‘nontransitive’ and the other ‘transitive’.] 


subframe logics, and finally, to cover a number of interesting Kripke incomplete logics (like 
bimodal provability logics), we extend the definition of a subframe to general frames. 
Recall that a frame $\mathfrak{G} = \langle V, S_1, \dots, S_n, P\rangle$ is a subframe of a frame $\mathfrak{F} = \langle W, R_1, \dots, R_n, Q\rangle$ 
if $V \subseteq W$, $P = \{A \cap V \mid A \in Q\}$, and $S_i = R_i {\upharpoonright} V$, for $1 \le i \le n$. A logic $L$ is a subframe 
logic if its class of general frames is closed under subframes. 

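To describe subframe logics syntactically, define inductively the relativisation $\varphi^p$ of a 
formula $\varphi$ to a propositional variable $p$ (which does not occur in $\varphi$) by taking 

$$\begin{aligned}
q^p &= q \land p, \quad q \text{ an atom},\\
(\psi \odot \chi)^p &= \psi^p \odot \chi^p, \quad \text{for } \odot \in \{\land, \lor, \to\},\\
(\Box_i \psi)^p &= \Box_i(p \to \psi^p) \land p
\end{aligned}$$

and put $\varphi^{sf} = p \to \varphi^p$. It is not difficult to show that $\varphi^{sf}$ is valid in a frame $\mathfrak{F}$ iff $\varphi$ is 
valid in all subframes of $\mathfrak{F}$. (Notice that if $\mathfrak{M}$ is a model based on $\mathfrak{F}$, $\mathfrak{M}'$ a model based 
on the subframe of $\mathfrak{F}$ induced by $\{y \mid (\mathfrak{M}, y) \models p\}$ and $(\mathfrak{M}, x) \models q$ iff $(\mathfrak{M}', x) \models q$, for all 
variables $q$, then $(\mathfrak{M}, x) \models \varphi^p$ iff $(\mathfrak{M}', x) \models \varphi$.) Therefore, we obtain 

PROPOSITION 46. The following conditions are equivalent for any $L \in$ NExt $K_n$: 

(i) L is a subframe logic, 

(ii) $L = K_n \oplus \{\varphi^{sf} \mid \varphi \in \Gamma\}$, for some set of formulas $\Gamma$, 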

(iii) L is characterised by a class of frames closed under subframes. 
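
The relativisation and the resulting subframe formula can be checked mechanically on small finite Kripke frames. The following Python sketch is an added example and is not part of the original chapter: the tuple encoding of formulas, the helper names and the two three-point sample frames are assumptions made here, and falsum is treated as a constant whose relativisation is itself.

```python
from itertools import combinations, product

BOT = ("bot",)  # falsum; assumption of this example: its relativisation is itself

def atom(name): return ("atom", name)
def imp(a, b): return ("imp", a, b)
def conj(a, b): return ("and", a, b)
def box(i, a): return ("box", i, a)
def neg(a): return imp(a, BOT)

def atoms(phi):
    """Names of the propositional variables occurring in phi."""
    if phi[0] == "atom":
        return {phi[1]}
    out = set()
    for part in phi[1:]:
        if isinstance(part, tuple):
            out |= atoms(part)
    return out

def relativise(phi, p):
    """The relativisation of phi to the variable p, clause by clause as in the text."""
    kind = phi[0]
    if kind == "bot":
        return BOT
    if kind == "atom":
        return conj(phi, atom(p))
    if kind in ("and", "or", "imp"):
        return (kind, relativise(phi[1], p), relativise(phi[2], p))
    if kind == "box":
        return conj(box(phi[1], imp(atom(p), relativise(phi[2], p))), atom(p))
    raise ValueError(f"unknown connective: {kind}")

def subframe_formula(phi, p="p_sf"):
    """The subframe formula p -> (relativisation of phi); p must be fresh."""
    if p in atoms(phi):
        raise ValueError("the relativising variable must not occur in phi")
    return imp(atom(p), relativise(phi, p))

def holds(frame, val, x, phi):
    """Truth of phi at point x of a Kripke frame under the valuation val."""
    _, rel = frame
    kind = phi[0]
    if kind == "bot":
        return False
    if kind == "atom":
        return x in val[phi[1]]
    if kind == "and":
        return holds(frame, val, x, phi[1]) and holds(frame, val, x, phi[2])
    if kind == "or":
        return holds(frame, val, x, phi[1]) or holds(frame, val, x, phi[2])
    if kind == "imp":
        return (not holds(frame, val, x, phi[1])) or holds(frame, val, x, phi[2])
    if kind == "box":
        return all(holds(frame, val, y, phi[2]) for (u, y) in rel[phi[1]] if u == x)
    raise ValueError(f"unknown connective: {kind}")

def valid(frame, phi):
    """Validity in a finite Kripke frame: true at every point under every valuation."""
    worlds, _ = frame
    names = sorted(atoms(phi))
    subsets = [frozenset(c) for r in range(len(worlds) + 1)
               for c in combinations(sorted(worlds), r)]
    return all(holds(frame, dict(zip(names, choice)), x, phi)
               for choice in product(subsets, repeat=len(names))
               for x in worlds)

def subframes(frame):
    """All subframes induced by a non-empty subset V, with each relation restricted to V."""
    worlds, rel = frame
    for r in range(1, len(worlds) + 1):
        for chosen in combinations(sorted(worlds), r):
            v = set(chosen)
            yield (v, {i: {(x, y) for (x, y) in pairs if x in v and y in v}
                       for i, pairs in rel.items()})

def valid_in_all_subframes(frame, phi):
    return all(valid(sub, phi) for sub in subframes(frame))

# Constructed sample frames with one accessibility relation (index 1).
CYCLE = ({0, 1, 2}, {1: {(0, 1), (1, 2), (2, 0)}})   # serial, not transitive
CHAIN = ({0, 1, 2}, {1: {(0, 1), (1, 2), (0, 2)}})   # transitive, not serial

D = neg(box(1, BOT))                                          # seriality
FOUR = imp(box(1, atom("q")), box(1, box(1, atom("q"))))      # transitivity

if __name__ == "__main__":
    for name, frame in (("CYCLE", CYCLE), ("CHAIN", CHAIN)):
        for label, phi in (("D", D), ("4", FOUR)):
            print(name, label, valid(frame, phi),
                  valid(frame, subframe_formula(phi)),
                  valid_in_all_subframes(frame, phi))
```

Seriality is valid on the three-point cycle but fails on its one-point subframes, so its subframe formula is refuted there, whereas transitivity and its subframe formula are both valid on the transitive chain.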


Based on this proposition, it is not difficult to see that the class of subframe logics 
forms a complete sublattice of NExt $K_n$. Now, the first question to address is whether 
there are Kripke incomplete subframe logics at all: 


EXAMPLE 47. (Van Benthem 1979) Let $\mathfrak{F} = \langle W, R, P\rangle$ be the frame whose underlying 
Kripke frame is shown in Fig. 4 ($\omega + 1$ sees only $\omega$ and the subframe generated by $\omega$ is 
transitive) and $X \subseteq W$ is in $P$ iff either $X$ is finite and $\omega \notin X$ or $X$ is cofinite in $W$ and 
$\omega \in X$. It is easy to see that $P$ is closed under $\cap$, $-$ and $\Diamond$. 

Let L be the logic of the frame ¥ constructed in Example 47. Since every rooted 
subframe 6 of ¥ is isomorphic to a generated subframe of §, L is a subframe logic. We 
show that L has the same Kripke frames as GL.3. Suppose 6 is a rooted Kripke frame 
for GL.3 refuting y € L. Then clearly 6 contains a finite subframe 9 refuting y. Since 
§ is a finite chain of irreflexive points, it is isomorphic to a generated subframe of %, 
contrary to § j y. Thus 6 — L. Conversely, suppose 6 is a Kripke frame for L. Then 6 
is irreflexive. For otherwise 6 refutes the formula y = 0?(Op — p) A O(Op — p) > Op, 
which is valid in ¥. Let us show now that © is transitive. Suppose otherwise. Then 6 
refutes the formula Op —> O(Op V (Og —> q)), which is valid in ¥ because w is a reflexive 
point. Finally, since 6 = y, 6 is Noetherian and since § is of width 1, we may conclude 
that 6 = GL.3. It follows that the subframe logic L is Kripke incomplete. Indeed, it 
shares the same class of Kripke frames with GL.3 but Op pE GL.3 — L. 
We now follow the path described above for NExt $K_n$ and analyse the location of 
Kripke complete and decidable subframe logics within the lattice of subframe logics. 


Subframe logics of frames with transitive relations 


A number of surprisingly general decidability and completeness results have been ob- 
tained for subframe logics whose frames are based on transitive relations. The first 
fundamental result on the finite model property (and therefore decidability and Kripke 
completeness) of subframe logics is due to Fine [45]. Although the following theorem can 
be obtained for free using the machinery of canonical formulas, here we show its proof 
using the maximal points technique of [43]. 


THEOREM 48 (Fine). All unimodal subframe logics of transitive general frames (i.e., 
extensions of K4) have the finite model property. All finitely axiomatisable ones are 
decidable. 


Proof. The proof is based on the following fundamental observation: call a point $x$ 
in a transitive frame $\mathfrak{F} = \langle W, R, P\rangle$ non-eliminable if there is $X \in P$ such that $x \in X$ 
but no proper successor of $x$ is in $X$ (in other words, $x$ is maximal in $X$); in this case we 
write $x \in \max_R X$. Then one can show the following: if $\mathfrak{F}$ is descriptive and $x \in X \in P$, 
then there exists a point $y \in \max_R X$ such that $x = y$ or $xRy$. 

Now suppose that $L \supseteq$ K4 is a subframe logic. To prove that $L$ has the finite model 
property, suppose that $\varphi \notin L$. Take a model $\mathfrak{M} = \langle \mathfrak{F}, \mathfrak{V}\rangle$ refuting $\varphi$ at a point $x$ and based 
on a descriptive frame $\mathfrak{F} = \langle W, R, P\rangle$ for $L$. Say that a point $x \in W$ is non-eliminable 
relative to $\varphi$ if there is a subformula $\psi$ of $\varphi$ such that $x \in \max_R\{y \in W \mid y \models \psi\}$ or 
$x \in \max_R\{y \in W \mid y \models \neg\psi\}$. Now select recursively a set of points $W^\varphi$ as follows: 


• Set $V = \{x\}$. 


• If there exist $y \in V$ and $\Box\psi \in \mathrm{sub}\,\varphi$ such that $y \not\models \Box\psi$, and there does not exist 
$z \in V$ with $z \models \neg\psi$ and $yRz$, then set $V = V \cup \{z\}$ for some non-eliminable $z$ 
(relative to $\varphi$) with $yRz$ and $z \models \neg\psi$. Otherwise, set $W^\varphi = V$ and stop. 


Construct a new model $\mathfrak{M}^\varphi$ based on the frame $\mathfrak{F}^\varphi = \langle W^\varphi, R {\upharpoonright} W^\varphi\rangle$ by taking $\mathfrak{V}^\varphi(p) = 
\mathfrak{V}(p) \cap W^\varphi$ for all variables $p$ in $\varphi$. Clearly, the Kripke frame $\mathfrak{F}^\varphi$ is rooted, of depth 
$\le l(\varphi)$, and no point has more than $l(\varphi)$ successors. Besides, one can easily show that 
$(\mathfrak{M}^\varphi, y) \models \psi$ iff $(\mathfrak{M}, y) \models \psi$, for all $\psi \in \mathrm{sub}\,\varphi$ and $y \in W^\varphi$. Finally, one can show that 
$\mathfrak{F}^\varphi$ is a frame for $L$ (this is trivial if $L$ is D-persistent; considerably more work is required 
if $L$ is not D-persistent.) ∎ 


Let us consider now what happens if we move from a unimodal subframe logic $L \in$ 
NExt K4 to the tense logic determined by $(\mathrm{Fr}\,L)_t$. In other words, we move from 
unimodal logics to bimodal logics, where the second operator is interpreted by the inverse of 
the accessibility relation of the first operator. From a syntactic viewpoint, this semantic 
condition is captured by the axioms 

$$p \to \Box_1\Diamond_2 p \quad\text{and}\quad p \to \Box_2\Diamond_1 p.$$

So, we set, for any normal unimodal logic $L = K \oplus \Gamma$, 

$$L_t = K \oplus \Gamma \oplus \{p \to \Box_1\Diamond_2 p,\ p \to \Box_2\Diamond_1 p\}$$
and call $L_t$ the minimal tense extension of $L$. General questions regarding minimal tense 
extensions are: What is the relation between $L_t$ and the logic determined by the class 
of frames $(\mathrm{Fr}\,L)_t$? Are Kripke completeness and decidability inherited from unimodal 
logics to minimal tense extensions? As far as Kripke completeness is concerned, the 
answer is negative: [161] gives an example of a logic $L \in$ NExt K4 with the finite model 
property such that $L_t$ is not Kripke complete. Transfer of decidability is an open problem. 
However, for minimal tense extensions of subframe logics in NExt K4 a complete answer 
has been given in [160, 164]: 

THEOREM 49. If $L \in$ NExt K4 is a subframe logic then 

(i) $L_t$ is Kripke complete and determined by $(\mathrm{Fr}\,L)_t$; 

(ii) $L_t$ has the finite model property iff $L$ is canonical iff Fr $L$ is first-order definable; 

(iii) $L_t$ is decidable whenever $L$ is finitely axiomatisable. 

So, by (i), $L_t$ is indeed Kripke complete whenever $L$ is a subframe logic containing 
K4. The first exciting bit of this theorem is (ii). It connects the finite model property of 
minimal tense extensions with first-order definability: for first-order definable subframe 
logics like K4, S4, K4.3, and S4.3 we obtain that their minimal tense extensions still 
have the finite model property, while minimal tense extensions of subframe logics that 
are not first-order definable, say, $\mathrm{GL}_t$ and $\mathrm{Grz}_t$, do not enjoy this property. For some 
examples, such as $\mathrm{Grz}_t$, this can be proved easily: just observe that the Grzegorczyk 
axiom 

$$\Box_2(\Box_2(p \to \Box_2 p) \to p) \to p$$

is refuted in $\langle \omega, \ge, \le\rangle$ and so does not belong to $\mathrm{Grz}_t$; however, it is clearly valid in all 
finite partial orders (which coincide with the finite frames in $(\mathrm{Fr}\,\mathrm{Grz})_t$). 

The second interesting news here is that (iii) provides us with a decidability result 
for a class of logics which (in general) neither have the finite model property nor the 
tree model property. In fact, to prove (iii) [164] introduces so-called quasi-frames, that 
is, frames which come together with type assignments (similar to those in Section 6.2) 
and with respect to which minimal tense extensions of subframe logics have the bounded 
finite model property. 


The decidability result in Theorem 49 does not cover Kripke incomplete logics, and 
one may wonder whether there exist at all natural and interesting classes of decidable 
modal logics containing Kripke incomplete ones. The answer is ‘yes:’ one such class is 
the set of all finitely axiomatisable (possibly non-normal) subframe logics containing the 
bimodal provability logic 


CSM, = GL®GL@ {O; > Op, O2p > 0102p} 


(named so in [159] after Carlson, Smorynski and Montagna). Almost all bimodal prov- 
ability logics discussed and investigated in the literature [112, 137] are indeed (sometimes 
non-normal) subframe logics. For the proof of this result see [167]. 


The lattice of all subframe logics 


We have seen above a lot of beautiful and useful decidability results for subframe logics 
over transitive relations. Unfortunately, the situation changes drastically as soon as not 
all accessibility relations are transitive. In this part we summarise what is known in this 
case. First we shall see that at least the ‘upper part’ of the lattice of subframe logics is 
quite well-behaved. Recall that $K \oplus alt_n$ is the logic determined by the frames in which 
no point has more than $n$ successors. The following result is proved by first showing that 
all subframe logics containing $K \oplus alt_n$ are Kripke complete [1] and then proving that 
if a formula $\varphi$ is refuted in a frame validating $alt_n$ then one can always select finitely 
many points from that frame in which $\varphi$ is refuted. (It should be clear from the proof 
that this result still holds for multimodal subframe logics in which for each operator an 
axiom of the form $alt_n$ holds.) 


THEOREM 50. All subframe logics containing some $K \oplus alt_n$ have the finite model 
property. 

Now we say that a subframe logic L is strictly sf-complete if there does not exist another 
subframe logic L’ with the same Kripke frames as L. In comparison with NExt K, where 
according to Blok’s dichotomy for almost every interesting L there exist uncountably 
many modal logics L’ with the same Kripke frames as L, the situation is much more 
diverse in the lattice of subframe logics. Example 47 shows that GL.3 is not strictly 
sf-complete. However, the logics T, S4 and Grz turn out to be strictly sf-complete. 
As in the full lattice of normal modal logics, the notion of strict sf-completeness is 
closely related to the notion of splittings (now in the lattice of subframe logics) and the 
decidability of the axiomatisation problem for formulas axiomatising subframe logics. 
Say that a subframe logic L € NExt K is a subframe union-splitting by a set F of finite 
rooted frames, in symbols 

L = KIIF, 


if L is the smallest subframe logic such that §  L, for at least one Ẹ € F. For example, 
T = K/*o. 


It is now readily checked that any Kripke complete subframe logic L which is a subframe 
union-splitting by finitely many rooted frames is strictly sf-complete and that the set 
$\{\varphi \mid K \oplus \varphi^{sf} = L\}$ is recursive whenever L is decidable. Based on these observations, 
the following partial results were obtained in [166]: 


THEOREM 51. (a) A subframe logic L containing K4 is strictly sf-complete iff $L \not\subseteq$ 
GL.3 iff L is a subframe union-splitting. Moreover, if $L \not\subseteq$ GL.3 is finitely axiomatisable, 
then $\{\varphi \mid K \oplus \varphi^{sf} = L\}$ is recursive. 
(b) All subframe logics $L \in$ NExt $K \oplus alt_n$ are strictly sf-complete and subframe 
union-splittings. Moreover, if L is finitely axiomatisable, then $\{\varphi \mid K \oplus \varphi^{sf} = L\}$ is recursive. 
(c) It is decidable whether a finitely axiomatised subframe logic is determined by a 
finite number of finite frames (is tabular). 


No general undecidability results have been proved so far for subframe logics. 
PROBLEM 15. Characterise the class of subframe logics L for which $\{\varphi \mid K \oplus \varphi^{sf} = L\}$ 
is recursive. 

For example, although K4 is not a subframe union-splitting it is an open question 
whether $\{\varphi \mid K \oplus \varphi^{sf} = \mathrm{K4}\}$ is recursive. 
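$\mathrm{Cl} = \mathrm{Int} + p \lor \neg p$ 

$\mathrm{SmL} = \mathrm{Int} + (\neg q \to p) \to (((p \to q) \to p) \to p)$ 

$\mathrm{KC} = \mathrm{Int} + \neg p \lor \neg\neg p$ 

$\mathrm{LC} = \mathrm{Int} + (p \to q) \lor (q \to p)$ 

$\mathrm{SL} = \mathrm{Int} + ((\neg\neg p \to p) \to \neg p \lor p) \to \neg p \lor \neg\neg p$ 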

Table 3. A list of standard superintuitionistic logics 


9 SUPERINTUITIONISTIC LOGICS 


Although C.I. Lewis constructed his first modal calculus S3 in 1918, it was Gödel’s [52] 
two page note that attracted serious attention of mathematical logicians to modal sys- 
tems. While Lewis [90] used an abstract necessity operator to avoid paradoxes of the 
material implication, Gödel and earlier Orlov [117] treated $\Box$ as ‘it is provable’ to give 
a classical interpretation of intuitionistic propositional logic Int of Brouwer [12, 13] and 
Heyting [63] by means of embedding it into a modal ‘provability’ system which turned 
out to be equivalent to Lewis’ S4. 

Approximately at the same time Gödel [51] observed that there are infinitely many
logics located between Int and classical logic Cl, which—together with the creation of 
constructive (proper) extensions of Int by Kleene [74] and Rose [122] (realisability logic), 
Medvedev [109] (logic of finite problems), Kreisel and Putnam [78]—gave an impetus to 
studying the class of logics intermediate between Int and Cl, started by Umezawa [149, 
150]. Gödel’s embedding of Int into S4, presented in an algebraic form by McKinsey and
Tarski [108] and extended to all intermediate logics by Dummett and Lemmon [33], made 
it possible to develop theories of modal and intermediate logics in parallel ways. And the 
structural results of Blok [9] and Esakia [36, 36] establishing an isomorphism between 
the lattices Ext Int and NExt Grz, along with preservation results of Maksimova and 
Rybakov [100] and Zakharyaschev [171], transferring various properties from modal to 
intermediate logics and back, showed that in many respects the theory of intermediate 
logics is reducible to the theory of logics in NExt S4. 

To demonstrate this as well as some features of superintuitionistic logics is the main 
aim of this section. We will use the same system of notation as in the modal case. In 
particular, Ext Int is the lattice of all logics of the form Int +T (where T is an arbitrary 
set of formulas in the language of Int and + means taking the closure under modus 
ponens and substitution); we call them superintuitionistic logics or si-logics for short. 
Basic facts about the syntax and semantics of Int and relevant references can be found 
in [157, 24]. A list of some ‘standard’ si-logics is given in Table 3. 


9.1 Intuitionistic frames 


As in the case of modal logics, the adequate relational semantics for si-logics can be
constructed on the base of the Stone representation of the algebraic ‘models’ for Int,
known as Heyting (or pseudo-Boolean) algebras. It is hard to trace now who was the first
to introduce intuitionistic general frames—the earliest references we know are [35] and
[119]—but in any case, having at hand [71] and [54], the construction must have been
clear.


7 Orlov’s paper remained unnoticed till the end of the 1980s. It is remarkable also for constructing
the first system of relevant logic.

An intuitionistic (general) frame is a triple $\mathfrak{F} = \langle W, R, P \rangle$ in which R is a partial order
on $W \neq \emptyset$ and P is a collection of upward closed subsets (cones) in W containing $\emptyset$ and
closed under $\cap$, $\cup$, and the operation $\supset$ (for $\to$) defined by


$$X \supset Y = \{x \in W \mid \forall y \in x{\uparrow}\ (y \in X \to y \in Y)\}.$$


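If P contains all upward closed subsets of W then $\mathfrak{F}$ is called an intuitionistic Kripke frame
and denoted by $\mathfrak{F} = \langle W, R \rangle$. An important feature of intuitionistic models $\mathfrak{M} = \langle \mathfrak{F}, \mathfrak{V} \rangle$
(where $\mathfrak{V}$ maps propositional variables to sets in P) is that $\mathfrak{V}(\varphi)$, the value of a formula
$\varphi$ in $\mathfrak{M}$, is always upward closed. Every intuitionistic frame $\mathfrak{F} = \langle W, R, P \rangle$ gives rise to
the Heyting algebra $\mathfrak{F}^+ = \langle P, \cap, \cup, \supset, \emptyset \rangle$ called the dual of $\mathfrak{F}$. Conversely, given a Heyting
algebra $\mathfrak{A} = \langle A, \land, \lor, \to, \bot \rangle$, we construct its relational representation $\mathfrak{A}_+ = \langle W, R \rangle$ by
taking W to be the set of all prime filters in $\mathfrak{A}$ (a filter $\nabla$ is prime if it is proper and
$a \lor b \in \nabla$ implies $a \in \nabla$ or $b \in \nabla$), R to be the set-theoretic inclusion $\subseteq$ and


$$P = \{\{\nabla \in W \mid a \in \nabla\} \mid a \in A\}.$$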


It is readily checked that $\mathfrak{A}_+$, the dual of $\mathfrak{A}$, is an intuitionistic frame and $\mathfrak{A} \cong (\mathfrak{A}_+)^+$.
A frame $\mathfrak{F}$ is called descriptive if $\mathfrak{F} \cong (\mathfrak{F}^+)_+$. Duality between the basic truth-preserving
operations on algebras and descriptive frames (taking p-morphic images, generated subframes
and disjoint unions) is established by the same technique as in the modal case.

Since every consistent si-logic L is characterised by its Tarski-Lindenbaum algebra
$\mathfrak{A}_L$, we conclude that L is also characterised by a class of intuitionistic frames, say, by
the dual of $\mathfrak{A}_L$.

At the algebraic level, the connection between Int and S4 discovered by Gödel is re- 
flected by the fact, established in [107], that the algebra of open elements (i.e., elements a 
such that $\Box a = a$) of every modal algebra for S4 (known as a topological Boolean algebra;
see [118]) is a Heyting algebra and, conversely, every Heyting algebra is isomorphic to 
the algebra of open elements of a suitable algebra for S4. We explain this result in the 
frame-theoretic language. 

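Given a frame $\mathfrak{F} = \langle W, R, P \rangle$ for S4 (which means that R is a quasi-order on W), we
denote by $\rho W$ the set of clusters in $\mathfrak{F}$—more generally, $\rho X = \{C(x) \mid x \in X\}$—and put
$C(x)\,\rho R\,C(y)$ iff $xRy$,


$$\rho P = \{\rho X \mid X \in P \ \&\ X = \Box X\} = \{\rho X \mid X \in P \land X = X{\uparrow}\}.$$


It is readily checked that $\rho\mathfrak{F} = \langle \rho W, \rho R, \rho P \rangle$ is an intuitionistic frame; we call it the
skeleton of $\mathfrak{F}$. The skeleton of a model $\mathfrak{M} = \langle \mathfrak{F}, \mathfrak{V} \rangle$ for S4 is the model $\rho\mathfrak{M} = \langle \rho\mathfrak{F}, \rho\mathfrak{V} \rangle$,
where $\rho\mathfrak{V}(p) = \mathfrak{V}(\Box p)$.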

Denote by T the Gödel translation prefixing $\Box$ to all subformulas of a given intuitionistic
formula.⁸ Then for every model $\mathfrak{M}$ for S4, every intuitionistic formula $\varphi$ and every
point x in $\mathfrak{M}$,


$$(\rho\mathfrak{M}, C(x)) \models \varphi \quad\text{iff}\quad (\mathfrak{M}, x) \models T(\varphi).$$


It follows that $\varphi \in \mathrm{Int}$ implies $T(\varphi) \in \mathrm{S4}$. To prove the converse, we should be able
to convert intuitionistic frames $\mathfrak{F}$ into modal ones with the skeleton (isomorphic to) $\mathfrak{F}$.
This is trivial if $\mathfrak{F}$ is a Kripke frame—we can just regard it to be a frame for S4, which
in view of the Kripke completeness of both Int and S4, shows that T really embeds the
former into the latter, i.e.,


$$\varphi \in \mathrm{Int} \quad\text{iff}\quad T(\varphi) \in \mathrm{S4}.$$


8 The translation defined in [52] does not prefix $\Box$ to conjunctions and disjunctions. However, this
difference is of no importance as far as embeddings into logics in NExt S4 are concerned.


In general, one can construct a modal frame from an intuitionistic frame $\mathfrak{F} = \langle W, R, P \rangle$
by taking the closure $\sigma P$ of P under the Boolean operations. Then $\langle W, R, \sigma P \rangle$ is a
partially ordered modal frame; we denote it by $\sigma\mathfrak{F}$. Moreover, we clearly have $\mathfrak{F} = \rho\sigma\mathfrak{F}$.
It is worth noting that if $\mathfrak{F} = \langle W, R \rangle$ is a finite intuitionistic Kripke frame then $\sigma\mathfrak{F}$ is also
a Kripke frame. However, for an infinite $\mathfrak{F}$, $\sigma\mathfrak{F}$ is not in general a Kripke frame—witness
$\langle \omega, \leq \rangle$.
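
The skeleton construction and the Gödel translation of this section can be checked mechanically on a finite model. The following Python sketch is an added example, not part of the handbook: it builds the skeleton of a constructed four-point S4 model with one proper cluster and verifies that truth of a formula at a cluster of the skeleton coincides with truth of its translation T at a point of the model, for every valuation of p and q. The tuple encoding of formulas and all function names are assumptions of the example.

```python
from itertools import product

# Formulas are nested tuples: ("var", name), ("bot",), ("and"|"or"|"imp", a, b), ("box", a).
BOT = ("bot",)
def var(n): return ("var", n)
def imp(a, b): return ("imp", a, b)
def lor(a, b): return ("or", a, b)
def neg(a): return imp(a, BOT)            # intuitionistic negation: a -> bottom

def godel_T(f):
    """Goedel translation T: prefix a box to every subformula of f."""
    if f[0] in ("var", "bot"):
        return ("box", f)
    return ("box", (f[0], godel_T(f[1]), godel_T(f[2])))

def s4_closure(points, pairs):
    """Reflexive-transitive closure, so that R is a quasi-order (an S4 frame)."""
    R = set(pairs) | {(x, x) for x in points}
    changed = True
    while changed:
        new = {(x, z) for (x, y) in R for (y2, z) in R if y == y2} - R
        changed = bool(new)
        R |= new
    return R

def modal_true(W, R, V, x, f):
    """Classical Kripke semantics for the modal language."""
    op = f[0]
    if op == "var": return x in V[f[1]]
    if op == "bot": return False
    if op == "box": return all(modal_true(W, R, V, y, f[1]) for y in W if (x, y) in R)
    a, b = modal_true(W, R, V, x, f[1]), modal_true(W, R, V, x, f[2])
    return {"and": a and b, "or": a or b, "imp": (not a) or b}[op]

def int_true(W, R, V, x, f):
    """Intuitionistic Kripke semantics: implication quantifies over all R-successors."""
    op = f[0]
    if op == "var": return x in V[f[1]]
    if op == "bot": return False
    if op == "imp":
        return all((not int_true(W, R, V, y, f[1])) or int_true(W, R, V, y, f[2])
                   for y in W if (x, y) in R)
    a, b = int_true(W, R, V, x, f[1]), int_true(W, R, V, x, f[2])
    return (a and b) if op == "and" else (a or b)

def skeleton(W, R, V):
    """Skeleton of an S4 model: points are clusters C(x), ordered by the lifted relation.
    The value of p is taken as the set of clusters of the points satisfying box p."""
    C = {x: frozenset(y for y in W if (x, y) in R and (y, x) in R) for x in W}
    rW = set(C.values())
    rR = {(C[x], C[y]) for (x, y) in R}
    rV = {p: {C[x] for x in W if modal_true(W, R, V, x, ("box", var(p)))} for p in V}
    return C, rW, rR, rV

def lemma_holds(W, R, V, formulas):
    """Check (skeleton, C(x)) |= f  iff  (model, x) |= T(f) for all points and formulas."""
    C, rW, rR, rV = skeleton(W, R, V)
    return all(int_true(rW, rR, rV, C[x], f) == modal_true(W, R, V, x, godel_T(f))
               for x in W for f in formulas)

# Constructed S4 frame: proper cluster {0, 1} with two incomparable successors 2 and 3.
W = [0, 1, 2, 3]
R = s4_closure(W, [(0, 1), (1, 0), (0, 2), (0, 3)])
p, q = var("p"), var("q")
FORMULAS = {
    "Cl": lor(p, neg(p)),                 # axioms from Table 3
    "KC": lor(neg(p), neg(neg(p))),
    "LC": lor(imp(p, q), imp(q, p)),
    "dneg": imp(neg(neg(p)), p),
    "id": imp(p, p),
}

def lemma_holds_for_all_valuations():
    """Valuations range over arbitrary subsets of W, not only upward closed ones."""
    subsets = [{x for x, bit in zip(W, bits) if bit}
               for bits in product([0, 1], repeat=len(W))]
    return all(lemma_holds(W, R, {"p": P, "q": Q}, FORMULAS.values())
               for P in subsets for Q in subsets)
```

With the valuation p = {1, 2}, q = {3}, the skeleton has three points, p holds only at the cluster of 2, and both KC and LC fail at the root cluster, exactly as their translations fail at point 0.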


9.2 Canonical formulas 


The language of canonical formulas, axiomatising all si-logics and characterising the 
structure of their frames, can be easily developed following the scheme of constructing 
the canonical formulas for K4 and using the connection between modal and intuitionistic 
frames established above. We confine ourselves here only to pointing out the differences 
from the modal case and some interesting peculiarities; details can be found in [169, 170, 
24]. Actually, there are two important differences. First, in the definition of subreduction 
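of $\mathfrak{F} = \langle W, R, P \rangle$ to $\mathfrak{G}$ the third condition does not correspond to the fact that all sets
in P are upward closed. We replace it by the following condition


• $\forall X \in \overline{Q}\ \ f^{-1}(X){\downarrow} \in \overline{P}$, where $\overline{Q} = \{V - X \mid X \in Q\}$ and $\overline{P} = \{W - X \mid X \in P\}$.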


$\mathfrak{G}$ is a subframe of $\mathfrak{F}$ if there is an injective subreduction of $\mathfrak{F}$ to $\mathfrak{G}$. It is of interest to
note that in the intuitionistic case (cofinal) subreductions are dual to IC(N)-subalgebras 
of Heyting algebras which only preserve implication, conjunction (and negation) but do 
not necessarily preserve disjunction. 

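Second, we have to change the definition of open domains. Now we say an antichain
$\mathfrak{a}$ (of at least two points) is an open domain in an intuitionistic model $\mathfrak{N}$ relative to a
formula $\varphi$ if there is a pair $t_\mathfrak{a} = (\Gamma_\mathfrak{a}, \Delta_\mathfrak{a})$ such that $\Gamma_\mathfrak{a} \cup \Delta_\mathfrak{a} = \mathrm{Sub}\,\varphi$,
$\bigwedge \Gamma_\mathfrak{a} \to \bigvee \Delta_\mathfrak{a} \notin \mathrm{Int}$ and


• $\psi \in \Gamma_\mathfrak{a}$ iff $a \models \psi$ for all $a \in \mathfrak{a}$.


It is worth noting that in any intuitionistic model every antichain $\mathfrak{a}$ is open relative
to every disjunction free formula $\varphi$. Indeed, let $\Gamma_\mathfrak{a}$ be defined by the condition above and
$\Delta_\mathfrak{a} = \mathrm{Sub}\,\varphi - \Gamma_\mathfrak{a}$. It should be clear that $\psi \land \chi \in \Gamma_\mathfrak{a}$ iff $\psi \in \Gamma_\mathfrak{a}$ and $\chi \in \Gamma_\mathfrak{a}$. And if
$\psi \to \chi \in \Gamma_\mathfrak{a}$, $\psi \in \Gamma_\mathfrak{a}$ but $\chi \in \Delta_\mathfrak{a}$ then $a \models \psi$ for every $a \in \mathfrak{a}$ and $b \not\models \chi$ for some $b \in \mathfrak{a}$,
whence $b \not\models \psi \to \chi$, which is a contradiction. It follows that $\bigwedge \Gamma_\mathfrak{a} \to \bigvee \Delta_\mathfrak{a} \notin \mathrm{Int}$.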

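Now, as in the modal case, with every finite rooted intuitionistic frame $\mathfrak{F} = \langle W, R \rangle$ and
a set $\mathfrak{D}$ of antichains in it we can associate two formulas $\beta(\mathfrak{F}, \mathfrak{D}, \bot)$ and $\beta(\mathfrak{F}, \mathfrak{D})$, called
the canonical and negation free canonical formulas, respectively, so that $\mathfrak{G} \not\models \beta(\mathfrak{F}, \mathfrak{D}, \bot)$
($\mathfrak{G} \not\models \beta(\mathfrak{F}, \mathfrak{D})$) iff there is a (cofinal) subreduction of $\mathfrak{G}$ to $\mathfrak{F}$ satisfying (CDC) for $\mathfrak{D}$.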


THEOREM 52. There is an algorithm which, given an intuitionistic $\varphi$, returns canonical
formulas $\beta(\mathfrak{F}_1, \mathfrak{D}_1, \bot), \ldots, \beta(\mathfrak{F}_n, \mathfrak{D}_n, \bot)$ such that


$$\mathrm{Int} + \varphi = \mathrm{Int} + \beta(\mathfrak{F}_1, \mathfrak{D}_1, \bot) + \cdots + \beta(\mathfrak{F}_n, \mathfrak{D}_n, \bot).$$


[Table 4: canonical axioms of Cl, SmL, KC, LC and SL over Int; frame diagrams not reproduced]


Table 4. Canonical axioms of standard superintuitionistic logics


If $\varphi$ is negation free then one can use only negation free canonical formulas. And if $\varphi$ is
disjunction free then all the $\mathfrak{D}_i$ are empty.


In the intuitionistic case we have the following syntactical characterisation of subframe 
and cofinal subframe si-logics: 


THEOREM 53. (1) A si-logic is axiomatisable by implicative formulas iff it is determined 
by a class of (finite) frames closed under subframes. 

(2) A si-logic is axiomatisable by disjunction-free formulas iff it is determined by a 
class of (finite) frames closed under cofinal subframes. 


It follows from these two theorems (and the refutability criterion for the canonical for- 
mulas) that all cofinal subframe si-logics have the finite model property and are decidable 
if finitely axiomatisable. In fact, there are a continuum of subframe logics [173]. That 
all si-logics with disjunction-free axioms have the fmp was first proved by McKay [104] 
with the help of Diego’s [31] theorem according to which there are only finitely many 
pairwise nonequivalent in Int disjunction free formulas in variables p1,..., pn (see also 
[151]). An algebraic approach to superintuitionistic (cofinal) subframe logics has been 
recently developed in [2]. 


PROBLEM 16. Characterise the computational complexity of cofinal subframe si-logics. 


Table 4 shows canonical axiomatisations of the si-logics in Table 3. Using this ‘ge- 
ometrical’ representation it is not hard to see, for instance, that SmL, known as the 
Smetanich logic, is the greatest consistent extension of Int different from Cl; it is the 
logic of the two-point rooted frame. KC, the logic of the Weak Law of the Excluded 
Middle, is characterised by the class of directed frames. It is the greatest si-logic con- 
taining the same negation free formulas as Int [68]. LC, the Dummett or chain logic, is 
characterised by the class of linear frames [82]. 

Jankov [69] proved that logics of the form $\mathrm{Int} + \beta(\mathfrak{F}, \mathfrak{D}^\sharp, \bot)$ and only them are splittings
of Ext Int. However, not every si-logic is a union-splitting of Ext Int. 


PROBLEM 17. Characterise the degree of Kripke incompleteness of si-logics.


9.3 Modal companions and preservation theorems


The fact that the Gödel translation T embeds Int into S4 and the relationship between 
intuitionistic and modal frames shown above can be used to reduce various problems 
concerning Int (e.g., proving decidability, Kripke completeness or the fmp) to those for 
S4 and vice versa. Moreover, it turns out that each logic in Ext Int is embedded by T 
into some logics in NExt S4, and for each logic in NExt S4 there is a logic in Ext Int 
embeddable in it. 

We say a modal logic $M \in \mathrm{NExt}\,\mathrm{S4}$ is a modal companion of a si-logic L if L is
embedded in M by T, i.e., if for every intuitionistic formula $\varphi$, we have $\varphi \in L$ iff
$T(\varphi) \in M$. If M is a modal companion of L then L is called the si-fragment of M and
denoted by $\rho M$. The reason for denoting the operator ‘modal logic $\mapsto$ its si-fragment’
by the same symbol we used for the skeleton operator is explained by the simple fact
that $\rho M = \{\varphi \mid T(\varphi) \in M\}$ and, moreover, if M is characterised by a class $\mathcal{C}$ of modal
frames then $\rho M$ is characterised by the class $\rho\mathcal{C} = \{\rho\mathfrak{F} \mid \mathfrak{F} \in \mathcal{C}\}$ of intuitionistic frames.

Thus, $\rho$ maps NExt S4 into Ext Int. The following observation of [33] shows that
actually $\rho$ is a surjection. Given a logic $L \in \mathrm{Ext}\,\mathrm{Int}$, let


$$\tau L = \mathrm{S4} \oplus \{T(\varphi) \mid \varphi \in L\}.$$


Then, for every si-logic L, $\tau L$ is a modal companion of L.

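Now we use the language of canonical formulas to show a general characterisation of all
modal companions of a given si-logic L obtained in [170, 171]. Notice first that for every
modal frame $\mathfrak{G}$ and every intuitionistic canonical formula $\beta(\mathfrak{F}, \mathfrak{D}, \bot)$, $\mathfrak{G} \models \alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ iff
$\rho\mathfrak{G} \models \beta(\mathfrak{F}, \mathfrak{D}, \bot)$, and so $\mathrm{S4} \oplus T(\beta(\mathfrak{F}, \mathfrak{D}, \bot)) = \mathrm{S4} \oplus \alpha(\mathfrak{F}, \mathfrak{D}, \bot)$. The same holds for the
negation free canonical formulas.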


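THEOREM 54. $M \in \mathrm{NExt}\,\mathrm{S4}$ is a modal companion of $L = \mathrm{Int} + \{\beta(\mathfrak{F}_i, \mathfrak{D}_i, \bot) \mid i \in I\}$
iff M can be represented in the form


$$M = \mathrm{S4} \oplus \{\alpha(\mathfrak{F}_i, \mathfrak{D}_i, \bot) \mid i \in I\} \oplus \{\alpha(\mathfrak{F}_j, \mathfrak{D}_j, \bot) \mid j \in J\},$$


where every frame $\mathfrak{F}_j$, for $j \in J$, contains a proper cluster.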


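Thus, we have:

$\rho\mathrm{S4} = \rho\mathrm{S4.1} = \rho\mathrm{Dum} = \rho\mathrm{Grz} = \mathrm{Int}$,
$\rho\mathrm{S4.2} = \rho(\mathrm{S4.2} \oplus \mathrm{Grz}) = \mathrm{KC}$,
$\rho\mathrm{S4.3} = \rho(\mathrm{S4.3} \oplus \mathrm{Grz}) = \mathrm{LC}$,
$\rho\mathrm{S5} = \rho(\mathrm{S5} \oplus \mathrm{Grz}) = \mathrm{Cl}$.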


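COROLLARY 55. The set of modal companions of every consistent si-logic L forms the
interval


$$\rho^{-1}(L) = [\tau L, \tau L \oplus \alpha(\text{[diagram]})] = \{M \in \mathrm{NExt}\,\mathrm{S4} \mid \tau L \subseteq M \subseteq \tau L \oplus \mathrm{Grz}\}$$


and contains an infinite descending chain of logics.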


Proof. Notice first that $\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ and $\alpha(\mathfrak{F}, \mathfrak{D})$ are in Grz iff $\mathfrak{F}$ contains a proper
cluster. So $\rho^{-1}(L) \subseteq [\tau L, \tau L \oplus \alpha(\text{[diagram]})]$. On the other hand, the si-fragments of all logics


Property of logics          Preserved under
                            ρ      τ      σ
Decidability                Yes    Yes    Yes
Kripke completeness         Yes    Yes    No
Finite model property       Yes    Yes    Yes
Tabularity                  Yes    No     Yes
Interpolation property      Yes    No     No
First-order definability    Yes    Yes    No


Table 5. Preservation theorems


in the interval are the same, namely L. Therefore, $\rho^{-1}(L) = [\tau L, \tau L \oplus \alpha(\text{[diagram]})]$. Now, if
L is consistent then $\beta(\text{[diagram]}) \notin L$ and so


TLO...CTL®@a(®) C- CTL Sal(@) C TL a(@) = For, 


where For is the set of all intuitionistic formulas. □


This result is due to Maksimova and Rybakov [100], Blok [9] and Esakia [37]. Thus,
all modal companions of every si-logic L are contained between the least companion $\tau L$
and the greatest one, viz., $\tau L \oplus \alpha(\text{[diagram]})$, which will be denoted by $\sigma L$.

The following theorem, which is also a consequence of Theorem 54, describes lattice-theoretic
properties of the maps $\rho$, $\tau$ and $\sigma$. Items (i), (ii) and (iv) in it were first proved
in [100]; (iii) is known as the Blok—Esakia theorem [9, 37].

THEOREM 56. (i) The map $\rho$ is a homomorphism of the lattice NExt S4 onto the lattice
Ext Int.

(ii) The map $\tau$ is an isomorphism from Ext Int into NExt S4.

(iii) The map $\sigma$ is an isomorphism from Ext Int onto NExt Grz.

(iv) All these maps preserve infinite sums and intersections of logics. 


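The following theorem provides a deductive characterisation of the maps $\tau$ and $\sigma$.


THEOREM 57. For every si-logic L and every modal canonical formula $\alpha(\mathfrak{F}, \mathfrak{D}, \bot)$ built
on a quasi-ordered frame $\mathfrak{F}$,

(i) $\alpha(\mathfrak{F}, \mathfrak{D}, \bot) \in \tau L$ iff $\beta(\rho\mathfrak{F}, \rho\mathfrak{D}, \bot) \in L$;

(ii) $\alpha(\mathfrak{F}, \mathfrak{D}, \bot) \in \sigma L$ iff either $\mathfrak{F}$ is partially ordered and $\beta(\mathfrak{F}, \mathfrak{D}, \bot) \in L$ or $\mathfrak{F}$ contains
a proper cluster.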


The theorems above can be used for transferring various properties of modal logics to 
their si-fragments and back. Some results of that sort are collected in Table 5; for proofs 
see [24]. 


9.4 Completeness 


In this section we briefly discuss the most important general results concerning com- 
pleteness of si-logics with respect to various classes of Kripke frames. (As in the modal 
case, the fmp and decidability of a good many concrete si-logics was proved using various 
forms of filtration; see, e.g., [46, 116, 136, 47, 39].)

That not all si-logics are complete with respect to Kripke frames was discovered by
Shehtman [132], who found a way to adjust Fine’s [43] idea to the intuitionistic case. As 
to general positive results, notice first that the preservation theorems yield the following 
translation of Theorems 24-25 (si-logics of finite width were studied by Sobolev [138]). 


THEOREM 58. (1) Every si-logic of finite depth has the fmp (in fact, is locally tabular). 

(2) Every si-logic of width n is characterised by a class of Noetherian Kripke frames 
of width < n. 

PROBLEM 18. Are finitely axiomatisable si-logics of width n > 1 decidable? What is 
their computational complexity? 

An intuitionistic formula is said to be essentially negative if every occurrence of a
variable in it is in the scope of some $\neg$. If $\varphi$ is essentially negative then $T(\varphi)$ is a
©-formula, which—together with Theorem 14—yields the following result of McKay
[105]:

THEOREM 59 (McKay). If a si-logic L is decidable (or has the fmp) and $\varphi$ is an essentially
negative formula then $L + \varphi$ is decidable (has the fmp).


Say that an occurrence of a variable in a formula is essential if it is not in the scope
of any $\neg$. A formula $\varphi$ is mild if every two essential occurrences of the same variable in
$\varphi$ are either both positive or both negative. Kuznetsov [83] claimed (we have not seen
the proof) that all si-logics whose extra axioms do not contain negative occurrences of
essential variables have the fmp. And Wroński [168] announced that if L is a decidable
si-logic and $\varphi$ a mild formula then $L + \varphi$ is also decidable.

Since frames for Int contain no clusters, Theorem 44 and its analogue for cofinal
subframe logics reduce in the intuitionistic case to the following result which is due to
[28, 121, 134, 174]:


THEOREM 60. All si-logics with disjunction free axioms are first-order definable (de- 
finable by VA-sentences) and D-persistent. 


Nishimura [115] described all si-logics axiomatisable by one-variable formulas. As a 
consequence of his result and Theorem 19 we obtain the following theorem due to Sobolev 
[138]: 


THEOREM 61 (Sobolev). All si-logics with extra axioms in one variable have the fmp 
and are decidable. 


In fact, Sobolev proved a more general (but rather complicated) syntactical sufficient 
condition of the fmp and constructed a formula in two variables axiomatising a si-logic 
without the fmp (Shehtman’s [132] incomplete si-logic has also axioms in two variables). 

By the Blok—Esakia and preservation theorems, the situation with tabular logics in 
ExtInt is the same as in NExt Grz. In particular, there are only three pretabular logics 
in ExtInt [95], and the tabularity problem is decidable in ExtInt. 


9.5 Medvedev’s logic 


Although this chapter’s main concern is classes of logics rather than individual systems,
we conclude it with a brief discussion of a very elegant and interesting si-logic introduced
by Medvedev [109, 110, 111] and known as the logic of finite problems or the Medvedev
logic ML. Semantically it can be defined as the set of intuitionistic formulas that are
valid in all ‘topless’ n-ary Boolean cubes depicted in Fig. 5 for n = 1,2,3,4. More
precisely, let $W_n$ be the family of nonempty subsets of a set with n > 0 elements and
$x R_n y$ means $y \subseteq x$, for $x, y \in W_n$. Then


$$\mathrm{ML} = \{\varphi \mid \langle W_n, R_n \rangle \models \varphi \text{ for all } n > 1\}.$$


Figure 5.


It turns out that ML is a constructive si-logic in the sense that it enjoys the following
disjunction property


$$\varphi \lor \psi \in \mathrm{ML} \quad\text{implies}\quad \varphi \in \mathrm{ML} \text{ or } \psi \in \mathrm{ML}$$


and, moreover, no proper extension of ML is constructive in this sense [89, 99]. In fact, 
there are a continuum of maximal constructive si-logics [73, 98, 20, 39], and not a single 
one of them is known to be finitely axiomatisable or decidable. In particular, [101] shows 
that ML is not finitely axiomatisable. 


PROBLEM 19. Does there exist a decidable maximal si-logic with the disjunction prop- 
erty? In particular, is ML decidable? 


PROBLEM 20. Does there exist a finitely axiomatisable maximal si-logic with the dis- 
junction property?


1 INTRODUCTION


Logic is generally defined as the science of reasoning. Mathematical logic is mainly concerned
with forms of reasoning that lead from true premises to true conclusions. Thus
we say that the argument from $\sigma_0; \sigma_1; \cdots; \sigma_{n-1}$ to $\delta$ is logically correct if whenever $\sigma_i$
is true for all $i < n$, then so is $\delta$. In place of ‘argument’ one also speaks of ‘inference’.
The language object ‘$\sigma_0; \sigma_1; \cdots; \sigma_{n-1}/\delta$’ is called a rule, of which arguments are instances.
A rule is valid if all its instances are. Central to this approach is the notion
of a consequence relation, which is a relation between sets of formulae and formulae. A
consequence relation $\vdash$ specifies which arguments are valid; the argument from a set $\Sigma$
to a formula $\delta$ is valid in $\vdash$ iff $\langle \Sigma, \delta \rangle \in\ \vdash$, for which we write $\Sigma \vdash \delta$. $\delta$ is a tautology of $\vdash$
if $\emptyset \vdash \delta$, for which we also write $\vdash \delta$.

In the early years, research into modal logic was concerned with the question of finding 
the correct inference rules. This research line is still there but has been marginalized by 
the research into modal logics, where a logic is just a set of formulae; this set is the set of 
tautologies of a certain consequence relation, but many consequence relations share the 
same tautologies. The shift of focus in the research has to do in part with the precedent 
set by predicate logic: predicate logic is standardly axiomatized in a Hilbert-style fashion, 
which fixes the inference rules and leaves only the axioms as a parameter. Another source 
may have been the fact that there is a biunique correspondence between varieties of modal 
algebras and axiomatic extensions of K, which allowed for rather deep investigations into 
the space of logics, using the machinery of equational theories. This research led to deep 
results on the structure of the lattice of modal logics and benefits also the research into 
consequence relations. Recently, however, algebraic logic has provided more and more 
tools that allow to extend the algebraic method to the study of consequence relations in 
general (see for example [60] and [14]). In particular the investigations into the Leibniz 
operator initiated by Blok and Pigozzi in [5] have brought new life into the discussion 
and allow to see a much broader picture than before. 

Now, even if one is comfortable with classical logic, it is not immediately clear what 
the correct inferences are in modal logic. The first problem is that it is not generally 
agreed what the meaning of the modal operator(s) is or should be. In fact, rather than 
a drawback, the availability of very many different interpretations is the strength of 
modal logic; it gives flexibility, however at the price that there is not one modal logic, 
there are uncountably many. For example, $\Box$ as metaphysical necessity satisfies S5,
$\Box$ as provability in PA satisfies G, $\Box$ as future necessity (arguably) satisfies S4.3, and
so on. This is in part because the interpretation decides which algebras are suitable 
(intended) and which ones are not. However, there is another parameter of variation, 
and this is the notion of truth itself. In the most popular interpretation, truth is truth 
at a world; but we could also understand it as truth in every world of the structure. 
The two give rise to two distinct consequence relations, the local and the global, which 
very often do not coincide even though they always have the same set of tautologies. If 
truth is defined to be truth at every world under all substitutions we finally arrive at 
the maximal consequence relation compatible with a logic, in which a rule is derived iff 
it is admissible for that logic. It is this plurality of interpretations that gives rise to the 
different topics of this contribution and provides the underlying thread that connects 
them.

The paper is organised as follows. We shall first review basic concepts from universal
algebra and basic logical notions such as consequence relations, rules, the deduction 
theorem and interpolation; then we shall briefly look at modal consequence relations and 
the structure of the lattice they form; finally, we turn to the notion of a splitting. This 
concludes Section 2. In Section 3 we shall look at local and global consequence relations. 
The first part will deal with consequence relations from an algebraic perspective; the 
second part studies global consequence relations in more detail and the third part outlines 
the connection between semisimple varieties of modal algebras and weak transitivity. The 
next section deals with reductions of polymodal and polyadic modal logics to monomodal 
logic. It reviews results that establish that the lattices of polymodal and polyadic logics 
can be naturally embedded into the lattice of monomodal logics preserving and reflecting 
a good deal of properties. This justifies ex post the almost exclusive study of monomodal 
logics in spite of the practical usefulness of polymodal and polyadic logics. Section 5 looks 
at interpolation. In detail, it shall give an algebraic characterisation of interpolation and 
ways of establishing interpolation for logics. Next we shall look at Beth-definability 
and fixed point theorems and finally at uniform interpolation. Section 6 is devoted to 
admissible rules. In particular, it deals with questions of axiomatisability of the set of 
admissible rules, and with the problem of deciding whether a given rule is admissible in 
a logic. Finally, in Section 7 we take a brief look at more general notions of a rule, like 
multiple conclusion rules. 


2 BASIC THEORY OF MODAL CONSEQUENCE RELATIONS 


This chapter makes heavy use of notions from universal algebra. The reader is referred to
Chapter 6 for background information concerning universal algebra and in particular the
theory of BAOs and how they relate to (general) frames. We shall quickly review some
terminology. A signature is a pair $\langle F, \nu \rangle$, where F is a set of so-called function symbols
or connectives and $\nu : F \to \omega$ a function assigning to each symbol an arity. Terms
are expressions of this language based on variables. We shall also refer to $\nu$ alone as a
signature. We shall assume that the reader is acquainted with basic notions of universal
algebra, such as a $\nu$-algebra. Given a map $v : X \to A$ from a set X of variables into
the underlying set of $\mathfrak{A}$, there is at most one homomorphic extension $\overline{v} : \mathfrak{Tm}_\nu(X) \to \mathfrak{A}$,
where $\mathfrak{Tm}_\nu(X)$ denotes the algebra of terms in the signature $\nu$ over the set X (whose
underlying set is $Tm_\nu(X)$). On a $\nu$-algebra $\mathfrak{A}$, terms induce term functions in the
obvious way. If we allow to expand the signature by a constant a for every $a \in A$, the
term functions induced by this enriched language on $\mathfrak{A}$ are called polynomials. In what
is to follow, terms will also be called formulae, F will always contain $\top$, $\land$ and $\neg$, and
$\nu(\top) = 0$, $\nu(\neg) = 1$ and $\nu(\land) = 2$. Moreover, F will additionally contain connectives $\Box_i$,
$i < \kappa$, called modal operators, which are unary unless otherwise stated. $\kappa$ need not
be finite. The relation corresponding to $\Box_i$ will standardly be denoted by $\lhd_i$. The set of
variables is $V := \{p_i : i \in \omega\}$. Sets of formulae are denoted in the usual way using the
semicolon notation: $\Delta; \chi$ abbreviates $\Delta \cup \{\chi\}$. We write $\mathrm{var}(\varphi)$ for the set of variables
occurring in $\varphi$, and $\mathrm{sf}(\varphi)$ for the set of subformulae of $\varphi$. Similarly, $\mathrm{var}(\Delta)$ and $\mathrm{sf}(\Delta)$
are used for sets of formulae. A substitution is defined by a map $s : V \to Tm_\nu(V)$.
$s(\varphi)$ or $\varphi^s$ denotes the effect on $\varphi$ of performing the substitution s.


2.1 Consequence Relations


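DEFINITION 1. Let $Tm_\nu(V)$ be a propositional language. A consequence relation
over $Tm_\nu(V)$ is a relation $\vdash\ \subseteq \wp(Tm_\nu(V)) \times Tm_\nu(V)$ between sets of formulae and a
single formula such that


1. $\varphi \vdash \varphi$

2. $\Delta \vdash \varphi$ and $\Delta \subseteq \Delta'$ implies $\Delta' \vdash \varphi$.

3. $\Delta \vdash \chi$ and $\Sigma; \chi \vdash \varphi$ implies $\Delta; \Sigma \vdash \varphi$.


$\vdash$ is structural if from $\Delta \vdash \varphi$ follows $\Delta^s \vdash \varphi^s$, where s is a substitution. $\vdash$ is finitary
(or compact) if from $\Delta \vdash \varphi$ follows that there is a finite $\Delta' \subseteq \Delta$ such that $\Delta' \vdash \varphi$. A
tautology of $\vdash$ is a formula $\varphi$ such that $\vdash \varphi$. $\mathrm{Taut}(\vdash)$ is the set of tautologies of $\vdash$.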


There is an alternative approach via deductively closed sets and via closure operators
(see Surma [55] for a discussion of alternatives to consequence relations). Given $\vdash$, let
$\Sigma^{\vdash} := \{\varphi : \Sigma \vdash \varphi\}$. The sets of the form $\Sigma^{\vdash}$ are called theories of $\vdash$. Then the following
holds.


ge Te ce Dae 
2. Soe 
$\vdash$ is structural iff for all substitutions s and all $\Sigma$
(1) sks c ys 
$\vdash$ is finitary iff for all $\Sigma$
(2) $\Sigma^{\vdash} = \bigcup \{\Sigma_0^{\vdash} : \Sigma_0 \subseteq \Sigma,\ \Sigma_0 \text{ finite}\}$


A characterisation of a finitary structural consequence relation in terms of its theories is
as follows.


1. The language is a $\vdash$-theory.

2. Every intersection of $\vdash$-theories is a $\vdash$-theory.

3. If T is a $\vdash$-theory, so is $s^{-1}(T)$.

4. If $T_i$, $i \in \omega$, is an ascending chain of $\vdash$-theories, $\bigcup T_i$ is a $\vdash$-theory.


For the general theory of consequence relation see [60]. For consequence relations and 
modal logic see [50]. In the sequel, unless otherwise stated, consequence relations are 
assumed to be finitary and structural. The signatures are signatures extending classical 
propositional logic by some (typically unary) modal operators. 

One can think of a finitary consequence relation as a first order theory of formulae in
the following way. A statement of the form $\Delta \vdash \varphi$ is rendered


(3) ZATO) : 5 € A)) > TC)

where T is a newly introduced predicate; the universal quantifier binds off the free variables
occurring in all the formulae. Given this interpretation, the appropriate structures
to interpret consequence relation in are matrices in the sense of the following definition.


DEFINITION 2. A $\nu$-matrix for a signature $\nu$ is a pair $\mathfrak{M} = \langle \mathfrak{A}, D \rangle$ where $\mathfrak{A}$ is a $\nu$-algebra
and $D \subseteq A$ a subset. A is called the set of truth values and D the set of
designated truth values. An assignment or a valuation into $\mathfrak{M}$ is a map v from the
set of variables into A. v makes $\varphi$ true in $\mathfrak{M}$ if $\overline{v}(\varphi) \in D$; otherwise it makes $\varphi$ false.


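Given a matrix $\mathfrak{M}$ we can define a relation $\vdash_\mathfrak{M}$ by
(4) $\Delta \vdash_\mathfrak{M} \varphi \iff$ for all assignments v: If $\overline{v}[\Delta] \subseteq D$ then $\overline{v}(\varphi) \in D$


If $\vdash\ \subseteq\ \vdash_\mathfrak{M}$ then we also say that $\mathfrak{M}$ is a matrix for $\vdash$. Given $\mathfrak{A}$, we say that D is a
filter for $\vdash$ if D is closed under the rules; equivalently D is a filter if $\vdash_{\langle \mathfrak{A}, D \rangle}\ \supseteq\ \vdash$. Given
a class S of matrices (for the same signature) we define


(5) $\vdash_S\ := \bigcap \langle \vdash_\mathfrak{M}\ : \mathfrak{M} \in S \rangle$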


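THEOREM 3. Let $\nu$ be a signature. For each class S of $\nu$-matrices $\vdash_S$ is a (possibly
nonfinitary) consequence relation.


THEOREM 4 (Wójcicki). For every structural consequence relation $\vdash$ there exists a class
S of matrices such that $\vdash\ =\ \vdash_S$.


Proof. Given the language, let S consist of all $\langle \mathfrak{Tm}_\nu(V), T \rangle$ where T is a theory of
$\vdash$. First we show that for each such matrix $\mathfrak{M}$, $\vdash\ \subseteq\ \vdash_\mathfrak{M}$. To that end, assume $\Sigma \vdash \varphi$
and that $\overline{v}[\Sigma] \subseteq T$. Now $\overline{v}$ is in fact a substitution, and T is deductively closed, and
so $\overline{v}(\varphi) \in T$ as well, as required. Now assume $\Sigma \nvdash \varphi$. We have to find a single matrix
$\mathfrak{M}$ of this form such that $\Sigma \nvdash_\mathfrak{M} \varphi$. For example, $\mathfrak{M} := \langle \mathfrak{Tm}_\nu(V), \Sigma^{\vdash} \rangle$. Then with v the
identity map, $\overline{v}[\Sigma] = \Sigma \subseteq \Sigma^{\vdash}$. However, $\overline{v}(\varphi) = \varphi \notin \Sigma^{\vdash}$ by definition of $\Sigma^{\vdash}$ and the fact
that $\Sigma \nvdash \varphi$. □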


If $\mathfrak{M}$ is a matrix for $\vdash$, then the set of truth values must be closed under the rules. The
previous theorem can be refined somewhat. Let $\mathfrak{M} = \langle \mathfrak{A}, D \rangle$ be a logical matrix, and $\Theta$
a congruence on $\mathfrak{A}$. We write $[x]\Theta := \{y : x\,\Theta\,y\}$. The sets $[x]\Theta$ are called blocks of
the congruence. $\Theta$ is called a matrix congruence if D is a union of $\Theta$-blocks, that is,
if $x \in D$ then $[x]\Theta \subseteq D$. In that case we can reduce the whole matrix by $\Theta$ and define
$\mathfrak{M}/\Theta := \langle \mathfrak{A}/\Theta, D/\Theta \rangle$. The following is easy to show.


LEMMA 5. Let $\mathfrak{M}$ be a matrix and $\Theta$ a matrix congruence of $\mathfrak{M}$. Then $\vdash_\mathfrak{M}\ =\ \vdash_{\mathfrak{M}/\Theta}$.
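
Definition 2, equation (4) and Lemma 5 can be tried out on a small matrix. The following Python sketch is an added example, not part of the handbook: it computes the matrix consequence relation by brute force over all assignments, tests whether a partition is a matrix congruence, and compares a constructed four-element Boolean matrix with its reduct. The modal-free signature (top, negation, conjunction), the tuple encoding of terms, the sample rules and all names are assumptions of the example.

```python
from itertools import product

# Terms over the signature {top/0, not/1, and/2}: ("var", n), ("top",), ("not", a), ("and", a, b).
def var(n): return ("var", n)
def neg(a): return ("not", a)
def land(a, b): return ("and", a, b)
def lor(a, b): return neg(land(neg(a), neg(b)))      # derived connectives
def imp(a, b): return neg(land(a, neg(b)))

ARITY = {"top": 0, "not": 1, "and": 2}

def variables(f):
    if f[0] == "var":
        return {f[1]}
    return set().union(*[variables(g) for g in f[1:]])

def value(ops, v, f):
    """Homomorphic extension of the assignment v to all terms."""
    if f[0] == "var":
        return v[f[1]]
    return ops[f[0]](*[value(ops, v, g) for g in f[1:]])

def entails(matrix, premises, conclusion):
    """Equation (4): every assignment sending all premises into D sends the conclusion into D."""
    A, ops, D = matrix
    names = sorted(set().union(variables(conclusion), *[variables(g) for g in premises]))
    for vals in product(A, repeat=len(names)):
        v = dict(zip(names, vals))
        if all(value(ops, v, g) in D for g in premises) and value(ops, v, conclusion) not in D:
            return False
    return True

def block_of(blocks, x):
    return next(b for b in blocks if x in b)

def is_matrix_congruence(matrix, blocks):
    """The partition is compatible with every operation and D is a union of blocks."""
    A, ops, D = matrix
    for name, n in ARITY.items():
        for xs in product(A, repeat=n):
            for ys in product(*[block_of(blocks, x) for x in xs]):
                if block_of(blocks, ops[name](*xs)) != block_of(blocks, ops[name](*ys)):
                    return False
    return all(block_of(blocks, x) <= D for x in D)

def quotient(matrix, blocks):
    """The reduced matrix M/Theta: elements are blocks, operations act on representatives."""
    A, ops, D = matrix
    def lift(f):
        # Well defined because the blocks form a congruence.
        return lambda *bs: block_of(blocks, f(*[min(b) for b in bs]))
    return (list(blocks), {name: lift(f) for name, f in ops.items()},
            {block_of(blocks, x) for x in D})

# Constructed example: the four-element Boolean algebra with D = elements whose first bit is 1.
B4 = [(a, b) for a in (0, 1) for b in (0, 1)]
B4_OPS = {"top": lambda: (1, 1),
          "not": lambda x: (1 - x[0], 1 - x[1]),
          "and": lambda x, y: (x[0] & y[0], x[1] & y[1])}
M4 = (B4, B4_OPS, {(1, 0), (1, 1)})

# Theta identifies elements with the same first bit; OTHER identifies equal second bits.
THETA = [frozenset({(0, 0), (0, 1)}), frozenset({(1, 0), (1, 1)})]
OTHER = [frozenset({(0, 0), (1, 0)}), frozenset({(0, 1), (1, 1)})]

p, q = var("p"), var("q")
RULES = [([p, imp(p, q)], q), ([lor(p, q)], p), ([], lor(p, neg(p))),
         ([p], land(p, q)), ([p, q], land(p, q)), ([land(p, neg(p))], q)]

def same_consequences(m1, m2, rules):
    """Compare two matrices on a finite sample of rules, as Lemma 5 predicts for M and M/Theta."""
    return all(entails(m1, ps, c) == entails(m2, ps, c) for ps, c in rules)
```

OTHER is a congruence of the algebra but not a matrix congruence, because the block of (1, 0) is not contained in D; THETA is one, and the reduct by it is the two-element matrix with a single designated value.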


Call a matrix reduced if the diagonal, that is the relation $\Delta = \{\langle x, x \rangle : x \in A\}$, is
the only matrix congruence. We can sharpen Theorem 4 to the following

THEOREM 6. For each logic $\langle \mathcal{L}, \vdash \rangle$ there exists a class S of reduced matrices such that
$\vdash\ =\ \vdash_S$.

Let S be a class of $\nu$-matrices. S is called a unital semantics for $\vdash$ if $\vdash\ =\ \vdash_S$ and for
all $\langle \mathfrak{A}, D \rangle \in S$ we have $|D| \leq 1$. (See Janusz Czelakowski [12, 13]. A unital semantics is
often called algebraic. This, however, is different from the notion of ‘algebraic’ discussed
by Wim Blok and Don Pigozzi in [5].) The following is a useful fact, which is not hard
to verify.


PROPOSITION 7. Let $\vdash$ have a unital semantics. Then in $\vdash$ the rules $p; q; \varphi(p) \vdash \varphi(q)$ are valid for all formulae $\varphi$.


Notice that when a logic over a language $\mathcal{L}$ is given and an algebra $\mathfrak{A}$ with appropriate signature, the set of designated truth values must always be a deductively closed set, otherwise the resulting matrix is not a matrix for the logic. A theory is consistent if it is not the entire language, and maximal consistent if it is maximal in the set of consistent theories. Every consistent theory is contained in a maximally consistent theory. For classical logics the construction in the proof of Theorem 4 can be strengthened by taking as matrices in $S$ those containing only maximally consistent theories. For if $\Sigma \nvdash \varphi$ then $\Sigma; \neg\varphi$ is consistent and so for some maximal consistent $\Delta$ containing $\Sigma$ we have $\neg\varphi \in \Delta$. Taking $v$ to be the identity, $\bar{v}[\Sigma] = \Sigma \subseteq \Delta$, but $\bar{v}(\varphi) \notin \Delta$, otherwise $\Delta$ is not consistent.


2.2 Rules 


A rule is a pair $\rho = \langle \Delta, \varphi \rangle$, where $\Delta$ is a set of formulae, and $\varphi$ a single formula. We also write $\Delta/\varphi$. If $\Delta$ is finite, we call $\rho$ finitary; and if $\Delta$ is empty, we call $\rho$ an axiom. $\rho$ is $n$-ary if $|\Delta| = n$. $\rho$ is a derived rule of $\vdash$ if $\rho \in \vdash$. $\rho$ is admissible if for every substitution $s$: if $\Delta^s \subseteq \mathrm{Taut}(\vdash)$ then $\varphi^s \in \mathrm{Taut}(\vdash)$.

If $R$ is a set of finitary rules, $\vdash^R$ denotes the smallest finitary, structural consequence relation that contains $R$. Given a consequence relation $\vdash$ and a rule $\rho$, $\vdash^{+\rho}$ is the least consequence relation containing $\vdash$ and $\rho$. $\vdash$ is called consistent if it is not the maximal relation. $\vdash$ is consistent iff $p$ is not a tautology. For a consistent $\vdash$ put


(6) $E(\vdash) := \{n : \text{there is an } n\text{-ary rule } \rho \notin \vdash \text{ such that } \vdash^{+\rho} p\}$


$\vdash$ is called Post-complete if $0 \notin E(\vdash)$. It is structurally complete if every admissible rule is derivable.

PROPOSITION 8 (Tokarz). (1) $\vdash$ is structurally complete iff $E(\vdash) \subseteq \{0\}$. (2) $\vdash$ is maximal consistent iff it is both structurally complete and Post-complete.


There is a special matrix, $\mathfrak{Taut} = \langle \mathfrak{Tm}(V), \varnothing^{\vdash} \rangle$. Recall that $\varnothing^{\vdash}$ are simply the tautologies of a logic.


THEOREM 9 (Wójcicki). $\vdash$ is structurally complete iff $\vdash = \vdash_{\mathfrak{Taut}}$.

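$\vdash^R$ can be described as follows. If $s$ is a substitution, say that $\langle \Delta^s, \varphi^s \rangle$ is an instance of $\langle \Delta, \varphi \rangle$. An $R$-proof of $\varphi$ from $\Sigma$ is a sequence $\langle \delta_i : i < n + 1 \rangle$ such that $\delta_n = \varphi$, and for every $i < n + 1$: either $\delta_i \in \Sigma$ or there are $j_k < i$, $k < p$, such that $\langle \{\delta_{j_k} : k < p\}, \delta_i \rangle$ is an instance of a rule from $R$.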

PROPOSITION 10. $\Sigma \vdash^R \varphi$ iff there exists an $R$-proof of $\varphi$ from $\Sigma$.


We remark here that $\vdash$ is finitary iff there is a set $R$ of finitary rules such that $\vdash = \vdash^R$. Of course, $R$ may be infinite. $\vdash$ is decidable if for all finite $\Sigma$ and all $\varphi$ we can decide whether or not $\Sigma \vdash \varphi$. The following is from [32].


THEOREM 11 (Harrop). Suppose that $\mathfrak{M} = \langle \mathfrak{A}, D \rangle$ is a finite logical matrix. Then $\vdash_{\mathfrak{M}}$ is decidable.


For example, one can use truth-tables. This procedure is generally slower than tableaux-methods, but only mildly so (see [15]).
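The truth-table procedure behind Theorem 11, as an added example (not code from the chapter). Formulas are nested tuples, a finite matrix is given by its carrier, its designated set and its operation tables; the two sample matrices (classical two-valued, and Łukasiewicz three-valued with values coded 0, 1, 2) are choices made here for illustration.

```python
from itertools import product

def variables(f):
    """A variable is a str; a compound formula is a tuple (connective, arg, ...)."""
    if isinstance(f, str):
        return {f}
    return set().union(*(variables(a) for a in f[1:]))

def evaluate(f, ops, v):
    """The homomorphic extension of the assignment v, applied to the formula f."""
    if isinstance(f, str):
        return v[f]
    return ops[f[0]](*(evaluate(a, ops, v) for a in f[1:]))

class Matrix:
    """A finite logical matrix: carrier, designated values D, operation tables."""

    def __init__(self, values, designated, ops):
        self.values = tuple(values)
        self.designated = frozenset(designated)
        self.ops = ops

    def counterexample(self, premises, conclusion):
        """First assignment sending every premise into D but not the conclusion."""
        names = sorted(set().union(variables(conclusion),
                                   *(variables(p) for p in premises)))
        for row in product(self.values, repeat=len(names)):
            v = dict(zip(names, row))
            if (all(evaluate(p, self.ops, v) in self.designated for p in premises)
                    and evaluate(conclusion, self.ops, v) not in self.designated):
                return v
        return None

    def entails(self, premises, conclusion):
        """Decide premises |-_M conclusion by exhausting all |A|^n assignments."""
        return self.counterexample(premises, conclusion) is None

# Sample matrices, constructed for this example.
CLASSICAL = Matrix((0, 1), {1}, {
    'not': lambda x: 1 - x, 'and': min, 'or': max,
    'imp': lambda x, y: max(1 - x, y)})
L3 = Matrix((0, 1, 2), {2}, {
    'not': lambda x: 2 - x, 'and': min, 'or': max,
    'imp': lambda x, y: min(2, 2 - x + y)})

if __name__ == "__main__":
    p, q = 'p', 'q'
    contraction = ('imp', p, ('imp', p, q))
    print(CLASSICAL.entails([], ('or', p, ('not', p))))
    print(L3.counterexample([], ('or', p, ('not', p))))
    print(L3.entails([contraction, p], q))
    print(L3.counterexample([contraction], ('imp', p, q)))
```

The last two calls show a finite matrix in which modus ponens holds for the implication while moving a premise across the turnstile fails.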


2.3 The Deduction Theorem


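The rule of modus ponens (MP$_{\twoheadrightarrow}$) for a binary connective $\twoheadrightarrow$ is the rule $\langle \{p, p \twoheadrightarrow q\}, q \rangle$. (MP$_{\to}$) is called (MP) in classical logic. There are many more connectives $\twoheadrightarrow$ for which (MP$_{\twoheadrightarrow}$) is a derived rule, for example $\wedge$. $\twoheadrightarrow$ is said to satisfy a deduction theorem with respect to $\vdash$ if for all $\Sigma$, $\varphi$, $\psi$


(7) $\Sigma; \varphi \vdash \psi \iff \Sigma \vdash \varphi \twoheadrightarrow \psi$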


A consequence relation $\vdash$ is said to satisfy the deduction theorem (DT) for $\twoheadrightarrow$ if $\twoheadrightarrow$ satisfies (MP$_{\twoheadrightarrow}$) and (7) holds. (See [14] for a survey of deduction theorems.) Given (DT) it is possible to transform any rule different from (MP) into an axiom preserving the consequence relation. Hence it is possible to replace the original rule calculus by a Hilbert-style calculus, where (MP) is the only rule which is not an axiom. Given a set of rules $R$, we say it has a deduction theorem for $\twoheadrightarrow$ if $\vdash^R$ does.


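THEOREM 12. A Hilbert-style calculus for $\twoheadrightarrow$ has a deduction theorem for $\twoheadrightarrow$ iff $\twoheadrightarrow$ satisfies (MP$_{\twoheadrightarrow}$) and the following are axioms of $\vdash$:
(8) $p \twoheadrightarrow (q \twoheadrightarrow p)$


(9) $(p \twoheadrightarrow (q \twoheadrightarrow r)) \twoheadrightarrow ((p \twoheadrightarrow q) \twoheadrightarrow (p \twoheadrightarrow r))$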


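Proof. ($\Rightarrow$) Suppose both (MP$_{\twoheadrightarrow}$) and (7) hold for $\vdash$. Then, since $\varphi \vdash \varphi$, also $\varphi; \psi \vdash \varphi$ and (by (7)) also $\varphi \vdash \psi \twoheadrightarrow \varphi$ and (again by (7)) $\vdash \varphi \twoheadrightarrow (\psi \twoheadrightarrow \varphi)$. For (9) note that the following sequence


(10) $\langle \varphi \twoheadrightarrow (\psi \twoheadrightarrow \chi),\ \varphi \twoheadrightarrow \psi,\ \varphi,\ \psi \twoheadrightarrow \chi,\ \psi,\ \chi \rangle$


proves $\varphi \twoheadrightarrow (\psi \twoheadrightarrow \chi); \varphi \twoheadrightarrow \psi; \varphi \vdash \chi$. Apply (DT) three times and the formula is proved. ($\Leftarrow$) By induction on the length of an $R$-proof $\alpha$ of $\psi$ from $\Sigma \cup \{\varphi\}$ we show that $\Sigma \vdash \varphi \twoheadrightarrow \psi$. Suppose the length of $\alpha$ is 1. Then $\psi \in \Sigma \cup \{\varphi\}$. There are two cases: (1) $\psi \in \Sigma$. Then observe that $\langle \psi \twoheadrightarrow (\varphi \twoheadrightarrow \psi),\ \psi,\ \varphi \twoheadrightarrow \psi \rangle$ is a proof of $\varphi \twoheadrightarrow \psi$ from $\Sigma$. (2) $\psi = \varphi$. Then we have to show that $\Sigma \vdash \varphi \twoheadrightarrow \varphi$. Now observe that the following is an instance of (9):


(11) $(\varphi \twoheadrightarrow ((\psi \twoheadrightarrow \varphi) \twoheadrightarrow \varphi)) \twoheadrightarrow ((\varphi \twoheadrightarrow (\psi \twoheadrightarrow \varphi)) \twoheadrightarrow (\varphi \twoheadrightarrow \varphi))$


But $\varphi \twoheadrightarrow ((\psi \twoheadrightarrow \varphi) \twoheadrightarrow \varphi)$ and $\varphi \twoheadrightarrow (\psi \twoheadrightarrow \varphi)$ are both instances of (8) and by applying (MP) twice we get $\varphi \twoheadrightarrow \varphi$. Now let $\alpha$ be of length $> 1$. Then we may assume that $\psi$ is obtained by an application of (MP$_{\twoheadrightarrow}$) from some formulae $\chi$ and $\chi \twoheadrightarrow \psi$. Thus the proof looks as follows:


(12) $\ldots, \chi, \ldots, \chi \twoheadrightarrow \psi, \ldots, \psi$


Now by induction hypothesis $\Sigma \vdash \varphi \twoheadrightarrow \chi$ and $\Sigma \vdash \varphi \twoheadrightarrow (\chi \twoheadrightarrow \psi)$. Now,


(13) $(\varphi \twoheadrightarrow (\chi \twoheadrightarrow \psi)) \twoheadrightarrow ((\varphi \twoheadrightarrow \chi) \twoheadrightarrow (\varphi \twoheadrightarrow \psi))$
is a theorem and so we get that $\Sigma \vdash \varphi \twoheadrightarrow \psi$ with two applications of (MP). ∎

For any given set $\Sigma$ there exists at most one (finitary and structural) consequence relation $\vdash$ with a deduction theorem for a given connective such that $\Sigma$ is the set of tautologies of $\vdash$. For assume $\Delta \vdash \varphi$ for a set $\Delta$. Then since $\vdash$ is finitary, there exists a finite set $\Delta_0 \subseteq \Delta$ such that $\Delta_0 \vdash \varphi$. Let $\Delta_0 := \{\delta_i : i < n\}$. Put


(14) $\mathrm{ded}(\Delta_0, \varphi) := \delta_0 \twoheadrightarrow (\delta_1 \twoheadrightarrow \cdots (\delta_{n-1} \twoheadrightarrow \varphi) \cdots)$
Then, by the deduction theorem for $\twoheadrightarrow$


(15) $\Delta_0 \vdash \varphi \iff \varnothing \vdash \mathrm{ded}(\Delta_0, \varphi)$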
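The induction in the second half of the proof of Theorem 12 is an algorithm: it rewrites a proof of the conclusion from the premises plus one extra hypothesis, line by line, into a proof of the implication from the premises alone. The following added example (not from the chapter) implements that rewriting together with a checker for a Hilbert calculus whose only rules are the axioms (8), (9) and modus ponens; the tuple encoding with `'->'` for the connective and all function names are assumptions of this example.

```python
def imp(a, b):
    return ('->', a, b)

def is_imp(f):
    return isinstance(f, tuple) and len(f) == 3 and f[0] == '->'

def is_ax8(f):
    """Instance of (8): p -> (q -> p)."""
    return is_imp(f) and is_imp(f[2]) and f[1] == f[2][2]

def is_ax9(f):
    """Instance of (9): (p -> (q -> r)) -> ((p -> q) -> (p -> r))."""
    if not (is_imp(f) and is_imp(f[1]) and is_imp(f[1][2])):
        return False
    p, q, r = f[1][1], f[1][2][1], f[1][2][2]
    return f[2] == imp(imp(p, q), imp(p, r))

def justified(i, proof, hyps):
    """Line i is a hypothesis, an axiom instance, or follows by MP from earlier lines."""
    f, earlier = proof[i], proof[:i]
    if f in hyps or is_ax8(f) or is_ax9(f):
        return True
    return any(imp(chi, f) in earlier for chi in earlier)

def is_proof(proof, hyps, goal):
    return (bool(proof) and proof[-1] == goal
            and all(justified(i, proof, hyps) for i in range(len(proof))))

def deduce(proof, sigma, phi):
    """Turn a proof of psi from sigma + {phi} into a proof of phi -> psi from sigma."""
    out = []
    for i, d in enumerate(proof):
        if d == phi:
            # Case (2) of the proof: the instance (11) of (9), two instances
            # of (8), and two applications of MP give phi -> phi.
            a = imp(phi, imp(imp(phi, phi), phi))
            b = imp(phi, imp(phi, phi))
            out += [imp(a, imp(b, imp(phi, phi))), a,
                    imp(b, imp(phi, phi)), b, imp(phi, phi)]
        elif d in sigma or is_ax8(d) or is_ax9(d):
            # Case (1): d -> (phi -> d) is an instance of (8); apply MP.
            out += [imp(d, imp(phi, d)), d, imp(phi, d)]
        else:
            # MP step: d came from chi and chi -> d; use the instance (13) of (9).
            chi = next((c for c in proof[:i] if imp(c, d) in proof[:i]), None)
            if chi is None:
                raise ValueError(f"line {i} is not justified: {d!r}")
            out += [imp(imp(phi, imp(chi, d)), imp(imp(phi, chi), imp(phi, d))),
                    imp(imp(phi, chi), imp(phi, d)), imp(phi, d)]
    return out

if __name__ == "__main__":
    # Constructed input: from p -> q and q -> r, with extra hypothesis p, derive r.
    sigma = {imp('p', 'q'), imp('q', 'r')}
    proof = ['p', imp('p', 'q'), 'q', imp('q', 'r'), 'r']
    new = deduce(proof, sigma, 'p')
    print(len(new), is_proof(new, sigma, imp('p', 'r')))
```

Each input line costs at most five output lines, so the transformed proof is linear in the length of the original.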


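THEOREM 13. Let $\vdash$ and $\vdash'$ be consequence relations with $\mathrm{Taut}(\vdash) = \mathrm{Taut}(\vdash')$. Suppose that there exists a binary term function $\twoheadrightarrow$ such that $\vdash$ and $\vdash'$ satisfy (DT) for $\twoheadrightarrow$. Then $\vdash = \vdash'$.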


2.4 Interpolation 


$\vdash$ has interpolation if whenever $\varphi \vdash \psi$ there exists a formula $\chi$ (called interpolant) with $\mathrm{var}(\chi) \subseteq \mathrm{var}(\varphi) \cap \mathrm{var}(\psi)$ such that both $\varphi \vdash \chi$ and $\chi \vdash \psi$. Interpolation is a rather strong property, and generally logics fail to have it. There is a rather simple theorem which allows to prove interpolation for logics based on a finite matrix. Say that $\vdash$ has a conjunction if there is a term $p \wedge q$ such that the following are derivable rules: $\langle \{p, q\}, p \wedge q \rangle$ and both $\langle \{p \wedge q\}, p \rangle$ and $\langle \{p \wedge q\}, q \rangle$. In addition, if $\vdash = \vdash_{\mathfrak{M}}$ for some logical matrix $\mathfrak{M} = \langle M, D \rangle$ we say that $\vdash$ has all constants if for each $s \in M$ there exists a nullary term function $s$ such that for all valuations $v$, $\bar{v}(s) = s$. (Note that since $\mathrm{var}(s) = \varnothing$ the value of $s$ does not depend at all on $v$.) This rather complicated definition allows that we do not need to have a constant for each truth-value; it is enough if they are definable from the others. For example in classical logic we may have only $\top = 1$ as a primitive and then $0 = \neg\top$. An algebra is functionally complete if every function $A^n \to A$ is a term function of $\mathfrak{A}$; $\mathfrak{A}$ is polynomially complete if every function $A^n \to A$ is a polynomial function. Every functionally complete algebra is polynomially complete; the converse need not hold, since polynomials may employ constants for the elements of $A$. However, if $\mathfrak{A}$ has all constants, then it is functionally complete iff it is polynomially complete.


THEOREM 14. Suppose that $\mathfrak{M}$ is a finite logical matrix. Suppose that $\vdash_{\mathfrak{M}}$ has a conjunction $\wedge$ and all constants; then $\vdash_{\mathfrak{M}}$ has interpolation.


(See [39], Theorem 1.6.4, where a proof is given.) A property closely related to interpolation is Halldén-completeness, named after Sören Halldén, who discussed it first in [31]. (See also [54].) $\vdash$ is called Halldén-complete if for all $\varphi$ and $\psi$ with $\mathrm{var}(\varphi) \cap \mathrm{var}(\psi) = \varnothing$: if $\varphi \vdash \psi$ and $\varphi$ is consistent then $\vdash \psi$. 2-valued logics are Halldén-complete. Namely, assume that $\varphi$ is consistent. Let $v : \mathrm{var}(\psi) \to 2$ be a valuation. Since $\varphi$ is consistent there exists a $u : \mathrm{var}(\varphi) \to 2$ such that $\bar{u}(\varphi) = 1$. Put $w := u \cup v$. Since $u$ and $v$ have disjoint domains, this is well-defined. Then $\bar{w}(\varphi) = 1$, and so $\bar{w}(\psi) = 1$. So, $\bar{v}(\psi) = 1$. This shows that $\vdash \psi$. The following generalisation is now evident.


THEOREM 15 (Łoś & Suszko). Let $\mathfrak{M}$ be a logical matrix. Then $\vdash_{\mathfrak{M}}$ is Halldén-complete.

In classical logic, the property of Halldén-completeness can be reformulated in a somewhat more familiar form. Namely, the property says that for $\varphi$ and $\psi$ disjoint in variables, if $\varphi \vee \psi$ is a tautology then either $\varphi$ or $\psi$ is a tautology.

Finally notice 


THEOREM 16. Suppose that $\mathfrak{M}$ is a logical matrix and $\vdash_{\mathfrak{M}}$ has all constants. Then $\vdash_{\mathfrak{M}}$ is structurally complete and Post-complete.


2.5 Modal Logics and Modal Consequence Relations 


A modal consequence relation is a structural consequence relation of modal formulae which contains at least the classical tautologies and in which the rule (MP$_{\to}$) is derived. Unless otherwise stated, modal consequence relations are assumed to be finitary. If in addition for every basic modality $\Box$ the rule (E$_\Box$) $:= \langle \{p \leftrightarrow q\}, \Box p \leftrightarrow \Box q \rangle$ is admissible, $\vdash$ is called classical. If the rule (M$_\Box$) $:= \langle \{p \to q\}, \Box p \to \Box q \rangle$ is admissible for every basic modality $\Box$, $\vdash$ is called monotone. Finally, if all rules (MN$_\Box$) $:= \langle \{p\}, \Box p \rangle$ are admissible, $\vdash$ is called normal. For simplicity, we refer to the set of the rules (MN$_\Box$), $\Box$ a basic modality, as (MN), and treat it (somewhat inappropriately) as a single rule.

Modal logic is typically the study of modal logics and not that of modal consequence relations. The relationship is one-to-many. If $\vdash$ is a (modal) consequence relation, then


(16) $\mathrm{Taut}(\vdash) := \{\varphi : \varnothing \vdash \varphi\}$


is a modal logic, where a modal logic is any substitution closed set of formulae which contains all classical tautologies and (MP$_{\to}$). There is a converse map. Given a logic $L$, put


(17) $\vdash_L := \vdash^{L; (\mathrm{MP}_{\to})}$


where $L$ is here identified with the set of rules $\langle \varnothing, \varphi \rangle$, $\varphi \in L$. Evidently, $\Delta \vdash_L \varphi$ iff $\Delta; L \vdash^{(\mathrm{MP}_{\to})} \varphi$. By Theorem 12 $\vdash_L$ has a DT for $\to$. We shall often tacitly identify $L$ with $\vdash_L$.

DEFINITION 17. $L$ is classical (monotone, normal) if $\vdash_L$ is. The smallest normal logic with $\kappa$ operators is denoted by $\mathrm{K}_\kappa$. $L$ is quasi-normal if $L$ contains $\mathrm{K}_\kappa$.


We also call a consequence relation quasi-normal if its set of tautologies is. Call a term $t(p)$ a normal operator for $L$ if it satisfies (a) $t(\varphi \to \chi) \to (t(\varphi) \to t(\chi)) \in L$, and (b) if $t(\varphi) \in L$ then $\Box_j t(\varphi) \in L$. There is a class of formulae that generally are normal if all basic modalities are; these are the so-called compound modalities. A term $t(p)$ with just one variable is called a compound modality if it just contains the connectives $\Box_i$, $i < \kappa$, and $\wedge$ in addition to constants; and no variable except for $p$. One can assign a relation corresponding to $t(p)$ on a frame $\mathfrak{F} = \langle F, \langle \lhd_i : i < \kappa \rangle \rangle$ by induction on its structure as follows.


(18) $R(p) := \{\langle x, x \rangle : x \in F\}$
$R(\Box_j s) := \lhd_j \circ R(s)$
$R(s \wedge t) := R(s) \cup R(t)$


Then for all valuations $\beta$ and $x \in F$:


(19) $\langle \mathfrak{F}, \beta, x \rangle \models t(\varphi) \iff$ for all $y$ such that $x \mathrel{R(t)} y$: $\langle \mathfrak{F}, \beta, y \rangle \models \varphi$

Let $L$ be a modal logic. Then define
(20) $\mathrm{CRel}(L) := \{\vdash : \mathrm{Taut}(\vdash) = L\}$


Furthermore, let $\vdash^m_L$ be the modal consequence relation containing $\vdash_L$ in which every admissible rule is derived. (It can be obtained by adding to $\vdash_L$ all admissible rules.)
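Returning to the relation $R(t)$ of (18): the following added example (not from the chapter) computes $R(t)$ for a compound modality on a finite Kripke frame and checks the equivalence (19) against direct evaluation of $t(\varphi)$. The term encoding, the sample frame with two relations and the omission of constants are assumptions made here.

```python
from itertools import combinations

# Terms: 'p', ('box', j, s) for Box_j s, ('and', s, t). Constants are left out.

def relation(t, worlds, acc):
    """R(t) as defined in (18); acc[j] is the accessibility relation of Box_j."""
    if t == 'p':
        return {(x, x) for x in worlds}
    if t[0] == 'box':
        _, j, s = t
        rs = relation(s, worlds, acc)
        # Composition: x -> z iff x acc_j y and y R(s) z for some y.
        return {(x, z) for (x, y) in acc[j] for (y2, z) in rs if y == y2}
    if t[0] == 'and':
        return relation(t[1], worlds, acc) | relation(t[2], worlds, acc)
    raise ValueError(f"not a compound modality: {t!r}")

def holds(t, acc, truth, x):
    """Direct Kripke evaluation of t(phi) at x; truth is the set of worlds where phi holds."""
    if t == 'p':
        return x in truth
    if t[0] == 'box':
        return all(holds(t[2], acc, truth, y) for (x2, y) in acc[t[1]] if x2 == x)
    if t[0] == 'and':
        return holds(t[1], acc, truth, x) and holds(t[2], acc, truth, x)
    raise ValueError(f"not a compound modality: {t!r}")

def satisfies_19(t, worlds, acc):
    """Check (19) at every world, for every possible truth set of phi."""
    r = relation(t, worlds, acc)
    ws = sorted(worlds)
    for k in range(len(ws) + 1):
        for truth in map(set, combinations(ws, k)):
            for x in ws:
                via_relation = all(y in truth for (x2, y) in r if x2 == x)
                if holds(t, acc, truth, x) != via_relation:
                    return False
    return True

# Constructed sample frame with two accessibility relations.
WORLDS = {0, 1, 2}
ACC = {0: {(0, 1), (1, 2)}, 1: {(0, 0), (2, 1)}}
# t(p) = p AND Box_0 (Box_1 p AND p)
T = ('and', 'p', ('box', 0, ('and', ('box', 1, 'p'), 'p')))

if __name__ == "__main__":
    print(sorted(relation(T, WORLDS, ACC)))
    print(satisfies_19(T, WORLDS, ACC))
```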


PROPOSITION 18. Let $L$ be a modal logic. Then
(21) $\mathrm{CRel}(L) = \{\vdash : \vdash_L \subseteq \vdash \subseteq \vdash^m_L\}$


Moreover, $\vdash_L$ is the unique member of $\mathrm{CRel}(L)$ having a deduction theorem for $\to$ and $\vdash^m_L$ is the unique member which is structurally complete.


Now, as is reported in [39], for logics contained in $\mathrm{G.3}$, $|\mathrm{CRel}(L)| = 2^{\aleph_0}$. However, for tabular logics the situation is actually different (see also Theorem 130 below).


THEOREM 19. Let $L$ be a tabular modal logic over a finite $\kappa$. Then $\mathrm{CRel}(L)$ is at most countable, and every member of $\mathrm{CRel}(L)$, indeed every extension of $\vdash_L$, is finitely axiomatisable and decidable.


Proof. First, a tabular logic is finitely axiomatisable. This needs some sophistication. Anticipating the results below, notice first that $V(L)$ is locally finite. Then, using Corollary 49 we establish that $\mathrm{NExt}(L)$ is continuous, by Theorem 47 that $\mathrm{NExt}(L)$ has a basis, and therefore by Theorem 48 that $\mathrm{NExt}(L)$ has a strong basis. It follows with Theorem 50 that every extension of $\mathrm{NExt}(L)$ is finitely axiomatisable. So, $\vdash_M$ is finitely axiomatisable for every $M \supseteq L$. Also, $V(L)$ is locally finite. Now, every extension of $\vdash_L$ is determined by some set of matrices verifying the axioms $L$. This means that they satisfy the axiom that the algebra has at most $|A|$ elements. This reduces the irreducible matrices to those of the form $\langle \mathfrak{B}, D \rangle$ where $|B| \leq |A|$, of which there are only finitely many. (The exact argument is nontrivial, see also [14], Corollary 2.5.20.) Thus, $\vdash_L$ has finitely many extensions. It is not difficult to show that they are all compact. Being determined by a finite set of finite algebras, they are all decidable. ∎


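To see some more examples, consider the rule $\langle \{\Box p\}, p \rangle$. It is admissible in $\mathrm{K}$. For assume that $\varphi := p^s$ is not a theorem. Then there exists a model $\langle \mathfrak{F}, \beta, x \rangle \models \neg\varphi$ based on the Kripke-frame $\langle F, \lhd \rangle$. Consider the frame $\mathfrak{G}$ based on $F \cup \{z\}$, where $z \notin F$, and the relation $\lhd' := \lhd \cup \{\langle z, y \rangle : y \in F\}$. Take $\gamma(p) := \beta(p)$. Then $\langle \mathfrak{G}, \gamma, z \rangle \models \neg\Box\varphi$. The rule $\langle \{p\}, \Diamond p \rangle$ is not admissible in $\mathrm{K}$ despite the admissibility of $\langle \{\Box p\}, p \rangle$. Take $p := \top$. $\Diamond\top$ is not a theorem of $\mathrm{K}$. Similarly, the so-called MacIntosh rule $\langle \{p \to \Box p\}, \Diamond p \to p \rangle$ is not admissible for $\mathrm{K}$. Namely, put $p := \Box\bot$. $\Box\bot \to \Box\Box\bot$ is a theorem but $\Diamond\Box\bot \to \Box\bot$ is not. Notice also that if a rule $\rho$ is admissible in a logic $L$ we may not conclude that $\rho$ is admissible in every extension of $L$. A case in point is the rule $\langle \{\Box p\}, p \rangle$, which is not admissible in $\mathrm{K} \oplus \Box\bot$.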


2.6 Lattices of Modal Consequence Relations 


Every finitary consequence relation has the form $\vdash^R$ for some set $R$ of finitary rules. Define


(22) med eae en od 
(23) $\vdash^R \sqcup \vdash^S := \vdash^{R \cup S}$

We can even define infinitary analogs of the operations:


ier tel 
(25) [| ee eect) 
ier 


It is to be noted, though, that the infinite intersection of finitary consequence relations need not be finitary again. It is also not possible to axiomatize it in terms of the rules for the $\vdash_i$. Therefore in the sequel we shall frequently deal with lattices in which only join is infinitary.

If a finitary rule is derivable in $\vdash^S$, then it is derivable already in $\vdash^{S_0}$ for some finite $S_0$, since $\vdash^S$ is finitary by assumption. It follows that a consequence relation is compact iff it is finitely axiomatisable. Moreover, the lattice is algebraic, since $\vdash^R = \bigsqcup_{\rho \in R} \vdash^{\rho}$. Finally, $\vdash'$ is quasi-normal iff $\mathrm{Taut}(\vdash')$ is quasi-normal iff $\mathrm{Taut}(\vdash')$ contains $\mathrm{K}_\kappa$.


PROPOSITION 20. The set of modal consequence relations over a given language forms an algebraic lattice. The compact elements are exactly the finitely axiomatisable consequence relations. The lattice of quasi-normal consequence relations is the sublattice of consequence relations containing $\vdash_{\mathrm{K}_\kappa}$.


We write $\mathrm{Ext}(\vdash)$ for the set of extensions of $\vdash$. By abuse of the notation we shall also denote the lattice over this set by $\mathrm{Ext}(\vdash)$. Similarly $\mathrm{QExt}(\vdash)$ denotes the set and the lattice of quasi-normal extensions. $\mathrm{NExt}(L)$ denotes the set and the lattice of normal extensions of a modal logic $L$.


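PROPOSITION 21. For each quasi-normal logic $L$ and each quasi-normal consequence relation $\vdash'$,

(26) $\vdash_L \subseteq \vdash' \iff L \subseteq \mathrm{Taut}(\vdash')$

$\mathrm{Taut}(-)$ commutes with infinite intersections, $\vdash_L$ with infinite intersections and infinite joins. It follows that $\mathrm{NExt}(\mathrm{K}_\kappa)$ is a sublattice of $\mathrm{Ext}(\vdash_{\mathrm{K}_\kappa})$.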


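$\mathrm{Taut}(-)$ does not commute with joins. For example, let $\vdash_1 := \vdash^m_{\mathrm{G.3}}$ and $\vdash_2 := \vdash_{\mathrm{K} \oplus \Box\bot}$. Then, by Theorem 28, $\vdash_1$ is maximal, and so $\mathrm{Taut}(\vdash_1 \sqcup \vdash_2) = \mathrm{K} \oplus \bot$. However, $\mathrm{G.3} \sqcup \mathrm{K} \oplus \Box\bot = \mathrm{K} \oplus \Box\bot$.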


PROPOSITION 22. In monomodal logic, $\vdash_L$ is maximal iff $L$ is a coatom.


Proof. Clearly, if $\vdash_L$ is maximal in $\mathrm{Ext}(\vdash_{\mathrm{K}})$, $L$ must be a coatom. To show the converse, we need to show that for a maximal consistent normal logic $L$, $\vdash_L$ is structurally complete. (It will follow that $\mathrm{CRel}(L)$ has exactly one element.) Now, $L$ is Post-complete iff it contains either the formula $\Box\bot$ or the formula $p \leftrightarrow \Box p$. Assume that $\vdash_L$ can be expanded by a rule $\rho = \langle \Delta, \varphi \rangle$. Then, by using the axioms $\rho$ can be transformed into a rule $\rho' = \langle \Delta', \varphi' \rangle$ in which the formulae are nonmodal. (Namely, any formula in a rule may be exchanged by a deductively equivalent formula. Either $\Box\bot \in L$ and any subformula $\Box\chi$ may be replaced by $\top$, or $p \leftrightarrow \Box p \in L$ and then $\Box\chi$ may be replaced by $\chi$.) A nonmodal rule not derivable in $\vdash_L$ is also not derivable in its boolean fragment. By the maximality of the latter, adding $\rho'$ yields the inconsistent logic. ∎


In polymodal logics matters are a bit more complicated. There exist $2^{\aleph_0}$ logics which are coatoms in $\mathrm{NExt}(\mathrm{K}_2)$ without their consequence relation being maximal. Moreover, in monomodal logics there exist $2^{\aleph_0}$ maximal consequence relations, which are therefore not of the form $\vdash_L$ (except for the two abovementioned consequence relations). Notice that even though a consequence is maximal iff it is structurally complete and Post-complete, Post-completeness is relative to the derivable rules. Therefore, this does not mean that the tautologies form a maximally consistent modal logic.

There is another consequence relation frequently associated with a logic, namely 


(27) $\Vdash_L := \vdash^{L; (\mathrm{MP}_{\to}); (\mathrm{MN})}$


This is called the global consequence relation. Evidently, if (MN) is admissible, the set of tautologies is a normal logic, so $\mathrm{Taut}(\Vdash_L)$ is actually the least normal logic containing $L$.


PROPOSITION 23. Let $L$ be a normal logic. Then the following are equivalent.
1. $\vdash_L = \Vdash_L$.


2. $\Vdash_L$ admits a deduction theorem for $\to$.


3. $L \supseteq \mathrm{K}_\kappa \oplus \{p \to \Box_j p : j < \kappa\}$.
4. $L$ is the logic of some set of Kripke-frames containing only one world.

Clearly, if $\vdash_L \neq \Vdash_L$ then there are several consequence relations for a given logic. We will show now that the converse almost holds. For the purpose of stating the theorem, let $\boxed{\bullet}$ and $\boxed{\circ}$ be the one-point irreflexive and reflexive frame, respectively.


PROPOSITION 24. Let $L$ be a modal logic. Then the following are equivalent.
(a) $|\mathrm{CRel}(L)| = 1$.


(b) $\vdash_L$ is structurally complete.


(c) $L$ is the logic of a single Kripke-frame containing a single world.


(d) $L$ is a fusion of monomodal logics of the frames $\boxed{\bullet}$ or $\boxed{\circ}$.


The nontrivial part is to show that (b) $\Rightarrow$ (c). Assume (c). Then since $\vdash_L$ is the logic of a single algebra based on two elements, and has all constants, it is structurally complete. Now let (c) fail. There are basically two cases. If $L$ is not the logic of one-point frames, then $\vdash_L$ is anyway not structurally complete by Proposition 22. Otherwise, it is the intersection of logics determined by matrices of the form $\langle \mathfrak{A}, D \rangle$, $D$ an open filter, $\mathfrak{A}$ the free algebra in $\aleph_0$ generators. (In fact, the freely 0-generated algebra is enough.) $\mathfrak{A}$ contains a constant $c$ such that $0 < c < 1$. Namely, take two different one point frames. Then, say, $\lhd_0$ is the diagonal on one frame and empty on the other. Then $c := \Box_0\bot$ is a constant of the required form. The rule $\langle \{\Diamond_0\top\}, p \rangle$ is admissible but not derivable.
The method of the last proof can be used in many different ways.


LEMMA 25. Let $L$ be a logic and $\chi$ a constant formula such that neither $\chi$ nor $\neg\chi$ are inconsistent. Then the rule $\rho[\chi] := \langle \{\chi\}, \bot \rangle$ is admissible for $L$ but not derivable in $\vdash_L$.


Since $\chi \notin L$ and $\mathrm{var}(\chi) = \varnothing$, for no substitution $s$, $\chi^s \in L$. Hence the rule $\rho[\chi]$ is admissible. If it is derivable in $\vdash_L$ then $\vdash_L \chi \to \bot$, by the DT. So $\neg\chi \in L$, which is not the case. So, $\rho[\chi]$ is not derivable.


Figure 1. $\mathfrak{T}_M$, $M = \{1, 3, 4, \ldots\}$


THEOREM 26. Let $L$ be a logic such that $\mathfrak{Fr}_L(0)$ has infinitely many elements. Then $|\mathrm{CRel}(L)| = 2^{\aleph_0}$.

The idea is as follows. There is an infinite set $C$ of constants such that $\chi \wedge \chi' \vdash_L \bot$ whenever $\chi$, $\chi'$ are distinct members of $C$. The relations $\vdash^{D}$ for $D \subseteq C$ are all pairwise distinct.

COROLLARY 27. Let $L$ be a monomodal logic and $L \subseteq \mathrm{G.3}$. Then $|\mathrm{CRel}(L)| = 2^{\aleph_0}$.

In addition, $\vdash^m_{\mathrm{G.3}}$ is maximal. This follows from the following


THEOREM 28. Let $L$ be the logic of its 0-generated free algebra. Then $\vdash^m_L$ is maximal.


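Proof. Let $\Vdash \supsetneq \vdash^m_L$. Then $\mathrm{Taut}(\Vdash) \supsetneq L$. Since $L$ is determined by its freely 0-generated algebra, there is a constant $\chi$ such that $L \subsetneq L \oplus \chi \subseteq \mathrm{Taut}(\Vdash)$. Therefore, we have $\chi \notin L$. (Case 1.) $\neg\chi \notin L$. Then $\rho[\chi]$ is admissible in $L$ and so derivable in $\vdash^m_L$. Therefore $\rho[\chi] \in \Vdash$, and so $\Vdash \bot$. So, $\Vdash$ is inconsistent. (Case 2.) $\neg\chi \in L$. Then $\mathrm{Taut}(\Vdash)$ and also $\Vdash$ is inconsistent. ∎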


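We will now turn to the set of coatoms in $\mathrm{NExt}(\vdash_{\mathrm{K}})$. Let $M \subseteq \omega$. Put $T_M := \{n^\bullet : n \in \omega\} \cup \{n^\circ : n \in M\}$ and


(28) $x \lhd y \iff$ (1.) $x = m^\bullet$, $y = n^\bullet$ and $m > n$, or (2.) $x = m^\circ$, $y = n^\bullet$ and $m \geq n$, or (3.) $x = m^\circ$, $y = n^\circ$ and $m = n$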


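Let $\mathfrak{B}_M$ be the algebra of 0-definable sets. Put $\mathfrak{T}_M := \langle T_M, \lhd, \mathfrak{B}_M \rangle$. If $M \neq N$ then $\mathrm{Th}(\mathfrak{T}_M) \neq \mathrm{Th}(\mathfrak{T}_N)$. To see this, note that every one-element set $\{n^\circ\}$ in $\mathfrak{T}_M$ is definable by a formula $\chi(n)$ that depends only on $n$, not on $M$. First, take the formula


(29) $\delta(n) := \Box^{n+1}\bot \wedge \neg\Box^{n}\bot$


$\delta(n)$ defines the set $\{n^\bullet\}$. Now put
(30) $\chi(n) := \Diamond\delta(n) \wedge \neg\delta(n+1) \wedge \neg\Diamond\delta(n+1)$


It is easily checked that $\chi(n)$ defines $\{n^\circ\}$. Hence, if $n \notin M$, $\neg\chi(n) \in \mathrm{Th}\,\mathfrak{T}_M$. So, $\neg\chi(n) \in \mathrm{Th}\,\mathfrak{T}_M$ iff $n \notin M$. This establishes that if $M \neq N$, $\mathrm{Th}\,\mathfrak{T}_M \neq \mathrm{Th}\,\mathfrak{T}_N$.
THEOREM 29. The lattice of normal monomodal consequence relations contains $2^{\aleph_0}$ many coatoms.


2.7 The Locale of Modal Logics—General Theory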


Given a normal modal logic $L$ and a set $\Delta$ of formulae, $L \oplus \Delta$ denotes the smallest normal logic which contains $L$ and $\Delta$. Recall that $\mathrm{NExt}(L)$ denotes the set (and lattice) of normal logics containing $L$. For logics $M_i = L \oplus \Delta_i$ we have


(31) $\bigsqcup_{i \in I} M_i = L \oplus \bigcup_{i \in I} \Delta_i$


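We can also calculate the axiomatisation of the intersection of two logics. Given two formulae, $\varphi$ and $\chi$, let $\varphi \mathbin{\dot\vee} \chi$ denote a formula $\varphi \vee \chi^s$, where $s$ is one-to-one and renames the variables of $\chi$ so as to make them distinct from the variables of $\varphi$. Then


(32) $(L \oplus \Delta) \sqcap (L \oplus \Sigma) = L \oplus \{\boxplus\varphi \mathbin{\dot\vee} \boxplus\chi : \varphi \in \Delta, \chi \in \Sigma, \boxplus \text{ a compound modality}\}$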


(See [50] or [39].) This can be used to show that $\mathrm{NExt}(L)$ satisfies the following infinitary distributive law


(33) $x \sqcap \bigsqcup_{i \in I} y_i = \bigsqcup_{i \in I} (x \sqcap y_i)$


In particular, the usual distributivity law holds. This means that the lattice is a locale, where a locale is a lattice with infinitary join and finitary meet satisfying (33). Recall that the operation $\bigsqcap$ can be defined from $\bigsqcup$ as follows:


(34) $\bigsqcap_{i \in I} x_i := \bigsqcup \langle y : \text{for all } i \in I: y \leq x_i \rangle$


A locale is continuous if also $L \sqcup \bigsqcap_{i \in I} M_i = \bigsqcap_{i \in I} (L \sqcup M_i)$. Locales $\mathrm{NExt}(L)$ are rarely continuous. An important exception is $\mathrm{NExt}(\mathrm{S4.3})$ (see the remarks following Theorem 47). Call an element $x$ of a locale meet-irreducible (strongly meet-irreducible) if from $x = y \sqcap z$ follows $x = y$ or $x = z$ (if from $x = \bigsqcap_{i \in I} y_i$ follows $x = y_i$ for some $i \in I$). Call $x$ meet-prime (strongly meet-prime) if from $x \geq y \sqcap z$ follows $x \geq y$ or $x \geq z$ (if from $x \geq \bigsqcap_{i \in I} y_i$ follows $x \geq y_i$ for some $i \in I$). Dually for join-irreducible and join-prime. If $x$ is (strongly) meet-prime it is also (strongly) meet-irreducible. In a distributive lattice, meet-prime is equivalent to meet-irreducible, but in general a strongly meet-irreducible element need not be strongly meet-prime. However, in a locale a strongly join-irreducible element is also strongly join-prime.

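Given a locale $\mathfrak{L} = \langle L, \sqcap, \bigsqcup \rangle$, let $\mathrm{Irr}(\mathfrak{L})$ be the set of strongly meet-irreducible elements of $\mathfrak{L}$. For $x \in L$ put $x^\circ := \mathrm{Irr}(\mathfrak{L}) - {\uparrow}x$ where


(35) ${\uparrow}x := \{y : y \geq x\}$, ${\downarrow}x := \{y : y \leq x\}$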


It turns out that 


(36) wü sr Ug 
(37) fEl = Ne 
icl icl 


Thus, $\{x^\circ : x \in L\}$ is a topology of closed sets on $\mathrm{Irr}(\mathfrak{L})$. A locale is spatial if it is isomorphic to the locale of open sets of a topological space.


THEOREM 30. The locale NExt(L) is spatial. 


To show that $\mathrm{NExt}(L)$ is spatial we need to show that the map $M \mapsto M^\circ$ is injective. For a formula $\varphi \notin M$, the set of logics not containing $\varphi$ is nonempty (containing, for example, $M$) and has a maximal element, which we denote by $L_\varphi$. (This follows from Zorn’s Lemma, using the fact that $\mathrm{NExt}(L)$ is algebraic. $L_\varphi$ is usually not unique.) $L_\varphi$ is easily seen to be strongly meet-irreducible. Now


(38) $M = \bigcap_{\varphi \notin M} L_\varphi$


The topology $\{M^\circ : M \in \mathrm{NExt}(L)\}$ satisfies the $T_0$-axiom: for every pair $M$, $M'$ of different logics there is an open set $X$ such that $|X \cap \{M, M'\}| = 1$. Put $M \preceq M'$ if $M^\circ \subseteq M'^\circ$. It is easy to see that $M \preceq M'$ iff $M \subseteq M'$ iff $M \leq M'$. Moreover, a closed set is lower closed, that is, if $X$ is closed then ${\downarrow}X = X$. The converse need not be true. Thus, the lattice is completely reconstructible from the topology. Moreover:


THEOREM 31. NExt(L) is continuous iff all lower closed sets are closed. 


Indeed, if $\mathrm{NExt}(L)$ is continuous, then the arbitrary union of closed sets is closed. Any lower closed set is the union of sets of the form ${\downarrow}\{x\}$, which are all closed. More on this subject can be found in [39].

It is interesting to know which properties are at all connected with the lattice structure. Completeness, for example, is clearly closed under meet but not under join (for a counterexample see [39]). Elementarity is closed both under intersection and infinitary join. Decidability is closed under intersection, but not under join. Interpolation and Halldén-completeness show no clear connection.


2.8 Splittings 


Splittings have been studied in the context of modal logics first by [4], from which most of the results below are drawn. This investigation was carried further in [49, 51]. A splitting of a lattice $\langle L, \sqcap, \sqcup \rangle$ is a pair $\langle x, y \rangle$ such that $L = {\downarrow}x \cup {\uparrow}y$ and ${\downarrow}x \cap {\uparrow}y = \varnothing$. We say that $x$ splits $\mathfrak{L}$ if there is $y$ such that $\langle x, y \rangle$ splits $\mathfrak{L}$. We say that $y$ is the splitting companion of $x$ and write $\mathfrak{L}/x$ for $y$ (but for logics we write $L/M$ rather than $\mathrm{NExt}(L)/M$).


PROPOSITION 32. If $\langle x, y \rangle$ is a splitting of $\mathfrak{L}$, $x$ is strongly meet-prime and $y$ is strongly join-prime. $x$ splits $\mathfrak{L}$ iff it is strongly meet-prime. If $x < x'$ and $\langle x', y' \rangle$ is a splitting, then $y < y'$.

Notice that every join-irreducible logic is join-prime. There is a useful corollary for logics. Say that $M$ is essentially 1-axiomatisable over $L$ if for every $\Delta$: if $M = L \oplus \Delta$ then there is a $\delta \in \Delta$ such that $M = L \oplus \delta$. It is easy to see that this notion is equivalent to strong join-irreducibility. Hence we have an observation already made in [46].
PROPOSITION 33 (McKenzie). $M$ is essentially 1-axiomatisable over $L$ iff $M = L/N$ for some splitting logic $N$.

Furthermore, this gives rise to an axiomatisability criterion. Suppose that $M = L/N$. Then $M = L \oplus \delta$ iff (a) $\delta \in M$ and (b) $\delta \notin N$. If both $M$ and $N$ are decidable, the problem ‘$M = L \oplus \delta$’ is decidable. For example, $\mathrm{S5} = \mathrm{S4}/N$, where $N$ is the logic of a four element algebra. Then clearly $N$ is decidable; since also $\mathrm{S5}$ is decidable, the problem ‘$\mathrm{S5} = \mathrm{S4} \oplus \delta$’ is decidable. More can be established. Also the problem ‘$(\vdash_{\mathrm{S4}})^{+\rho} = \vdash_{\mathrm{S5}}$’ is decidable. This is due to the following fact. Recall that $\vdash^m_M$ is the maximal consequence relation that has $M$ as its set of tautologies.


PROPOSITION 34 (Rautenberg). Suppose that $M$ induces a splitting of $\mathrm{NExt}(L)$. Then $\vdash^m_M$ splits the lattice $\mathrm{Ext}(\vdash_L)$, and $\mathrm{Ext}(\vdash_L)/\vdash^m_M = \vdash_{L/M}$.


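Now, suppose a rule $\rho$ is given. The problem whether $\rho \in \vdash^m_N$ is decidable (see Theorem 19). (Case 1) $\rho \in \vdash^m_N$. Then $(\vdash_{\mathrm{S4}})^{+\rho} \subseteq \vdash^m_N \nsupseteq \vdash_{\mathrm{S5}}$. (Case 2) $\rho \notin \vdash^m_N$. Then $(\vdash_{\mathrm{S4}})^{+\rho} \supseteq \vdash_{\mathrm{S5}}$. Now we must check whether $\rho \in \vdash_{\mathrm{S5}}$. This is again decidable. If this holds $(\vdash_{\mathrm{S4}})^{+\rho} = \vdash_{\mathrm{S5}}$. The argument generalizes to the case where $M$ is tabular and $L/M$ is decidable.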


LEMMA 35. If $M$ does not split $\mathrm{NExt}(L)$ there is a sequence $N_i$, $i \in \omega$, of logics such that $N_i \nleq M$ but $\bigsqcap_{i \in \omega} N_i \leq M$.


(And if $M$ does split $\mathrm{NExt}(L)$, no such sequence can obviously exist.) If $N$ splits $\mathrm{NExt}(L)$ it is strongly meet-prime. In particular, it is strongly meet-irreducible. It follows that $N = \mathrm{Th}\,\mathfrak{A}$, where $\mathfrak{A}$ is a subdirectly irreducible (si) algebra. However, there are examples of subdirectly irreducible algebras such that $\mathrm{Th}\,\mathfrak{A}$ is not even meet-irreducible. The algebras that induce splittings can be characterized. Call an element $x < 1$ of an si $\mathfrak{A}$ an opremum if for all $a < 1$ there is a compound modality $\boxplus$ such that $\boxplus a \leq x$. Intuitively, in a finite algebra an opremum is easy to find. The dual frame is generated by a single world, $w$, in the sense that every world is indirectly accessible from it iff the algebra is subdirectly irreducible. (This fails in the infinite, as Giovanni Sambin pointed out, see [39].) Now, the set containing everything but $w$, is an opremum.

Let $\Delta(\mathfrak{A})$ be the so-called diagram of $\mathfrak{A}$, defined by


(39) $\Delta(\mathfrak{A}) := \{p_a \vee p_b \leftrightarrow p_{a \cup b} : a, b \in A\}$
$\cup\ \{p_{-a} \leftrightarrow \neg p_a : a \in A\}$
$\cup\ \{p_{\Box_i a} \leftrightarrow \Box_i p_a : a \in A, i < \kappa\}$


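Suppose that there is an algebra $\mathfrak{B}$, a valuation $\beta$, and an ultrafilter $U$ such that $\bar{\beta}(\neg p_x) \in U$ and for every compound modality $\boxplus$ and every $\delta \in \Delta(\mathfrak{A})$, $\bar{\beta}(\boxplus\delta) \in U$. Then $\mathfrak{A} \in \mathsf{HS}\,\mathfrak{B}$. Moreover, (by Jónsson’s Lemma), $\mathfrak{A} \in \mathsf{HSP}\,\mathfrak{B}$ iff $\mathfrak{A} \in \mathsf{HSUp}\,\mathfrak{B}$ iff every finite subset of $\neg p_x; \{\boxplus\Delta(\mathfrak{A}) : \boxplus \text{ a compound modality}\}$ is satisfiable. Let $V(L)$ denote the variety of $L$-algebras. The following result appeared in its complete form in [61], generalizing theorems by [51] and [36].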


THEOREM 36 (Wolter). Let $\mathfrak{A}$ be subdirectly irreducible with opremum $x$. The following are equivalent:


• $\mathrm{Th}\,\mathfrak{A}$ splits $\mathrm{NExt}(L)$.


• There is a finite $\Delta_0 \subseteq \Delta(\mathfrak{A})$ and a compound modality $\boxplus$ such that for every $\mathfrak{B} \in V(L)$: if $\neg p_x; \boxplus\Delta_0$ is satisfiable in $\mathfrak{B}$, so is


$\neg p_x; \{\boxtimes\Delta(\mathfrak{A}) : \boxtimes \text{ a compound modality}\}$


If either obtains,


(40) $L/\mathrm{Th}\,\mathfrak{A} = L \oplus \bigwedge \boxplus\Delta_0 \to p_x$

We note that the number of variables needed to axiomatize $L/\mathrm{Th}\,\mathfrak{A}$ is the minimum number of variables needed to generate $\mathfrak{A}$. This can be used to show that $\mathrm{S4.3}$ cannot be axiomatized over $\mathrm{S4.2}$ (and $\mathrm{S4}$) using less than two variables. (In tense logic, however, one variable is sufficient.)


2.9 Some Splittings 


Let us first look at monomodal logics. A frame $\mathfrak{F}$ is cycle-free if there is an $n \in \omega$ such that $\mathfrak{F} \models \Box^n\bot$. $\mathrm{K}$ is complete with respect to all cycle-free frames. It follows from Lemma 35 that only logics of cycle-free frames can split $\mathrm{NExt}(\mathrm{K})$. So, let $\mathfrak{F}$ be finite, cycle free and generated by a single point. Let $\mathfrak{A}$ be the algebra of its subsets.
A is si. Since At OVL — Ot, it follows that if O” is satisfiable, then O”+* 1 
is satisfiable for every k € w. Thus, since 0” A(Q) is finite and implies O” L, we get 
that 0" A(2) — O"+*A(Q) for every k. So, the theory of a finite one-generated cycle 
free frame splits NExt(K). This argument generalizes easily for any finite number of 
operators. 


THEOREM 37 (Blok). L splits NExt(K) iff it is the logic of a finite, one-generated cycle 
free frame. 


There is an easy corollary. For every splitting logic $L$ there is a splitting logic $L' < L$. (Simply add another irreflexive point before the generator of $\mathfrak{F}$ where $L = \mathrm{Th}(\mathfrak{F})$.) Now, from Proposition 32 we get $\mathrm{NExt}(\mathrm{K})/L' < \mathrm{NExt}(\mathrm{K})/L$. Thus, for every strongly join-prime element there exists a strongly join-prime element strictly below it. Atoms are strongly join-irreducible, and therefore strongly join-prime, hence they are splitting companions. We have established the following result from [3].


THEOREM 38 (Blok). NExt(K) is atomless. 
On the other hand we have the following from [41]. 


THEOREM 39 (Makinson). $\mathrm{NExt}(\mathrm{K})$ has exactly two coatoms. Moreover, every consistent logic is below one of them.


The coatoms are the logics of the two two-element algebras, corresponding to the one-element reflexive frame, and the one-element irreflexive frame. Take a general frame $\mathfrak{F}$. Either $\Box\bot$ is satisfiable, in which case the subframe of points satisfying $\Box\bot$ is generated and can be contracted to the single one-generated irreflexive point; or $\Box\bot$ is not satisfiable. Then $\mathfrak{F} \models \Diamond\top$, so that $\mathfrak{F}$ is contractible to a one-element reflexive frame. The second fact easily follows from the following observation: if $L$ is finitely axiomatisable, there is no infinite upgoing chain with limit $L$. The inconsistent logic is finitely axiomatisable, and so it is not the limit of an upgoing chain. Hence every consistent logic must be below a coatom.

Suppose now that L = K/M for some logic M. It so happens that NExt(L) may be 
split by N even though N does not split NExt(K). This arises exactly once: $L = K/\boxed{\bullet}$. 
Then L = K.D, and the new splitting logic is $N = \mathrm{Th}\,\boxed{\circ}$, the logic of the one-element 
reflexive frame. We call L/N an iterated splitting of K. L/N is actually inconsistent. 
However, suppose that X is a set of splitting logics of NExt(L). Then we may split off 
the logics of X in any order we like. The result is always the same. Therefore, put 


(41) $L/X := \bigsqcup \langle L/N : N \in X \rangle$ 


508 Marcus Kracht 


The following theorem is much harder to establish. Let Fs(L) be the set of all logics 
that have the same Kripke-frames as L (the Fine-spectrum of L). Call L intrinsically 
complete if $|\mathrm{Fs}(L)| = 1$. The following is from [4]. 


THEOREM 40 (Blok). L is intrinsically complete iff it is inconsistent or of the form 
K/X for a set of splitting logics X. If L is not intrinsically complete, $|\mathrm{Fs}(L)| = 2^{\aleph_0}$. 


We say that N has a splitting representation over L if it has the form L/X for 
some set X. Although one can have N = L/X = L/Y for different X and Y, there is 
a unique set $X^*$ such that $N = L/X^*$ and for every X such that N = L/X we have 
$X \supseteq X^*$. (The set $X^*$ is a minimal representation of L.) 

Say that a compound modality $\boxplus$ is a master modality for L if (a) $\boxplus p \to \Box_i p \in L$ 
for all $i < \kappa$, and (b) $\boxplus p \to p$, $\boxplus p \to \boxplus\boxplus p \in L$. L is called weakly transitive if it 
has a master modality. Now suppose that L is weakly transitive, with master modality 
$\boxplus$. Then if $\mathfrak{A}$ is finite and subdirectly irreducible, it is splitting. (Actually, it is enough 
that $\mathfrak{A}$ is finitely presentable.) For example, the logic M of a one-generated finite frame 
splits NExt(K4) (and every NExt(L) for $L \supseteq K4$ if only $M \supseteq L$). Many logics above 
K4 possess a splitting representation above K4. 

We present a few applications. [19] shows that there is an infinite antichain $L_i$, $i \in \omega$, 
of logics of depth 3 in NExt(S4). Now, define the following map from subsets of $\omega$ into 
NExt(S4): $p : U \mapsto S4/\{L_i : i \in U\}$. This map is injective. Moreover, $p(U) \le p(V)$ 
iff $U \subseteq V$. So, the map is a lattice embedding. It follows not only that NExt(S4) has 
continuously many elements, but also that it has an infinite upgoing chain of elements. 

It is known that every logic $L \supseteq$ S4.3 has the finite model property (see [7]). It follows 
that it has a representation 


(42) $L = S4.3/X$ 


where X is the set of logics of S4.3-frames which are not L-frames. Identity holds by 
the fact that both logics have the finite model property and the same finite models. It 
follows that there is a unique minimal set $X^*$ such that $L = S4.3/X^*$. This means 
that there is a canonical axiomatisation of every logic in terms of splitting formulae, an 
axiomatisation base in the sense defined below. 


2.10 Axiomatisation Bases 


The success of the canonical formulae of Michael Zakharyaschev (see [63, 64]) has sparked 
off the question whether it is possible to find independent sets of formulae that can 
axiomatize any given logic above L, where L is a given modal logic (in the best case, 
L=K,). The present section reviews conditions on L under which this is possible, but 
the outcome is, for practical purposes, rather negative: only very strong logics L have 
this property. 

If every extension of L is of the form L/X the locale NExt(L) is continuous. The 
finitely axiomatisable logics are closed under finite union, just as the compact elements. 
An infinite join of finitely axiomatisable logics need not be finitely axiomatisable again. 
Likewise, the finite meet of finitely axiomatisable logics need not be finitely axiomatisable. 
However, this is the case when L is weakly transitive. 

DEFINITION 41. A locale is coherent if (i) every element is the join of compact ele- 
ments and (ii) the meet of two compact elements is again compact. 

Coherent locales allow a stronger representation theorem. Let $\mathfrak{L}$ be a coherent locale, 
$K(\mathfrak{L})$ be the set of compact elements. They form a lattice $\mathfrak{K}(\mathfrak{L}) := \langle K(\mathfrak{L}), \sqcap, \sqcup\rangle$, by 
definition of a coherent locale. Given $\mathfrak{K}(\mathfrak{L})$, $\mathfrak{L}$ is uniquely identified by the fact that it is 
the lattice of ideals of $\mathfrak{K}(\mathfrak{L})$. 


LEMMA 42. A locale is coherent iff it is isomorphic to the locale of ideals of a distributive 
lattice. 


If we have a lattice homomorphism $\mathfrak{K}(\mathfrak{L}) \to \mathfrak{K}(\mathfrak{M})$ then this map can be extended 
uniquely to a homomorphism of locales $\mathfrak{L} \to \mathfrak{M}$. Not all locale homomorphisms arise 
this way, and so not all locale maps derive from lattice homomorphisms. Hence call a 
map $f : \mathfrak{L} \to \mathfrak{M}$ coherent if it maps compact elements into compact elements. 


THEOREM 43. The category DLat of distributive lattices and lattice homomorphisms is 
dual to the category CohLoc of coherent locales with coherent maps. 


Now if L is weakly transitive, the intersection of two finitely axiomatisable extensions 
is again finitely axiomatisable. Now, a logic is compact in NExt(L) iff it is finitely 
axiomatisable over L. We conclude the following theorem. 

PROPOSITION 44. Let L be weakly transitive. Then NExt(L) is coherent. 


The converse need not hold. NExt(K.alt$_1$), where K.alt$_1 = K \oplus \Diamond p \to \Box p$, is coherent (because every 
logic in this lattice is finitely axiomatisable) but the logic is not weakly transitive. 

DEFINITION 45. Let $\mathfrak{L}$ be a complete lattice. A set $X \subseteq L$ is a generating set if 
every member of $L$ is the join of a subset of $X$. $\mathfrak{L}$ is said to have a basis if there 
exists a least generating set. Moreover, $X$ is a strong basis for $\mathfrak{L}$ if every element has 
a nonredundant representation, that is, for each x there exists a minimal Y C X such 
that z =[]Y. 


THEOREM 46. Let £ be a locale. £ has a basis iff (i) £ is continuous and (ii) every 
element is the meet of []-irreducible elements. £ has a strong basis iff it has a basis and 
there exists no infinite properly ascending chain of | |-prime elements. 


Let £ be a locale with a strong basis. Then the elements of £ are in one-to-one 
correspondence with antichains of strongly meet-prime elements (via the splitting repre- 
sentation, which must exist). 


THEOREM 47. Let L be a modal logic. Then NExt(L) has a basis iff NExt(L) is 
continuous. 


Since continuous lattices are the exception in modal logic, most extension lattices do 
not have a basis. We can sharpen the previous theorem somewhat to obtain stricter con- 
ditions on continuity. From Theorem 47 and the next theorem it follows that NExt(S4.3) 
is continuous (using the result of [7] that all extensions of S4.3 have the fmp). 


COROLLARY 48. Let L be weakly transitive and have the finite model property. Then 
the following are equivalent. 


1. NExt(L) has a basis. 
2. NExt(L) has a strong basis. 
3. Every extension of L has the finite model property. 
4. Every extension of L is the join of co-splitting logics. 
5. Every join of co-splitting logics has the finite model property. 


Figure 2. The Frame O 


COROLLARY 49. Let V(L) be locally finite. Then NExt(L) is continuous. 


The converse does not hold. The lattice NExt(S4.3) is continuous but S4.3 fails to be 
locally finite. The following once more emphasizes the importance of splittings on the 
structure of the lattice. 


THEOREM 50. Let NExt(L) have a strong basis. Then the following are equivalent. 
1. Every extension of NExt(L) is finitely axiomatisable. 
2. NExt(L) is finite or countably infinite. 
3. There exists no infinite set of incomparable splitting logics. 


Typically the locales NExt(L) have no basis. We might ask, however, if for a given 
logic an independent axiomatisation necessarily exists. This is not so. Call a set $\Delta$ of 
formulae independent if for every $\delta \in \Delta$ we have $\delta \notin K \oplus (\Delta - \{\delta\})$. (For example, 
a basis is an independent set.) A logic L is independently axiomatisable if there 
exists an independent set $\Delta$ such that $L = K \oplus \Delta$. Every finitely axiomatisable logic is 
independently axiomatisable. It has been shown in [8] that there exists a logic which is 
not independently axiomatisable. Furthermore, [37] gives an example of a logic which 
is not finitely axiomatisable, but all its proper extensions are. Such a logic is called 
pre-finitely axiomatisable. Here is a logic that has both properties. 


THEOREM 51. The logic of the frame D shown in Figure 2 is pre-finitely axiomatisable. 
It splits the lattice of extensions of G.Q2. Moreover, it is not axiomatisable by a set of 
independent formulae. 


THEOREM 52. Let A be the algebra generated by the singleton sets of D. A is not 
finitely presentable. Its logic splits NExt(G.Q2). 


3 THE LOCAL AND THE GLOBAL 


3.1 Equivalential and Algebraisable Logics 

In recent years, there have been a lot of results concerning the algebraisability of logics. 
(See [14] for a general exposition of the topics of this section.) Research has been sparked 
off mainly by the monograph [5]. In brief, a logic is algebraisable if the notion of truth 
and of consequence can be reduced faithfully to the equational calculus. Let us assume 
that two consequence relations, F over language £; and > over language £2, are given. 
Let &: Lı — (£2) be a map from formulae in £; to sets of formulae in £2. We write 
&(A) for the union of the «(6), 6 € A. « is a transform of | into > if 


(43) AF & for all y € K(y):K(A) > x 


If A: Lo > e(L1) is a transform of > into F and « a transform of | into > we call («, A} 
a pair of conjugate transforms if in addition 


(44) pr x = Alk) F x 
(45) px = K(A(Y)) > x 


A consequence relation is algebraisable if there is a pair of conjugate transforms to a 
calculus of equations over the same language, and both maps commute with substitutions. 
Recall that there is also a first-order theory of the algebra, using the function symbols 
of the signature and equality (=). In equational logic we are mainly interested in 
Horn-clauses of that language, to which we turn below. 

A key element in the characterisation of algebraisability is that of the Leibniz operator. 
A logic $\vdash$ defines the following operator $\Omega_{\mathfrak{A}}$ on an algebra $\mathfrak{A}$, called the Leibniz 
operator. 


(46) $\Omega_{\mathfrak{A}}(D) := \{\langle a, b\rangle : \text{for all polynomials } p \text{ of } \mathfrak{A}: p(a) \in D \Leftrightarrow p(b) \in D\}$ 


Given $D$, $\Omega_{\mathfrak{A}}(D)$ is the largest congruence compatible with $D$. $\langle \mathfrak{A}/\Omega_{\mathfrak{A}}(D), D/\Omega_{\mathfrak{A}}(D)\rangle$ is reduced. 
We write $\Omega$ for the operator defined on the term algebra. As Wim Blok and Don Pigozzi 
have shown, many properties of the consequence relation can be defined in terms of the 
Leibniz-operator. 


THEOREM 53 (Blok & Pigozzi). A consequence relation $\vdash$ is algebraisable iff 

• $\Omega$ is monotone on the set of theories of $\vdash$; 
• $\Omega$ is injective on the set of theories of $\vdash$; and 
• $\Omega$ commutes with inverse substitutions on the set of theories of $\vdash$. 


The first is to be read as follows: if $T$ and $T'$ are theories (deductively closed sets of 
formulae) and $T \subseteq T'$ then $\Omega(T) \subseteq \Omega(T')$. The latter are congruences. Similarly for the 
other conditions. 

We shall fill the notion of algebraisability with more life. The calculus of equations can 
be generalized to implications. A quasi-equation or quasi-identity is an implication 
of the form 


(47) $\sigma_0 = \tau_0 \wedge \sigma_1 = \tau_1 \wedge \ldots \wedge \sigma_{n-1} = \tau_{n-1} \to \sigma_n = \tau_n$ 

Alternatively, it is a Horn-clause in the first-order theory of the algebraic signature. A 
class of algebras is called a quasi-variety if it is characterized by a set of quasi-identities. 
The following is from [30]. 

THEOREM 54 (Graetzer & Lakser). A class of algebras is a quasi-variety iff it is closed 
under ultraproducts, products and subalgebras. The least quasi-variety containing a given 
class K is $\mathsf{SPP}_{\mathsf{U}}(K)$. 

Now, in general consequence relations use the notion of truth. They are therefore said 
to define truth implicitly if for every algebra $\mathfrak{A}$ there is at most one deductively closed 
set $D$ such that $\langle \mathfrak{A}, D\rangle$ is a reduced matrix for $\vdash$. An explicit definition consists in a set 
$\Delta(p)$ of equations such that $a \in D$ iff $\mathfrak{A} \models \alpha(a) = \beta(a)$ for all $\alpha(p) = \beta(p) \in \Delta(p)$. Since 
$\langle \mathfrak{A}, \{1\}\rangle$ is a matrix for all modal consequence relations, and reduced, a consequence 
relation defines truth implicitly iff (MN) is derivable. 

The following definition is due to [48]. 


DEFINITION 55. Let $\vdash$ be a consequence relation. A set of formulae $\Delta(p, q) := \{\delta_i(p,q) : 
i \in I\}$ is called a set of equivalential terms for $\vdash$ if the following holds for all basic 
function symbols $f$: 


(48a) $\vdash \Delta(p, p)$ 
(48b) $\Delta(p, q) \vdash \Delta(q, p)$ 
(48c) $\Delta(p, q); \Delta(q, r) \vdash \Delta(p, r)$ 
(48d) $\bigcup_{i < v(f)} \Delta(p_i, q_i) \vdash \Delta(f(\vec{p}), f(\vec{q}))$ 
(48e) $p; \Delta(p, q) \vdash q$ 


$\vdash$ is called equivalential if it has a set of equivalential terms, and finitely equivalential 
if it has a finite set of equivalential terms. 


THEOREM 56. $\vdash$ is finitary and finitely equivalential iff the class of reduced matrices 
for $\vdash$ is a quasi-variety. 

COROLLARY 57. Let $\vdash$ be finitary and finitely equivalential and Q the quasi-variety of 
reduced matrices for $\vdash$. Then the lattice of finitary extensions of $\vdash$ is dually isomorphic 
to the lattice of sub-quasi-varieties of Q. 

A logic is algebraisable in the sense of Blok and Pigozzi if it is finitary, algebraisable 
and finitely equivalential. $\Omega$ is said to be continuous if for every upgoing chain $T_i$, $i \in \mu$, 
of theories whose limit (= union) is a theory 


(49) $\Omega(\bigcup_{i \in \mu} T_i) = \bigcup \{\Omega(T_i) : i \in \mu\}$ 

Continuity implies monotonicity. 

THEOREM 58. $\vdash$ is equivalential iff $\Omega$ is monotone on the set of theories, and $s\Omega(T) \subseteq 
\Omega((sT)^{\vdash})$ for all substitutions $s$ and theories $T$. $\vdash$ is finitely equivalential iff $\Omega$ is 
continuous on the set of theories of $\vdash$. 


Clearly, for any modal logic L, $\vdash_L$ is always equivalential; a set of equivalential terms 
is the following. 


(50) $\Delta(p, q) := \{\boxplus(p \leftrightarrow q) : \boxplus \text{ a compound modality}\}$ 


$\Vdash_L$ is always finitely equivalential; $p \leftrightarrow q$ is an equivalential term for $\Vdash_L$. Note that 
if a classical consequence relation $\vdash$ is finitely equivalential it also has an equivalential 
term. For if $\Delta(p,q) = \{\delta_i(p,q) : i < n\}$ is a finite set of equivalential terms for $\vdash$ then 
$\delta(p, q) := \bigwedge_{i<n} \delta_i(p, q)$ is an equivalential term. 

For algebraisability in the Blok and Pigozzi sense we have the following. 


THEOREM 59 (Blok & Pigozzi). Let $\vdash$ be algebraisable in the sense of Blok and Pigozzi 
and let K be the corresponding class of algebras. Then K is a quasi-variety and consists 
of all reducts of reduced matrices. Moreover, the lattice of axiomatic strengthenings is 
dually isomorphic to the lattice of sub-quasi-varieties of K. 


It is to be borne in mind that there is a substantial difference between classes of 
matrices and classes of algebras. 


3.2 Global Consequence Relations and Logics 


Call a modal consequence relation global if the rules (MN) are derived rules. If $\vdash$ is 
global, then any extension contains (MN), and is also global, by structurality. Hence 
the lattice of global consequence relations is the lattice of extensions of $\Vdash_{K_\kappa}$. A modal 
consequence relation $\vdash$ is finitely equivalential via $p \leftrightarrow q$ iff it is global; in general, other 
equivalential formulae might exist, see below. A filter $D$ for a consequence relation $\vdash$ in 
a modal algebra is a boolean filter. However, if $\vdash$ is global, then every filter $D$ is open, 
that is, if $a \in D$ also $\Box a \in D$ for every modality $\Box$. If $D$ is open, it can be factored, and 
the factor algebra is unital. Hence, reduced matrices for global consequence relations 
have only one truth value, namely 1. It follows that truth is defined implicitly—and also 
explicitly via the equation $p = \top$. Thus, we can replace talk of reduced matrices with 
talk of algebras. 


THEOREM 60. The lattice of global consequence relations is dually isomorphic to the 
lattice of quasi-varieties of modal algebras. 


Josep Font and Ramon Jansana [21] have found a way to characterize the strong 
consequence using the Leibniz operator. Say that a filter $F$ on $\mathfrak{A}$ for $\vdash$ is Leibniz if for 
every $\vdash$-filter $G \subseteq F$, $\Omega_{\mathfrak{A}}(G) = \Omega_{\mathfrak{A}}(F)$. The strong consequence relation corresponding 
to $\vdash$ is the consequence determined by all matrices $\langle \mathfrak{A}, F\rangle$, where $\langle \mathfrak{A}, F\rangle$ is a matrix for $\vdash$ 
and $F$ is a Leibniz filter. Given any filter, the largest Leibniz filter contained in $F$ is the 
intersection of all filters $G$ such that $\Omega_{\mathfrak{A}}(G) = \Omega_{\mathfrak{A}}(F)$. In the present context, this filter 
is the largest open filter contained in $F$. It consists of all elements $a$ such that $\boxplus a \in F$ 
for every compound modality $\boxplus$. 

There is a difference, though, between quasi-varieties of matrices (to be considered 
below) and quasi-varieties of algebras. The local and global consequence relations for a 
logic can be characterized as follows. 


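THEOREM 61. 


• $\Delta \vdash_L \chi$ iff for every generalized frame $\mathfrak{F}$ such that $\mathfrak{F} \models L$, every valuation $\beta$ and 
every $x$: if $\langle \mathfrak{F}, \beta, x\rangle \models \delta$ for every $\delta \in \Delta$ then $\langle \mathfrak{F}, \beta, x\rangle \models \chi$. 

• $\Delta \Vdash_L \chi$ iff for every generalized frame $\mathfrak{F}$ such that $\mathfrak{F} \models L$, and every valuation $\beta$: 
if $\langle \mathfrak{F}, \beta\rangle \models \delta$ for every $\delta \in \Delta$ then $\langle \mathfrak{F}, \beta\rangle \models \chi$. 


Alternatively, $\Delta \Vdash_L \chi$ if for every algebra $\mathfrak{A} \in V(L)$ and every valuation $\beta$: if $\overline{\beta}(\delta) = 1$ 
for every $\delta \in \Delta$ then $\overline{\beta}(\chi) = 1$. 

$\vdash_L$ has a deduction theorem but generally, $\Vdash_L$ does not. If it does, however, the logic 
is weakly transitive. 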

PROPOSITION 62. Suppose that $\boxplus$ is a master modality for L. Then $\langle \mathfrak{F}, \beta, x\rangle \models \boxplus\chi$ iff 
$\chi$ is true in the model generated by $x$. 


THEOREM 63. $\Vdash_L$ has a deduction theorem iff L is weakly transitive. 


The notion of weak transitivity originated in the work of Wim Blok. In weakly transitive 
logics, the global consequence can be reduced to the local consequence. For $\vdash_L$ 
is finitely equivalential if L is weakly transitive. Let $\mathrm{Cg}^{\mathfrak{A}}(a, b)$ denote the least congruence 
of $\mathfrak{A}$ containing the pair $(a,b)$. Say that V has elementarily definable principal 
congruences if there is a first order formula V(x, y, u,v) such that for all 2% € V and 
a,b,c,d € A, c Cg” (a,b) d iff A E V(a,b,c,d). Say that V has elementarily definable 
open filters if there is a first order formula n(x, u) such that for given a, c is in the open 
filter generated by a iff A F (a,c). In [6] we find the following. 


THEOREM 64. The following are equivalent. 


• $\Vdash_L$ has a deduction theorem. 
• L is weakly transitive. 
• L is finitely equivalential. 
• V(L) has elementarily definable principal congruences. 
• V(L) has elementarily definable open filters. 


3.3 Semisimple Varieties of Modal Algebras 


Semisimple varieties of modal algebras are special kinds of varieties of weakly transitive 
logics. There is an exact characterisation of semisimplicity, to be found below. Say that 
@ (the diamond of some compound modality W) is a dual of O in L if p > O@pe L. 
Frame theoretically this means that if x R(O) y then y R(M) x. If Mis compound, Am) 
is a finite set of finite paths in the frame. A logic is cyclic if every basic modality 
has a dual. Notice that the dual need not be basic (although a basic modality playing 
the role of the dual can be added conservatively). If L is cyclic, also every compound 
modality has a dual. 


LEMMA 65. If L is cyclic then every finite subdirectly irreducible algebra of V(L) is 
simple. 


There are infinite algebras that are si but not simple. For example, take the set of 
integers and put $x \lhd y$ iff $|x - y| = 1$. Finally, let $O$ be the set of finite and cofinite 
elements. The logic of $\mathfrak{F} := \langle \mathbb{Z}, \lhd, O\rangle$ is cyclic (with $\Diamond$ the dual of $\Box$), $\mathfrak{F}$ is si (with 
opremum $\mathbb{Z} - \{0\}$), but not simple. For the set of cofinite subsets is an open filter. 

Call a variety semisimple if every si algebra is simple. Further, say that a ternary 
term $t(x,y,z)$ is a ternary discriminator for $\mathfrak{A}$ if for all $a,b,c \in A$: $t(a,b,c) = c$ if 
$a = b$, and $t(a,b,c) = a$ if $a \neq b$. (See also Chapter 6 on this notion.) A variety V is a 
discriminator variety if there is a ternary term $t(x,y,z)$ which is a discriminator for all 
subdirectly irreducible members of V. Notice that if $t$ is a ternary discriminator, then 
$u(x) := \neg t(1, x, 0)$ has the property that $u(x) = 1$ if $x = 1$ and $u(x) = 0$ otherwise. (This 
is the dual notion of the one commonly used.) $u(x)$ is called a unary discriminator. 
If L is weakly transitive it has a master modality $\boxplus$. If it is also cyclic $\boxplus$ has a dual 
~X. We can actually assume that X = Now look at u(x) := Ha. By weak 
transitivity, the open filter generated by a € A is THa. Assume that a = Ha. Then 
a = H- ma > 7a = a, by our assumptions. So, 7 a also is an open 
filter. Say that a is open if a = O;a for all basic O;. The open elements form a boolean 
algebra. It follows that every si algebra is simple. It also follows that u(x) := Ex is a 
unary discriminator. The converse is much harder to establish, see [35]. 


THEOREM 66 (Kracht & Kowalski). The following are equivalent for modal logics with 
finitely many operators. 


1. V(L) is semisimple. 
2. V(L) is a discriminator variety. 
3. L is weakly transitive and cyclic. 


The remaining part is (1) > (3). Moreover, if a semisimple variety is weakly transitive, 
cyclicity is easy to show (because both mean that one-generated is the same as connected). 
So the hard part is to show that semisimple varieties are weakly transitive. We assume 
that the basic operators are O;, i < n, and put 


(51) a:=an N ia 


<n 


The proof is rather involved. It proceeds by first showing that all semisimple varieties of 
finite type of modal algebras satisfy the property (52) for r = k and l = 0. 


(52) For every k € w there are r,l € w such that VE x < O'O% O" g. 


Note that this is weaker than cyclicity. Now we assume that V satisfies (52). Define r(i) 
to be the smallest number such that there exists an 1 € w with VE O'O!O"Me < x. 
The function r is increasing. We define l(i) to be the smallest number such that V F 
HOO" s < a. Thus, | depends on i via r(i). If V falsifies O"+!a = O"a for each 
n € w, then for each i € w there is a simple algebra A; in V and a; € A; such that 
Ora; <1 but orta; = 1. Now put b; := EOT? and fix an arbitrary k € w. Then 
the following lemma holds. 
LEMMA 67. For every i > k, we have: O*b; < 1 and O')+7@) 419%), = 1. 

Using ultraproducts one obtains an algebra % and an element b such that 
LEMMA 68. In B, for any k € w we have: O¥b < 1 and OM +r) +1049 = 1, 


Let A € V be such that there is a nonzero a € A with ©”a < 1 for every n € w. For 
instance the free algebra rz (1) is such an algebra, as otherwise V would satisfy O"x = 1 
for some n € w. Let a := Cg™(a,0). a is neither full nor the diagonal. As a is principal, 
a must have a lower neighbour 8 in Cg(2). 


© 


LEMMA 69. For every congruence 3 with B < a, there is an m E€ w such that: 
1. O™+la =; 0™a, and 


2. 7O™a =g O7n0"™a. 
Proof. Let T := {0 € Cg(A): 0 > 6,0 Za}. ET = {8}, then 2/2 is si but not 
simple, which cannot be. Thus there is a 0 € I — {8}. By congruence distributivity, 
y := VT €T. Therefore, 2/y is subdirectly irreducible; hence simple. From this and 
congruence permutability it follows that ao y= A x A. Thus, (0,1) € a o y, and there 
must be a c € A with (0,c) € a and (c,1) € y; hence also (-c,0) € y. Now, (0,c) € a iff 
for some m € w we have Oa > c. Thus, -O™a < 7c and therefore (>O™a,0) € y. We 
can then assume c = Oa. By definition we have aN y = 8, that is, 0/a N 0/y = 0/2. 
Now, to prove (i), consider O™*+la A =©O™a. It belongs to 0/a N 0/7 = 0/8 and thus 
we obtain O™t!a =g O™a. Then, for (ii), consider Oa A On0™a. It too belongs to 
0/aN0/y = 0/8; therefore 5O™a =g OnO™ a. Q 


THEOREM 70. If V satisfies (52) then V satisfies O"+!x = O"x for some n €w. 


Proof. Suppose V falsifies O"t!x = ©" for all n € w. There is then an algebra B € V 
and an element b € B such that for all k € w: O*b < 1 and O'M+r(H)+1 0% = 1. 
Let a be the congruence generated by 7b, and take G and m as in Lemma 69. Then 
mO =g On0™) =; OlM+7(m) +19) = 1. Thus, Ob =, 0 and therefore b =, 0. 
It follows that 8 > a, contradicting the choice of @ as a subcover of a. QO 


4 REDUCTION TO MONOMODAL LOGIC 


For each cardinality $\kappa$, there is a distinct lattice of modal consequence relations over $\kappa$ 
operators. Surely, it would be most advantageous if one did not have to study these 
lattices for each individual $\kappa$. While results for the lattices Ext($\vdash_{K_\kappa}$) are yet to be 
established, there exist fairly powerful theorems that reduce the study of NExt($K_\kappa$) 
for finite $\kappa$ to the study of NExt($K_1$). It turns out that the locales of logics for several 
operators are isomorphic to certain subintervals of the locale NExt($K_1$) and that the 
isomorphism reflects and preserves many important properties of logic. This means that 
from a general perspective it is enough to obtain results for the locale of monomodal 
logics. A theorem that asserts this is called a transfer theorem. Results on monomodal 
logics can be extended to polymodal logics, using a transfer theorem. In practice it 
has turned out to be the opposite, however. Often, a counterexample to a specific 
conjecture can be easily constructed using several operators. Using the transfer theorem 
this counterexample typically yields a counterexample for monomodal logic, and so for 
every polymodal logic. There are certain lacunae in the theory. First, although there 
is a simulation of countably many operators by one (see [38]), the induced lattice map 
is not surjective. As for uncountably many operators, I know of no results so far. The 
techniques have been applied to polyadic operators and hybrid logics, and we report the 
results below. Again, the lattice map is not surjective, making the transfer theory less 
effective. Third, as we have mentioned above, the results cover logics only; no attempt 
has been made to reduce polymodal consequence relations to monomodal ones, though I 
speculate that the results will be similar. 


4.1 Simulating Two Operators by One 


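Let $\langle F, \lhd, \blacktriangleleft, \mathbb{F}\rangle$ be a generalized bimodal frame. For a subset $B \subseteq F$ put $B^\circ := \{x^\circ : 
x \in B\}$ and $B^\bullet := \{x^\bullet : x \in B\}$. Here, $x^\circ$ and $x^\bullet$ are distinct copies of $x$; $F^\circ$ and $F^\bullet$ are 
disjoint and do not contain $*$. 


(53) 
$F^s := F^\circ \cup F^\bullet \cup \{*\}$ 
$\lhd^s := \{\langle x^\circ, y^\circ\rangle : x \lhd y\} \cup \{\langle x^\bullet, y^\bullet\rangle : x \blacktriangleleft y\}$ 
$\qquad \cup\, \{\langle x^\circ, x^\bullet\rangle : x \in F\} \cup \{\langle x^\bullet, x^\circ\rangle : x \in F\}$ 
$\qquad \cup\, \{\langle x^\circ, *\rangle : x \in F\}$ 
$\mathbb{F}^s := \{B^\circ \cup C^\bullet \cup D : B, C \in \mathbb{F}, D \subseteq \{*\}\}$ 
$\mathfrak{F}^s := \langle F^s, \lhd^s, \mathbb{F}^s\rangle$ 


$\mathfrak{F}^s$ is a general monomodal frame. We call it the simulating frame of $\mathfrak{F}$. Recall that a 
general frame $\mathfrak{F}$ is differentiated if $x \neq y$ implies $x \in a$ and $y \notin a$ for some $a \in \mathbb{F}$; that 
$\mathfrak{F}$ is refined if it is differentiated and tight, that is, if $x \ntriangleleft_i y$ then there is an $a \in \mathbb{F}$ such 
that $x \in \Box_i a$ but $y \notin a$. Finally, $\mathfrak{F}$ is compact if for every filter $H$ on $\mathbb{F}$: $\bigcap H \neq \varnothing$. 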


PROPOSITION 71. $\mathfrak{F}^s$ is differentiated (refined, compact) iff $\mathfrak{F}$ is. 


Proof. Notice that $F^\circ$, $F^\bullet$ and $\{*\}$ are definable by the constant formulae $\gamma_\circ := \Diamond\Box\bot$, 
$\gamma_\bullet := \Diamond\top \wedge \neg\Diamond\Box\bot$, and $\gamma_* := \Box\bot$, respectively. (We shall also denote the sets defined 
by some formula by the formula itself.) Hence if $\mathfrak{F}$ is differentiated, let $x, y \in F^s$ be 
different. Then if $x = *$, $\gamma_*$ is the set that contains $x$ but not $y$. Otherwise if $x = u^\circ$ 
and $y = v^\bullet$, $\gamma_\circ$ contains $x$ but not $y$. Finally, if $x = u^\circ$ and $y = v^\circ$ then $u \neq v$ and there 
is a set $O$ containing $u$ but not $v$. Then $x \in O^\circ$, but $y \notin O^\circ$. Analogously if $x = u^\bullet$ 
and $y = v^\bullet$. Also, if $\mathfrak{F}^s$ is differentiated, clearly $\mathfrak{F}$ is differentiated, too. We show that 
if $\mathfrak{F}$ is refined, so is $\mathfrak{F}^s$. Suppose that $x \lhd^s y$ does not hold. The case $x = *$ is easily 
dealt with. Now assume $x = u^\circ$. We deal with two representative cases. Case 1. $y = v^\circ$. 
Then $u \ntriangleleft v$. Then refinedness of $\mathfrak{F}$ gives a set $O$ such that $u \in \Box O$ but $v \notin O$. Then 
$x \in \Box(F^\bullet \cup \{*\} \cup O^\circ)$ but $y \notin O^\circ$. Case 2. $y = v^\bullet$. Then $u \neq v$. Then by differentiatedness 
there is a set $O$ containing $u$ but not $v$. Then $x = u^\circ \in \Box(F^\circ \cup \{*\} \cup O^\bullet)$ but $y \notin O^\bullet$. 
(Notice that for the transfer of tightness we needed differentiatedness as well.) Transfer 
of compactness is straightforward. ∎ 


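The notion of simulation is then also defined for Kripke-frames. Denote by $\mathfrak{F}_\sharp$ the 
Kripke-frame underlying $\mathfrak{F}$. The following is true in virtue of the definitions. 


PROPOSITION 72. $(\mathfrak{F}^s)_\sharp = (\mathfrak{F}_\sharp)^s$. 


Define 

(54) $\Box_\circ\chi := \Box(\gamma_\circ \to \chi)$, $\Box_\bullet\chi := \Box(\gamma_\bullet \to \chi)$, $\Box_*\chi := \Box(\gamma_* \to \chi)$ 

Also, put 

(55) 
$p_i^s := p_i$ 
$(\neg\varphi)^s := \neg\varphi^s$ 
$(\varphi \wedge \chi)^s := \varphi^s \wedge \chi^s$ 
$(\Box\varphi)^s := \Box_\circ\varphi^s$ 
$(\blacksquare\varphi)^s := \Box_\bullet\Box_\bullet\Box_\circ\varphi^s$ 


Finally, let $\beta$ be a valuation and set $\beta^s(p) := \beta(p)^\circ$. Then the following is shown by 
induction. 


(56) $\langle \mathfrak{F}, \beta, x\rangle \models \varphi \Leftrightarrow \langle \mathfrak{F}^s, \beta^s, x^\circ\rangle \models \gamma_\circ \to \varphi^s$ 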
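
Notice that $\langle \mathfrak{F}^s, \beta^s, x^\bullet\rangle \models \gamma_\circ \to \varphi^s$ as well as $\langle \mathfrak{F}^s, \beta^s, *\rangle \models \gamma_\circ \to \varphi^s$. Not every valuation 
into $\mathfrak{F}^s$ is of the form $\beta^s$. However, if $\gamma(p) \cap F^\circ = \beta(p) \cap F^\circ$ then for every $x \in F^s$ 


(57) $\langle \mathfrak{F}^s, \gamma, x\rangle \models \gamma_\circ \to \varphi^s \Leftrightarrow \langle \mathfrak{F}^s, \beta, x\rangle \models \gamma_\circ \to \varphi^s$ 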


PROPOSITION 73. Let be a bimodal generalized frame. §° E p? iff FF g. 


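For a formula $\chi$ and a set $\Delta$ put 

(58) $\chi \to \Delta := \{\chi \to \delta : \delta \in \Delta\}$ 


We define Sim to be the logic of all simulating frames. 


DEFINITION 74. Let L be a bimodal logic. Then $L^s$ is the logic of all $\mathfrak{F}^s$, where $\mathfrak{F}$ is a 
general frame for L. 


THEOREM 75. Let L be a bimodal logic. Then 


(59) $\Delta \vdash_L \varphi \Leftrightarrow \gamma_\circ \to \Delta^s \vdash_{L^s} \gamma_\circ \to \varphi^s$ 
(60) $\Delta \Vdash_L \varphi \Leftrightarrow \gamma_\circ \to \Delta^s \Vdash_{L^s} \gamma_\circ \to \varphi^s$ 


In particular, if $L = K_2 \oplus \Delta$, $L^s = \mathrm{Sim} \oplus (\gamma_\circ \to \Delta^s)$. 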


The previous result shows that the bimodal consequence is reduced to the consequence 
relation based on the ‘white points’ of the simulating frame. 
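
The simulation of Section 4.1 can be checked mechanically on a finite Kripke frame. The following Python sketch is an added example, not part of the chapter: it builds the simulating frame, applies the translation (55) and verifies the equivalence (56) by brute force over all valuations. It assumes the reading of (53) in which the first relation is copied onto the white points, the second onto the black points, each white point is linked to its black copy and back, and every white point sees $*$; the tuple encoding of formulas and all function names are choices of this example.

```python
from itertools import combinations, product

# Formula encoding (chosen for this example): nested tuples
#   ("bot",)  ("p", name)  ("not", f)  ("and", f, g)
#   ("box", f)   first bimodal box; also the only box of the monomodal language
#   ("bbox", f)  second bimodal box (the filled box of the text)
BOT = ("bot",)

def neg(f):
    return ("not", f)

def imp(f, g):
    return neg(("and", f, neg(g)))

def dia(f):
    return neg(("box", neg(f)))

# Constant formulas picking out the three sorts of points of a simulating frame.
G_STAR = ("box", BOT)                           # box bot: only * has no successor
G_WHITE = dia(G_STAR)                           # dia box bot: only white points see *
G_BLACK = ("and", dia(neg(BOT)), neg(G_WHITE))  # dia top and not dia box bot

def box_white(f):
    return ("box", imp(G_WHITE, f))

def box_black(f):
    return ("box", imp(G_BLACK, f))

def translate(f):
    """Translation (55) of a bimodal formula into the monomodal language."""
    op = f[0]
    if op in ("bot", "p"):
        return f
    if op == "not":
        return neg(translate(f[1]))
    if op == "and":
        return ("and", translate(f[1]), translate(f[2]))
    if op == "box":
        return box_white(translate(f[1]))
    # "bbox": step to the black copy, along the second relation, and back
    return box_black(box_black(box_white(translate(f[1]))))

def sim_frame(points, r1, r2):
    """Simulating Kripke frame (53): white copies, black copies and *."""
    star = ("*", "*")
    rel = {((x, "w"), (y, "w")) for x, y in r1}
    rel |= {((x, "b"), (y, "b")) for x, y in r2}
    for x in points:
        rel |= {((x, "w"), (x, "b")), ((x, "b"), (x, "w")), ((x, "w"), star)}
    universe = {(x, c) for x in points for c in "wb"} | {star}
    return universe, rel

def sim_valuation(val):
    """beta^s(p) := the white copies of beta(p)."""
    return {p: {(x, "w") for x in xs} for p, xs in val.items()}

def holds(rels, val, x, f):
    """Truth of f at point x; rels maps "box"/"bbox" to a set of pairs."""
    op = f[0]
    if op == "bot":
        return False
    if op == "p":
        return x in val.get(f[1], set())
    if op == "not":
        return not holds(rels, val, x, f[1])
    if op == "and":
        return holds(rels, val, x, f[1]) and holds(rels, val, x, f[2])
    return all(holds(rels, val, y, f[1]) for u, y in rels[op] if u == x)

def sorts(points, r1, r2):
    """For each point of the simulating frame, the constants true at it."""
    universe, rel = sim_frame(points, r1, r2)
    consts = {"white": G_WHITE, "black": G_BLACK, "star": G_STAR}
    return {u: {n for n, g in consts.items() if holds({"box": rel}, {}, u, g)}
            for u in universe}

def check_56(points, r1, r2, f, atoms):
    """True iff (56) holds for f at every point under every valuation."""
    _, rel = sim_frame(points, r1, r2)
    fs = translate(f)
    pts = sorted(points)
    subsets = [set(c) for k in range(len(pts) + 1) for c in combinations(pts, k)]
    for choice in product(subsets, repeat=len(atoms)):
        val = dict(zip(atoms, choice))
        sval = sim_valuation(val)
        for x in pts:
            if holds({"box": r1, "bbox": r2}, val, x, f) != \
                    holds({"box": rel}, sval, (x, "w"), fs):
                return False
    return True
```

Since the constant for white points is true at every white copy, checking the translated formula at a white copy is the same as checking the implication that appears in (56).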


4.2 Algebraic Properties of the Simulation 


Let $p : \mathfrak{F} \to \mathfrak{G}$ be a p-morphism. Define $p^s$ by $p^s(x^\circ) := p(x)^\circ$ and $p^s(x^\bullet) := p(x)^\bullet$, 
and $p^s(*) := *$. It is easy to see that $p^s$ is a p-morphism from $\mathfrak{F}^s$ to $\mathfrak{G}^s$. Conversely, 
let $q : \mathfrak{F}^s \to \mathfrak{G}^s$ be a p-morphism. Then $q(*) = *$, $q[F^\circ] \subseteq G^\circ$ and $q[F^\bullet] \subseteq G^\bullet$, since 
all sets are definable by constant formulae. Next, if $q(x^\circ) = y^\circ$ then also $q(x^\bullet) = y^\bullet$, so 
that $q$ is completely defined by its action on $F^\circ$. Moreover, $q = p^s$ for some p-morphism 
$p : \mathfrak{F} \to \mathfrak{G}$. So, the simulation is faithful with respect to embeddings and contractions. 

Notice that $(\mathfrak{F} \oplus \mathfrak{G})^s$ is not isomorphic to $\mathfrak{F}^s \oplus \mathfrak{G}^s$ (the former is connected, the latter is 
not). However, the two are not so different. Basically, the latter has two points satisfying 
$\Box\bot$, the former only one. Thus only the former can be a simulation frame. 


LEMMA 76. $(\bigoplus_{i \in I} \mathfrak{F}_i)^s$ is a contraction of $\bigoplus_{i \in I} \mathfrak{F}_i^s$. The contraction is the one which 
collapses all points satisfying $\Box\bot$ into one. 


The construction can be remodeled algebraically. Let $\mathfrak{A}$ be a bimodal algebra. 


(61) $A^s := A \times A \times \{0,1\}$ 


(CaUb,@bUa,0) ifc=0 
62 ,b, c) := 
(62) 9 {a,,¢) Sera ife=1 
$\mathfrak{A}^s$ is the simulating algebra for $\mathfrak{A}$. It is easy to verify that if $\mathfrak{A}$ is the algebra of subsets 
of $\mathfrak{F}$, $\mathfrak{A}^s$ is the algebra of subsets of $\mathfrak{F}^s$, and conversely. If $h : \mathfrak{A} \to \mathfrak{B}$ is a homomorphism, 
so is $h^s : \mathfrak{A}^s \to \mathfrak{B}^s$. Moreover, if $q : \mathfrak{A}^s \to \mathfrak{B}^s$ is a homomorphism, then $q = p^s$ for some 
$p : \mathfrak{A} \to \mathfrak{B}$. So we have an isomorphism between the category of bimodal algebras and 
the category of simulation algebras. 

We are interested in the varieties generated by simulation algebras. V(Sim) is the 
variety generated by all simulation algebras. It is easier to look at the frames. Take a 
nonempty generated subframe $\mathfrak{G}$ of $\mathfrak{F}^s$. It is easy to see that it must be of the form $\mathfrak{H}^s$. 
Simply take $H := G \cap F^\circ$ (notice that we do allow frames to be empty). However, the 
empty subframe is not of that form. So, with the exception of the empty frame every 
subframe of $\mathfrak{F}^s$ is a simulation frame. It follows that $\mathrm{Cg}(\mathfrak{A}^s) \cong \mathrm{Cg}(\mathfrak{A}) + 1$, where the 
latter denotes the addition of a new top element to $\mathrm{Cg}(\mathfrak{A})$. 


PROPOSITION 77. $\mathfrak{A}$ is subdirectly irreducible iff $\mathfrak{A}^s$ is. 


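Next, let $p : \mathfrak{F}^s \to \mathfrak{G}$ be a contraction. It is easy to see that $p(x^\circ) = p(y^\bullet)$ cannot
hold; also, $p(x^\circ) \neq p(*) \neq p(x^\bullet)$. Moreover, $p(x^\circ) \lhd p(y^\bullet)$ iff $x = y$ iff $p(y^\bullet) \lhd p(x^\circ)$; and
if $p(x^\circ) = p(y^\circ)$ then $p(x^\bullet) = p(y^\bullet)$, and conversely. So, $\mathfrak{G} \cong \mathfrak{H}^s$ for some $\mathfrak{H}$. It follows
that $\mathrm{Sub}(\mathfrak{A}^s) \cong \mathrm{Sub}(\mathfrak{A})$. Finally, we have noticed that $(\prod_{i \in I} \mathfrak{A}_i)^s \in \mathsf{S}(\prod_{i \in I} \mathfrak{A}_i^s)$.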

Now, if $\mathsf{K}$ is a class of bimodal algebras, denote by $\mathsf{K}^s := \{\mathfrak{A}^s : \mathfrak{A} \in \mathsf{K}\}$. Also, denote
by $\mathsf{K}_{si}$ the class of subdirectly irreducible members of $\mathsf{K}$.


PROPOSITION 78. If $\mathsf{V}$ is a variety of bimodal algebras, $(\mathsf{V}_{si})^s = (\mathsf{V}^s)_{si}$.


Now let V* be the variety generated by V7. For any variety generated by simula- 
tion algebras, the subdirectly irreducible members are simulation algebras. Hence, any 
subvariety of V(Sim), with the exception of the trivial variety, is of the form V°. 


THEOREM 79. The map V — V° is an isomorphism from the lattice of varieties of 
bimodal algebras onto the lattice of nontrivial subvarieties of V(Sim). 


We now turn to the axiomatisation of the simulations. Put 


$*(x) := (\forall y)\neg(x \lhd y)$
(63) $\circ(x) := (\exists y)(x \lhd y \wedge *(y))$
$\bullet(x) := \neg{*}(x) \wedge \neg{\circ}(x)$


A monomodal frame is a simulation frame iff it satisfies the following elementary formulae
(here, $\exists!$ is short for: ‘there exists exactly one’):


(64a) $(\forall x)(\circ(x) \to (\exists! y)(x \lhd y \wedge \bullet(y)))$
(64b) $(\forall x)(\bullet(x) \to (\exists! y)(x \lhd y \wedge \circ(y)))$
(64c) $(\exists! x)(*(x))$


(64a) and (64b) are modally definable, but (64c) is not. It turns out that the class of 
Sim-frames is the class of frames satisfying (64a) and (64b). The axiomatisation can be 
derived from the correspondence between first-order and modal formulae. Moreover, Sim 
is R-persistent. Hence, any logic containing Sim is complete with respect to simulation 
frames. 


4.3 Unsimulation


Let $\mathfrak{F}$ be a Sim-frame. Then $F^\circ$ is the set of points satisfying $\circ(x)$, and $F^\bullet$ the set of
points satisfying $\bullet(x)$. If $x \in F^\circ$ let $x^\bullet$ be the unique successor in $F^\bullet$, and if $x \in F^\bullet$ then
let $x^\circ$ be the unique successor in $F^\circ$. Now put $\mathfrak{F}_s := (F^\circ, \lhd, \blacktriangleleft, \mathbb{F}_s)$, where


Be ife 

a) Se 

$\blacktriangleleft := \{(x^\circ, y^\circ) : x \lhd y;\ x, y \in F^\bullet\}$
$\mathbb{F}_s := \{a \in \mathbb{F} : a \subseteq F^\circ\}$


(65) 


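For the following theorem notice that $(\mathfrak{M}_s)^s$ always is connected, by construction.


PROPOSITION 80. Let $\mathfrak{M}$ be a monomodal connected Sim-frame, $\mathfrak{B}$ a bimodal frame.
Then $\mathfrak{M} \cong (\mathfrak{M}_s)^s$ and $\mathfrak{B} \cong (\mathfrak{B}^s)_s$.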
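The following is an added example, not taken from the handbook: it checks (64a) to (64c) on a finite Kripke frame, computes the unsimulation, and confirms the second half of Proposition 80 on a small constructed bimodal frame. It assumes the simulation frame has points x°, x• for every x plus one dead end *, and reads (65) as: first relation restricted to F°, second relation induced from the •-points via their unique °-successors; all function names are illustrative.

```python
STAR = "*"

def simulate(points, r1, r2):
    """Monomodal simulation of the bimodal Kripke frame (points, r1, r2).

    Assumed construction: x yields x° = (x, 'o') and x• = (x, 'b');
    '*' is the single dead end.
    """
    rel = set()
    for x in points:
        rel.add(((x, "o"), (x, "b")))   # x° sees its twin x•
        rel.add(((x, "b"), (x, "o")))   # x• sees its twin x°
        rel.add(((x, "o"), STAR))       # every °-point sees *
    rel |= {((x, "o"), (y, "o")) for x, y in r1}   # first relation on °-points
    rel |= {((x, "b"), (y, "b")) for x, y in r2}   # second relation on •-points
    universe = {(x, t) for x in points for t in "ob"} | {STAR}
    return universe, rel

def classify(universe, rel):
    """Split the universe by the formulae (63): *(x), °(x), •(x)."""
    succ = {x: {y for (u, y) in rel if u == x} for x in universe}
    star = {x for x in universe if not succ[x]}          # no successors
    white = {x for x in universe if succ[x] & star}      # sees a dead end
    black = universe - star - white                      # neither
    return succ, star, white, black

def is_simulation_frame(universe, rel):
    succ, star, white, black = classify(universe, rel)
    c64a = all(len(succ[x] & black) == 1 for x in white)
    c64b = all(len(succ[x] & white) == 1 for x in black)
    c64c = len(star) == 1
    return c64a and c64b and c64c

def unsimulate(universe, rel):
    """Recover (F°, first relation, second relation) from a Sim-frame."""
    succ, star, white, black = classify(universe, rel)
    to_white = {x: next(iter(succ[x] & white)) for x in black}
    r1 = {(x, y) for (x, y) in rel if x in white and y in white}
    r2 = {(to_white[x], to_white[y])
          for (x, y) in rel if x in black and y in black}
    return white, r1, r2

def round_trip_ok(points, r1, r2):
    """Proposition 80 for Kripke frames: unsimulating the simulation
    gives back the frame, up to the renaming x -> x°."""
    white, s1, s2 = unsimulate(*simulate(points, r1, r2))
    lift = lambda rel: {((x, "o"), (y, "o")) for x, y in rel}
    return (white == {(x, "o") for x in points}
            and s1 == lift(r1) and s2 == lift(r2))

def disjoint_union(frame_a, frame_b):
    universe, rel = set(), set()
    for tag, (u, r) in enumerate((frame_a, frame_b)):
        universe |= {(tag, x) for x in u}
        rel |= {((tag, x), (tag, y)) for x, y in r}
    return universe, rel

# Constructed sample: a three-point bimodal frame.
SAMPLE = ({0, 1, 2}, {(0, 1), (1, 2)}, {(2, 0), (1, 1)})

if __name__ == "__main__":
    sim = simulate(*SAMPLE)
    print(is_simulation_frame(*sim), round_trip_ok(*SAMPLE))
    print(is_simulation_frame(*disjoint_union(sim, sim)))
```

The disjoint union of two simulation frames has two dead ends, so it fails (64c), which is the situation the remark before Lemma 76 describes.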


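For each variable $p$ we introduce three variables $p_\circ$, $p_\bullet$, $p_*$. We call the new set the
extended set of variables. Think of $p_\circ$ as ‘$p$ is true at the region of $y^\circ$ worlds’; $p_\bullet$
as ‘is true at the region of $y^\bullet$ worlds’ and $p_*$ as ‘is true at the region of $y^*$ worlds’. For
formulae $\chi$ we define the formulae $\chi_\circ$, $\chi_\bullet$ and $\chi_*$ by mutual recursion (and think of them
as interpreted in the same way as the new variables).


$(\neg\varphi)_\alpha := \neg\varphi_\alpha$, $\alpha \in \{\bullet, \circ, *\}$
$(\varphi \wedge \chi)_\alpha := \varphi_\alpha \wedge \chi_\alpha$, $\alpha \in \{\bullet, \circ, *\}$
(66) $(\Diamond\varphi)_\circ := \varphi_\bullet \vee \varphi_* \vee \Diamond\varphi_\circ$
$(\Diamond\varphi)_\bullet := \varphi_\circ \vee \blacklozenge\varphi_\bullet$
$(\Diamond\varphi)_* := \bot$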


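Let $\beta$ be a valuation on $\mathfrak{F}^s$. Define $\beta_s$ on $\mathfrak{F}$ so that for all variables $p$ (assuming $x^* = *$
and $\alpha \in \{\circ, \bullet, *\}$):


(67) $(\mathfrak{F}, \beta_s, x) \models p_\alpha \Leftrightarrow (\mathfrak{F}^s, \beta, x^\alpha) \models p$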
Then it is established by induction on the formulae that 
$(\mathfrak{F}^s, \beta, x^\alpha) \models \varphi$
(68) $\Leftrightarrow (\mathfrak{F}, \beta_s, x) \models \varphi_\alpha$
S (8°, 8,20) F 5 (p/Po, È ep/Pe, 9 «P/Px) 
As usual, ĝe% := e ~y and similarly for $., where He and H, are as defined in 


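Equation (54). Now, every valuation on $\mathfrak{F}$ of the extended set of variables is of the form
$\beta_s$ for some valuation $\beta$ on $\mathfrak{F}^s$. Thus we obtain $(\mathfrak{F}^s, x^\alpha) \models \varphi$ iff $(\mathfrak{F}, x) \models \varphi_\alpha$, for every
$\alpha \in \{\circ, \bullet, *\}$. Finally, this gives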


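(69) $\mathfrak{F}^s \models \varphi \Leftrightarrow \mathfrak{F} \models \varphi_\circ \wedge \varphi_\bullet \wedge \varphi_*$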
Therefore, let 


(70) $\varphi_s := \varphi_\circ \wedge \varphi_\bullet \wedge \varphi_*$


THEOREM 81. Let $L = \mathsf{Sim} \oplus \Delta$ be consistent. Put $L_s := \mathsf{K}_2 \oplus \Delta_s$. Then $(L_s)^s = L$.
Additionally,


(71) Atry S A bi Ys and Alpe -= Aglkz, p 


PROPOSITION 82. $\mathrm{Th}\,\mathfrak{F}^s = \mathsf{Sim} \oplus (\mathrm{Th}\,\mathfrak{F})^s$.


4.4 The Main Theorem


Let StSim be the category of differentiated monomodal Sim-frames, with +, contain- 
ing a single point. The morphisms are the p-morphisms. Let Dif be the category of 
differentiated bimodal frames with p-morphisms as maps. 


THEOREM 83. $\mathsf{StSim}$ and $\mathsf{Dif}_2$ are naturally equivalent. The map $(-)_s$ is a functor
from $\mathsf{StSim}$ to $\mathsf{Dif}_2$, $(-)^s$ a functor from $\mathsf{Dif}_2$ to $\mathsf{StSim}$. Moreover, there is a natural
transformation from the identity on $\mathsf{Dif}_2$ to $((-)^s)_s$ and a natural transformation from
the identity on $\mathsf{StSim}$ to $((-)_s)^s$.


From Theorems 75 and 81 it follows that $L \mapsto L^s$ preserves and reflects finite and
recursive axiomatisability.

Next, if L = Th K then L = Th K* and conversely. It follows that completeness, 
finite model property, tabularity are preserved and reflected. 

Second, suppose that L is Df-persistent. Let Wt be a differentiated monomodal frame 
for L°. Then M, is differentiated and M = (M,)*, which is therefore differentiated. It 
follows that M, = L, so that the underlying Kripke-frame (Mt,); is an L°-frame. Since 
(Ms) = (My), we have My E L°. Similarly for R-persistence. 

Now we turn to interpolation. Using the algebraic characterisation of interpolation 
(Theorem 93) the preservation and reflection of interpolation is actually straightforward 
to show. There are also direct ways. Suppose that the bimodal logic L has interpolation. 
Now let y Frs w. Putting together Equations (56) and (68) we get that for every p, 


(72) Yo Frs p > a(ps)* 


where o : po => p, pe = Sep, px =œ Oup. So Yo > (ps) Frs Yo > (Ys), and so by 
Theorem 75, and the fact that L = (L*), we get ps Fr ws. There exists a formula y such 
that var(x) C var(ps) N var(w,) and Ys Fr x Fr Ys. Now, x is in the variables po, Pe, Px 
for p € var(y) N var(w), and this applies as well to y*. Furthermore, 


(73) Fam? (ps)? rps xË rps Ye (Ys) 
so that 
(74) Yo > P = Yo > O((¥s)*) Frs a(x?) Frs Yo > O((Hs)*) = Yo > a((Ys)°) 


Put X° := yo > o(x*). Likewise formulae y’ and x” can be found such that 


(75) Ye > Y Frs Ye > O(X*) Frs Ye —> Y 
(76) Ye > p Frs Ye > a(x”) Frs Ye —> Y 


Put x° := ye — 9.0(x’*), and y* := 7% — a(x”). Then x° A x° A x* is the desired 
interpolant. The proof works analogously for global interpolation and transfer of local 
and global Halldén-completeness. 

Now look at Sahlqvist formulae. By a theorem of [39] a modal logic is Sahlqvist iff it
can be axiomatized by formulae of the form $\varphi \to \psi$, where $\psi$ and $\varphi$ are composed from
compound modalities using only $\wedge$, $\vee$ and diamonds. (Compound modalities are strongly
positive formulae.) From this it follows immediately that if $\varphi \to \psi$ is Sahlqvist, so is
$(\varphi \to \psi)^s = \varphi^s \to \psi^s$. (The original formulation allows a prefix of boxes but this does not
define a larger class of logics.) The converse is similar. We have $(\varphi \to \psi)_s = \varphi_s \to \psi_s$,
and the unsimulation translates boxes into boxes and diamonds into diamonds. Finally,
note that simulation and unsimulation commute with ultraproducts.


THEOREM 84 (Kracht & Wolter). The map $L \mapsto L^s$ is an isomorphism from the
locale of normal bimodal logics onto the interval $[\mathsf{Sim}, \mathrm{Th}\,\bullet]$ in the locale of normal
monomodal logics. Moreover, the following properties of logics are invariant under this
map:


1. decidability,
2. elementarity, Df-persistence, R-persistence, being Sahlqvist,
3. finite model property, completeness, compactness,
4. local and global interpolation.


Halldén-completeness is actually not preserved under simulation. For example, the logic
$\mathsf{D} \otimes \mathsf{D}$ is Halldén-complete (being the fusion of two Halldén-complete logics). However,
its simulation has more than two constants, so it cannot be Halldén-complete (see below, 
Theorem 99). 

In general, for k € w there is a similar isomorphism from NExt(K,,) onto an interval 
[Sim,,, Th(€h,,_,)], where Sim,, is the simulating logic for k-modal frames, and €h,,_| = 
({0,1,...,«—1}, <) i < j iff j =7+1 if the chain of «—1 many points. The underlying 
set is F x {0,1,...,« — 1} plus the points of the chain, and we put (2,7) < (y,j) iff 
(a) x = yor (b) i = and x <; y. Additionally, every point (z,i) sees the point i — 1. 
Finally, i < j iff i < j. All aforementioned properties are invariant under this simulation. 
For countable «, [38] describes an embedding of NExt K, into (not necessarily onto) an 
interval in NExt Kı. 


4.5 Simulating Polyadic and Nonstandard Operators by Monadic Operators


Assume that L is a complete logic. Now add two modal operators G and H, together with 
the following axioms: G3 for 5, K4.3 for O, p > Gp, p > HSpand (GpApAp) — Hp 
for every basic modality Æ. Thus, G and E are tense duals, the relation for G is a well- 
order, and if x R(Œ) y for any compound modality Œ then either x = y or x R(G) y 
or y R(G) x. Call this logic L”. The difference operator of [16, 17] and the universal 
modality are now definable on all connected frames by 


(77) [Alx = GxAN8x  lulx :=xAlAlx 


Also, [2] has introduced a logic using a special type of variables, called nominals, which 
must be interpreted by singleton sets. Logics that admit both standard variables and 
nominals are called hybrid, see Chapter 14 of this handbook. It turns out that with 
the difference modality the standard languages have the same expressive power as the 
hybrid ones. Consider a variable p. Put 


(78) $n(p) := \langle u \rangle (p \wedge [\neq]\neg p)$
$\beta$ satisfies $n(p)$ on a Kripke-frame iff the value of $p$ is a singleton set. (In [29] the operator
$Op := p \wedge [\neq]\neg p$ is called the ‘only’ operator. It says that $p$ is true ‘only here’.) In absence of
the difference modality, the nominals give extra expressive power. Consider the operator
E defined by the following axiom: 


(79) n(p) > (@p = =p) 


Then a frame satisfies this axiom iff < is the complement of < (the inaccessibility relation 
of [34]). Notice that the following holds. 


THEOREM 85 (Gargov & Goranko). A class of frames is definable using the language 
with nominals and the universal modality iff it is definable using the difference operator. 


Recall the characterisation of the first-order properties axiomatisable by means of 
Sahlqvist-formulae. Using the inaccessibility relation and the universal modality we can 
not only express unrestricted quantification (on connected frames) but also negative for- 
mulae. This means that all first-order conditions over binary relations are now expressible 
(over the logic of these structures with enough modal operators) in which an atomic for- 
mula contains at least one universally quantified variable whose quantifier is not in the 
scope of an existential. This last restriction can be circumvented through the introduc- 
tion of new modalities (to mimic the Skolem functions) on condition that the variable 
depends only on one other variable. All these codings proceed by adding more operators, 
not more points. For example, ZFC without foundation can be so axiomatized, see [38]. 
The infinity axiom can be expressed much more succinctly than in that paper. Simply 
require 


(80) $(\exists x)(\emptyset \in x \wedge (\forall y)(y \in x \to (\exists z)(y \in z \in x)))$


The outer existential can be massaged away by introducing a constant, and the second 
existential can be dealt with using a Skolem function. Foundation of course is axiomati- 
sable using the G-axioms for >+. Even full class comprehension is axiomatisable. 

If one is interested in simulating polyadic operators then it is not enough to just add
relations (similarly if one wants to simulate predicate logic with a signature containing
at least ternary relation symbols). One approach was outlined in [40]. A better one is
presented in [28]. It is enough to look at the case of a single binary modal operator $\nabla$.
Kripke-frames are pairs $(F, R)$ where $R$ is a ternary relation. A generalized frame
is a triple $\mathfrak{F} = (F, R, \mathbb{F})$ where $\mathbb{F} \subseteq \wp(F)$ is a field of sets closed under


(81) LR(A1, A2) = {x EF: (avı € Aj) (Av2 i Ap) R(x, v1, v2)} 


Satisfaction of a formula is defined as follows. 


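(82) $(\mathfrak{F}, \beta, x) \models \nabla(\varphi_1, \varphi_2)$ :$\Leftrightarrow$ there are $v_1, v_2$ such that $R(x, v_1, v_2)$
and $(\mathfrak{F}, \beta, v_1) \models \varphi_1$; $(\mathfrak{F}, \beta, v_2) \models \varphi_2$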


For a triple $\vec{x}$, let $x_i$ be the $i$th component of $\vec{x}$. Given $\mathfrak{F}$, assume $F \cap R = \emptyset$ and put


F° :=FUR 
R; :=4(7,%): ZER} 
(83) S :={ (Zo: ZER} 


F° := {a U(RAU;<n 4i X bi X ci) : a, ai, bi, ci E€ F, n < w} 
Ki = (F°, S, Ro, Ri, Ro, F°) 
3° is a general frame and F° is generated by F. The set R is definable by u := (Ro) T
The set F in F° is called the set of base points. It too is definable. The simulation is 
now defined as follows. 


p 
(am (yı s z H 
(V(p1,%2))* = (S)((Ri)yt A (Re) 5) 


The translation (-)° preserves truth of formulae at base points. So we get 
PROPOSITION 86. FF yp Ss SF Fay p’. 


We remark that §* is differentiated (descriptive) iff ¥ is. 
Unsimulation is less straightforward. Let (M, S, Ro, R1, R2,M) be a monadic frame. 
Put 


Me := {x: x E 7p} 
(85) T := {7 : Ww : v Ro Zo, v Ri £1 and v Ro £2} 
M. := {a N Me : a E M} 


It is straightforward to check that for a ternary frame § S (3° )e. 
Now let Sim® be the logic of general frames of the form §*. The simulation map sends 
a dyadic logic L to the logic 


(86) L’ := Sim? 6 {au > p°: pe L} 


This map turns out to be a lattice homomorphism. It is injective but not surjective, 
unlike in the monadic case (in finite signature). A useful observation is this. 


PROPOSITION 87. Let L be a dyadic logic and K a class of Sim°-frames. If L° is 
complete with respect to K then L is complete with respect to Ke. 


Given an extension L of Sim’, let Le be the logic generated by all formulae valid on 
all unsimulations of descriptive L-frames. 


PROPOSITION 88. The following holds for a dyadic logic L and an extension M of 
Sim’. 


© M. = {p : >u > p° E€ M}. 
© LCM. if lL. CM. 

© (Me)? C M. 

© (L°)e = L. 


The following is shown in [28]. 


THEOREM 89 (Goguadze & Piazza & Venema). The map L +> L° is a lattice homo- 
morphism into the lattice NExt(Sim®). It preserves and reflects 


1. finite and recursive axiomatisability,
2. completeness, finite model property, tabularity,
3. canonicity,
4. first-order definability.


It preserves Sahlqvist axiomatisability and it reflects decidability. 


5 INTERPOLATION 


This section uses some algebraic notions that are either covered at the beginning of 
this chapter or in Chapter 6. Notice also the discussion on interpolation and fusion in 
Chapter 14, as well as simulations and fusion discussed in the previous section. 


5.1 Algebraic Characterisation 


DEFINITION 90. A modal logic $L$ has local interpolation if $\vdash_L$ has interpolation; it
has global interpolation if $\Vdash_L$ has interpolation.


Since $\vdash_L$ has a deduction theorem, local interpolation can also be formulated as follows:
if $\varphi \to \psi \in L$ there is a $\chi$ such that $\mathrm{var}(\chi) \subseteq \mathrm{var}(\varphi) \cap \mathrm{var}(\psi)$ and $\varphi \to \chi, \chi \to \psi \in L$.
This property is also known as Craig interpolation. Notice that interpolation is a
property of the consequence relation, not of the logic.


PROPOSITION 91. If $L$ has local interpolation it also has global interpolation.


Proof. Assume $\varphi \Vdash_L \psi$. Then for some compound modality $\boxplus$, $\boxplus\varphi \vdash_L \psi$. By
assumption there is a $\chi$ in the joint variables such that $\boxplus\varphi \vdash_L \chi \vdash_L \psi$. It follows that
$\varphi \Vdash_L \chi \Vdash_L \psi$. ∎


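DEFINITION 92. A variety $\mathsf{V}$ of modal algebras has the amalgamation property if
for every triple $\mathfrak{A}_0$, $\mathfrak{A}_1$, and $\mathfrak{A}_2$ from $\mathsf{V}$ and embeddings $\iota_1 : \mathfrak{A}_0 \to \mathfrak{A}_1$, $\iota_2 : \mathfrak{A}_0 \to \mathfrak{A}_2$ there
is a $\mathfrak{B} \in \mathsf{V}$ and embeddings $\varepsilon_1 : \mathfrak{A}_1 \to \mathfrak{B}$, $\varepsilon_2 : \mathfrak{A}_2 \to \mathfrak{B}$ such that $\varepsilon_1 \circ \iota_1 = \varepsilon_2 \circ \iota_2$. $\mathsf{V}$ has
the superamalgamation property if in addition to the above for every $a_1 \in A_1$ and
$a_2 \in A_2$: (a) if $\varepsilon_1(a_1) \leq \varepsilon_2(a_2)$ then there is a $c \in A_0$ such that $a_1 \leq \iota_1(c)$ and $\iota_2(c) \leq a_2$
and (b) if $\varepsilon_1(a_1) \geq \varepsilon_2(a_2)$ then there is a $c \in A_0$ such that $a_1 \geq \iota_1(c)$ and $\iota_2(c) \geq a_2$.


(87) [Diagram: the commuting square formed by the embeddings $\iota_1$, $\iota_2$, $\varepsilon_1$, $\varepsilon_2$.]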


THEOREM 93 (Maksimova). Let L be a modal logic.

1. L has local interpolation iff V(L) has the superamalgamation property.
2. L has global interpolation iff V(L) has the amalgamation property.


We sketch a proof of the second claim. Suppose that L has global interpolation, and
let Ao, A, and ly plus two embeddings be given. We define §; := Gry (Ai) and F3 := 
§tz(Ai U Ag), where Ftz(X) denotes the algebra freely generated by X in the variety 
of L-algebras. The embeddings form a commuting square as in (87). The identity map 
induces a surjective homomorphism 7; : gi > 2;. For i = 1,2 put T; := {y: mil) = 1}. 
Let T := {y: T, UT IFz x}. Then the following holds for y € Fy, w € Fy: 


(88) Tlrppyprow & (ve Fo)(poxveT and x ~ wv € To) 


For if T lk; p — w then there are finite T; C T; and a compound modality such that 
T);Al2 tr y —> y, giving T1; lk; Hro — y. There is an interpolant x € Fo, from 
which we deduce y > x € Ti and x > W € To. 

Put yOw iff T lk; p + Ww. This is a congruence on §3 and we put As := F3/O. Using 
the above property it is shown that for i = 1,2 and ọ E€ F;: pO T implies y € Tj. So, 
the natural map §; —> 23 factors through 7;, giving a map €; : A; — As with the desired 
properties. 

Conversely, assume that V(L) has the amalgamation property. Let y = y(p,7) and 
w = y(r, q) be given such that no global interpolant exists. We shall show that yr w. 
Let ¥o := $tz (7), F1 := Fez (P, r), Fo := Fez (Gr), and F3 := Frz(p,g,7). Let Oi be an 
open filter in ı containing y and Oz an open filter containing ~y and O1 N Fo. Then 
O; := O2 N Fo = Oı N Fo. Let ©; be the congruence associated with O;, A; := F:/O;. 
Then for all x, x’ € Fo, x91’ iff x 2x’. So we have embeddings t; : Ao — A;. Now 
we get an algebra B and maps €; : §; — B such that £1 0v, = €20 t2. Define v by 
v(p) := €1([p]O1) if p € var(y) and v(p) := €2([p]O2) if p € var(wW). Since y € O1, 
u(y) = 1 for all compound modalities. Since (>) # 1, px %. 

We remark here that the proof established that the category of L-algebras has pushouts 
for monomorphisms. 


THEOREM 94 (Maksimova). There are exactly seven consistent logics containing Grz 
which have interpolation. There are at most 50 consistent logics containing S4 which 
have global interpolation and at most 87 logics having interpolation. 


The first result is from [42], the second from [43]. We sketch a proof, restricting our
attention to global interpolation. The first step is to notice that if a modal logic L
has interpolation, then so does the intermediate logic determined by this class of frames
(under the Gödel translation). Notice the following. For a (general) frame $\mathfrak{F}$, define
the skeleton $S(\mathfrak{F})$ by reducing every cluster to size 1. If $L \supseteq \mathsf{S4}$ is determined by the
class $\mathsf{K}$ of general frames, then the intermediate logic associated with it is determined
by the class $\{S(\mathfrak{F}) : \mathfrak{F} \in \mathsf{K}\}$. It is not hard to see that if $\mathsf{K}$ has amalgamation then so
does $S(\mathsf{K})$. Therefore, the first step is to characterize the intermediate logics which have
interpolation.

It is best to use the dual characterisation in terms of frames: a necessary condition 
for a logic to have global interpolation is that if pı : ğı — Fo and pə : F2 — Fo are 
surjective p-morphisms of L-frames there is an L-frame 6 and p-morphisms qı : 6 > $1 
and q2 : 6 — §2 such that pı oq, = p2 © q2. Call 6 a fibred product of the ¥;. Now 
suppose that the logic contains only frames of depth < n, where n > 2, and that it 
contains the chain of length n, which is the frame £n = ({a; : i < n}, <) with x; < z; iff 
i < j. Now define two maps: p;(2;) = z; ifi < n—1 and pı (£n-1) = Zn—2; pozi) = Zi—1 
if į > 0, and po(0) = zo. It is easily seen that there is no fibred product 6 of depth n; 
there only is one of depth n + 1. This observation leads to the following result. 
Table 1. Intermediate Logics with Interpolation


Name           Axiomatisation                                               Characteristic Frames
Int                                                                         all Grz-frames
LC             $(p \to q) \vee (q \to p)$                                   all linear frames
BD_2           $p \vee (p \to (q \vee \neg q))$                             all frames of depth 2
KC             $\neg p \vee \neg\neg p$                                     all confluent frames
BD_2.BW_2      $p \vee (p \to (q \vee \neg q))$,                            $\mathfrak{B}_2$
               $(p \to q) \vee (q \to p) \vee (p \leftrightarrow \neg q)$
LC_2           $\neg p \vee \neg\neg p$, $p \vee (p \to (q \vee \neg q))$   the two element chain
PC             $p \vee \neg p$                                              the one element frame
Inc            $p$                                                          no frames


LEMMA 95. Let $L \supseteq \mathsf{S4}$ have global interpolation. If $\mathfrak{L}_3$ is an L-frame, then every $\mathfrak{L}_n$,
$n \in \omega$, is an L-frame.


Notice that every frame of depth n can be mapped onto £n, so that if L contains a 
frame of depth at least 3, it has frames of any given depth. This can be generalized. Let 
Ş = (F, <) and 6 = (G, <<) be frames with F N G = Ø; then let § O 6 := (FUG, x), 
where x < y iff (a) x,y € F and z <y or (b) xe F, y €G or (c) x,y € G6 and z < y. 
Further, let o denote the one-element reflexive frame. 


LEMMA 96. Let L D S4 have global interpolation. If § 9°80 is an L-frame, then so 
is §(Go)” Go for every n € w. 


Notice that for every frame, it is possible to collapse the points of depth j into a single 
point, if one is doing that for all j < m, m given. This means that the previous theorem 
restricts the set of logics with interpolation enormously. 

Now we turn to branching. Let B, := ({x; : i < n+ 1}, <), where £o < x; for every 
i < n+ 1, and z; < xj iff i = j when i > 0. Similarly, it is established that if L has 
interpolation and contains Bs then it contains all B„. A related result is that if L has 
a frame in which a node branches into 3 immediate successors, then it has unbounded 
branching. Finally, let Rn := ({y: : i < n} U {x, z}, <), where for all i < n we have (a) 
xa, (b) x<z, (c) z <y, (d) for all i,j < n: yi <yi, (e) for alli < n: y; <z and (f) z <z; 
and no other relations hold. First consider the p-morphisms qo, qı : R2 — £3 defined by 
qo(£) # qo(y1) Z qo(Y0) = qo(2) and qı (x) # qı (y0) # qı(41) = qı (2). The fibred product 
is the frame K3. Iterating this argument gives us that all R, must be L-frames. Next 
consider the p-morphisms po, pı : Re —> L2 defined by polyo) = po(y1) = po(x) Æ po(z) 
and pi(x) Æ pi(yo) = pi(y1) = pi(z). The fibred product is a frame of depth 3 which 
has the structure o © (0 80 ®0) ©@(0 Go Go) So. This means that as soon as Rə is an 
L-frame, more and more frames can be shown to be L-frames, so that we can eventually 
conclude that L = Int. 

These results shall suffice to motivate the result that at most 7 consistent intermediate
logics have interpolation. They are listed in Table 1. Now we turn to S4. We repeat the
strategy with the clusters. Let $\mathfrak{Cl}_n = (\{x_i : i < n\}, \lhd)$ with $x_i \lhd x_j$ for all $i, j < n$ be
the n-element cluster. It can be shown that if a logic has a frame with a final 3-element
cluster, then it has final clusters of arbitrary size. Similarly for nonfinal clusters. Now
let K be a class of Grz-frames that has superamalgamation. Then we can derive the
following nine possibilities for classes of S4-frames: (a) allow the final clusters to be
of size 1, 2 or limitless, (b) allow the nonfinal clusters to be of size 1, 2 or limitless.
Applied to any of the 7 consistent logics we derive a maximum of 63 combinations of
logics that have global interpolation. Some of these combinations are meaningless (for
example, allowing the nonfinal clusters for PC to be proper), so that the list can be
further reduced.

The notion of Halldén-completeness also splits into a local and a global version. 


DEFINITION 97. A modal logic $L$ is locally Halldén-complete if $\vdash_L$ is Halldén-
complete; $L$ is globally Halldén-complete if $\Vdash_L$ is Halldén-complete.


Global Halldén-completeness is also called the pseudo relevance property. The
following is clear: if $L$ is locally or globally Halldén-complete, it has up to equivalence
at most two constants. For let $\varphi$ be constant. $\varphi \vdash_L \varphi$, which by Halldén-completeness
yields that $\varphi$ is either inconsistent or a tautology. $L$ has at most two constants iff $\Diamond\top \in L$
(iff $L \supseteq \mathsf{K.D}$) or $\Box\bot \in L$ (iff $L$ is inconsistent or the logic of the one point irreflexive
frame).


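DEFINITION 98. A variety $\mathsf{V}$ of modal algebras has fusion if for every pair $\mathfrak{A}_1, \mathfrak{A}_2 \in \mathsf{V}$
there is a $\mathfrak{B} \in \mathsf{V}$ and embeddings $\varepsilon_1 : \mathfrak{A}_1 \to \mathfrak{B}$, $\varepsilon_2 : \mathfrak{A}_2 \to \mathfrak{B}$. $\mathsf{V}$ has superfusion
if in addition to the above for every $a \in A_1 - \{0\}$ and every $b \in A_2 - \{1\}$ we have
$\varepsilon_1(a) \nleq \varepsilon_2(b)$.


It is not hard to see that V(L) has fusion iff it has finite coproducts.


THEOREM 99 (Maksimova). Let L be a modal logic.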


1. L is locally Halldén-complete iff V has superfusion and the zero-generated algebras 
has at most two elements. 


2. L is globally Halldén-complete iff V has fusion and the zero-generated algebras has 
at most two elements. 


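The proof is essentially the same as in the case of interpolation. For the algebra $\mathfrak{Fr}_L(0)$
consists of two elements. For given two algebras $\mathfrak{A}_1$ and $\mathfrak{A}_2$, if they are nontrivial there
are maps $\iota_i : \mathfrak{Fr}_L(0) \to \mathfrak{A}_i$. Using the same proof we obtain an algebra $\mathfrak{B}$ and embeddings
$\varepsilon_i : \mathfrak{A}_i \to \mathfrak{B}$ such that $\varepsilon_1 \circ \iota_1 = \varepsilon_2 \circ \iota_2$.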


5.2 Proving Interpolation 


Besides the algebraic characterisation there are at least two other methods to prove 
interpolation. The first is based on tableau calculi and is basically due to [52]. This 
method can only be used if the tableau rules meet certain structural criteria. We show 
here only the case of K. Given a tableau calculus for L we do the following. Suppose 
that y Fz Y. Then y;-w is L-inconsistent. So it has a closing tableau. We label the 
formulae in the tableau ° if they derive from the formula y, and 1 if they derive from =y. 
(If x is a subformula of both, we create two copies of x, namely x° and x°.) From the 
closing tableau we construct two closing tableaux, one for y*; (~x)°, and one for x°; 7w*. 
Moreover, x will be based on the common variables of y and w. This gives y Fz x and 
$\chi \vdash_L \psi$. Here is the calculus.


A; A; =n 
w = cH A 
A; A;n 
A;~ 
(PE) ere 


A K-tableau is a tree C constructed according to these rules. C closes if all leaves are of 
the form L or p; =p, p a variable. Suppose C closes. The construction of the interpolant 
is bottom up. We show: If A°;, X° has a closed tableau there is a formula x such that 
A9; (~x)? and XS; x° both have a closed tableau. The proof is by induction on the length 
of a closing tableau for A®%;%°. x will be an interpolant for the sequent A F 7%, where 
a” is read disjunctively. 

There are in total six cases for the leaves. (1) p°; (~p)®, (2) p*;(-p)°, (3) (p); pS, 
(4) p°; (-p)°, (5) L° and (6) L°. In Case (1), choose x := L, and the first tableau will 
end in p*; (~p); (~L)°, the second in L*. In Case (2), choose x := p. The first tableau 
will consist in p*; (—p)°, the second in (—p)°;p*. The Cases (3) and (4) are dual to (1) 
and (2). In Case (5), let x := L, in Case (6) x := aL. Now, suppose that the last step 
has been an application of (OF). With labeling, the step is one of the following. 


(DA)*; (Q%)% (-Oy)* (DA)*; (02) (C0)? 
my) AS; X°; (sy)" í ASSES (ay) i 


We deal first with the left hand case. By inductive hypothesis there is a closing tableau 
for A7; (=y)*; (~x)° and a closing tableau for x°; 4°. The following steps are now valid. 


(OA)*; (-Oy)*; (07x): mba a el 
1) As; (99)% (0° De x" 


The desired interpolant is sO-7y. 
Now we look at the right hand case. By inductive hypothesis there is a formula y 
in the common variables and a closing tableau for °;(7w)°; x° and one for A4; (>x)°. 


Now look at the following tableaux. 


(OA)*; (00x)? (0X)*; (Ox)*; (a0y)* 
a As; (ax)° ue x5 (s~)° 


So, Ox is the desired interpolant. The other induction cases are dealt with similarly. 

For extensions of K the tableau methods have proved not so useful. The criterion of
[52] is not so easy to apply. Here is another method. Call a function $X$ from sets of
formulae to sets of formulae a local reduction function from logic $L$ to logic $M$ if the
following holds for all $\Delta$ and $\varphi$:


1. $X(\Delta) \subseteq L$.
2. If $\Delta$ is finite, so is $X(\Delta)$.
3. $\mathrm{var}(X(\Delta)) \subseteq \mathrm{var}(\Delta)$.
4. $\Delta \vdash_L \varphi$ iff $\Delta; X(\Delta; \varphi) \vdash_M \varphi$.


A global reduction function satisfies the same conditions, with Condition 4 replaced 
by 


(93) $\Delta \Vdash_L \varphi$ iff $\Delta; X(\Delta; \varphi) \Vdash_M \varphi$


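The following are global reduction functions to K. (For a correct formulation, we
assume that the primitive function symbols are $\top$, $\wedge$, $\neg$, and $\Box$. All other symbols are
abbreviations. $\mathrm{sf}(\Delta)$ denotes the set of subformulae of formulae from $\Delta$.)


(94) $X_4(\Delta) := \{\Box\chi \to \Box\Box\chi : \Box\chi \in \mathrm{sf}(\Delta)\}$
(95) $X_T(\Delta) := \{\Box\chi \to \chi : \Box\chi \in \mathrm{sf}(\Delta)\}$
(96) $X_B(\Delta) := \{\neg\chi \to \Box\neg\Box\chi : \Box\chi \in \mathrm{sf}(\Delta)\}$
(97) $X_{alt_1}(\Delta) := \{\neg\Box\chi \to \Box\neg\chi : \Box\chi \in \mathrm{sf}(\Delta)\}$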


It is easy to see that reduction functions always exist if $M \subseteq L$. For let $X(\Delta) \subseteq L$. Then
from $\Delta; X(\Delta; \varphi) \vdash_M \varphi$ follows $\Delta \vdash_L \varphi$. Conversely, if $\Delta \vdash_L \varphi$, there is a finite proof
of $\varphi$ from $\Delta$. It involves a set $T(\Delta; \varphi)$ of finitely many axioms of $L$, all of which use
only variables from $\Delta$. (To see this, take any proof of $\varphi$. If the proof contains a variable
$q$ not occurring in $\varphi$, replace it uniformly throughout the proof by $\top$. This transforms
the proof into a new proof not containing $q$.) Let $X(\Delta)$ be the union of all these sets
$T(\Delta'; \varphi)$ such that $\Delta'; \varphi = \Delta$. This is a reduction function from $M$ to $L$.

Observe that if $X$ is a local reduction function, then it is also a global reduction
function. And if $X$ is a global reduction function, there is a function $p$ from sets of formulae
to natural numbers such that $Y(\Delta) := \Box^{\leq p(\Delta)} X(\Delta)$ is a local reduction function. And
if $Y$ is a local reduction function, $X$ is a global reduction function.


DEFINITION 100. A reduction function $X$ splits if $X(\varphi \to \psi) = X(\varphi) \cup X(\psi)$.
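As an added illustration (not code from the handbook), the four functions (94) to (97) can be computed over formulae built from the primitives ⊤, ∧, ¬ and □, with → treated as an abbreviation; the sketch then checks condition 3 of a reduction function and the splitting property of Definition 100 on a constructed pair of formulae. The tuple encoding and all function names are assumptions of this example.

```python
# Formulae are nested tuples over the primitive symbols only.
TOP = ("top",)

def var(name): return ("var", name)
def neg(a): return ("not", a)
def conj(a, b): return ("and", a, b)
def box(a): return ("box", a)

def imp(a, b):
    """a -> b as an abbreviation: not(a and not b)."""
    return neg(conj(a, neg(b)))

def sf(phi):
    """Set of subformulae of a single formula."""
    out = {phi}
    for part in phi[1:]:
        if isinstance(part, tuple):      # skip the name stored in a variable
            out |= sf(part)
    return out

def boxed(delta):
    """All chi such that box(chi) is a subformula of some member of delta."""
    return {f[1] for phi in delta for f in sf(phi) if f[0] == "box"}

def variables(delta):
    return {f[1] for phi in delta for f in sf(phi) if f[0] == "var"}

# One axiom instance per boxed subformula, following (94)-(97).
REDUCTIONS = {
    "X4":    lambda c: imp(box(c), box(box(c))),
    "XT":    lambda c: imp(box(c), c),
    "XB":    lambda c: imp(neg(c), box(neg(box(c)))),
    "Xalt1": lambda c: imp(neg(box(c)), box(neg(c))),
}

def reduce_set(name, delta):
    """X(delta) for the reduction function called `name`."""
    return {REDUCTIONS[name](c) for c in boxed(delta)}

def keeps_variables(name, delta):
    """Condition 3: var(X(delta)) is contained in var(delta)."""
    return variables(reduce_set(name, delta)) <= variables(delta)

def splits(name, phi, psi):
    """Definition 100 checked on one pair: X(phi -> psi) = X(phi) u X(psi)."""
    whole = reduce_set(name, {imp(phi, psi)})
    return whole == reduce_set(name, {phi}) | reduce_set(name, {psi})

# Constructed sample formulae.
P, Q, R = var("p"), var("q"), var("r")
PHI = conj(box(P), Q)            # box p and q
PSI = box(box(conj(P, R)))       # box box (p and r)

if __name__ == "__main__":
    for name in REDUCTIONS:
        print(name, len(reduce_set(name, {imp(PHI, PSI)})),
              splits(name, PHI, PSI), keeps_variables(name, {PHI, PSI}))
```

Splitting holds here because the abbreviation φ → ψ introduces only ¬ and ∧, so the boxed subformulae of φ → ψ are exactly those of φ together with those of ψ.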


THEOREM 101 (Kracht). Suppose that there is a splitting global reduction function from 
L to M. If M has local (global) interpolation, then so does L. If M is locally (globally) 
Halldén-complete, so is L. 


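Proof. Suppose that $\varphi \vdash_L \psi$. Then $\vdash_L \varphi \to \psi$ and so $\Vdash_L \varphi \to \psi$. Hence $X(\varphi \to \psi) \Vdash_M
\varphi \to \psi$, and by assumption on $X$, $X(\varphi); X(\psi) \Vdash_M \varphi \to \psi$. There is a compound modality $\boxplus$
such that $\boxplus X(\varphi); \boxplus X(\psi) \vdash_M \varphi \to \psi$, from which $\boxplus X(\varphi); \varphi \vdash_M (\bigwedge \boxplus X(\psi)) \to \psi$. We
have $\mathrm{var}(\boxplus X(\varphi); \varphi) = \mathrm{var}(\varphi)$ and $\mathrm{var}(\bigwedge \boxplus X(\psi) \to \psi) = \mathrm{var}(\psi)$. L has local interpolation,
so there is a $\chi$ in the joint variables of $\varphi$ and $\psi$ such that


(98) $\boxplus X(\varphi); \varphi \vdash_M \chi \vdash_M (\bigwedge \boxplus X(\psi)) \to \psi$
From this follows $\varphi \vdash_L \chi \vdash_L \psi$. The proof of global interpolation is similar. Likewise for
Halldén-completeness. ∎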


The following general result holds (analogous theorems hold for the other functions 
shown in (94) — (97) with respect to transitive closure (for X4) and reflexive closure (for 
Xr)). 

THEOREM 102. Let L be a complete logic whose class of frames is closed under sym- 
metric closure. Then L.B is complete for symmetric L-frames. If L has the finite model 
property, so does L.B. If L has interpolation, so does L.B. 
Proof. Assume that $\Delta \vdash_{L.B} \varphi$. Put $n := \mathrm{dp}(\Delta; \varphi)$. We show that


(99) $\Delta; \Box^{\leq n} X_B(\Delta; \varphi) \vdash_L \varphi$


(In other words, we show that $Y_B(\Delta) := \Box^{\leq \mathrm{dp}(\Delta)} X_B(\Delta)$ is a local reduction function
from L.B to L.) Clearly, if (99) holds, we have $\Delta \vdash_{L.B} \varphi$. Assume that it fails. Then
there is an L-frame (F, <} and a model 


(100) (F, <, 8,2) E A; OS” Xp (A; p); 9 


Let < denote the symmetric closure of <. Then (F, <) is an L.B-frame, by assumption. 
We claim that for every x € sf(A;y) and every y accessible in at most n — dp(x) steps 
from x using < (or in fact <): 


(101) (F, a, 6,y Ex & (F,<,8,y)ExX 


The only critical step is x = Ox’. (=) is clear. (<=). Suppose that we have (F, «, 8, y) 
a0’. Then there is a z such that y « z and (F, 4,8,2) F 7x’. (1) y <z. Then the 
induction hypothesis yields (F, <, 8,2} E X’, and the claim follows. (2) y 4 z. Then 
z <y. Moreover, (F, <, 6,2) E ax’ —> O-0y’, and so (F, <, 8, y) F =20x%. 

Finite model property is easy; for interpolation just observe that the global reduction 
function is splitting. Q 


Notice that it follows that any combination of symmetry, transitivity and reflexivity is 
covered by these theorems. This can be generalized to polymodal logics. Finally, observe 
that all the reduction functions split. 


THEOREM 103 (Kracht). Let L be a polymodal logic characterized by any combination 
of reflexivity, symmetry and transitivity for any of the modal operators. Then L has the 
finite model property and interpolation. 


This covers among others K4 and S4 and fusions thereof. Similarly, passing from a 
monomodal logic to its minimal tense extension preserves interpolation if the logic is 
complete. For $\mathrm{alt}_1$ one needs to assume that L is a subframe logic. 

Using similar techniques, one can show the following. 


THEOREM 104. Let $L \supseteq$ K4 be a subframe logic with interpolation. Then L.G and 
L.Grz are subframe logics which have interpolation. 


Finally, one can also prove the following observation. 


PROPOSITION 105 (Rautenberg). Let $\chi$ be a constant formula. Then if L has local 
(global) interpolation, so does $L \oplus \chi$. 


5.3 Beth Properties 


As is known from predicate logic, interpolation is related to the Beth-property. However, 
in modal logic the relationship is somewhat more complex. 


DEFINITION 106. L has the local Beth-property if the following holds. Suppose 
that $\varphi(p, \vec{q})$ is a formula and 

(102) $\varphi(p, \vec{q}); \varphi(r, \vec{q}) \vdash_L p \leftrightarrow r$

Then there exists a formula $\chi(\vec{q})$ such that 

(103) $\varphi(p, \vec{q}) \vdash_L p \leftrightarrow \chi(\vec{q})$

If (102) is satisfied, $\varphi(p, \vec{q})$ is called a local implicit definition of p. If $\chi(\vec{q})$ satisfies 
(103), it is called the corresponding explicit definition of p. 


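There is a stronger property, the local projective Beth property. Here it is required 
that if 

(104) $\varphi(p, \vec{q}, \vec{r}_1); \varphi(p', \vec{q}, \vec{r}_2) \vdash_L p \leftrightarrow p'$

there exists a formula $\chi(\vec{q})$ such that 

(105) $\varphi(p, \vec{q}, \vec{r}_1) \vdash_L p \leftrightarrow \chi(\vec{q})$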


The global notions are defined similarly. Notice that a local implicit definition is also a 
global implicit definition. Hence if L has the local Beth-property it also has the global 
Beth-property. 

THEOREM 107 (Maksimova). A classical modal logic has local interpolation iff it has 
the local Beth property. 

PROPOSITION 108 (Maksimova). Let L be a classical modal logic. If L has interpola- 
tion then it has the global Beth-property. 


The logic G.3 has the global Beth-property but fails to have global interpolation. The 
logic S4.1.2 $\cap$ S5 has the global projective Beth-property but fails to have interpolation 
([44]). 


5.4 Fixed Point Theorems 


A rather different property is shown by logics above G. Say that a formula $\psi(\vec{q})$ is a 
fixed point of $\varphi(p, \vec{q})$ for p in L if 

(106) $\vdash_L \psi(\vec{q}) \leftrightarrow \varphi(\psi(\vec{q}), \vec{q})$,

If a logic has fixed points for all formulae $\varphi(p, \vec{q})$ where p only occurs inside the scope 
of a $\Box$ (or $\Diamond$) then the logic is said to have the fixed point property. It is clear that 
if $L \subseteq M$ then if $\psi(\vec{q})$ is a fixed point for $\varphi(p, \vec{q})$ for p in L it is one in M, too. The 
following is known as the fixed point theorem. 


THEOREM 109 (Sambin, de Jongh). Suppose that $\varphi(p, \vec{q})$ is a formula in which every 
occurrence of p is in the scope of a box. Then $\varphi(p, \vec{q})$ has a fixed point for p in G. 


Proof. The conditions on $\varphi(p, \vec{q})$ imply that on any finite G-frame, the valuation for p 
is fixed by that for $\vec{q}$. So, $\varphi(p, \vec{q})$ globally implicitly defines p. G has local interpolation 
and so the global Beth property, whence $\psi(\vec{q})$ exists. ∎


It follows that all extensions of G have the fixed point property. 

THEOREM 110 (Maksimova). All extensions of G have the global Beth-property. 


Call a formula $\varphi$ $\vec{q}$-boxed if every occurrence of a variable from $\vec{q}$ is in the scope of 
some modal operator. 

LEMMA 111. Let L be a logic containing G. Let $q_i$, $i < n$, be distinct variables and p a 
variable not contained in $\vec{q}$. For a set $S \subseteq n$ define $\chi_S$ by $\chi_S := \bigwedge_{i \in S} q_i \land \bigwedge_{i \in n - S} \neg q_i$. 
Suppose that $\varphi(p, \vec{q})$ is $\vec{q}$-boxed and that for some S, 

(107) $\vdash_L \chi_S \to \varphi(p, \vec{q})$.

Then already $\vdash_L \varphi(p, \vec{q})$. 


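LEMMA 112. Let $\varphi(p, \vec{q})$ be a formula. Then there exist $\vec{q}$-boxed formulae $\psi_1(p, \vec{q})$, 
$\psi_2(p, \vec{q})$, $\chi_1(p, \vec{q})$ and $\chi_2(p, \vec{q})$ such that 

(108) $\vdash_K \varphi(p, \vec{q}) \leftrightarrow ((p \lor \psi_1(p, \vec{q})) \land (\neg p \lor \psi_2(p, \vec{q})))$
(109) $\vdash_K \varphi(p, \vec{q}) \leftrightarrow ((p \land \chi_1(p, \vec{q})) \lor (\neg p \land \chi_2(p, \vec{q})))$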


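Now suppose that $\varphi(p, \vec{q})$ is a global implicit definition of p in L, and $L \supseteq$ G. Then 
$\varphi(p, \vec{q}); \varphi(r, \vec{q}) \Vdash_L p \leftrightarrow r$. Using Lemma 112 we get $\vec{q}$-boxed formulae $\chi_1(p, \vec{q})$ and $\chi_2(p, \vec{q})$ 
such that 

(110) $\vdash_L \varphi(p, \vec{q}) \leftrightarrow ((p \land \chi_1(p, \vec{q})) \lor (\neg p \land \chi_2(p, \vec{q})))$

Write 

(111) $\boxplus\varphi := \varphi \land \Box\varphi$

Since we also have (by transitivity of L) that 

(112) $\vdash_L \boxplus\varphi(p, \vec{q}) \land \boxplus\varphi(r, \vec{q}) \to (p \leftrightarrow r)$

we now get 

(113) $\vdash_L (\boxplus\varphi(p, \vec{q}) \land \boxplus\varphi(r, \vec{q}) \land p \land \chi_1(p, \vec{q}) \land \neg r \land \chi_2(r, \vec{q})) \to (p \to r)$

This formula has the form $(\mu \land p \land \neg r) \to (p \to r)$, where $\mu$ is $\vec{q}$-boxed. This is equivalent 
to $\neg\mu \lor \neg p \lor r$, or $(p \land \neg r) \to \neg\mu$. By use of Lemma 111 we deduce that $\vdash_L \neg\mu$, that is, 

(114) $\vdash_L \boxplus\varphi(p, \vec{q}) \land \boxplus\varphi(r, \vec{q}) \to (\chi_1(p, \vec{q}) \to \neg\chi_2(r, \vec{q}))$

We substitute p for r and obtain 

(115) $\vdash_L \boxplus\varphi(p, \vec{q}) \to (\chi_1(p, \vec{q}) \to \neg\chi_2(p, \vec{q}))$

Now from this and (110) it follows after some boolean manipulations 

(116) $\vdash_L \boxplus\varphi(p, \vec{q}) \to \boxplus(p \leftrightarrow \chi_1(p, \vec{q}))$

By the fixed point theorem for G there is a $\psi(\vec{q})$ such that 

(117) $\vdash_G \boxplus(p \leftrightarrow \chi_1(p, \vec{q})) \to (p \leftrightarrow \psi(\vec{q}))$

So we obtain 

(118) $\vdash_L \boxplus\varphi(p, \vec{q}) \to (p \leftrightarrow \psi(\vec{q}))$

which is nothing but 

(119) $\varphi(p, \vec{q}) \Vdash_L p \leftrightarrow \psi(\vec{q})$

So $\psi(\vec{q})$ is an explicit definition. [1] take a slightly different approach. They show 
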
THEOREM 113 (Areces & Hoogland & de Jongh). Let L be a transitive logic in which 
the rule 

(120) $\boxplus p \to (\Box q \to q) \,/\, \boxplus p \to q$

is admissible. Then L has the local Beth property iff it satisfies the fixed point theorem. 

Notice that the admissibility of (120) implies that the Löb-rule (121) is admissible. 

(121) $\Box p \to p \,/\, p$

For if $\Box\varphi \to \varphi$ is a theorem, so is $\boxplus\top \to (\Box\varphi \to \varphi)$. By (120), $\boxplus\top \to \varphi$ is a theorem, 
whence $\varphi \in L$. The following is folklore. 


THEOREM 114. A transitive logic contains G iff it satisfies the Löb rule. 


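Proof. Suppose $L \supseteq$ G and $\Box\varphi \to \varphi \in L$. Then $\Box(\Box\varphi \to \varphi) \in L$, from which $\Box\varphi \in L$. 
Hence, using (MP) we get $\varphi \in L$. Conversely, assume that the Löb rule is admissible. 
Put $\chi := \Box(\Box p \to p)$, $\psi := \Box p$. We need to show that $\chi \to \psi$ is a theorem of L. 

(122)
$\vdash_{K4} \Box(\chi \to \psi) \to (\Box\chi \to \Box\psi)$
$\vdash_{K4} \chi \to (\Box\psi \to \psi)$
$\vdash_{K4} \chi \to \Box\chi$
$\vdash_{K4} \Box(\chi \to \psi) \to (\chi \to \psi)$

Since the Löb rule is admissible in $L \supseteq$ K4, $\chi \to \psi \in L$. ∎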


On the other hand, the same method can be used to show that if $L \supseteq$ G then (120) 
is admissible. Suppose namely that $\boxplus\varphi \to (\Box\chi \to \chi)$ is a theorem. Then so is 

(123) $\Box\boxplus\varphi \to \Box(\Box\chi \to \chi)$

From this we get $\Box\boxplus\varphi \to \Box\chi$ with the G-axiom. But $\boxplus\varphi \to \Box\boxplus\varphi \in$ G, and so 
$\boxplus\varphi \to \Box\chi$, which together with the premiss yields $\boxplus\varphi \to \chi$. Therefore, the coverage of 
Theorem 113 is not larger than that of Theorems 109 and 110. 


5.5 Uniform Interpolation 


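L has uniform interpolation if 


• given $\varphi$ and variables $\vec{q}$ there exists a formula $\chi$ such that $var(\chi) \subseteq \vec{q}$ and for all 
formulae $\psi$ such that $\varphi \vdash_L \psi$ and $var(\varphi) \cap var(\psi) = \vec{q}$ we have $\varphi \vdash_L \chi \vdash_L \psi$ 
(uniform preinterpolation) and 


• given $\psi$ and variables $\vec{q}$ there exists a formula $\chi$ such that $var(\chi) \subseteq \vec{q}$ and for all 
formulae $\varphi$ such that $\varphi \vdash_L \psi$ and $var(\varphi) \cap var(\psi) = \vec{q}$ we have $\varphi \vdash_L \chi \vdash_L \psi$ 
(uniform postinterpolation). 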

By classical logic, L has uniform preinterpolation iff it has uniform postinterpolation. 
Notice that uniform interpolation of L can be used to define second order quantification 
inside the modal language. Let $L^{\forall}$ be the extension of L by propositional quantifiers. 
Now, $(\forall p)\varphi \vdash_{L^{\forall}} \varphi$ is always valid. Moreover, if $var(\psi) = var(\varphi) - \{p\}$ and $\psi \vdash_{L^{\forall}} \varphi$ 
then also $\psi \vdash_{L^{\forall}} (\forall p)\varphi$. So, $(\forall p)\varphi$ is up to equivalence the uniform preinterpolant. If 
L has uniform interpolation, there is a preinterpolant $\chi$ in the variables $var(\varphi) - \{p\}$. 
Hence, $(\forall p)\varphi$ is equivalent to $\chi$, and $L^{\forall}$ reduces to L in expressivity. This idea has been 
one of the reasons to study uniform interpolation (see [47]). The logics K, Grz and G 
have uniform interpolation, S4 fails to have uniform interpolation (see [57] and [27]). 
Furthermore, the following is known about fusions, see [62]. 


THEOREM 115 (Wolter). If L and L’ have uniform interpolation, so does $L \otimes L'$. 

Notice that if $\varphi_1 \vdash_L \psi$ and $\varphi_2 \vdash_L \psi$, and if $\chi_i$ are interpolants for $\varphi_i$ and $\psi$, then 
$\chi_1 \lor \chi_2$ is an interpolant for both: 

(124) $\varphi_1 \vdash_L \chi_1 \vdash_L \chi_1 \lor \chi_2 \vdash_L \psi$


So if a logic has interpolation and there are up to equivalence only finitely many formulae 
in n variables then L has uniform interpolation as well ([62]). 


THEOREM 116 (Wolter). Let L have interpolation. If V(L) is locally finite then L also 
has uniform interpolation. 


We shall sketch a proof that K has uniform interpolation. For example, we show that 
it has uniform preinterpolation. The proof uses tableau calculi again. By induction on 
the length of X we prove the following: Let ¢ be a set of variables. There is a x in the 
variables ¢ such that for any A such that var(A) Nvar(%) = q, given a closing tableau for 
A9; 5° both A”; (ax) and x°; US have a closing tableau. In other words, the interpolant 
is determined by the °-set alone (in addition to the set of shared variables). The proof of 
this fact is actually not hard. We look again at the proof sketched above. Suppose that 
the tableau closes. It closes in six possible situations. (1) p*%;(-p)*, (2) p%;(—p)°, (3) 
(ap)*; p°, (4) p°; (>p)°, (5) L° and (6) L°. In Case (5) x := L and in Case (6) x := =L 
satisfy the requirements. Consider the other cases. (A) p € g. Then only (2) and (3) can 
arise. The interpolant is completely determined by knowing =. (B) p ¢ g Then (1) or 
(4) arise. Again, the interpolant is determined solely by knowing ©. 

We consider briefly the other cases. If (w) has applied, the interpolant y for the lower 
sequent is an interpolant for the upper sequent. Clearly, it only depends on the upper 
°-set if that was true for the lower “-set. The same happens with (~E) and (AF). Next 
we look at (VE). 


AS (oly A ES 
029) BACHE AS OPE 


By inductive hypothesis there is an interpolant x depending only on N°, not on the °-set. 
Therefore we can use the same formula as follows: 
AM (APA PW) XE 
126 : : 
(120) A3; (>y)*5 x° | A% y)"; x° 
This tableau closes. Now suppose that the rule application is 


AS (Ale A H))GEE 
02) BACASE [AS COE 

By inductive hypothesis there are interpolants $\chi_1$ and $\chi_2$ independent of $\Delta$ for the left 
and right hand side. Now we get 


(x1 A x2)% (lp Ay) EP 


(128) A9; (A(x1 A X2))° (x1 A xX2)% (Ae) ES | (xa A x2); (4); ES 
A% (axa)? | AS Gx)? XE x33 (P) UP x95 x3; (W) US 
xt; (m); ue X2; (Y); uP 


Both tableaux close by assumption. The desired interpolant is $\chi_1 \land \chi_2$. So far the 
interpolant did not depend on what $\Delta$ is. 

The rule (OÆ) is the last and most complex to consider. Here we face two options: 
either it was applied to an *-formula, and then —O-y is the new interpolant, or it was 
applied to a “formula, and then the interpolant is Ox. Case (1). There is no A such 
that (GE) can be applied to an °-formula. Then the preinterpolant is ~O-y. Case 
(2). There is no A such that (OE) can be applied to a °-formula. Then Oy is the 
interpolant. Case (3). There is A; such that (OE) can be applied to an *-formula, 
and A» such that (OF) can be applied to a °-formula. Then ~O-7y V Oy is the desired 
interpolant. For by assumption, (~O-7y)%; 5° and (Oy)*;=° both close, and so does 
therefore (sO7y V Ox)"; 5°. And given A, either A%;(=0-x)° closes or A®; (Oy)°. 
However, this means that A1; (—=(=07y V Oy))°® closes. 


6 ADMISSIBLE RULES 


The study of admissible rules in modal logic has been the topic of the monograph by 
Vladimir Rybakov, [53], from which most of the results of this section are taken. Studying 
admissibility can be taken to mean the study of the consequence relations $\vdash_L^m$, where $\vdash_L^m$ 
is the largest consequence relation whose set of tautologies is L. For in this consequence 
relation every admissible rule is derived. Thus, we may either speak of characterizing 
the consequence $\vdash_L^m$ or about the admissible rules of $\vdash_L$, or, for that matter, L itself. We 
shall prefer the latter. Historically, the first breakthrough was the solution by Rybakov 
to Problem 40 of the list of 102 problems by Harvey Friedman, [22]. It asked whether 
admissibility of a rule in Int is decidable, which by way of the Gödel translation can be 
turned into a problem of Grz, see Theorem 121. Based on this, Rybakov has extended 
the results to cover large classes of extensions of K4, giving criteria of when admissibility 
of rules is decidable, and when $\vdash_L^m$ is finitely axiomatisable. 


6.1 General Theory 


We start with some general considerations. Let $\Delta = \{\delta_i : i < m\}$. A modal algebra 
satisfies the rule $\langle\Delta, \varphi\rangle$ iff it satisfies the Horn-formula 

(129) $\bigwedge_{i<m} \delta_i = \top \;\to\; \varphi = \top$

Admissibility can be characterized as follows. Let L be a logic. $\langle\Delta, \varphi\rangle$ is admissible in L 
iff for all n 

(130) $\mathfrak{Fr}_L(n) \vDash \bigwedge_{i<m} \delta_i = \top \;\to\; \varphi = \top$

where $\mathfrak{Fr}_L(n)$ denotes the freely n-generated L-algebra. For notice that for every valuation 
h into $\mathfrak{Fr}_L(n)$ there are formulae $\sigma_i$, $i \in \omega$, such that $h(p_i) = \sigma_i$. Hence with $\kappa$ the 
map induced by the identity and $\sigma : p_i \mapsto \sigma_i$, $h(\varphi) = \kappa(\varphi^\sigma)$. So, if $h(\varphi) = 1$ in $\mathfrak{Fr}_L(n)$ 
there is a substitution $\sigma$ for which $\kappa(\varphi^\sigma) = 1$, which means that $\varphi^\sigma \in L$. Equivalently 
we have 


PROPOSITION 117. Let $\Delta = \{\delta_i : i < n\}$. $\langle\Delta, \varphi\rangle$ is admissible in L iff $\mathfrak{Fr}_L(\omega) \vDash 
\bigwedge_{i<n} \delta_i = \top \to \varphi = \top$. 

We shall restrict our attention to extensions of K4. The problem whether admissibility 
of a rule is decidable in intuitionistic logic can be turned into a question of modal logics. 
Let us note that each rule can be brought into the form $\langle\{\chi_1\}, \chi_2\rangle$, also written $\chi_1/\chi_2$. 
Now, call a substitution s a unifier for $\chi$ in L if $\vdash_L s(\chi)$. Then the rule $\chi_1/\chi_2$ is 
admissible in L if every unifier for $\chi_1$ in L is also a unifier for $\chi_2$. Thus admissibility 
can be checked by inspecting the unifiers of a given formula. In a logic L, say that 
s is more general than s’, in symbols $s \leq s'$, if there is a substitution t such that 
$t(s(p)) \leftrightarrow s'(p) \in L$. Classical logic enjoys the property that if a formula has a unifier, it 
also has a unique most general unifier and it can effectively be found ([45]). Given that, 
admissibility can be checked in boolean logic as follows. Determine the most general 
unifier, say s, for $\chi_1$. Now decide whether $s(\chi_2)$ is a theorem. This fails in intuitionistic 
logic for the reason that there is no single most general unifier. The strategy can however 
be generalized. Suppose for any given formula $\chi$ we can compute a finite set $\Pi_\chi$ of 
minimal unifiers, then we can decide admissibility if the logic is decidable. (If L is 
undecidable, admissibility is a fortiori undecidable.) 
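
The boolean procedure just described, as an added Python example (not from the handbook). Assumptions of the example: formulas are nested tuples, theoremhood is decided by truth tables, and the most general unifier of a satisfiable χ is built from one satisfying assignment a as s(p) = χ → p when a(p) is true and χ ∧ p otherwise; all function names are hypothetical.

```python
from itertools import product

# Formulas as nested tuples (an encoding chosen for this example):
#   ("var", name), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)
def Var(name): return ("var", name)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def Imp(f, g): return ("imp", f, g)

def variables(f):
    """Set of variable names occurring in f."""
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(sub) for sub in f[1:]))

def evaluate(f, v):
    """Truth value of f under the assignment v (dict name -> bool)."""
    op = f[0]
    if op == "var":
        return v[f[1]]
    if op == "not":
        return not evaluate(f[1], v)
    if op == "and":
        return evaluate(f[1], v) and evaluate(f[2], v)
    if op == "or":
        return evaluate(f[1], v) or evaluate(f[2], v)
    if op == "imp":
        return (not evaluate(f[1], v)) or evaluate(f[2], v)
    raise ValueError(f"unknown connective: {op}")

def assignments(names):
    """All assignments over the given names, in a fixed order."""
    names = sorted(names)
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def is_theorem(f):
    """Classical theoremhood, decided by exhaustive truth table."""
    return all(evaluate(f, v) for v in assignments(variables(f)))

def substitute(f, s):
    """Apply the substitution s (dict name -> formula); other variables stay."""
    if f[0] == "var":
        return s.get(f[1], f)
    return (f[0],) + tuple(substitute(sub, s) for sub in f[1:])

def most_general_unifier(chi):
    """Return a most general unifier of chi, or None if chi has no unifier.

    In classical logic chi is unifiable iff it is satisfiable. For a
    satisfying assignment a, the substitution below makes chi a theorem:
    where chi is true it acts as the identity, where chi is false it
    evaluates every variable as a does. Since chi |- p <-> s(p), every
    unifier t of chi satisfies t(s(p)) <-> t(p), so s is most general.
    """
    for a in assignments(variables(chi)):
        if evaluate(chi, a):
            return {p: Imp(chi, Var(p)) if a[p] else And(chi, Var(p))
                    for p in a}
    return None

def is_admissible(chi1, chi2):
    """Decide admissibility of the rule chi1 / chi2 in classical logic."""
    s = most_general_unifier(chi1)
    if s is None:
        return True  # chi1 has no unifier, so the rule holds vacuously
    return is_theorem(substitute(chi2, s))
```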

[25] gives a proof along these lines that admissibility is decidable in intuitionistic logic. 
The methods are similar for modal logic. A formula $\chi$ is called projective if there is a 
unifier s such that for all $p \in var(\chi)$: 

(131) $\chi \vdash p \leftrightarrow s(p)$

It is possible to construct such a unifier. Let S be a subset of $var(\chi)$. Define $\theta^S_\chi$ by 

(132) $\theta^S_\chi(p) := \begin{cases} \chi \to p & \text{if } p \in S \\ \chi \land p & \text{otherwise} \end{cases}$

This substitution satisfies (131) but is not necessarily a unifier. Define an enumeration 
$S_i$, $i < k$, $k := 2^{|var(\chi)|}$, of the subsets of $var(\chi)$ so that if $S_i \subseteq S_j$, then $i \leq j$. Next put 


(133) Oy = Oe Nad eee 030 


THEOREM 118 (Ghilardi). $\theta_\chi$ is a unifier for $\chi$ iff $\chi$ is projective. 


This serves as a test for projectivity. Define $c(\chi)$ to be the maximum nesting of $\to$ 
(alternatively, $c(\chi)$ is the $\to$-depth of $\chi$). There are only finitely many formulae $\chi$ over a 
given finite set of variables such that $c(\chi) \leq n$, for any given n. (The other connectives 
are $\land$, $\lor$ and $\neg$. Obviously, this requires showing that from a given set of formulae, there 
is a bounded number of formulae that can be built using $\neg$, $\lor$ and $\land$.) Say that a set 
U of substitutions is complete for $\chi$ in L if for every unifier t for $\chi$ there is an $s \in U$ 
such that $s \geq t$. To check the admissibility of a rule $\varphi/\chi$ in L it is enough to be able 
to determine whether a formula has a unifier and if so to be able to construct a finite 
complete set for it. For then it is enough to check the complete set for $\varphi$ against that for 
$\chi$. 

THEOREM 119 (Ghilardi). Every unifiable formula has a finite complete set of unifiers 
in Int. 


This set is found as follows. Let 

(134) $S_\chi := \{\psi : var(\psi) \subseteq var(\chi),\ \psi \text{ projective and } c(\psi) \leq c(\chi)\}$

This set is shown to be finite. Then $\{\theta_\psi : \psi \in S_\chi\}$ is complete. What we really need, 
though, is a set of substitutions that is a basis, where S is a basis iff it is complete and 
for every $s, t \in S$, if $s \neq t$ then $t \not\leq s$. To get a basis, let $\Pi_\chi$ be any subset of $S_\chi$ for 
which (i) if $\psi_1, \psi_2 \in \Pi_\chi$ and $\psi_1 \vdash \psi_2$ then $\psi_1 = \psi_2$ and (ii) for every $\psi \in S_\chi$ there is a 
$\psi' \in \Pi_\chi$ such that $\psi \vdash \psi'$. Such a set obviously exists and is easy to construct on the 
basis of $S_\chi$. The set $\{\theta_\psi : \psi \in \Pi_\chi\}$ is a basis for $\chi$. Now the rule $\chi/\chi'$ is admissible iff 
for every $\psi \in \Pi_\chi$: $\psi \vdash \chi'$. 

Let us briefly mention some relations with modal logic. Consider the dual of $\mathfrak{Fr}_L(n)$, 
the weak canonical frame $\mathfrak{Can}_L(n)$. Let $\mathfrak{Ch}_L(n)$ be the subframe of all points of finite 
depth. This is also called the n-characterizing frame, while $\langle\mathfrak{Ch}_L(n), \kappa\rangle$, $\kappa : p_i \mapsto P_i$, 
is called the n-characterizing model. 


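LEMMA 120. Assume that $L \supseteq$ K4 has the finite model property. Then the rule 
$\delta_0, \ldots, \delta_{m-1}/\varphi$ is admissible in L iff for all n, 

(135) $\mathfrak{Ch}_L(n) \vDash \bigwedge_{i<m} \delta_i = \top \;\to\; \varphi = \top$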


Recall the Gödel-translation T from intuitionistic logic to modal logic. Let L be a 
superintuitionistic logic. Put $\sigma(L) :=$ Grz $\oplus\ T(L)$. 


THEOREM 121. The rule $\delta_0, \ldots, \delta_{n-1}/\varphi$ is admissible in L iff the translation 


is admissible in $\sigma(L)$. 


6.2 Frame Characterisation of Admissibility 


A logic has branching below m if whenever in some frame for L there is a cluster 
with d immediate successor clusters, then whenever we find d incomparable clusters in 
$\mathfrak{Ch}_L(n)$, there is a cluster C having these clusters as its immediate successor clusters. 
The effective m-drop point property is still more cumbersome to define. To understand 
it, recall the selection procedure of Fine and Zakharyaschev (see [20] and [63]). This 
procedure extracts a finite model out of a given model $\mathfrak{M}$ on the basis of a set $\Sigma$ of 
formulae closed under subformulae. Denote this frame by $X(\mathfrak{M}, \Sigma)$, and by $X_m(\mathfrak{M}, \Sigma)$ 
the model containing both $X(\mathfrak{M}, \Sigma)$ and the points of depth at most m. (We are assuming 
that the model is based on finitely many generators.) Crucially, this procedure does not 
preserve the truth of all formulae, since we are taking not necessarily generated subframes, 
but it does preserve the truth of all formulae from $\Sigma$. For cofinal subframe logics this 
shows that they have the finite model property. The m-drop point property says the 
following. Suppose that we have a finite n-generated L-model $\mathfrak{M}$ and that it is large. 
Then it contains a submodel $\mathfrak{N} \supseteq X_m(\mathfrak{M}, \Sigma)$ which is contractible onto an L-frame of 
no more than g(x,y) elements, where g is a recursive function and $x = |\Sigma|$, and y the 
number of points of depth at most m in $\mathfrak{M}$. 


THEOREM 122 (Rybakov). Suppose that L is a logic containing K4. Suppose further 
that 


1. L has fmp, 
2. L has branching below m for some $m \in \omega$, and 
3. L has the effective m-drop point property for some $m \in \omega$. 


Let p be a rule with k variables. Then p is admissible in L iff it is valid in the algebra of all 
subsets of the Kripke-frame underlying the k-characterizing frame. Furthermore, suppose 
that there is an algorithm which decides for a finite frame whether it is an L-frame. Then 
there exists an algorithm deciding whether a given inference rule is admissible for L. 


The proof of this theorem uses the selection procedure. It shows that if p is refutable in 
the n-characterizing model then we can construct a model whose size we can estimate a 
priori and in which p is refuted as well. This model also has the so-called view-realizing 
property. Conversely, if such a model exists, p is refutable in the n-characterizing model. 
The proof of the latter statement is the most involved, but it seems that it can be 
simplified using the technique of homogenisation proposed in [39]. 

Let $I_n$ be an axiom saying that the frames are of width at most n (that is, have no 
antichain of length n + 1). 


COROLLARY 123. Admissibility of rules is decidable in the modal systems K4, S4, 
GL, Grz, S5, and in the logics $L \oplus I_n$, where L is any of the aforementioned logics. 


Ghilardi and Sacchetti apply in [26] the method of [25] and develop criteria for extensions 
L of K4. Let us be given a formula $\chi$. There are infinitely many substitutions 
s such that $\chi^s$ is a theorem of L. Say that unification in L is filtering if for any two 
unifiers $s_0$ and $s_1$ for a formula $\chi$ there is a unifier t such that $t \leq s_0, s_1$. Evidently, 
if unification is filtering in L then a complete set is either infinite or contains just one 
member. (If the latter is always the case, L is called unitary.) 


THEOREM 124 (Ghilardi & Sacchetti). Let $L \supseteq$ K4. Then unification is filtering iff 
LDK49@2t = K4@07070 p> 7 -p. 


The additional axiom is similar 2 = OOp — Op, only that we use © in place of 
So, above S4 this axiom reduces to 2. The condition also has algebraic analogs. Say that 
an algebra $\mathfrak{A}$ is projective in a variety V if there is a free algebra $\mathfrak{Fr}_V(X)$ and maps 
$p : \mathfrak{Fr}_V(X) \to \mathfrak{A}$ and $m : \mathfrak{A} \to \mathfrak{Fr}_V(X)$ such that $p \circ m = 1_{\mathfrak{A}}$. Say that an algebra is 
finitely presented in V if there is a finite set X and a finite set E of equations such 
that $\mathfrak{A} \cong \mathfrak{Fr}_V(X)/\Theta(E)$, where $\Theta(E)$ is the smallest congruence containing E. 


THEOREM 125 (Ghilardi & Sacchetti). Unification in L is filtering iff finitely presented 
projective L-algebras are closed under binary products. 


Let §; = (F;, <) be a family of L-frames. (P,ez Fi)° and (Q;czr Fi)? are defined like 
the disjoint union, except that a root world is added, which is irreflexive in the first, and 
reflexive in the second case. Finally, irr((®,<¢,8i)°) and irr((Q@,<, 8i)*) are obtained 
by identifying all final clusters (assuming that they are isomorphic). Now L has the 
2-glueing property if whenever L has a Kripke-frame containing an irreflexive point 
(a reflexive point) and §;, i € I, are L-frames whose final clusters are isomorphic, then 
irr((@je, 5:)°) and (irr((P;ez Fi)°)) is an L-frame. 

THEOREM 126 (Ghilardi & Sacchetti). Unification is unitary in $L \supseteq$ K4 if L contains 
K4 $\oplus\ 2^+$, has the finite model property and has the 2-glueing property. 


In particular, for every L satisfying these conditions the admissibility of inference rules 
is decidable, which implies that the logics are decidable. For clearly, if admissibility of a 
rule in L is decidable L must be decidable. But the converse need not hold. 


THEOREM 127 (Chagrov). There is a logic which is decidable, but admissibility of rules 
is undecidable. 


6.3 Axiomatizing the Admissible rules 


There also is a question whether the admissible rules can actually be axiomatized. In 
the present terms this means axiomatizing $\vdash_L^m$. One speaks of a basis for the set of 
admissible rules. In [53], a series $\mathfrak{E}_n$, $n \in \omega$, of frames is defined. 


1. El := {x8}, z8} <0 x8. 
2. BA = BLU {a} :i < 2" +2}. oh ect iffi = 0 or i= i and j= j. 


3. Let H be the set of all antichains of Ef — Et). Ett! := Et U {af : h € H}. digi 
satisfies (a) <;+1 | Ej, = <I, (b) £}, <i+1 oy iff j = i— 1 and k € h or there is a 
xit such that p € h and tit <; x}. 


(137) En := (JE U < 


Furthermore, the following is established. 

THEOREM 128 (Rybakov). Let $L \supseteq$ S4 be a logic with the following properties. 


• For all n: $\mathfrak{E}_n \vDash L$. 
• L has the finite model property and branching below 1. 
• L has the effective m-drop point property. 


Then $\vdash_L^m$ cannot be axiomatized by finitely many rules. 


Similar criteria are established for superintuitionistic logics and logics containing K4. 
What is important is the following consequence. 


THEOREM 129 (Rybakov). The logics S4, S4.1 and S4.2 have no finite basis for the 
admissible rules. 


[53] also shows that the logics K4, K4.1, K4.2, and G have no finite basis for 
admissible rules. 




6.4 Decidability of the Admissibility of a Rule 


Lemma 120 can be strengthened. A rule is admissible in L with finite model property iff 
it is valid in $\mathfrak{Ch}_L(n)$, where n is the number of variables occurring in the rule. We obtain 
the following. 


THEOREM 130 (Rybakov). Let $L \supseteq$ K4 be finitely axiomatisable. Suppose that V(L) is 
locally finite. Then the admissibility of a given rule in L is decidable. 


6.5 Structural Completeness 


For a class K of algebras, K? denotes the least quasi-variety containing K. The following 
is a useful criterion. 


THEOREM 131 (Rybakov). A modal logic L C K4 is structurally complete iff every 
subdirectly irreducible A € V(L) is contained in (Ftz(w))?%. This is the case iff V(L) = 
(Sez (w))®. 

If L is a logic that has the finite model property then the free algebra $\mathfrak{Fr}_L(\omega)$ is a 
subalgebra of the product of the finite subdirectly irreducible L-algebras. Under this 
condition, a logic L is structurally complete iff every finite subdirectly irreducible 
L-algebra is embeddable into the algebra $\mathfrak{Fr}_L(\omega)$ (or some $\mathfrak{Fr}_L(n)$, $n \in \omega$). Suppose $\mathfrak{A}$ is 
a finite, subdirectly irreducible K4-algebra. Then $\mathfrak{A}$ has an opremum $\omega$. Now, for each 
element a of $\mathfrak{A}$ let $p_a$ be a variable and let $r(\mathfrak{A})$ be the following rule: 

(138) $r(\mathfrak{A}) = \dfrac{\{p_{a * b} \leftrightarrow p_a * p_b : a, b \in A\} \cup \{p_{\circ a} \leftrightarrow \circ p_a : a \in A\} \cup \{p_1\}}{p_\omega}$

where $*$ runs through all the basic binary connectives and $\circ$ through all the basic unary 
connectives. This is the quasi-characteristic inference rule of $\mathfrak{A}$. Now the following 
holds: 


THEOREM 132 (Citkin). Let $\mathfrak{A}$ be a finite, subdirectly irreducible K4-algebra. Then for 
any K4-algebra $\mathfrak{B}$, $r(\mathfrak{A})$ is invalid in $\mathfrak{B}$ iff $\mathfrak{A}$ is isomorphically embeddable into $\mathfrak{B}$. 


This technique is reminiscent of the technique of splittings (see [10] and [11]). 

It is not hard to show that no K4-algebra with at least two elements is embeddable into 
$\mathfrak{Fr}_{K4}(\omega)$. Armed with this result one can show that there are infinitely many admissible 
rules which are independent from each other. One has to show only that there are 
infinitely many simple, finite K4-algebras. On the other hand, the set of admissible quasi- 
characteristic rules of S4 and Grz have a finite basis. In the latter case the generalized 
Mints’ rule alone forms a basis: 


(139) (p> o> vrVvu 
(> 4) >q) V ((p>4)>r)] Vu 
For S4 we need in addition to the modal translation of this rule two more, one of which 
is the quasi-characteristic rule of the two element cluster, which is equivalent to the rule 
$\Diamond p; \Diamond\neg p / q$. 

This can be brought to bear on extensions of S4.3 in the following way. 

LEMMA 133. Let L be a modal logic containing S4.3 and $\mathfrak{A}$ a finite, subdirectly irreducible 
L-algebra. Then $\mathfrak{A} \times 2$ is a subalgebra of $\mathfrak{Fr}_L(\omega)$, where 2 is the two-element 
S4-algebra. 

LEMMA 134. The rule $\Diamond p; \Diamond\neg p / q$ is valid in $\mathfrak{A}$ iff the algebra of the two element cluster 
is not embeddable into $\mathfrak{A}$. 


Now, any extension L of S4.3 is finitely axiomatisable and has the finite model property, 
by results of [7] and [18]. L has the property of branching below 1 and the effective 
m-drop point property for some m. It follows that the admissibility of inference rules is 
decidable for L. Second, if we add the rule $\Diamond p; \Diamond\neg p / q$ then the resulting consequence 
relation axiomatizes the quasi-variety containing all finite L-algebras of the form $\mathfrak{A} \times 2$. 
Since L is determined by such algebras, we see that this quasi-variety contains $\mathfrak{Fr}_L(\omega)$. 
Moreover, since the smallest quasi-variety containing $\mathfrak{Fr}_L(\omega)$ must contain these algebras, 
the two are equal. 


THEOREM 135 (Rybakov). Let $L \supseteq$ S4.3. Then $\vdash_L^m$ is axiomatized over $\vdash_L$ by (MN) 
and $\Diamond p; \Diamond\neg p / q$. 


We derive that Grz.3 is structurally complete, since the rule $\Diamond p; \Diamond\neg p / q$ is actually 
derivable in $\Vdash_{Grz.3}$. It follows that LC is also structurally complete, since Grz.3 = 
$\sigma$(LC). 

Call a logic L hereditarily structurally complete if all its extensions are struc- 
turally complete. L is structurally precomplete if it is not structurally complete, but 
all its proper extensions are. 


THEOREM 136 (Rybakov). There are exactly 20 structurally precomplete logics con- 
taining K4, and they are all tabular of the form Th(8;), i < 20. 


The Kripke-frames Ho — 919 mentioned in the theorem are known. (They are for 
example of width and depth at most 3.) We derive the following. 


COROLLARY 137. $L \supseteq$ K4 is hereditarily structurally complete iff 


(140) L 2 K4/{%; : i < 20} 


From this, results on S4 and Int can be immediately derived (since the frames are 
explicitly known). All these logics must be of width 2. 


7 FURTHER TOPICS 


There are notions of consequence that are not included in this study that we shall mention 
here only briefly. First, a multiple conclusion rule is a pair $\langle\Delta, \Theta\rangle$ of sets of formulae. 
A multiple conclusion rule is derived in $\vdash$ if whenever $\Delta$ is made true by a substitution, 
that substitution makes at least one member of $\Theta$ true. It is admissible in L if for every 
substitution $\sigma$ such that $\Delta^\sigma \subseteq L$ we have $\theta^\sigma \in L$ for at least one $\theta \in \Theta$. A case in point is 
the pair $\langle\{p \lor q\}, \{p, q\}\rangle$. This rule is admissible in intuitionistic logic but not in classical 
logic. Its reflex in modal logic is the rule $\langle\{\Box p \lor \Box q\}, \{\Box p, \Box q\}\rangle$. A modal logic has the 
disjunction property if this rule is admissible. Since the disjunction property does 
not specify which of the alternatives holds, it is not characterisable in terms of 
single-conclusion rules. In [33] a modal logic is said to provide the rule of disjunction if 
all of the rules ({0 V;<n pi}, {Api : i < n}) are admissible, and it is shown that if a logic 
provides the rule of disjunction then the canonical frame is generated by a single point, 
which is the set {=0y : y ¢ L}. More on the disjunction property can be found in [9]. 
The multiple conclusion rules are more general than ordinary rules, which we may call 
also single conclusion rules. 

There is also a strong rule of disjunction: 

(141) $\langle\{\bigvee_{i<n} \Box p_i\}, \{p_i : i < n\}\rangle$

(see [58]) and the rule of margins 

(142) $\langle\{p \to \Box p\}, \{p, \neg p\}\rangle$

(see [59]). 

Another kind of rule is presented by the irreflexivity rule. 
(143) a <P yee provided p does not occur in y 


This rule has been proposed in [23]. It is called irreflexivity rule since in tense logic 
adding that rule to a logic L gives the logic of the irreflexive frames of L. In ordinary 
modal logic this does not go through ([56]), unless one adds infinitely many of them (see 
[24]). See also the chapter on hybrid logics. The difference between this rule and the 
standard or multiple conclusion rules is the reference to variables, which we know from 
predicate logic but is quite uncommon elsewhere in propositional logic. The possibility 
of defining negative properties of frames using rules has been explored in [56]. 

PREFACE 


This chapter is divided into two parts. The first (which consists of Sections 1-5) was 
written by Torben Braüner, and the second (which consists of Sections 6-11) was written 
by Silvio Ghilardi. 

In the first part we give an introduction to first-order modal logic. We discuss a 
number of logics that make use of constant domain, increasing domain, and varying 
domain semantics, and also present a first-order intensional logic and a first-order version 
of hybrid logic. One criterion for selecting these logics has been the availability of sound 
and complete proof procedures for them, typically axiom systems and/or tableau systems. 
We compare the first-order modal logics discussed here to fragments of sorted first-order 
logic via appropriate versions of the standard translation. 

In the second part of the chapter, we review both positive and negative results con- 
cerning fragment decidability, Kripke completeness and axiomatizability. Modal hyper- 
doctrines are then introduced, as a unifying tool for analyzing the alternative semantics 
proposed in the literature. These alternative semantics range from specific semantics for 
non-classical logics (like metaframes), to interpretations in well-established mathematical 
frameworks (like topological spaces and toposes). Finally, the strict relationship between 
topological semantics and D. Lewis’s counterpart semantics is investigated in detail and 
an axiomatization is presented. 


1 INTRODUCTION TO PART I 


In Part I of this chapter we give an introduction to first-order modal logic. First-order 
modal logic is a big area with a great number of different logics. This has forced us to 
make a number of choices. The first choice we made was to concentrate on presenting an 
appropriate selection of logics rather than trying to be encyclopedic. This has allowed 
us to give reasonably detailed treatments of each of the selected logics. How did we 
select the logics in question? We wanted to present logics involving constant domains, 
increasing domains, and varying domains, and moreover, we wanted to present a first- 
order intensional logic as well as a first-order version of hybrid logic. 

Given these overall requirements, one criterion for selecting particular logics for
presentation has been the availability of sound and complete proof procedures, typically
axiom systems and/or tableau systems. We have compared the first-order modal logics
under consideration to fragments of sorted first-order logic via appropriate versions of
the standard translation. The possibility of doing so in a straightforward and simple way
has been another criterion for selecting a particular logic for presentation. In fact, we take
such simplicity as a sign of mathematical naturality. We have not included constant
symbols in the presented logics, the reason being that constants (having a given sort of 
semantic values) from a mathematical, model-theoretic point of view are just variables 
(ranging over the same semantic values) that are not quantified over. In the interest of 
simplicity, we have not included function symbols either. Counterpart semantics, which 
can be considered an alternative to first-order intensional logics, is treated in Part II, 
Section 11 of this chapter. 

So, which logics have been chosen? In Section 2 we shall present three first-order 
modal logics which we call the basic logics. In the basic logics, variables designate 
individual objects. The three basic logics have respectively constant domains, increasing 
domains, and varying domains. In Section 3 we present first-order intensional logic.
Besides objectual variables, this logic involves intension variables, that is, variables that
designate functions from worlds to individual objects. Thus, there are two different types 
of semantic values, namely objects and functions from worlds to objects. First-order 
intensional logic allows quantification over both types of semantic values and predicates 
are allowed to take both types of semantic values as arguments. The logic includes 
so-called predicate abstraction which allows the functions from worlds to objects to be 
applied to arguments, that is, worlds, whereby objects are obtained. In Section 4 we 
present first-order hybrid logic which is obtained by adding to basic first-order modal 
logic further expressive power in the form of a new sort of propositional symbol called a 
nominal, and moreover, by adding so-called satisfaction operators and binders. 


2 THE BASIC LOGICS 


The syntax of the basic logics considered in this section is simply the syntax of ordinary 
(non-modal) first-order logic with equality, extended with a modal operator. Variables 
in the basic logics designate rigidly, that is, a variable designates the same object in all
worlds. On the other hand, a predicate might have different extensions in different worlds, 
thus, predicates are relativised to worlds. This allows us to formalise natural language 
sentences involving predicates like for example “is a citizen of the United States”. The 
fact that this predicate has different extensions in different worlds follows for example 
from the observation that Arnold Schwarzenegger is a citizen of the United States, but 
he might not have been so, for example if he had not emigrated to the United States. 
Predicates with different extensions in different worlds should be compared to predicates 
which naturally are taken to have the same extension in all worlds, one example being “is 
greater than five” since the extension of this predicate in any world naturally is taken to 
be the set of numbers greater than five. Predicates of the latter kind can be formalised 
in ordinary first-order logic. 

One choice to make is whether quantified domains might be different in different 
worlds, that is, whether quantifier domains are relativised to worlds, and if they are 
relativised to worlds, whether any restrictions are imposed on this relativisation. In 
this section we present three different first-order modal logics corresponding to three 
different choices concerning relativisation: they have respectively constant domains (no
relativisation), increasing domains (relativisation with the restriction that the domain 
of a world is included in the domain of any accessible world), and varying domains 
(unrestricted relativisation). Note that in all three cases an object might be a member 
of the quantified domains of more than one world, in fact, in the constant domain case 
all worlds have the same quantifier domain. In Subsection 2.8 we compare constant 
and varying domains using so-called existence predicates. The choice of relativisation 
of quantifier domains is related to the famous Barcan and Converse Barcan formulas, 
which we shall return to a number of times, in particular in Subsection 2.9. 

Sound and complete proof procedures are available. In this section we give axiom 
systems for the constant, increasing, and varying domain basic logics. A tableau system 
for a version of the constant domain logic without equality can be found in Chapter 2 in 
the present handbook, and tableau systems for the constant and varying domain logics, 
including equality, can be found in the book [41]. For more on the model theory of 
first-order modal logic, see [30], [31], and [33]. 
2.1 Syntax of the basic logics


The three basic first-order modal logics have the same syntax, that is, the same formulas.
The syntax is obtained by adding a modal operator $\Box$ to the syntax of ordinary first-order
logic with equality. It is assumed that a countably infinite set of first-order variables is
given. The metavariables $x, y, z, \ldots$ range over variables. We do not consider function
symbols or constants, so all terms are variables. It is also assumed that a set of predicate
symbols is given. The metavariables $P, Q, R, \ldots$ range over predicate symbols. Each
predicate symbol comes together with a specification of its arity. Of course, 0-place
predicate symbols correspond to propositional symbols. Formulas are defined by the
grammar


$S ::= P(x_1, \ldots, x_n) \mid x = y \mid S \land S \mid \neg S \mid \Box S \mid \forall x S$


where $P$ is an $n$-place predicate symbol, and $x_1, \ldots, x_n$ as well as $x$ and $y$ are variables.
Thus, formulas are built in the usual way using the connectives of ordinary first-order
logic together with the modal operator. We allow parentheses to be inserted in formulas
where needed and we shall assume the usual precedence rules for our logical connectives.
In what follows, the metavariables $\phi, \psi, \theta, \ldots$ range over formulas. Other propositional
and first-order connectives such as $\top$, $\lor$, $\bot$, $\to$, $\leftrightarrow$, and $\exists$ are defined in the usual way.
Also the modal operator $\Diamond$ is defined as usual. The notions of free and bound occurrences
of variables are defined in the obvious way. Moreover, if $\bar{x}$ is a list of distinct variables
and $\bar{y}$ is a list of variables of the same length as $\bar{x}$, then $\psi[\bar{y}/\bar{x}]$ is the formula $\psi$ where the
variables $\bar{y}$ have been simultaneously substituted for all free occurrences of the variables
$\bar{x}$. It is assumed that no variable $x_i$ in $\bar{x}$ occurs free in $\psi$ within the scope of $\forall y_i$.


2.2 Constant domain semantics 


We now define constant domain models and constant domain skeletons. Skeletons are 
first-order versions of the usual frames for propositional modal logics. We shall in many 
cases adopt the terminology of the books [11] and [41]. 


DEFINITION 1. A constant domain model is a tuple $(W, R, D, \{V_w\}_{w \in W})$ where
1. $W$ is a non-empty set;
2. $R$ is a binary relation on $W$;
3. $D$ is a non-empty set; and
4. for each $w$, $V_w$ is a function that to each $n$-place predicate symbol assigns a subset
of $D^n$.


The tuple (W, R) is called a frame and the model is said to be based on this frame. The 
tuple (W, R, D) is called a constant domain skeleton and the model is said to be based 
on this constant domain skeleton. 


As usual, the elements of the set W are called worlds, the relation R is called an 
accessibility relation, the set D is called the domain of quantification, and the function 
$V_w$ is called the valuation at the world w.

DEFINITION 2. Given a constant domain model $M = (W, R, D, \{V_w\}_{w \in W})$, an assignment
is a function that to each variable assigns an element of $D$. Given assignments $g'$
and $g$, $g' \overset{x}{\sim} g$ means that $g'$ agrees with $g$ on all variables save possibly $x$. The relation
$M, g, w \models \phi$ is defined by induction, where $w$ is a world, $g$ is an assignment, and $\phi$ is a
formula of first-order modal logic.


$M, g, w \models P(x_1, \ldots, x_n)$ iff $(g(x_1), \ldots, g(x_n)) \in V_w(P)$
$M, g, w \models x = y$ iff $g(x) = g(y)$
$M, g, w \models \phi \land \psi$ iff $M, g, w \models \phi$ and $M, g, w \models \psi$
$M, g, w \models \neg\phi$ iff not $M, g, w \models \phi$
$M, g, w \models \Box\phi$ iff for any $v \in W$ where $wRv$, $M, g, v \models \phi$
$M, g, w \models \forall x\phi$ iff for any $g' \overset{x}{\sim} g$, $M, g', w \models \phi$


A formula $\phi$ is said to be true at the world $w$ if $M, g, w \models \phi$; otherwise it is said to be
false at $w$. By convention $M, g \models \phi$ means $M, g, w \models \phi$ for every world $w$ and $M \models \phi$
means $M, g \models \phi$ for every assignment $g$. A formula $\phi$ is valid in a frame (skeleton) if
and only if $M \models \phi$ for any model $M$ that is based on the frame (skeleton) in question. A
formula $\phi$ is valid in a class of frames (skeletons) $\mathcal{F}$ if and only if $\phi$ is valid in any frame
(skeleton) in $\mathcal{F}$. A formula $\phi$ is valid if and only if $\phi$ is valid in the class of all frames (or
equivalently, in the class of all skeletons).


Let us take a look at a natural language sentence that can be formalised using the 
machinery introduced so far. Consider the sentence 


Arnold Schwarzenegger is a citizen of the United States. 


About Arnold Schwarzenegger, it says that he is a member of the set of persons who hap- 
pen to be citizens of the United States. If the variable x stands for “Arnold Schwarzeneg- 
ger” and the 1-place predicate symbol P stands for the predicate “is a citizen of the 
United States”, then the formula P(x) formalises the statement. Formally, P(x) is true 
at a world w if and only if the designation of x belongs to the extension of the predicate 
symbol P at w. The relativisation of P to worlds formalises that the predicate “is a 
citizen of the United States” has different extensions in different worlds. 

In ordinary (non-modal) first-order logic, the equality predicate is a designated prim- 
itive 2-place predicate symbol which is given a fixed interpretation, namely the identity 
relation on the domain of quantification. Note that the same pattern is followed in the 
case of first-order modal logic. 


2.3 An axiom system for constant domains


In this subsection we shall give a Hilbert-style axiom system for the constant domain basic 
first-order modal logic. The axiom system is obtained as an extension of a Hilbert-style 
axiom system for the propositional modal logic K or another propositional modal logic. 
So we are actually giving a family of constant domain axiom systems, depending on a 
choice of the underlying propositional axiom system. In the definition of an axiom system 
we shall make use of formula-schemas. Informally, a formula-schema is like an ordinary 
formula except that it has metavariables for formulas instead of ordinary atomic formulas. 
Formally, a grammar for formula-schemas can be obtained from the grammar for formulas 
given in Subsection 2.1 by replacing the clauses for atomic formulas by a clause for 
metavariables. A substitution-instance of a formula-schema is a formula obtained by 
uniformly replacing all metavariables by ordinary formulas. Using this terminology, we 
are able to talk formally about formulas having a specific common form (which is the
form of an axiom schema). 

We first give an axiom system for the propositional modal logic K. The axioms of 
the system are all the substitution-instances of tautologies of propositional logic (where 
propositional symbols are considered as metavariables) together with all substitution- 
instances of the following axiom schema 


(K) $\Box(\phi \to \psi) \to (\Box\phi \to \Box\psi)$


The rules of the system are the following 


$\dfrac{\phi \to \psi \qquad \phi}{\psi}$ (Modus Ponens) $\qquad$ $\dfrac{\phi}{\Box\phi}$ (Necessitation)


If there exists a derivation of a formula in the axiom system given above, then we say 
that the formula in question is derivable. This axiom system is sound and complete 
with respect to the standard possible-worlds semantics for propositional modal logic, 
see Chapter 2 in the present handbook. We here make use of the usual definition of 
soundness and completeness: 


DEFINITION 3. An axiom system is sound with respect to a semantics if every derivable 
formula is valid and the axiom system is complete with respect to the semantics if every 
valid formula is derivable. 


Further axiom schemas can be added to the axiom system for K, for example 


(T) $\Box\phi \to \phi$
(4) $\Box\phi \to \Box\Box\phi$
(B) $\phi \to \Box\Diamond\phi$


whereby axiom systems for other propositional modal logics are obtained. If for example 
the axiom schema (T) is added, then an axiom system for the propositional modal logic 
T is obtained. Similarly, if (T) as well as (4) are added, then an axiom system for S4 
is obtained, and if all three axiom schemas above are added, then an axiom system for
S5 is obtained. It is straightforward to show that the axiom schemas above correspond
to the first-order conditions reflexivity, transitivity, and symmetry on the accessibility 
relation of a frame in the sense that a frame validates all substitution-instances of an 
axiom schema if and only if the accessibility relation of the frame satisfies the first-order 
condition corresponding to the axiom schema in question (for example, a frame validates 
all substitution-instances of the axiom schema (T) if and only if the accessibility relation 
of the frame is reflexive). Moreover, any axiom system obtained by adding some or all of 
the axiom schemas above can be proven to be sound and complete with respect to the 
semantics obtained by relativising validity to the class of frames where the accessibility 
relations satisfy the first-order conditions corresponding to the added axiom schemas, 
see Chapter 2 in the present handbook. 

We are now ready to give the axiom system for the constant domain basic first-order 
modal logic. We choose K as the underlying propositional modal logic. The system is 
obtained by extending the axiom system for propositional K with the axiom schemas


(Reflexivity) $x = x$
(Substitutivity) $(x = y \land \phi[x/z]) \to \phi[y/z]$
(Necessary Distinctness) $x \neq y \to \Box(x \neq y)$
(Barcan) $\forall x\Box\phi \to \Box\forall x\phi$
($\forall$ Elimination) $\forall x\phi \to \phi[y/x]$

and the rule

$\dfrac{\psi \to \phi[y/x]}{\psi \to \forall x\phi}$ ($\forall$ Introduction)

where the rule is equipped with the side-condition that the variable $y$ does not occur free
in $\psi$ or in $\forall x\phi$. This axiom system is sound and complete with respect to the constant
domains semantics given in the previous subsection. A completeness proof can be found
in the book [68]. See also the chapter [49] in Handbook of Philosophical Logic. This
completeness result is essentially due to Saul Kripke, cf. the paper [75]. Soundness and
completeness also hold for a number of other systems where further axiom schemas have
been added and where the appropriate frame classes are considered; this is for example
the case with the modal logics T, S4, and S5 mentioned above, cf. the book [68].

The axiom (Barcan) is often simply called the Barcan formula. We shall return to 
it in Subsection 2.9. Note that ¢ in the axiom (Substitutivity) can be any formula of 
first-order modal logic, also a formula that involves modal operators. Thus, we here 
allow substitution of equals for equals in modal contexts, so for example the formula 
$x = y \to \Box(x = y)$ is derivable. This is justified by the fact that variables here designate
rigidly. Thus, the variables x and y designating the same object in a world w imply that 
x and y designate the same object in any world, in particular any world accessible from 
w. This gives rise to a philosophical discussion which we shall return to in Subsection 3.2. 

Note that the axiom ($\forall$ Elimination) together with the rule ($\forall$ Introduction) is a standard
axiomatisation of quantifiers in ordinary (non-modal) first-order logic, and similarly,
the axioms (Reflexivity) and (Substitutivity) together are a standard axiomatisation
of equality in ordinary first-order logic, so the constant domain axiom system given above
can be seen as obtained from the axiom system for the propositional modal logic K by
adding standard non-modal axiomatic machinery for quantifiers and equality together
with the axioms (Necessary Distinctness) and (Barcan). This motivates the following
definition:


DEFINITION 4. The constant domain axiom system given above will (where such notation
is needed) be denoted $\mathrm{QK}_{=} + \mathrm{ND} + \mathrm{BF}$. We will (again, where such notation is
needed) use the same notation for the set of formulas derivable in the axiom system.
The notation is adjusted as appropriate if another underlying propositional modal logic
is chosen or if for example the axiom (Barcan) is omitted.


In Subsection 2.5 we shall consider the system $\mathrm{QK}_{=} + \mathrm{ND}$ without the axiom (Barcan).
From Section 9 on in Part II of this chapter we shall treat logics along the lines of
$\mathrm{QK}_{=}$, that is, logics with equality but without the axiom (Necessary Distinctness). In
particular, a semantics for $\mathrm{QK}_{=}$ is given in the first example of Subsection 10.1.

Above we specified an axiom system by specifying the axiom schemas and the rules 
of the system. Given an axiom system, we could then talk about the set of formulas 
derivable in the axiom system. Sometimes we want to be more general in the sense that 
we want to talk about an arbitrary set of formulas containing all substitution instances of
some axiom schemas and closed under some rules. To this end we need one more rule


$\dfrac{\phi}{\phi[\psi/P(\bar{x})]}$ (Uniform Substitution)


where $\phi[\psi/P(\bar{x})]$ is the formula obtained by replacing every occurrence of $P(\bar{y})$ in $\phi$ by
$\psi[\bar{y}/\bar{x}]$. It is assumed that $P(\bar{y})$ does not occur in $\phi$ within the scope of any quantifier
$\forall z$ where $z$ is a free variable of $\psi$ which is not on the list $\bar{x}$. We shall call
$\phi[\psi/P(\bar{x})]$ a substitution-instance of $\phi$. It might be instructive to consider an example
of a substitution-instance: If $\phi$ is the formula $\forall y(P(y) \land Q(y))$ and $\psi$ is the formula
$R(z, x)$ where $z$ is distinct from $x$ and $y$, then $\phi[\psi/P(x)]$ is the formula $\forall y(R(z, y) \land Q(y))$.
Thus, $\forall y(R(z, y) \land Q(y))$ is a substitution-instance of $\forall y(P(y) \land Q(y))$. Note that the
definition of a substitution-instance of a formula is more complicated than the definition
of a substitution-instance of a formula-schema, the reason being that an atomic formula
$P(\bar{x})$ has an inner structure whereas the metavariables in a formula-schema work as
place-holders, that is, they are just indexes of places. Now, if $L$ is a set of formulas which
contains all substitution-instances of the axiom schemas of the axiom system $\mathrm{QK}_{=}$ and
which is closed under the rules of $\mathrm{QK}_{=}$ together with the rule (Uniform Substitution),
then the set $L$ is called a first-order modal system. With this definition it is straightforward
that $\mathrm{QK}_{=}$ is the least first-order modal system with respect to inclusion. We shall
return to this in Section 8 in Part II of this chapter.


2.4 Increasing domain semantics 


We now define increasing domain models and increasing domain skeletons. We do not 
repeat conventions and definitions that are the same as in the constant domain case. 


DEFINITION 5. An increasing domain model is a tuple $(W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$
where the tuple $(W, R, D, \{V_w\}_{w \in W})$ is a constant domain model as defined in Definition 1
and where for each $w$, $\delta_w$ is a subset of $D$ such that $\delta_w \subseteq \delta_v$ whenever $wRv$. The tuple
$(W, R, D, \{\delta_w\}_{w \in W})$ is called an increasing domain skeleton and the model is said to be
based on this increasing domain skeleton.


The set $\delta_w$ is called the domain of quantification at the world $w$. Note that a constant
domain model (skeleton) can be considered as an increasing domain model (skeleton) by
letting $\delta_w = D$ for any element $w$ of $W$ (see Definition 1).


DEFINITION 6. Given an increasing domain model $M = (W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$,
the relation $M, g, w \models \phi$ is defined in the same way as in the constant domain case, that
is, Definition 2, except that the clause for the quantifier is replaced by


$M, g, w \models \forall x\phi$ iff for any $g' \overset{x}{\sim} g$ where $g'(x) \in \delta_w$, $M, g', w \models \phi$


The definition of validity is the same as in the constant domain case except that $M \models \phi$
now means $M, g, w \models \phi$ for every world $w$ and every assignment $g$ such that $g(x)$ is an
element of $\delta_w$ for every variable $x$.


Of course, if $\delta_w = D$ for any element $w$ of $W$, then the clause above for the increasing
domain quantifier is equivalent to the clause for the constant domain quantifier (compare
Definition 2). Note that in the increasing domain semantics, the only assignments considered
are assignments where every variable is assigned an existent, that is, an element
of the quantifier domain. Also, note that if an assignment at some world has the property
that it assigns existents to all variables, then the assignment also has that property at
any accessible world, the reason being that the domain increases. This means that worlds
with empty quantifier domains simply are ignored. In a similar way the semantics also
ignores elements of $D$ that are not elements of the set $\bigcup_{w \in W} \delta_w$.


2.5 An axiom system for increasing domains 


In this subsection we shall consider a Hilbert-style axiom system for the increasing domain 
basic first-order modal logic. The system is obtained from the axiom system for constant 
domains of Subsection 2.3 simply by omitting the Barcan formula $\forall x\Box\phi \to \Box\forall x\phi$. This
axiom system is sound and complete with respect to the increasing domain semantics 
given in the previous subsection, cf. the book [68]. Note that this axiom system can be 
seen as obtained from the axiom system for the propositional modal logic K by adding 
standard non-modal axiomatic machinery for quantifiers and equality together with the 
axiom (Necessary Distinctness). So in the terminology of Subsection 2.3, it is the system 
$\mathrm{QK}_{=} + \mathrm{ND}$.

Now, the Barcan formula, which was taken as an axiom in the constant domain system, 
expresses interaction between first-order quantifiers and modal operators since it says 
that a quantifier and a modal operator can be permuted in one way. However, the 
Barcan formula is not taken as an axiom in the system considered here, and there are 
no other axioms or rules in the system that explicitly say that quantifiers and modal 
operators interact. It is therefore a surprise that the so-called Converse Barcan formula 
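$\Box\forall x\phi \to \forall x\Box\phi$ is derivable in the system. In fact, the Converse Barcan formula has the
very simple derivation


$$\dfrac{\dfrac{\dfrac{\forall x\phi \to \phi}{\Box(\forall x\phi \to \phi)} \qquad \Box(\forall x\phi \to \phi) \to (\Box\forall x\phi \to \Box\phi)}{\Box\forall x\phi \to \Box\phi}}{\Box\forall x\phi \to \forall x\Box\phi}$$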


in the system. We shall return to the Barcan and Converse Barcan formulas in Subsec- 
tion 2.9. 


2.6 Varying domain semantics 


We now define varying domain models and varying domain skeletons. Again, we do not 
repeat conventions and definitions that are the same as in the earlier cases. 


DEFINITION 7. A varying domain model is a tuple $(W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$
where the tuple $(W, R, D, \{V_w\}_{w \in W})$ is a constant domain model as defined in Definition 1
and where for each $w$, $\delta_w$ is a subset of $D$. The tuple $(W, R, D, \{\delta_w\}_{w \in W})$ is
called a varying domain skeleton and the model is said to be based on this varying domain
skeleton. A varying domain model (skeleton) has increasing domains if and only if
$\delta_w \subseteq \delta_v$ whenever $wRv$, and similarly, it has decreasing domains if and only if $\delta_w \supseteq \delta_v$
whenever $wRv$.


Note that an increasing domain model (skeleton) is a varying domain model (skeleton) 
with increasing domains and vice versa (see Definition 5). A number of choices in the
definition of a varying domain model should be noted: We do not require that a predicate
is false of non-existents, we do not require that a quantifier domain is non-empty and we 
do not require that each individual exists in some domain. Most combinations of these 
requirements can be found in the literature. One motivation for the choices made here 
is that they make the translation into two-sorted first-order logic very straightforward, 
see Subsection 2.10. 


DEFINITION 8. Given a varying domain model $M = (W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$,
the relation $M, g, w \models \phi$ is defined as in the increasing domain case, that is, Definition 6.
The definition of validity is the same as in the constant domain case, that is, Definition 2.


Note that validity is defined as in the constant domain case, not as in the increasing 
domain case. The resulting difference is that in the varying domain case all assignments 
are considered whereas in the increasing domain case the only assignments considered 
are assignments where every variable is assigned an existent. The reason why we make 
use of different definitions of validity is that straightforward and simple axiom systems 
are available with these choices. 


2.7 Axiom systems for varying domains 


In this subsection we shall give two different Hilbert-style axiom systems for the varying 
domain basic first-order modal logic. First note that the $\forall$ Elimination formula $\forall x\phi \to
\phi[y/x]$ is not valid with respect to the varying domain semantics (if the variable $y$
designates a non-existent object, then the object is not a member of the domain of
the quantifier, so the antecedent can be true but the succedent false) but it is valid
with respect to the constant and increasing domain semantics (in both cases the object
designated by $y$ is a member of the quantifier domain, so if the antecedent is true, then
the succedent is also true). Indeed, the $\forall$ Elimination formula is taken as an axiom in
both the constant domain axiom system of Subsection 2.3 and the increasing domain
axiom system of Subsection 2.5. Now, the $\forall$ Elimination formula can straightforwardly
be modified in two ways such that it becomes valid with respect to the varying domain
semantics. It is these two different modified versions of $\forall$ Elimination that give rise to
the two varying domain axiom systems we shall give below. 

Before giving the first axiom system we need to give a small definition: The so-called 
existence predicate is defined by the convention that $E(y)$ is an abbreviation for $\exists z(z = y)$
where z is a variable distinct from the variable y. We shall come back to the existence 
predicate in the next subsection. The first axiom system is obtained by extending the 
axiom system for the propositional modal logic K (see Subsection 2.3) with the axiom 
schemas 


(Reflexivity) $x = x$
(Substitutivity) $(x = y \land \phi[x/z]) \to \phi[y/z]$
(Necessary Distinctness) $x \neq y \to \Box(x \neq y)$
(Free $\forall$ Elimination) $(\forall x\phi \land E(y)) \to \phi[y/x]$

and the rule

$\dfrac{(\psi \land E(y)) \to \phi[y/x]}{\psi \to \forall x\phi}$ (Free $\forall$ Introduction)

where the rule is equipped with the side-condition that the variable $y$ does not occur free
in $\psi$ or in $\forall x\phi$. The axiom system is sound and complete with respect to the varying
domains semantics given in the previous subsection, cf. [49]. (Some of the axioms and
rules above are formulated differently in [49], but these differences are not of significance
here.)

Note that the axiom (Free $\forall$ Elimination) above is the result of adding a “guard”
formula $E(y)$ to the antecedent of the $\forall$ Elimination formula $\forall x\phi \to \phi[y/x]$ such that
the antecedent becomes false in the case where the variable $y$ designates a non-existent.
Note moreover that the rule (Free $\forall$ Introduction) above also makes use of such a guard
formula. The axiomatic machinery for quantifiers in this axiom system is identical to the
standard axiomatic machinery for quantifiers in so-called free logic which is a variant of 
ordinary first-order logic where quantifiers only range over a subset of the universe (but 
where variables might designate any member of the universe as in ordinary first-order 
logic). One original motivation for developing free logic was to avoid the assumption made 
in ordinary first-order logic that quantifier domains are non-empty as this assumption 
was found undesirable by a number of philosophers because of the associated “existential 
commitment”. See [7] for more information on free logic. 

We shall now give the second, alternative, axiom system for the varying domain basic 
first-order modal logic. This axiom system does not involve the existence predicate, in 
fact, the system is for a version of the basic logic without equality. This alternative 
system is obtained by extending the axiom system for the propositional modal logic K 
(see Subsection 2.3) with the axiom schemas 


(Vacuous $\forall$) $\forall x\phi \leftrightarrow \phi$
($\forall$ Distributivity) $\forall x(\phi \to \psi) \to (\forall x\phi \to \forall x\psi)$
($\forall$ Permutation) $\forall y\forall x\phi \to \forall x\forall y\phi$
(Restricted $\forall$ Elimination) $\forall y(\forall x\phi \to \phi[y/x])$

and the rule

$\dfrac{\phi}{\forall x\phi}$ ($\forall$ Generalisation)

where the axiom (Vacuous $\forall$) is equipped with the side-condition that the variable $x$
does not occur free in the formula $\phi$. The axiom system is sound and complete with
respect to the varying domains semantics given in Subsection 2.6, cf. the book [68]. (In
the axiom system of [68], the formula $\forall y\forall z(\forall x\phi \to \phi[y/x])$ is taken as an axiom instead
of the axioms ($\forall$ Permutation) and (Restricted $\forall$ Elimination) above, but this difference
is not of significance here.) One might ask whether the axiom ($\forall$ Permutation) really is
needed. This turns out to be the case which was pointed out in [34]. See the discussions
of this issue in [68] and [41].

Note the way in which the $\forall$ Elimination formula $\forall x\phi \to \phi[y/x]$ has been modified in
the system above: The variable $y$ has been quantified over such that it only designates
existents. The history of systems in line with this system goes back to [75].


2.8 Existence and quantification 


In connection with varying domain models, the existence predicate is defined by the 
convention that $E(y)$ is an abbreviation for $\exists z(z = y)$ where $z$ is a variable distinct from
the variable $y$. With this definition it is straightforward to check that for any varying
domain model $M$, any world $w$, and any assignment $g$, the relationship $M, g, w \models E(x)$
holds if and only if $g(x) \in \delta_w$. Thus, the existence predicate is true of the individual
designated by some variable if and only if the individual in question exists. So with this
definition the existence predicate behaves as desired. But if the definition is adopted 
in connection with constant domain models, then the existence predicate is true of all 
individuals as expected. 

However, in connection with constant domain models, the existence predicate is usually 
taken to be primitive, rather than defined. This brings us to an important definition. 


DEFINITION 9. Given a varying domain model $M = (W, R, D, \{\delta_w\}_{w \in W}, \{V_w\}_{w \in W})$,
a constant domain model $M^* = (W, R, D, \{V_w^*\}_{w \in W})$ for the language extended with a
1-place predicate symbol $E$ is defined by letting $V_w^*$ be the extension of $V_w$ such that
$V_w^*(E) = \delta_w$.


Clearly, the map $(\cdot)^*$ which maps $M$ to $M^*$ is bijective. Thus, from a mathematical
point of view, giving a varying domain model is the same as extending the language with
a 1-place predicate symbol $E$ and then giving a constant domain model.

This observation is exploited in the translation below which translates any formula 
in the original language (that is, the language without the predicate symbol E) into a 
formula in the language extended with E. 


A A ee 
E 
$(\Box\phi)^* = \Box\phi^*$

$(\forall x\phi)^* = \forall x(E(x) \to \phi^*)$


The translation gives rise to the following result. 


PROPOSITION 10. Let $M$ be a varying domain model. For any first-order modal-logical
formula $\phi$, any world w, and any assignment g, $M, g, w \models \phi$ if and only if $M^*, g, w \models \phi^*$.


Proof. Induction in the structure of $\phi$. ∎


See [68] and [41] for a more detailed discussion of the existence predicate. 

The interpretation of a quantifier in a constant domain model is called possibilist
quantification since the quantifier ranges over individuals that possibly exist (this terminology
is a bit inaccurate if existence is formalised by extending the constant domain semantics
with a primitive existence predicate as described above, the reason being that the
quantifier then ranges over all individuals, not only those that possibly exist, that is, exist at
some world, but we ignore this inaccuracy). On the other hand, the interpretation of a
quantifier in a varying domain model is called actualist quantification since the quantifier
in this case ranges over individuals that actually exist, that is, individuals that exist in
the actual world.

The difference between actualist and possibilist quantification is very clear when the 
modal operator is given a temporal interpretation, that is, when worlds are taken to be 
instants and the modal operator is interpreted using the earlier-later relation on instants. 
In that case actualist quantification corresponds to quantifying over things that now 
exist whereas possibilist quantification corresponds to quantifying over things that exist 
at some time. This distinction was discussed already by Arthur Prior who rejected the 
temporal version of possibilist quantification:


even if it be true that whatever exists at any time exists at all times,
there is surely no inconsistency in denying it, and a logic of time-distinctions 
ought to be able to proceed without assuming it. ([98], p. 30) 


Prior equated the statement “x exists” with “there are facts about x” and he found that
facts can only be about whatever now exists. This view has the consequence that facts 
cannot be about things which have ceased to exist. Prior was uncomfortable about this 
consequence, but he found it unavoidable. Of course, the view also has the consequence 
that facts cannot be about things which do not yet exist, but Prior considered this less 
disputable. Since Prior, possibilist and actualist quantification have given rise to much
philosophical discussion, see the book [41] for an account. See also the contributions to 
the discussion given in the papers [97] and [69]. 


2.9 The Barcan and Converse Barcan formulas 


It is straightforward to show that the Barcan formula $\forall x\Box\phi \to \Box\forall x\phi$ is valid in any
decreasing domain skeleton, and moreover, it can also be shown straightforwardly that if
the Barcan formula is valid in a varying domain skeleton, then the skeleton in question
has decreasing domains. Thus, the class of varying domain skeletons that validates the
Barcan formula is exactly the class of decreasing domain skeletons. Prior rejected the
Barcan formula for the same reasons as he rejected possibilist quantification, see the
previous section. It can also be shown straightforwardly that the class of varying domain
skeletons that validates the Converse Barcan formula $\Box\forall x\phi \to \forall x\Box\phi$ is exactly the class
of increasing domain skeletons. Indeed, as we saw in Subsection 2.5, the Converse Barcan
formula is derivable in the axiom system for increasing domains.

First-order modal logics can be seen as combinations of two distinct logics, namely
propositional modal logic and ordinary first-order logic. The two logics, propositional
modal logic and ordinary first-order logic, are combined in different ways in the constant,
increasing, and varying domain logics. The interaction between modality and
quantification is stronger in the constant domain logic than in the varying domain logic in the
sense that the Barcan and Converse Barcan formulas (which together say that the
order of quantifiers and modal operators does not matter) are both valid in the constant
domain semantics but neither of them is valid in the varying domain semantics. The
Barcan formula is not valid in the increasing domain semantics, but the Converse Barcan
formula is, so the increasing domain logic has a “medium” interaction between modality
and quantification.

The semantical import of the Barcan and Converse Barcan formulas stems from the
distinction between the semantics of the formulas $\forall x\Box\phi$ and $\Box\forall x\phi$. This distinction is
an example of the so-called de re/de dicto distinction. In Latin de re means “about
the thing” and de dicto means “about the proposition”. To explain this difference, we
instantiate the formula $\phi$ to $P(x)$. The formula $\Box\forall xP(x)$ says that


it is necessary that each existing thing is P. 


This is a de dicto interpretation since it says something about a proposition, namely the 
proposition that each existing thing is P. What it says about this proposition is that it 
is necessary. On the other hand, the formula $\forall x\Box P(x)$ says that


each existing thing is necessarily P.


This is a de re interpretation since it says something about things, namely the things
that exist. What it says about these things is that each of them is necessarily P. See the
book [41] for a much more thorough discussion of de re and de dicto. We shall return to
the de re/de dicto distinction in Subsection 3.3 where we consider predicate abstraction.
The history of formulas like the Barcan and Converse Barcan formulas goes back to the
paper [6].


2.10 Translation into two-sorted first-order logic 


The basic first-order modal logics can be translated into two-sorted first-order logic with 
equality. There is one sort for worlds and one sort for individuals. We consider two 
different translations, one which is truth-preserving with respect to the constant domain 
semantics and one which is truth-preserving with respect to the varying domain semantics.
There is not much literature available on translations of first-order modal logic into
sorted first-order logic. The translations we consider in this subsection are variations of 
a translation given in [127] and they are also considered in the chapter [91] in Handbook 
of Automated Reasoning which moreover considers a range of other non-classical logics. 
In [127] a semantic characterisation is given of the formulas of two-sorted first-order logic 
which have the same expressive power as formulas of a variant of the varying domain 
logic. The papers [63] and [65] consider a number of formulas in two-sorted first-order 
logic that express properties of models which are not expressible in first-order modal 
logic. The latter paper concentrates on a first-order version of the modal logic S5. A 
recent example of work in this area is the paper [123] which also concerns the expressive 
power of a first-order version of S5. See also that paper for an overview of the area. 

We first consider the constant domain case. The two-sorted first-order language under 
consideration here is defined as follows. It is assumed that a countably infinite set of 
first-order variables for worlds and a countably infinite set of first-order variables for 
individuals are given. The sets are assumed to be disjoint. The metavariables a, b, 
c,... range over first-order variables for worlds and the metavariables x, y, z,... range 
over first-order variables for individuals. There are no function symbols or constants. 
Formulas of the two-sorted first-order language are defined by the grammar 


$S ::= P^*(a, x_1, \ldots, x_n) \mid R(a, b) \mid x = y \mid S \wedge S \mid \neg S \mid \forall aS \mid \forall xS$


where P is an n-place predicate symbol of first-order modal logic, a and b are variables
for worlds, and $x_1, \ldots, x_n$ as well as x and y are variables for individuals. Note that
according to the grammar above, for each n-place predicate symbol P of the first-order 
modal language there is a corresponding (n + 1)-place predicate symbol P* in the two- 
sorted first-order language. The two-sorted (n + 1)-place predicate symbol P* will be 
interpreted such that it relativises the interpretation of the corresponding modal n-place 
predicate symbol P to worlds. In the grammar above R is a designated predicate symbol 
which will be interpreted using the accessibility relation (with the same name). In what 
follows, we shall identify first-order variables for individuals with first-order variables of 
modal logic. Note that the language contains two quantifiers, a quantifier for each sort, 
but the language only contains one equality predicate, namely an equality predicate for 
individuals. 

We now give the translation. Given two new first-order variables for worlds, a and
b, the translations $ST_a$ and $ST_b$ are defined by mutual induction. We just give the
translation $ST_a$.


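$ST_a(P(x_1, \ldots, x_n)) = P^*(a, x_1, \ldots, x_n)$
$ST_a(x = y) = x = y$
$ST_a(\phi \wedge \psi) = ST_a(\phi) \wedge ST_a(\psi)$
$ST_a(\neg\phi) = \neg ST_a(\phi)$
$ST_a(\Box\phi) = \forall b(R(a, b) \to ST_b(\phi))$
$ST_a(\forall x\phi) = \forall x\,ST_a(\phi)$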


The definition of $ST_b$ is obtained by exchanging a and b. What has been done is that the
semantics of first-order modal logic has been formalised in terms of two-sorted first-order
logic; note how each clause in the translation formalizes a clause in the definition of
the semantics, Definition 2. The translation is an extension of the well-known standard
translation from modal logic into first-order logic, see [127]. See Chapter 11 in the present 
handbook for a temporal version of the translation above. 

To state formally that the translation given above is truth-preserving with respect to 
the constant domain semantics, we make use of the observation that a constant domain 
model for first-order modal logic can be considered as a model for two-sorted first-order 
logic and vice versa. 


DEFINITION 11. Given a constant domain model $M = (W, R, D, \{V_w\}_{w \in W})$ for first-order
modal logic, a model $M^* = (W, D, V^*)$ for two-sorted first-order logic is defined by
letting


• $V^*(R) = R$ and
• $(w, d_1, \ldots, d_n) \in V^*(P^*)$ if and only if $(d_1, \ldots, d_n) \in V_w(P)$.


It is straightforward to see that the map $(\cdot)^*$ which maps $M$ to $M^*$ is bijective. Moreover,
if an assignment in the sense of first-order modal logic is extended such that it assigns a 
world to each first-order variable for worlds, then it can be considered an assignment as 
appropriate for two-sorted first-order logic and vice versa. See Chapter 11 in the present 
handbook for a temporal version of the above construction of a two-sorted first-order 
model from a modal model. 

Given a model $M$ for two-sorted first-order logic, the relation $M, g \models \phi$ is defined by
induction in the standard way, where g is an assignment for two-sorted first-order logic
and $\phi$ is a two-sorted first-order formula. The formula $\phi$ is said to be true if $M, g \models \phi$;
otherwise it is said to be false. By convention $M \models \phi$ means $M, g \models \phi$ for every
assignment g. A formula $\phi$ is valid if and only if $M \models \phi$ for any model $M$.

We are now ready to state formally that the translation is truth-preserving. 


PROPOSITION 12. Let a constant domain model $M$ be given. For any first-order modal-logical
formula $\phi$ and any assignment g for $M$, it is the case that $M, g, g^*(a) \models \phi$ if and
only if $M^*, g^* \models ST_a(\phi)$ where $g^*$ is any assignment extending g such that it assigns a
world to each first-order variable for worlds (and the same for $ST_b$).


Proof. Induction in the structure of $\phi$. ∎


Thus, first-order modal logic, considered a language for talking about constant domain
models, has the same expressive power as the fragment of two-sorted first-order logic
obtained by taking the image of first-order modal logic under the translation $ST_a$.

We now briefly consider the translation which is truth-preserving with respect to the
varying domain semantics. The two-sorted first-order language under consideration is the
same as in the constant domain case except that the grammar for formulas is extended
with a clause $E(a, x)$ for a new predicate symbol where a is a variable for worlds and x
is a variable for individuals. Intuitively, the predicate symbol E is interpreted such that
it relates a world to individuals existing at that world.

The translation is the same except that the clause for quantifiers is replaced by 


$ST_a(\forall x\phi) = \forall x(E(a, x) \to ST_a(\phi))$


It is straightforward to modify Definition 11 to the varying domain case and it is also 
straightforward to check that Proposition 12 still holds. 

Note that the correspondence between varying domain first-order modal models and 
two-sorted first-order models is very straightforward and simple due to the choices made 
in Subsection 2.6: We did not require predicates to be false of non-existents, we did not 
require quantifier domains to be non-empty, and we did not require that each individual 
exists in some domain. 
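
Both translations can be run on a finite model. The following Python sketch is an added example, not part of the handbook: it implements the clauses of ST_a (with the guard E(a, x) for varying domains), builds the two-sorted model of Definition 11, and uses Proposition 12 to evaluate the Barcan and Converse Barcan formulas of Subsection 2.9. The tuple encoding of formulas, the function names and the two-world model are assumptions made for the illustration.

```python
def imp(f, h):
    """f -> h, written with 'and'/'not' so that it stays inside both grammars."""
    return ("not", ("and", f, ("not", h)))

def st(phi, a="a", b="b", varying=False):
    """ST_a(phi); ST_b is the same function with a and b exchanged."""
    op = phi[0]
    if op == "P":                       # P(x1..xn)  ->  P*(a, x1..xn)
        return ("Pstar", phi[1], a) + phi[2:]
    if op == "eq":
        return phi
    if op == "and":
        return ("and", st(phi[1], a, b, varying), st(phi[2], a, b, varying))
    if op == "not":
        return ("not", st(phi[1], a, b, varying))
    if op == "box":                     # forall b (R(a,b) -> ST_b(phi))
        return ("all_w", b, imp(("R", a, b), st(phi[1], b, a, varying)))
    if op == "all":                     # varying domains: guard with E(a, x)
        body = st(phi[2], a, b, varying)
        return ("all_i", phi[1], imp(("E", a, phi[1]), body) if varying else body)
    raise ValueError(op)

def star(M):
    """Two-sorted model M*: V*(R) = R, V*(P*) = {(w,)+t : t in V_w(P)}, plus E."""
    V = {"R": set(M["R"]),
         "E": {(w, d) for w in M["W"] for d in M["dom"][w]}}
    for w in M["W"]:
        for name, ext in M["V"][w].items():
            V.setdefault(name + "*", set()).update((w,) + t for t in ext)
    return {"W": M["W"], "D": M["D"], "V": V}

def fo_holds(Ms, g, phi):
    """Truth of a two-sorted formula; g assigns worlds and individuals."""
    op = phi[0]
    if op == "Pstar":
        return tuple(g[v] for v in phi[2:]) in Ms["V"].get(phi[1] + "*", set())
    if op in ("R", "E"):
        return (g[phi[1]], g[phi[2]]) in Ms["V"][op]
    if op == "eq":
        return g[phi[1]] == g[phi[2]]
    if op == "and":
        return fo_holds(Ms, g, phi[1]) and fo_holds(Ms, g, phi[2])
    if op == "not":
        return not fo_holds(Ms, g, phi[1])
    if op in ("all_w", "all_i"):        # one quantifier per sort
        rng = Ms["W"] if op == "all_w" else Ms["D"]
        return all(fo_holds(Ms, {**g, phi[1]: v}, phi[2]) for v in rng)
    raise ValueError(op)

def true_at(M, w, phi, varying=False):
    """Truth of the sentence phi at world w, computed as ST_a(phi) in M* with a := w."""
    return fo_holds(star(M), {"a": w}, st(phi, varying=varying))

# Constructed model: world 1 is accessible from world 0 and has a larger domain.
W, R, D = [0, 1], {(0, 1)}, {1, 2}
V = {0: {}, 1: {"P": {(1,)}}}
M_var = {"W": W, "R": R, "D": D, "dom": {0: {1}, 1: {1, 2}}, "V": V}
M_const = {**M_var, "dom": {0: D, 1: D}}

Px = ("P", "P", "x")
barcan = imp(("all", "x", ("box", Px)), ("box", ("all", "x", Px)))
converse = imp(("box", ("all", "x", Px)), ("all", "x", ("box", Px)))

if __name__ == "__main__":
    print("Barcan at world 0, increasing domains:", true_at(M_var, 0, barcan, varying=True))
    print("Barcan at world 0, constant domain:   ", true_at(M_const, 0, barcan))
    print("Converse Barcan, increasing domains:  ",
          all(true_at(M_var, w, converse, varying=True) for w in W))
```

The increasing domain model falsifies the Barcan formula at world 0 but satisfies the Converse Barcan formula at both worlds, in line with Subsection 2.9.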


3 FIRST-ORDER INTENSIONAL LOGIC 


The logic we shall consider in this section is more complicated than the basic first-order
modal logics we have considered in the previous section. Recall that variables
in the basic logics designate rigidly, that is, a variable designates the same object in 
all worlds. So the assignment of objects to such variables is not relative to worlds. 
Compared to this, one new piece of machinery of first-order intensional logic is intension 
variables which are variables that designate intensions, that is, functions from worlds to 
objects. Thus, intension variables designate non-rigidly in the sense that intensions might 
map different worlds to different objects. Intensions are also called individual concepts. 
Intension variables can be motivated in a number of different ways. One very instructive 
motivation is that intension variables allow us to formalise natural language sentences 
involving non-rigidly designating terms like for example “the number of planets” and 
“the world champion in marathon running”. The first example term designates non-rigidly
as it designates the number nine (since there are nine planets in our world), but
it might have designated another number (since there might have been another number 
of planets if natural history had been different). Similarly, the designation of the second 
example term is the winner of the world championship in marathon running, and the 
identity of the winning person is obviously also a contingent matter. Intension variables 
can be used for many different purposes, one example is that they can be used to give 
a solution to a famous philosophical problem, namely a modal version of Frege’s puzzle 
about the morning star and the evening star. We shall return to this in Subsection 3.2. 
To sum up, in the previous section we took objects as semantic values, but in the present 
section we moreover take functions from worlds to objects as semantic values. In fact, 
first-order intensional logic allows quantification over both objects and intensions as 
well as predication of both objects and intensions. Thus, predicates are typed, that is, 
it is specified whether an argument-place is for an object term or an intension term. 
First-order intensional logic also includes so-called predicate abstraction which allows 
the function which is the interpretation of an intension variable to be applied to an 
argument, that is, a world, whereby an object is obtained. Thus, predicate abstraction
can be considered the “interface” between intensions and objects. We shall come back 
to the motivation for predicate abstraction in Subsection 3.3. 

A number of versions of first-order intensional logic can be found in the literature. 
The version we give here is from the paper [40] where also a tableau system can be found 
which is sound and complete with respect to the semantics. See the book [68], the chapter 
[49] in Handbook of Philosophical Logic, and the papers [108] and [96] for other versions. 
See also [39] for a treatment of higher-order intensional logic. The history of first-order 
intensional logic goes back to the work of Richard Montague and Daniel Gallin, see [87] 
and [48]. See Chapter 21 in the present handbook for a historical account of intensional 
logic. 


3.1 Syntax and semantics of first-order intensional logic 


We now extend the formal syntax and semantics of the constant domain basic logic with 
first-order intensional machinery. Note that constant domains are just as general as 
varying domains in the sense that the varying domain semantics can be simulated by the 
constant domain semantics if a primitive existence predicate is added, cf. Subsection 2.8. 
Conventions and definitions that are the same as in the basic case are not repeated. 

First the syntax. It is assumed that a countably infinite set of intension variables is 
given. The metavariables i, j, k, ... range over intension variables. It is assumed that
the set of intension variables is disjoint from the set of ordinary variables for objects. 
A term is either an ordinary object variable or an intension variable. At this stage 
function symbols could have been included, but in the interest of simplicity we shall 
not do so. Predicate symbols are typed, that is, it is not only specified which arity a 
predicate symbol has, it is also specified which type each argument place has. Following 
the paper [40], the types of an n-place predicate symbol are specified by a list $T_1, \ldots, T_n$
where $T_i \in \{O, I\}$ for each $T_i$ (the letter O stands for object and the letter I stands for
intension). The syntax also includes predicate abstraction as mentioned above. Formulas 
are defined by the grammar 


$S ::= P(t_1, \ldots, t_n) \mid x = y \mid S \wedge S \mid \neg S \mid \Box S \mid \forall xS \mid \forall iS \mid (\lambda xS)(i)$


where P is an n-place predicate symbol and $t_1, \ldots, t_n$ are terms of the respective types
$T_1, \ldots, T_n$ specified for P, x and y are object variables, and i is an intension variable.


The free variable occurrences in the predicate abstraction $(\lambda x\phi)(i)$ are the free variable
occurrences in the formula $\phi$, except for occurrences of x, together with the variable
occurrence i. Thus, all occurrences of x in $\phi$ are bound. Of course, the definition of
substitution is modified in accordance with this extension of the language. We allow
intension variables to occur in argument places for object variables in the sense that we
abbreviate $(\lambda xP(\ldots, x, \ldots))(i)$ as $P(\ldots, i, \ldots)$, etc. This also applies to the equality
predicate, so $i = j$ is an abbreviation for $(\lambda y(\lambda x(x = y))(i))(j)$. Now the semantics.


DEFINITION 13. A tuple $(W, R, D_O, D_I, \{V_w\}_{w \in W})$ where

1. W is a non-empty set;

2. R is a binary relation on W;

3. $D_O$ is a non-empty set;

4. $D_I$ is a non-empty set of functions from W to $D_O$; and

5. for each w, $V_w$ is a function that to each n-place predicate symbol P assigns a
subset of $D_{T_1} \times \cdots \times D_{T_n}$ where $T_1, \ldots, T_n$ are the types specified for P.


is a constant domain intensional model. The tuple $(W, R, D_O, D_I)$ is called a constant
domain intensional skeleton and the model is said to be based on this constant domain
intensional skeleton.


Note that both the domain of objects $D_O$ and the domain of intensions $D_I$ are taken
to be constant. A version of first-order intensional logic with varying intension domains 
can be found in [49] (that version also differs in other respects from the version presented 
here, however). 


DEFINITION 14. Let $M = (W, R, D_O, D_I, \{V_w\}_{w \in W})$ be a constant domain intensional
model. An assignment is a function that to each object variable assigns an element of
$D_O$ and to each intension variable assigns an element of $D_I$. The relation $M, g, w \models \phi$
is defined in the same way as in the basic constant domain case, that is, Definition 2,
except that the clause for ordinary predicates is replaced by


$M, g, w \models P(t_1, \ldots, t_n)$ iff $(g(t_1), \ldots, g(t_n)) \in V_w(P)$


and the following clauses


$M, g, w \models \forall i\phi$ iff for any $g' \overset{i}{\sim} g$, $M, g', w \models \phi$
$M, g, w \models (\lambda x\phi)(i)$ iff $M, g', w \models \phi$ where $g' \overset{x}{\sim} g$ and $g'(x) = g(i)(w)$


for intensional quantification and predicate abstraction are added. Also the definition of 
validity is the same as in the basic constant domain case. 


It is instructive to take a look at a couple of natural language sentences that can be
formalised using intension variables. The examples involve the term “the President of
the United States” which clearly designates non-rigidly. Consider the sentence


The President of the United States is a Republican. 


It says something about the person who is the President of the United States, namely
that the person in question is a Republican. If the intension variable i stands for “the
President of the United States” and the objectual 1-place predicate symbol Q stands for
the predicate “is a Republican”, then the formula Q(i) formalises the statement (where
Q(i) is an abbreviation for $(\lambda xQ(x))(i)$). Formally, Q(i) is true at a world w if and only if
the designation of i at w belongs to the extension of the predicate Q at w, that is, if and
only if the extension of Q at w contains the object obtained by applying the intension
designated by i to w. On the other hand, consider the sentence


The President of the United States is an important concept in politics. 


This sentence is not about the person who happens to be the President of the United 
States, rather it is about the concept of the President of the United States. What the 
sentence says about this concept, is that it is politically important. If the intensional 
1-place predicate symbol R stands for the predicate “is a politically important concept”,
then the formula R(i) formalises the statement in question. Formally, R(i) is true at
a world w if and only if the extension of R at w contains the intension, that is, the
function, designated by i. Clearly, the statement is true, but if “the President of the 
United States” is replaced by for example “the world champion in marathon running”, 
then it becomes false. 


According to the clause above for predicate abstraction, the formula $(\lambda x\phi)(i)$ is true
at a world w if and only if $\phi$ is true at w when the variable x is assigned the object
obtained by applying the intension designated by i to w. Note that from a mathematical 
point of view, an intension is just a relation between the sets W and $D_O$ of a particular
kind, namely what we usually call the graph of a function, and given such a relation 
together with an element of W, predicate abstraction is the only built-in machinery in 
the logic that allows us to perform the mathematical operation we usually call applying 
a function to an argument, thereby obtaining an element of $D_O$. Incidentally, in [68]
a result is proved according to which a formula in the language of the basic first-order 
modal logic (see Subsection 2.1) is valid in the basic constant domain semantics (see 
Subsection 2.2) if and only if the formula is valid in a variant of the intensional semantics 
given above where all variables designate intensions and all predicates (including the 
equality predicate) are intensional. The point here is that in such an intensional logic 
there is no machinery to apply intensions to worlds, that is, there is no machinery that 
can detect that arguments to predicates have a particular inner structure, thus, from a
mathematical point of view it does not matter whether the intensional semantics or the 
basic constant domain semantics is chosen (although the choice of semantics may be of 
philosophical or metaphysical significance, as pointed out in [68]). 

Note that the intensional quantifiers in the semantics above range over elements of
the set $D_I$ which is an arbitrary non-empty subset of the set of all functions from W to
$D_O$. An alternative semantics can be obtained by letting $D_I$ be the set of all functions
from W to $D_O$. Contrary to the original semantics, this alternative semantics validates
the formula $\Box\exists xP(x) \to \exists i\Box P(i)$ (note that the 1-place predicate symbol P is objectual,
so P(i) is an abbreviation for $(\lambda xP(x))(i)$). Roughly, this formula says that if an object
is associated with each accessible world, then there exists an intension which maps each 
accessible world to the object associated with it. A criticism often raised against this 
property of being able to make an intension out of any association of objects with worlds is 
that the choices of objects in such an intension need not in any sense be coherent, contrary 
to what is intuitively expected. In general, logics along the lines of the alternative 
logic are unaxiomatisable (although it should be mentioned that no proof is available of 
unaxiomatisability of the alternative logic described here). See [68] and [49] for proofs of 
unaxiomatisability of other such logics. 


It can be remarked that predicate abstraction plays a role in the modal version of
Herbrand’s theorem given in the paper [37]. The logic under consideration there is
essentially the increasing domain logic of Subsection 2.4 extended with non-rigid constant
and function symbols as well as predicate abstraction. The role of predicate abstraction is
to enable appropriate Skolemisation of formulas involving modal operators, for example,
the formula $\Box\exists xP(x)$ is in the terminology of first-order intensional logic Skolemised as
$\Box(\lambda xP(x))(i)$ (abbreviated $\Box P(i)$). In the case of ordinary first-order logic, Herbrand’s
theorem gives rise to a semi-decision procedure by a reduction to the search for a
tautology in a countably infinite set of propositional formulas. A similar result can be proved
in the modal case, see [37] and also [38]. We shall come back to predicate abstraction in
Subsection 3.3.


3.2 Equality and intensions


Equality in first-order modal logic has given rise to a heated philosophical debate. This 
debate was initiated by a series of papers where W.V.O. Quine criticised quantified modal 
logic, see for example [101]. See also Chapter 21 in the present handbook for an account 
of Quine’s criticism. Central in the debate initiated by Quine’s papers is the issue of 
substitution of equals for equals in modal contexts. This is not the place to enter into 
a detailed philosophical discussion of the problem involved in substitution of equals for 
equals, so we only give a brief sketch of the problem, and we also only give a brief sketch 
of how a solution to the problem can be given using intensional variables. See the book 
[41] for a detailed account of the discussion. Now, consider the statement 


If the morning star is identical to the evening star, then it is necessary that 
the morning star is identical to the evening star. 


which is a modal version of Frege’s famous puzzle. This statement is naturally taken to 
be false (the morning star is the same celestial body as the evening star but this is a 
contingent fact). How can this statement be formalised in the basic first-order modal logic 
given in the previous section? An obvious candidate is the formula $x = y \to \Box(x = y)$
where the variables x and y respectively stand for the terms “the morning star” and “the 
evening star”. But this does not work since this formula is valid (whether we take the 
basic varying domain semantics or the basic constant domain semantics). 

Given that the equality predicate is objectual, the diagnosis of the problem is that 
the variables x and y designate rigidly whereas the terms “the morning star” and “the 
evening star” designate non-rigidly. Therefore the solution to the problem is to replace 
the object variables x and y by intension variables i and j since intension variables 
designate non-rigidly. The resulting formula $i = j \to \Box(i = j)$ is not valid, as i and j
designating the same object at a world w does not imply that i and j designate the same
object in any world accessible from w. Thus, the significant difference is that object 
variables designate rigidly whereas intension variables designate non-rigidly. 

The fact that the formula $i = j \to \Box(i = j)$ is not valid shows that we cannot
substitute equals for equals in modal contexts as far as intension variables are concerned.
In fact, the failure of substitution of equals for equals in modal contexts is often taken
as a criterion for identifying intensional terms. However, note that the formula is valid if
objectual equality is replaced by intensional equality, also called synonymy, which takes 
two intensions to be equal if and only if they have the same graph. 

To sum up, the formula $x = y \to \Box(x = y)$ is valid as it is, but it is invalid if the
rigidly designating object variables x and y are replaced by the non-rigidly designating
intension variables i and j. Thereby a solution can be given to the problem of formalizing
the modal version of Frege’s puzzle. Another solution is to keep the language as it is, but 
instead generalise the models for the basic first-order modal logic to encompass so-called 
counterpart relations. This also makes the formula invalid. The history of counterpart 
relations goes back to the papers [79] and [80] by David Lewis. After the publication of 
these papers, a number of generalised versions of Lewis’ counterpart semantics have been 
introduced, one example being the semantics given in the paper [72]. See the discussion 
in the paper [40] where first-order intensional logic is compared to Lewis’ counterpart 
semantics as well as to a variation of the semantics given in [72]. Another formalization 
of Lewis’s counterpart semantics is the semantics considered in Section 11 of Part II of 
this chapter. 
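
The clauses of Definition 14 and the two versions of the Frege formula can be evaluated on a small finite model. The following Python sketch is an added example, not part of the handbook; the formula encoding, the three-world model and the names morning and evening are constructed for the illustration. It also evaluates the formula $\Box\exists xP(x) \to \exists i\Box P(i)$ from Subsection 3.1 with a restricted and with the full set of intensions.

```python
from itertools import product

def holds(M, g, w, phi):
    """Truth of phi at world w under assignment g, following Definition 14."""
    op = phi[0]
    if op == "P":        # arguments may be object terms or intension terms
        return tuple(g[t] for t in phi[2:]) in M["V"][w].get(phi[1], set())
    if op == "eq":       # objectual equality
        return g[phi[1]] == g[phi[2]]
    if op == "and":
        return holds(M, g, w, phi[1]) and holds(M, g, w, phi[2])
    if op == "not":
        return not holds(M, g, w, phi[1])
    if op == "box":
        return all(holds(M, g, v, phi[1]) for (u, v) in M["R"] if u == w)
    if op == "all_obj":  # quantifier over objects
        return all(holds(M, {**g, phi[1]: d}, w, phi[2]) for d in M["DO"])
    if op == "all_int":  # quantifier over intensions
        return all(holds(M, {**g, phi[1]: f}, w, phi[2]) for f in M["DI"])
    if op == "lam":      # (lambda x. body)(i): x gets g(i)(w), the designation of i at w
        _, x, body, i = phi
        return holds(M, {**g, x: g[i][w]}, w, body)
    raise ValueError(op)

def imp(f, h):
    return ("not", ("and", f, ("not", h)))

def ex_obj(x, f):
    return ("not", ("all_obj", x, ("not", f)))

def ex_int(i, f):
    return ("not", ("all_int", i, ("not", f)))

def app(name, i):
    """P(i) for an objectual 1-place P, i.e. (lambda x. P(x))(i)."""
    return ("lam", "x_", ("P", name, "x_"), i)

def eq_int(i, j):
    """i = j, i.e. (lambda y. (lambda x. x = y)(i))(j)."""
    return ("lam", "y_", ("lam", "x_", ("eq", "x_", "y_"), i), j)

def valid_in(M, phi, obj_vars=(), int_vars=()):
    """True iff phi holds at every world under every assignment to its free variables."""
    for w in M["W"]:
        for objs in product(sorted(M["DO"]), repeat=len(obj_vars)):
            for ints in product(sorted(M["DI"]), repeat=len(int_vars)):
                g = {**dict(zip(obj_vars, objs)), **dict(zip(int_vars, ints))}
                if not holds(M, g, w, phi):
                    return False
    return True

# Constructed model. An intension is a tuple indexed by world: f[w] is its value at w.
W = [0, 1, 2]
R = {(0, 1), (0, 2)}
DO = {"venus", "mars"}
morning = ("venus", "venus", "venus")
evening = ("venus", "venus", "mars")      # designates something else at world 2
V = {0: {}, 1: {"P": {("mars",)}}, 2: {"P": {("venus",)}}}
M_small = {"W": W, "R": R, "DO": DO, "DI": {morning, evening}, "V": V}
M_full = {**M_small, "DI": set(product(sorted(DO), repeat=len(W)))}  # all functions W -> DO

rigid = imp(("eq", "x", "y"), ("box", ("eq", "x", "y")))
nonrigid = imp(eq_int("i", "j"), ("box", eq_int("i", "j")))
choice = imp(("box", ex_obj("x", ("P", "P", "x"))), ex_int("i", ("box", app("P", "i"))))

if __name__ == "__main__":
    print("x = y -> box(x = y) holds throughout:", valid_in(M_small, rigid, obj_vars=("x", "y")))
    print("i = j -> box(i = j) holds throughout:", valid_in(M_small, nonrigid, int_vars=("i", "j")))
    print("choice formula, restricted D_I:", valid_in(M_small, choice))
    print("choice formula, full D_I:      ", valid_in(M_full, choice))
```

The counterexample to the intensional formula is world 0 with i assigned morning and j assigned evening: the two intensions agree at world 0 but differ at the accessible world 2.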


3.3 Predicate abstraction


The motivation for predicate abstraction is closely related to the de re/de dicto distinction
described in Subsection 2.9. The history of predicate abstraction goes back to the
papers [122] and [126]. See also the paper [35]. See [41] for a recent treatment of predicate 
abstraction. Many natural language sentences are ambiguous as they can be given two 
distinct readings, a de re reading and a de dicto reading. Predicate abstraction can be 
used to distinguish formally between such readings. Consider for example the sentence 


The number of planets is necessarily greater than five.


which is taken from Quine’s paper [101]. On one reading, this sentence says that


it is necessary that the number of planets is greater than five.


This is the de dicto reading since it says something about a proposition, namely the 
proposition that the number of planets is greater than five. It says about this proposition 
that it is necessary. However, on another reading, the sentence says that 


the number designated by the term “the number of planets” is necessarily 
greater than five. 


This is the de re reading since it says something about a thing, namely a number. It says 
about this number that it is necessarily greater than five. Note that the de re reading 
of Quine’s example sentence is naturally taken to be true (since there are nine planets 
and the number nine is necessarily greater than five) whereas the de dicto reading is 
naturally taken to be false (since there might have been five planets or fewer if natural 
history had been different). The point here is that the term “the number of planets” 
designates non-rigidly. 

In what follows, the intension variable i stands for “the number of planets” and the 
objectual 1-place predicate symbol P stands for the predicate “is greater than five”. 
(The term “the number of planets” is actually a so-called definite description. We ignore 
this additional structure since it is not of significance for the discussion here, but we 
remark that the term alternatively could have been formalised by a definite description 
operator, see [41].) The formula $\Box P(i)$ (which is an abbreviation for 
$\Box(\lambda x P(x))(i)$ since P is objectual) then formalises the de dicto reading of 
Quine’s sentence since this formula expresses that 


it is necessary that the thing designated by i is P. 


That is, it says something about the proposition that the thing designated by i is P, 
namely that this proposition is necessary. Formally, $\Box P(i)$ is true at a world w if and 
only if for each world v accessible from w, the designation of i at v belongs to the 
extension of the predicate P at v. Thus, in the de dicto case the predicate P and its 
argument, the variable i, are interpreted at the same world, namely the new world v. 
How about the de re reading of Quine’s sentence? We want a formula which expresses 
that 


the thing designated by i is necessarily P. 


That is, we want a formula which says something about the thing that i designates, 
namely that it is necessarily P. So, formally we want the variable i to be interpreted 
at the original world w, not at the new world v where the predicate P is interpreted. 
It is straightforward that the formula $(\lambda x \Box P(x))(i)$ does the job since it is true at the 
world w exactly under the condition we want, namely under the condition that the 
designation of i at the world w belongs to the extension of the predicate P at each world 
v accessible from w. We have used predicate abstraction to indicate that the variable i 
has to be interpreted at w, not v (note that this is a formally significant difference exactly 
because we allow non-rigid designation, that is, the interpretations of i at the worlds w 
and v might not be the same). Thus, predicate abstraction enables us to separate the 
interpretation of a predicate from the interpretation of its arguments. 


3.4 Translation of first-order intensional logic 


In Subsection 2.10 it was shown that the basic constant domain logic can be translated 
into two-sorted first-order logic. In a similar way first-order intensional logic can be 
translated into three-sorted first-order logic with equality. There is one sort for worlds, 
one sort for objects, and one sort for intensions. It should be mentioned that the material 
presented in this subsection has not been presented elsewhere. 

The three-sorted first-order language under consideration here is defined as follows. 
It is assumed that countably infinite sets of first-order variables for respectively worlds, 
objects, and intensions are given. The three sets are assumed to be pairwise disjoint. As 
in Subsection 2.10, the metavariables a, b, c, ... range over variables for worlds, and 
x, y, z, ... range over variables for objects. The metavariables i, j, k, ... range over 
variables for intensions. There is only one function symbol, namely the 2-place function 
symbol E which is of type objects and whose argument places are of types intensions 
and worlds respectively. Thus, a term for worlds is a variable, a term for intensions is 
a variable, and a term for objects is either a variable or of the form $E(i, a)$ where i is 
a variable for intensions and a is a variable for worlds. Formulas of the three-sorted 
first-order language are defined by the grammar 


$$S ::= P^*(a, t_1, \ldots, t_n) \mid R(a, b) \mid t = u \mid i = j \mid S \wedge S \mid \neg S \mid \forall a S \mid \forall x S \mid \forall i S$$


where P is an n-place predicate symbol of first-order intensional logic and $t_1, \ldots, t_n$ are 
terms of the respective types $T_1, \ldots, T_n$ specified for P, a and b are variables for worlds, 
t and u are terms for objects, i and j are variables for intensions, and x is a variable for 
objects. As in Subsection 2.10, we identify first-order variables for objects with object 
variables of modal logic. Similarly, we identify first-order variables for intensions with 
intension variables of modal logic. 

We now give the translation. The translation is obtained by modifying the constant 
domain version of $ST_a$ given in Subsection 2.10 by replacing the clause for ordinary 
predicates by 


$$ST_a(P(t_1, \ldots, t_n)) = P^*(a, t_1, \ldots, t_n)$$


and by adding the clauses 


$$\begin{array}{lll}
ST_a(\forall i \phi) & = & \forall i\, ST_a(\phi) \\
ST_a((\lambda x \phi)(i)) & = & ST_a(\phi)[E(i, a)/x]
\end{array}$$


for intensional quantification and predicate abstraction. The translation $ST_b$ is modified 
in the same way. 


In Subsection 2.10 we had a bijective correspondence between models for first-order 
modal logic and models for two-sorted first-order logic. We do not have a bijective 
correspondence between models for first-order intensional logic and models for three- 
sorted first-order logic in general, but we do have a bijective correspondence if a very 
natural class of models for three-sorted first-order logic is considered instead of the class 
of all such models. Below we shall make this more precise. 


DEFINITION 15. Let $M = (W, R, D_O, D_I, \{V_w\}_{w \in W})$ be a constant domain intensional 
model. A three-sorted first-order model $M^* = (W, D_O, D_I, V^*)$ is defined by letting 


• $V^*(R) = R$, 
• $(w, d_1, \ldots, d_n) \in V^*(P^*)$ if and only if $(d_1, \ldots, d_n) \in V_w(P)$, and 
• $V^*(E)(f, w) = f(w)$. 


Thus, the construction of a three-sorted first-order model is straightforward: We use the 
recipe from Definition 11, and besides that, we take the domain of intensions $D_I$ as it 
is and we interpret the function symbol E as the application function. Clearly, the map 
$(\cdot)^*$ is injective. 

DEFINITION 16. Let $M = (W, D_O, D_I, V)$ be a three-sorted first-order model which 
satisfies the condition that $M \models \forall i \forall j (\forall a (E(i, a) = E(j, a)) \to i = j)$. A function $\sigma$ from 
$D_I$ to the set of functions from W to $D_O$ is defined by letting $\sigma(d)(w) = V(E)(d, w)$ (note 
that $\sigma$ is injective and therefore has an inverse $\sigma^{-1}$ on the image $\sigma(D_I)$ of $D_I$ under $\sigma$). 
A constant domain intensional model $M^\# = (W, R^\#, D_O, D_I^\#, \{V_w^\#\}_{w \in W})$ is defined by 
letting 


• $R^\# = V(R)$, 
• $D_I^\# = \sigma(D_I)$, and 
• $(d_1, \ldots, d_n) \in V_w^\#(P)$ if and only if $(w, d_1', \ldots, d_n') \in V(P^*)$, 


where in the last item $d_i' = d_i$ if $T_i = O$ and $d_i' = \sigma^{-1}(d_i)$ if $T_i = I$ (recall that $T_1, \ldots, T_n$ 
are the types specified for P). Moreover, given an assignment g for M, an assignment 
$g^\#$ for $M^\#$ is defined by letting $g^\#(x) = g(x)$ for any object variable x and by letting 
$g^\#(i) = \sigma(g(i))$ for any intension variable i (note that the values of the assignment g on 
world variables are ignored). 


So the construction of a constant domain intensional model is also straightforward: 
We define $R^\#$ in the obvious way and we take the domain of intensions $D_I^\#$ to contain 
any function f from worlds to objects that is “encoded” by some element d of $D_I$ in the 
sense that f is identical to the function that maps a world w to $V(E)(d, w)$. Moreover, we 
use the bijection $\sigma$ to move forwards and backwards between $D_I$ and $D_I^\#$. The condition 
$M \models \forall i \forall j (\forall a (E(i, a) = E(j, a)) \to i = j)$ ensures that different elements of $D_I$ encode 
different functions from worlds to objects, so the code of an encoded function is uniquely 
determined. Also, note that $D_I^\#$ is non-empty since $D_I$ is non-empty. The map $(\cdot)^\#$ is 
not injective since there is no restriction on the way in which an element of $D_I$ encodes a 
function from worlds to objects, in particular, an element of $D_I$ need not be identical to 
the function from worlds to objects that it encodes. However, if $D_I$ is a set of functions 
from W to $D_O$ and each such function encodes itself, that is, $V(E)$ is the application 
function, then $(\cdot)^\#$ clearly is injective. 

The mapping $M^*$ of any constant domain intensional model M satisfies the condition 
of Definition 16, and moreover, it is straightforward that $(M^*)^\# = M$. It follows that 
$((M^*)^\#)^* = M^*$. So if the map $(\cdot)^\#$ is restricted to the image of the class of all first-order 
intensional models under the map $(\cdot)^*$, which of course is the class of all models where 
$D_I$ is a set of functions from W to $D_O$ and $V(E)$ is the application function, then the 
maps $(\cdot)^*$ and $(\cdot)^\#$ are each others’ inverses. 

Now, given a model M for three-sorted first-order logic, the relation $M, g \models \phi$ is 
defined by induction in the standard way, where g is an assignment for three-sorted 
first-order logic and $\phi$ is a three-sorted first-order formula. This leads to two propositions. 
The first concerns the map $(\cdot)^*$. 


PROPOSITION 17. Let M be a constant domain intensional model. For any formula 
$\phi$ of first-order intensional logic and any assignment g for M, it is the case that 
$M, g, g^*(a) \models \phi$ if and only if $M^*, g^* \models ST_a(\phi)$ where $g^*$ is any assignment extending 
g such that it assigns a world to each first-order variable for worlds (and the same for 
$ST_b$). 


Proof. Induction in the structure of $\phi$. ∎ 


The second proposition concerns the map $(\cdot)^\#$. 


PROPOSITION 18. Let M be a three-sorted first-order model having the property that 
$M \models \forall i \forall j (\forall a (E(i, a) = E(j, a)) \to i = j)$. For any formula $\phi$ of first-order intensional 
logic and any assignment g for M, it is the case that $M^\#, g^\#, g(a) \models \phi$ if and only if 
$M, g \models ST_a(\phi)$ (and the same for $ST_b$). 


Proof. Induction in the structure of $\phi$. ∎ 


We are now ready to prove that validity in first-order intensional logic can be simulated 
by validity in three-sorted first-order logic. 


THEOREM 19. Any formula $\phi$ of first-order intensional logic is valid if and only if the 
formula 


$$\forall i \forall j (\forall a (E(i, a) = E(j, a)) \to i = j) \to ST_a(\phi)$$


of three-sorted first-order logic is valid. 


Proof. By Proposition 17 and Proposition 18. ∎ 


4 FIRST-ORDER HYBRID LOGIC 


First-order hybrid logic is obtained by adding to first-order modal logic further expressive 
power in the form of a new sort of propositional symbol called a nominal, and moreover, 
by adding so-called satisfaction operators. It is stipulated that a nominal is true at exactly 
one world, so in this sense a nominal refers to a world. If a is a nominal and $\phi$ is an 
arbitrary formula, then a new formula $a : \phi$ called a satisfaction statement can be formed. 
The part $a :$ of the satisfaction statement $a : \phi$ is called a satisfaction operator. The 
satisfaction statement $a : \phi$ expresses that the formula $\phi$ is true at one particular world, 
namely the world at which the nominal a is true. Furthermore, the so-called binders $\forall$ 
and $\downarrow$ might be added. The two binders bind nominals to worlds in two different ways: 
The binder $\downarrow$ binds a nominal to the actual world whereas the binder $\forall$ quantifies over 
worlds (but it is not to be confused with the first-order quantifier $\forall$ that has been used 
earlier in the chapter). The $\downarrow$ binder is definable in terms of $\forall$. Here we shall concentrate 
on the $\downarrow$ binder. 

The history of hybrid logic goes back to Prior’s work, more precisely, it goes back to 
what he called four grades of tense-logical involvement. They were presented in the book 
[100], Chapter XI (also Chapter XI in the new edition [62]). See also [99] Chapter V.6 
and Appendix B.3-4. The stages progress from what can be regarded as pure first-order 
earlier-later logic to what can be regarded as pure tense logic; the goal being to be able 
to consider the tense logic of the fourth stage as encompassing the earlier-later logic of 
the first stage. In other words, the goal was to be able to translate the first-order logic of 
the earlier-later relation into tense logic. With this in mind, Prior introduced so-called 
instant-propositions: 


What I shall call the third grade of tense-logical involvement consists in treating 
the instant-variables a, b, c, etc. as also representing propositions. ([100], 
p. 122-123) 


In the context of modal logic, Prior called such propositions possible-world-propositions. 
Of course, this is what we here call nominals. Prior also introduced the binder $\forall$ and 
what we here call satisfaction operators. See the paper [92] and the handbook chapter 
[93] for accounts of Prior’s work. Moreover, see the very recent paper [10] as well as the 
book [21]. 

It is notable that hybridisation of propositional as well as first-order modal logics 
enables the formulation of uniform proof-rules for wide classes of logics. See the papers 
[9] and [12] for tableau systems and see the papers [16] and [17] for natural deduction 
systems. The classes of logics considered in [17] correspond to first-order conditions on the 
accessibility relations and quantifier domains expressed by so-called geometric theories. 
Natural deduction systems corresponding to different geometric theories are obtained 
in a uniform way simply by adding inference rules as appropriate. It is also notable 
that first-order hybrid logic offers precisely the features needed to prove interpolation 
theorems: While interpolation fails in a number of well-known first-order modal logics, 
see [32], their hybridised counterparts have this property, see the papers [3] and [13]. See 
Chapter 14 of the present handbook for a detailed introduction to hybrid logic. 


4.1 Syntax and semantics of first-order hybrid logic 


We now extend the formal syntax and semantics of first-order modal logic with hybrid 
machinery. We hybridise the varying domain basic logic given in Section 2.6 since proof 
procedures are available for this logic, namely the tableau and natural deduction systems 
of respectively [12] and [17] mentioned above. Moreover, an axiom system is available 
which we shall cover in Section 4.2. 

First the syntax. It is assumed that a countably infinite set of nominals is given. The 
metavariables a, b, c,... range over nominals. Note that nominals are the only sort of 
propositional symbols, since ordinary propositional symbols are represented by 0-place 
predicate symbols. We also add satisfaction operators and the binder $\downarrow$ as mentioned 
above. We furthermore assume that a set of non-rigid constant symbols is given, and we 
follow [12] in overloading the notation for the satisfaction operator by defining a term to 
be either a first-order variable or an expression of the form a : f where a is a nominal 
and f is a non-rigid constant symbol. Of course, the term a : f denotes the value of f 
at the world where a is true. Such terms are called grounded definite descriptions. The 
formulas of first-order hybrid logic are defined by the grammar 


$$S ::= P(t_1, \ldots, t_n) \mid t = u \mid a \mid S \wedge S \mid \neg S \mid \Box S \mid a : S \mid \forall x S \mid \downarrow a S$$


where P is an n-place predicate symbol, $t_1, \ldots, t_n$ as well as t and u are terms, a is 
a nominal, and x is an ordinary first-order variable. The free nominal occurrences in 
the formula $a : \phi$ are the occurrence of a together with the free nominal occurrences 
in $\phi$. The free nominal occurrences in $\downarrow a \phi$ are the free nominal occurrences in $\phi$, 
except for occurrences of a. Substitution of nominals for nominals is defined accordingly. 
Substitution of terms for first-order variables is modified to take into account that terms 
might contain nominals (that can be bound). Now the semantics. 


DEFINITION 20. A varying domain hybrid model is a varying domain model as defined 
in Definition 7, that is, a tuple, (W, R, D, {ow }wew,{Vw}wew), where for each w, the 
valuation Vw is extended such that to each non-rigid constant symbol it assigns an element 
of D. 


Thus, hybridisation does not change the notion of a varying domain model except that 
interpretations of the non-rigid constants are added. 


DEFINITION 21. Given a model M = (W, R, D, {ow} wew, {Vw }wew), an assignment is 
a function that to each first-order variable assigns an element of D and to each nominal 
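assigns an element of W. Given an assignment g, each term t is assigned an element $t^{M,g}$ 
of D as follows: If t is of the form a : f, then $t^{M,g} = V_{g(a)}(f)$, otherwise t is a variable, 
in which case $t^{M,g} = g(t)$. The relation $M, g, w \models \phi$ is defined in the same way as in the 
basic varying domain case, that is, Definition 8, except that the clauses for predicates 
are replaced by 


$$\begin{array}{lll}
M, g, w \models P(t_1, \ldots, t_n) & \text{iff} & (t_1^{M,g}, \ldots, t_n^{M,g}) \in V_w(P) \\
M, g, w \models t = u & \text{iff} & t^{M,g} = u^{M,g}
\end{array}$$


and clauses 


$$\begin{array}{lll}
M, g, w \models a & \text{iff} & w = g(a) \\
M, g, w \models a : \phi & \text{iff} & M, g, g(a) \models \phi \\
M, g, w \models \downarrow a \phi & \text{iff} & M, g', w \models \phi \text{ where } g' \sim g \text{ and } g'(a) = w
\end{array}$$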


for hybrid machinery are added. Also the definition of validity is the same as in the basic 
varying domain case. 


Propositional hybrid logic has a number of notable features: We can express that a 
formula $\phi$ is true at a world a (by the formula $a : \phi$), that a world a is identical to a 
world c (by the formula $a : c$), and that a world a is R-related to a world c (by the 
formula $a : \Diamond c$). In the first-order case we can moreover express that an individual t 
exists at a world a (by the formula $a : E(t)$). These features are exactly what enable the 
formulation of uniform natural deduction rules for the class of first-order hybrid logics 
corresponding to conditions expressed by geometric theories, cf. the paper [17]. 

Grounded definite descriptions can be motivated by the fact that they give an alternative 
way to formalise the two distinct readings of Quine’s example sentence considered 
in Subsection 3.3. Recall that the de dicto reading of the sentence in question was 
formalised as the formula $\Box(\lambda x P(x))(i)$ in first-order intensional logic whereas the de re 
reading was formalised as $(\lambda x \Box P(x))(i)$. If the non-rigid designator f is considered 
instead of the intension variable i, then the two readings can be formalised in first-order 
hybrid logic as respectively $\Box \downarrow a P(a : f)$ and $\downarrow a \Box P(a : f)$. This is no coincidence: If 
first-order intensional logic is extended with the hybrid-logical machinery of this section 
and non-rigid designators are replaced by intension variables, then predicate abstractions 
are eliminable since a formula $(\lambda x \phi)(i)$ is equivalent to $\downarrow a \phi[a : i/x]$ where the nominal a 
is new. 
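
The two readings of Quine's sentence, checked on one small model, as an added example that is not part of the handbook text: the evaluator below interprets the predicate-abstraction formulas of Subsection 3.3 and the hybrid formulas with grounded definite descriptions from the paragraph above. The tuple encoding of formulas, the two-world model and all function names are assumptions made for this illustration; quantifiers are left out, so quantifier domains play no role.

```python
# Added illustration: a tiny evaluator for the formulas discussed above.
# The model is constructed: nine planets in world "w", five in world "v".
MODEL = {
    "R": {("w", "w"), ("w", "v"), ("v", "v")},      # accessibility relation
    "pred": {"P": {"w": {(9,)}, "v": {(9,)}}},      # V_w(P): "is greater than five"
    "const": {"f": {"w": 9, "v": 5}},               # V_w(f): "the number of planets"
}


def term_value(model, t, g):
    """A term is an object variable (str) or ("at", a, f), the grounded description a:f."""
    if isinstance(t, str):
        return g[t]
    _, a, f = t
    return model["const"][f][g[a]]                  # V_{g(a)}(f)


def holds(model, phi, g, w):
    """Truth of the formula phi at world w under the assignment g."""
    op = phi[0]
    if op == "pred":                                # ("pred", P, t1, ..., tn)
        values = tuple(term_value(model, t, g) for t in phi[2:])
        return values in model["pred"][phi[1]][w]
    if op == "not":
        return not holds(model, phi[1], g, w)
    if op == "and":
        return holds(model, phi[1], g, w) and holds(model, phi[2], g, w)
    if op == "box":                                 # true at every accessible world
        return all(holds(model, phi[1], g, v) for (u, v) in model["R"] if u == w)
    if op == "nom":                                 # a nominal is true exactly at g(a)
        return g[phi[1]] == w
    if op == "sat":                                 # a : phi, evaluate phi at g(a)
        return holds(model, phi[2], g, g[phi[1]])
    if op == "down":                                # bind the nominal to the current world
        return holds(model, phi[2], {**g, phi[1]: w}, w)
    if op == "abs":                                 # (lambda x phi)(i): x gets i's value at w
        _, x, body, i = phi
        return holds(model, body, {**g, x: g[i][w]}, w)
    raise ValueError(f"unknown operator: {op}")


P_X = ("pred", "P", "x")                            # P(x)
P_AF = ("pred", "P", ("at", "a", "f"))              # P(a:f)
FORMULAS = {
    "de dicto, intensional": ("box", ("abs", "x", P_X, "i")),
    "de re, intensional": ("abs", "x", ("box", P_X), "i"),
    "de dicto, hybrid": ("box", ("down", "a", P_AF)),
    "de re, hybrid": ("down", "a", ("box", P_AF)),
}


def readings(model, w):
    """Evaluate all four formalisations at world w."""
    g = {"i": model["const"]["f"]}                  # i designates the same function as f
    return {name: holds(model, phi, g, w) for name, phi in FORMULAS.items()}


if __name__ == "__main__":
    for name, value in readings(MODEL, "w").items():
        print(f"{name}: {value}")
```

At world w both de dicto formulas come out false and both de re formulas come out true, because the designation is taken at v in the first case and at w in the second.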


4.2 Axioms for first-order hybrid logic 


In this subsection we give a Hilbert-style axiom system for first-order hybrid logic. The 
axioms of the system are all substitution-instances of tautologies of propositional logic 
together with all substitution-instances of the following axiom schemas 


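$$\begin{array}{ll}
\text{(: Distributivity)} & a : (\phi \to \psi) \leftrightarrow (a : \phi \to a : \psi) \\
\text{(Falsum)} & a : \bot \to \bot \\
\text{(Scope)} & a : b : \phi \leftrightarrow b : \phi \\
\text{(Reflexivity 1)} & a : a \\
\text{(Reflexivity 2)} & t = t \\
\text{(Transfer)} & a : (t = u) \to c : (t = u) \\
\text{(: Introduction)} & (a \wedge \phi) \to a : \phi \\
\text{(Nominal)} & a : c \to (a : q) = (c : q) \\
\text{(Substitutivity)} & (t = u \wedge \phi[t/x]) \to \phi[u/x] \\
\text{($\Box$ Elimination)} & (\Box \phi \wedge \Diamond e) \to e : \phi \\
\text{(Free $\forall$ Elimination)} & (\forall x \phi \wedge E(t)) \to \phi[t/x] \\
\text{($\downarrow$ Elimination)} & (\downarrow b \phi \wedge e) \to e : \phi[e/b]
\end{array}$$

The rules of the system are the following 

$$\frac{\phi \to \psi \qquad \phi}{\psi}\ \text{(Modus Ponens)} \qquad \frac{\phi}{a : \phi}\ \text{(: Necessitation)}$$

$$\frac{a : \phi}{\phi}\ \text{(Naming)} \qquad \frac{(\psi \wedge \Diamond c) \to c : \phi}{\psi \to \Box \phi}\ \text{($\Box$ Introduction)}$$

$$\frac{(\psi \wedge E(y)) \to \phi[y/x]}{\psi \to \forall x \phi}\ \text{(Free $\forall$ Introduction)} \qquad \frac{(\psi \wedge c) \to c : \phi[c/b]}{\psi \to \downarrow b \phi}\ \text{($\downarrow$ Introduction)}$$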


where the rule (Naming) is equipped with the side-condition that the nominal a does not 
occur in the formula $\phi$, the rule (Free $\forall$ Introduction) is equipped with the side-condition 
that y does not occur free in $\forall x \phi$ or $\psi$, the rule ($\Box$ Introduction) is equipped with the 
side-condition that c does not occur free in $\phi$ or $\psi$, and the rule ($\downarrow$ Introduction) is 
equipped with the side-condition that c does not occur free in $\downarrow b \phi$ or $\psi$. The axiom 
system is sound and complete with respect to the semantics given in Subsection 4.1. A 
completeness proof can be found in the paper [17]. The axiom system can be extended 
with rules corresponding to geometric theories, again see [17]. The system is an extension 
of an axiom system for propositional hybrid logic given in the paper [18] where also further 
references on axiom systems for hybrid logic can be found. 

Note that the axiom (Free $\forall$ Elimination) and the rule (Free $\forall$ Introduction) above are 
the same as the axiom and the rule for quantifiers of Subsection 2.7. It is instructive to 
compare these rules to the axiom ($\Box$ Elimination) and the rule ($\Box$ Introduction) for the 
modal operator. As described in Subsection 2.7, the idea in the rule (Free $\forall$ Introduction) 
is that the guard formula $E(y)$ in the antecedent ensures that the antecedent is false in 
the case where the variable y refers to an individual outside the range of the quantifier. 
This is analogous to the idea in the rule ($\Box$ Introduction) for hybrid logic which is that 
the guard formula $\Diamond c$ in the antecedent ensures that the antecedent is false in the case 
where the nominal c refers to a world that is not accessible. A similar remark applies in 
connection with the pair of rules (Free $\forall$ Elimination) and ($\Box$ Elimination). In fact, such 
analogies can be found in connection with all pairs of Elimination rules and all pairs of 
Introduction rules. 


4.3 Translation of first-order hybrid logic 


First-order hybrid logic can be translated into two-sorted first-order logic by an extension 
of the varying domain version of the translation of Subsection 2.10. 

The two-sorted first-order language under consideration here is a straightforward mod- 
ification of the varying domain version of the language of Subsection 2.10. A term for 
worlds is still a variable but now a term for individuals is either a variable or of the form 
f(a) where f is a constant symbol of first-order hybrid logic. Formulas of the language 
are defined by the grammar 


$$S ::= P^*(a, t_1, \ldots, t_n) \mid R(a, b) \mid a = b \mid t = u \mid E(a, t) \mid S \wedge S \mid \neg S \mid \forall a S \mid \forall x S$$


where P is an n-place predicate symbol of first-order modal logic, a and b are variables for 
worlds, and t1, ..., tn as well as t and u are terms for individuals. Note that the clause 
a = b has been added. We shall identify first-order variables for worlds with nominals 
in the same way as we have identified first-order variables for individuals with first-order 
variables of modal logic. 

A term t of first-order hybrid logic is translated by the translation ST defined as 
follows: If t is of the form a : f, then ST(t) = f(a), otherwise t is a variable, in which 
case ST(t) = t. Note that the translation ST of terms is not relative to a variable 
for worlds. A formula is translated by a translation obtained by modifying the varying 
domain version of $ST_a$ given in Subsection 2.10 by replacing the clauses for predicates 
by 


$$\begin{array}{lll}
ST_a(P(t_1, \ldots, t_n)) & = & P^*(a, ST(t_1), \ldots, ST(t_n)) \\
ST_a(t = u) & = & ST(t) = ST(u)
\end{array}$$


and by adding the clauses 


$$\begin{array}{lll}
ST_a(c) & = & a = c \\
ST_a(c : \phi) & = & ST_a(\phi)[c/a] \\
ST_a(\downarrow c\, \phi) & = & ST_a(\phi)[a/c]
\end{array}$$


The translation $ST_b$ is modified in the same way. A similar translation can be found in 
the paper [3]. 

It is straightforward to adapt the varying domain version of Definition 11 to the 
hybrid-logical case by extending it to encompass non-rigid constant symbols, so we still 
have a bijective correspondence between models for first-order hybrid logic and models 
for the two-sorted first-order logic under consideration here. Moreover, the notions of 
assignments are the same. Given this, it is also straightforward to adapt the varying 
domain version of Proposition 12 to the hybrid-logical case. 

It turns out that a fragment of two-sorted first-order logic can be translated back into 
first-order hybrid logic. This fragment is defined by the grammar 


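$$\begin{array}{rl}
S ::= & P^*(a, t_1, \ldots, t_n) \mid R(a, c) \mid E(a, t) \mid a = c \mid t = u \mid S \wedge S \mid \neg S \mid \\
& \forall b (R(a, b) \to S) \mid \forall x (E(a, x) \to S)
\end{array}$$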


where the variables a and b are distinct. A term t of two-sorted first-order logic is 
translated back into first-order hybrid logic by the translation HT defined as follows: 
If t is of the form f(a), then HT(t) = a : f, otherwise t is a variable, in which case 
HT (t) = t. So HT and the translation ST given above are simply inverses to each other. 
A formula is translated by the translation given below. 


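$$\begin{array}{lll}
HT(P^*(a, t_1, \ldots, t_n)) & = & a : P(HT(t_1), \ldots, HT(t_n)) \\
HT(R(a, c)) & = & a : \Diamond c \\
HT(E(a, t)) & = & a : E(HT(t)) \\
HT(a = c) & = & a : c \\
HT(t = u) & = & HT(t) = HT(u) \\
HT(\phi \wedge \psi) & = & HT(\phi) \wedge HT(\psi) \\
HT(\neg \phi) & = & \neg HT(\phi) \\
HT(\forall b (R(a, b) \to \phi)) & = & a : \Box \downarrow b\, HT(\phi) \\
HT(\forall x (E(a, x) \to \phi)) & = & a : \forall x\, HT(\phi)
\end{array}$$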


The propositional version of this translation was originally given in [2] where the asso- 
ciated fragment of ordinary one-sorted first-order logic is called the bounded fragment. 
In [2] a number of independent semantic characterisations of the bounded fragment are 
given. See also [3]. 

The translation HT is truth-preserving as is shown by the proposition below (where 
M* is the model for two sorted first-order logic defined in the hybrid-logical version of 
Definition 11). 


PROPOSITION 22. Let a varying domain hybrid model M be given. For any formula $\phi$ 
of the two-sorted version of the bounded fragment and any assignment g for M, it is the 
case that $M^*, g \models \phi$ if and only if $M, g \models HT(\phi)$. 


Proof. Induction in the structure of $\phi$. ∎ 


Thus, in the sense of the proposition above and the hybrid-logical version of Proposition 12, 
first-order hybrid logic has the same expressive power as the two-sorted version 
of the bounded fragment (note that for any formula $\phi$ of first-order hybrid logic, the 
formula $ST_a(\phi)$ is in this fragment). 
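
The back-translation HT of this subsection, written out as a recursive function, as an added example that is not the authors' code. The tuple encoding of bounded-fragment formulas, the string rendering of hybrid formulas and the function names are assumptions for this sketch, and the sample formula is constructed; the encoding only admits the guarded quantifier shapes of the fragment, and the side condition that a and b are distinct is checked.

```python
# Added illustration. Encoding of the two-sorted bounded fragment (assumed here):
#   ("P", name, a, [t1, ..., tn])   P*(a, t1, ..., tn)
#   ("R", a, c)                     R(a, c)
#   ("E", a, t)                     E(a, t)
#   ("eqw", a, c)                   a = c        (world variables)
#   ("eq", t, u)                    t = u        (terms for individuals)
#   ("and", phi, psi), ("not", phi)
#   ("allw", b, a, phi)             forall b (R(a, b) -> phi), with a and b distinct
#   ("allx", x, a, phi)             forall x (E(a, x) -> phi)
# A term is a variable (str) or ("app", f, a) for f(a).


def ht_term(t):
    """HT on terms: a variable stays as it is, f(a) becomes the grounded description a:f."""
    if isinstance(t, str):
        return t
    _, f, a = t
    return f"{a}:{f}"


def _side(t):
    """Parenthesise a grounded description when it occurs as one side of an equality."""
    return t if isinstance(t, str) else f"({ht_term(t)})"


def ht(phi):
    """Translate a bounded-fragment formula into a first-order hybrid formula (as text)."""
    op = phi[0]
    if op == "P":
        _, name, a, terms = phi
        args = ", ".join(ht_term(t) for t in terms)
        return f"{a}:{name}({args})" if terms else f"{a}:{name}"
    if op == "R":
        return f"{phi[1]}:◇{phi[2]}"
    if op == "E":
        return f"{phi[1]}:E({ht_term(phi[2])})"
    if op == "eqw":
        return f"{phi[1]}:{phi[2]}"
    if op == "eq":
        return f"({_side(phi[1])} = {_side(phi[2])})"
    if op == "and":
        return f"({ht(phi[1])} ∧ {ht(phi[2])})"
    if op == "not":
        return f"¬{ht(phi[1])}"
    if op == "allw":
        _, b, a, body = phi
        if a == b:
            raise ValueError("the fragment requires the world variables a and b to be distinct")
        return f"{a}:□↓{b} {ht(body)}"
    if op == "allx":
        _, x, a, body = phi
        return f"{a}:∀{x} {ht(body)}"
    raise ValueError(f"not a formula of the bounded fragment: {op!r}")


# Constructed sample: forall b (R(a, b) -> P*(b, f(b))).
SAMPLE = ("allw", "b", "a", ("P", "P", "b", [("app", "f", "b")]))

if __name__ == "__main__":
    print(ht(SAMPLE))
```

The sample translates to the de dicto pattern of Subsection 4.1 pinned to the world a: the description b:f is evaluated at the world bound by the binder, not at a.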
5 OTHER SURVEY ARTICLES AND BOOKS 


Below we point out a number of survey articles and books that contain material on 
first-order modal logic not covered by the present handbook chapter. First the survey 
articles. 


Philosophical perspectives on quantification in tense and modal logic, N.B. Coc- 
chiarella [20], in Handbook of Philosophical Logic. Discusses a range of philosophical 
issues. 


Basic modal logic, M. Fitting [36], in Handbook of Logic in Artificial Intelligence 
and Logic Programming. Contains a condensed introduction to first-order modal 
logic including tableau systems. 


Quantification in modal logic, J.W. Garson [49], in Handbook of Philosophical Logic. 
An introduction to first-order modal logic that gives a good overview of the whole 
area. Contains a detailed discussion of completeness and incompleteness. 


Correspondence theory, J. van Benthem [129], in Handbook of Philosophical Logic. 
Contains a section on correspondence theory for first-order modal logic. 


Below is the list of books. 


First-Order Modal Logic, M. Fitting and R. Mendelsohn [41]. A detailed introduc- 
tion to first-order modal logic that covers technical as well as philosophical issues. 
Includes tableau systems. 


Temporal Logic: Mathematical Foundations and Computational Aspects (Volume 
1), D. Gabbay and I. Hodkinson and M. Reynolds [43]. Contains a chapter on 
first-order temporal logic. 


Quantification in Nonclassical Logic, D. Gabbay and V. Shehtman and D. Skvortsov 
[44]. A detailed mathematical treatment of first-order modal logic and other first- 
order non-classical logics. 


Modal Logics and Philosophy, R. Girle [58]. Gives an introduction to first-order 
modal logic from a philosophical point of view. 


The Logics of Time and Computation, R. Goldblatt [59]. Has some material on 
first-order dynamic logic. 


Dynamic Logic, D. Harel, D. Kozen, and J. Tiuryn [61]. Gives a detailed introduc- 
tion to first-order dynamic logic. 


A New Introduction to Modal Logic, G.E. Hughes and M.J. Cresswell [68]. Con- 
tains an introduction to first-order modal logic that covers a broad range of topics. 
Compares intensions and counterparts. A follow-up to the books [67] and [66] by 
the same authors. 


Modal Logic and Classical Logic, J. van Benthem [127]. Contains a chapter on 
first-order modal logic which includes translational issues. 
6 INTRODUCTION TO PART II 


In this second part of the chapter, we first deal with more specific topics concerning 
decision, completeness and axiomatizability issues. We shall see in Section 7 that the 
extension to modal languages of a number of well-known decidability results for frag- 
ments of classical logic is hopeless; however, less naive extensions (limiting the kind of 
subformulas occurring within the scope of modal operators) still keep decidability over 
classical fragments. This is a remarkable fact, because the expressivity of such combined 
fragments is indeed quite rich, thanks to the contribution of the modal operators. 

Completeness analysis of normal systems over QS4 will reveal in Section 8 the intrinsic 
limits of Kripke semantics; in addition, rather natural classes of frames will turn out to 
be non-axiomatizable. However, unlike undecidability and non-axiomatizability results, 
incompleteness results cannot properly be seen as negative results: on the contrary, they 
seem to indicate that modal logic cannot be reduced to possible worlds semantics and that 
extra motivations for it can be found elsewhere, in alternative (non-Kripkean) semantics. 

Such alternative semantics will be investigated in the remaining sections, using the 
hyperdoctrinal point of view as a unifying tool. Modalities arising from geometric mor- 
phisms of toposes will be studied in Subsection 10.1 and in Subsection 10.2 we shall 
exploit the isomorphism between counterpart frames and preordered topological bundles 
in order to find the relevant hints for the axiomatization of counterpart semantics. The 
axiomatization of counterpart semantics is presented in Section 11 (this section is inde- 
pendent from the rest of the chapter, the reader can have direct access to it after reading 
only Subsection 9.1). 

We summarize here basic syntactic and semantic ingredients, just to fix notation (for 
more information, consult Section 2 in the First Part of this chapter). We fix a first-order 
language $\mathcal{L}$ (without identity, functions and constant symbols, for simplicity) containing 
infinitely many predicate symbols for each arity n > 0 (a special 0-ary predicate symbol 
$\bot$ denoting syntactic falsehood is included in $\mathcal{L}$). Formulas are built up using countably 
many variables, propositional implication $\to$, the quantifier $\forall$ and the modal connective 
$\Box$ (the other operators $\top, \wedge, \vee, \neg, \leftrightarrow, \exists, \Diamond$ are defined in the usual way). Notations like 
$\phi(x_1, \ldots, x_n)$ (or, for short, $\phi(x)$) mean that $\phi$ contains free variables only among the 
tuple of distinct variables $x := x_1, \ldots, x_n$. 

A first-order modal system S is a set of formulas closed under necessitation, modus 
ponens, universal generalization and uniform substitution rules (for the definition of 
uniform substitution in the predicate case, consult Subsection 2.3 of Part I); since we 
deal only with normal extensions of QK, we also assume that S contains, in addition 
to all classically valid formulas, the formulas K, namely the formulas of the kind 
$\Box(\phi \to \psi) \to (\Box\phi \to \Box\psi)$. If L is a propositional modal logic (i.e., a set of 
propositional formulas closed under modus ponens, necessitation, uniform substitution and 
containing all classical tautologies and the formulas K), we denote by QL the minimum 
first-order modal system containing L; by BF.L we mean the minimum first order modal 
system containing both L and BF, where BF is the Barcan schema $\forall x \Box \phi \to \Box \forall x \phi$ of 
Subsection 2.9. 

We briefly review Kripke semantics (with increasing and with constant domains). A 
Kripke frame $F = (W, R)$ is a graph, that is a set W endowed with a binary relation R. A 
Kripke F-domain (or simply a Kripke domain) D based on the Kripke frame $F = (W, R)$ is 
a collection of (non empty) sets $D = \{D_w \mid w \in W\}$ such that $D_v \subseteq D_w$ holds whenever 
vRw (i.e., whenever w is ‘accessible’ from v). The Kripke domain D is constant iff we 
have $D_v = D_w$ for all $v, w \in W$; for a constant Kripke domain D, the indexes v, w, ... 
in $D_v, D_w, \ldots$ are usually suppressed. A Kripke skeleton is a pair $(F, D)$ (written also as 
$(W, R, D)$), where $F = (W, R)$ is a frame and D is a Kripke F-domain. 


1 Languages containing identity, functions and constant symbols will be considered only from Section 
9 on. 

A Kripke model $\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$ is a triple given by a Kripke frame $\mathfrak{F} = (W, R)$, a
Kripke $\mathfrak{F}$-domain $D$ and an interpretation (or valuation) function $\mathcal{I}$ mapping every $n$-ary
predicate symbol $P$ to a collection of subsets $\mathcal{I}(P) = \{\mathcal{I}_w(P) \subseteq D_w^n \mid w \in W\}$. For $n = 0$,
by $D^0$ we mean a singleton Kripke $\mathfrak{F}$-domain (that is, $D_w^0$ contains just the empty tuple
of elements from $D_w$); we assume that in a Kripke model, $\mathcal{I}(\bot)$ is always the collection
of the empty subsets $\{\emptyset \subseteq D_w^0 \mid w \in W\}$. The Kripke model $\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$ is said to be
a constant domain model iff $D$ is constant as a Kripke domain.

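Given a Kripke model $\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$, a world $w \in W$, a $w$-assignment $g$ (that is a
map from the set of variables to $D_w$) and a formula $\varphi$, the forcing relation $\mathfrak{M}, g, w \models \varphi$
(written from now on as $g \models^{\mathfrak{M}}_w \varphi$) is defined as in Part I, Subsection 2.4. We say
that $\varphi$ is valid in $\mathfrak{M}, w$ (written $\models^{\mathfrak{M}}_w \varphi$) iff $g \models^{\mathfrak{M}}_w \varphi$ holds for all $g$ and we say that
$\varphi$ is valid in $\mathfrak{M}$ (written $\models^{\mathfrak{M}} \varphi$) iff $\models^{\mathfrak{M}}_w \varphi$ holds for all $w$. We also use the notation
$\models^{\mathfrak{M}}_w \varphi(a_1, \dots, a_n)$ to mean $g \models^{\mathfrak{M}}_w \varphi(x_1, \dots, x_n)$, where $g$ is any assignment such that
$g(x_1) = a_1, \dots, g(x_n) = a_n$.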

A formula $\varphi$ is valid in a Kripke skeleton $(\mathfrak{F}, D)$ iff it is valid in any Kripke model of
the kind $\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$. For instance, for a given $(\mathfrak{F}, D)$, we have that BF is valid in
$(\mathfrak{F}, D)$ iff $D$ is constant as a Kripke domain. A modal system $S$ is valid in $(\mathfrak{F}, D)$ iff all
$\varphi \in S$ are valid in $(\mathfrak{F}, D)$. The set of formulas valid in a Kripke skeleton $(\mathfrak{F}, D)$ is actually
a modal system that is denoted $S(\mathfrak{F}, D)$. We finally recall from Part I that QK (resp.
BF.K) coincides with the set of formulas which are valid in all Kripke skeletons (resp.
in all constant domain Kripke skeletons).


7 DECISION PROBLEMS 


Although classical first-order logic is known to be undecidable, there are interesting 
fragments which are actually decidable: among them, we have the fragment containing 
only monadic predicate symbols [81], the fragment with two individual variables [107], 
[88], [109], the guarded and the packed guarded fragments [1], [60], [86]. The border 
between decidability and undecidability is, however, quite subtle: three variables and 
binary predicate letters are sufficient, for instance, to cross the border and consequently 
to get an undecidable fragment [124] (a great deal of information on the subject can be 
found in the monograph [15] and in [29]). 

As the notion of ‘one-more dimension’ is implicit in modal formalisms, there is no 
surprise in the fact that full modal extensions of classically decidable fragments are 
usually no longer decidable. We first give an account of such negative results, but in the 
second part of this section we also investigate remarkable positive results coming from 
recent literature. 

Recall that we already fixed a modal language $\mathcal{L}$ containing infinitely many predicate
symbols of any arity, but no identity nor function or constant symbols. A fragment of
$\mathcal{L}$ is a set $F$ of $\mathcal{L}$-formulas; for instance, the classical fragment $\mathcal{L}_c$ of $\mathcal{L}$ consists of the
$\Box$-free $\mathcal{L}$-formulas. If a modal system $S$ and a fragment $F$ are given, by the $F$-fragment
of $S$ we mean the set $S \cap F$ of formulas which belong to both $S$ and $F$. Notice that this
definition leaves aside interesting questions concerning the axiomatizability of $S \cap F$ in
terms of axiom schemata and inference rules operating only on formulas belonging to $F$.

A Kripke skeleton $(W, R, D)$ is said to be countably large iff (i) $D$ is constant and
countable; (ii) for some $w \in W$, the set of possible worlds $R(w) := \{v \mid wRv\}$ is infinite.

The first fragment we consider is the monadic fragment $F_m$ formed by the formulas
of $\mathcal{L}$ containing only unary predicate symbols. The following negative result is due to
Kripke [73]:


THEOREM 23. Let $\Sigma \subseteq F_m$ be a set of sentences such that:


(i) $\Sigma$ contains all formulas $\psi$ such that $\psi \in F_m$ and $\psi$ is a substitution instance of a
classically valid formula of $\mathcal{L}_c$;


(ii) $\Sigma \subseteq S(W, R, D)$ for a countably large Kripke skeleton $(W, R, D)$.

Then $\Sigma$ is undecidable.


Proof. A formula $\psi \in \mathcal{L}_c$ is said to be dyadic iff it contains only the binary relation
symbol $S$. Classically valid dyadic formulas form an undecidable class, so our strategy
consists of reducing the decision problem for classically valid dyadic formulas to the
decision problem for $\Sigma$. For dyadic $\psi$, let $\psi^{*}$ be the formula obtained from $\psi$ by replacing
the atomic subformulas $S(x, y)$ by $\Diamond(P(x) \wedge Q(y))$, where $P, Q$ are distinct unary predicate
letters (clearly $\psi^{*} \in F_m$). We show that a dyadic sentence $\varphi$ is classically valid iff $\varphi^{*} \in \Sigma$.
One direction is just by the assumption (i); for the other side, suppose that $\varphi$ is not
classically valid. By standard model theory, there is a countable classical first-order
structure $\mathcal{S} = (D, I)$ such that $\mathcal{S} \not\models \varphi$ (here $D$ is the countable domain of $\mathcal{S}$ and $I$ is
the related interpretation function). Let $w \in W$ be such that $R(w)$ is infinite and let
$p : R(w) \to D$ be any surjection. We define a Kripke model $\mathfrak{M} = (W, R, D, \mathcal{I})$ in the
following way: for $v \notin R(w)$, we let $\mathcal{I}_v(P) := \mathcal{I}_v(Q) := \emptyset$ and for $v \in R(w)$, we let
$\mathcal{I}_v(P) := \{p(v)\}$ and $\mathcal{I}_v(Q) := \{b \in D \mid \mathcal{S} \models S(p(v), b)\}$. Now it is sufficient to show by
induction that for every dyadic formula $\psi(\underline{x})$ and $\underline{a} \in D$, we have $\models^{\mathfrak{M}}_w \psi^{*}(\underline{a})$ iff $\mathcal{S} \models \psi(\underline{a})$
(in particular, $\varphi^{*}$ fails in $\mathfrak{M}$ and hence cannot belong to $\Sigma$ by assumption (ii)). The proof
is easy: for the atomic formulas case, we have $\models^{\mathfrak{M}}_w \Diamond(P(a_1) \wedge Q(a_2))$ iff there is $v \in R(w)$
s.t. $\models^{\mathfrak{M}}_v P(a_1) \wedge Q(a_2)$ iff there is $v \in R(w)$ s.t. $p(v) = a_1$ & $\mathcal{S} \models S(p(v), a_2)$ iff there is
$v \in R(w)$ s.t. $p(v) = a_1$ & $\mathcal{S} \models S(a_1, a_2)$ iff ($p$ being surjective) $\mathcal{S} \models S(a_1, a_2)$. ∎
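The translation and the model built in the proof of Theorem 23 can be checked mechanically on a small case. The following Python sketch is an added example, not part of the original chapter: it uses a finite classical structure, so a finite set of successor worlds with a (non-injective) surjection onto the domain stands in for the infinite set $R(w)$, and all names and the sample relation are constructed for illustration.

```python
from itertools import product

# Formulas are nested tuples.  Dyadic (classical) formulas use the atom ("S", x, y);
# their modal translations use ("P", x), ("Q", x) and ("dia", f).
# Connectives: ("not", f), ("and", f, g), ("imp", f, g), ("all", x, f), ("ex", x, f).

def translate(f):
    """Replace every atom S(x, y) by <>(P(x) & Q(y)); leave the rest unchanged."""
    op = f[0]
    if op == "S":
        return ("dia", ("and", ("P", f[1]), ("Q", f[2])))
    if op == "not":
        return ("not", translate(f[1]))
    if op in ("and", "imp"):
        return (op, translate(f[1]), translate(f[2]))
    if op in ("all", "ex"):
        return (op, f[1], translate(f[2]))
    raise ValueError(f"not a dyadic formula: {f!r}")

def holds(f, D, g, atom, world=None, R=None):
    """Truth of f under assignment g; atom() decides atomic formulas,
    R maps a world to its successors (only used for 'dia')."""
    op = f[0]
    rec = lambda h, gg=g, v=world: holds(h, D, gg, atom, v, R)
    if op == "not":
        return not rec(f[1])
    if op == "and":
        return rec(f[1]) and rec(f[2])
    if op == "imp":
        return (not rec(f[1])) or rec(f[2])
    if op in ("all", "ex"):          # constant domain: always quantify over D
        vals = (rec(f[2], {**g, f[1]: a}) for a in D)
        return all(vals) if op == "all" else any(vals)
    if op == "dia":
        return any(rec(f[1], g, v) for v in R.get(world, ()))
    return atom(f, g, world)

def classical(f, D, S, g=None):
    """Truth of a dyadic formula in the classical structure (D, S)."""
    return holds(f, D, g or {}, lambda a, g_, _w: (g_[a[1]], g_[a[2]]) in S)

def kripke_model(D, S):
    """Model from the proof: root w, leaves v0..vk, surjection p from leaves onto D."""
    leaves = [f"v{i}" for i in range(2 * len(D) + 1)]
    p = {v: D[i % len(D)] for i, v in enumerate(leaves)}
    R = {"w": leaves}
    I = {"w": {"P": set(), "Q": set()}}           # w itself is not in R(w)
    for v in leaves:
        I[v] = {"P": {p[v]}, "Q": {b for b in D if (p[v], b) in S}}
    return R, I

def modal_at_w(f, D, R, I, g=None):
    """Truth at the root w of a monadic modal formula in the constructed model."""
    return holds(f, D, g or {}, lambda a, g_, v: g_[a[1]] in I[v][a[0]], "w", R)

# Constructed sample structure (not from the chapter).
D = [0, 1, 2]
S = {(0, 1), (1, 2), (2, 2)}
SENTENCES = [
    ("all", "x", ("ex", "y", ("S", "x", "y"))),
    ("ex", "x", ("S", "x", "x")),
    ("all", "x", ("all", "y", ("imp", ("S", "x", "y"), ("S", "y", "x")))),
    ("ex", "y", ("all", "x", ("S", "x", "y"))),
]
OPEN = ("imp", ("S", "x", "y"), ("S", "y", "x"))

def check_sentences():
    """Pairs (classical truth, truth of the translation at w) for each sentence."""
    R, I = kripke_model(D, S)
    return [(classical(f, D, S), modal_at_w(translate(f), D, R, I)) for f in SENTENCES]

def check_open_formula():
    """The induction claim for an open formula, over all assignments to x, y."""
    R, I = kripke_model(D, S)
    return all(classical(OPEN, D, S, {"x": a, "y": b})
               == modal_at_w(translate(OPEN), D, R, I, {"x": a, "y": b})
               for a, b in product(D, repeat=2))

if __name__ == "__main__":
    print(check_sentences(), check_open_formula())
```

The third sample sentence (symmetry of $S$) is not classically valid, and its translation is refuted at $w$ in the constructed model, which is the step the proof uses against assumption (ii).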


In particular, Theorem 23 means that any subsystem of QS5 has an undecidable
monadic fragment. The second fragment we consider is the two-variable fragment $F_2$:
this is formed by the formulas of $\mathcal{L}$ containing at most two (bound or free) variables. The
following negative result was obtained quite recently [71] (it generalizes previous results
in [46] for systems with the Barcan formula):


THEOREM 24. Let $\Sigma \subseteq F_2$ be a set of sentences such that
for a countably large Kripke skeleton $(W, R, D)$. Then $\Sigma$ is undecidable.


Proof. We sketch the argument of [71], which uses a reduction of an undecidable tiling
problem [8]. The problem is the following: we are given a finite set $T$, whose members
$t = (u(t), d(t), r(t), l(t))$ are 4-tuples of ‘colours’, and we are asked about the existence of
an $\mathbb{N} \times \mathbb{N}$-tiling function, i.e., of a function $\tau : \mathbb{N} \times \mathbb{N} \to T$ such that for all $i, j \in \mathbb{N}$ we
have:


$u(\tau(i, j)) = d(\tau(i, j+1))$ and $r(\tau(i, j)) = l(\tau(i+1, j))$.


Given a finite $T$, let $\chi_T$ be the $F_2$-sentence obtained as a conjunction of (1)-(8) below:


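$\forall x \bigvee_{t \in T} \big(P_t(x) \wedge \bigwedge_{t' \neq t} \neg P_{t'}(x)\big)$,   (1)
$\forall x \forall y \big(succ_H(x, y) \to \bigwedge_{r(t) \neq l(t')} \neg(P_t(x) \wedge P_{t'}(y))\big)$,   (2)
$\forall x \forall y \big(succ_V(x, y) \to \bigwedge_{u(t) \neq d(t')} \neg(P_t(x) \wedge P_{t'}(y))\big)$,   (3)
$\forall x \exists y\, succ_H(x, y) \wedge \forall x \exists y\, succ_V(x, y)$,   (4)
$\forall x \forall y (succ_H(x, y) \to \Box succ_H(x, y)) \wedge \forall x \forall y (succ_V(x, y) \to \Box succ_V(x, y))$,   (5)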
Va Vy (Osuccy (x,y) —> succy (x, y)), (6) 
Va Vy [succy (x, y) A da(Q(x) A succy(y, 2)) > 
Vy(succy (x, y) > Va(Q(x) — succy (y, x)))}. (8) 


We show that there is a tiling function $\tau : \mathbb{N} \times \mathbb{N} \to T$ if and only if $\neg\chi_T \notin \Sigma$.

Suppose in fact that there is such a tiling $\tau$; let $w \in W$ be a world such that $R(w)$ is
infinite and let $p : R(w) \to \mathbb{N} \times \mathbb{N}$ be any surjective function. Since $D$ is countable, we
can identify it with $\mathbb{N} \times \mathbb{N}$ and define a Kripke model $\mathfrak{M} = (W, R, D, \mathcal{I})$ as follows:


- $\mathcal{I}_v(Q) = \{p(v)\}$ if $v \in R(w)$ and $\mathcal{I}_v(Q) = \emptyset$ if $v \notin R(w)$;
- $\mathcal{I}_v(P_t) = \{(i, j) \mid \tau(i, j) = t\}$;
- $\mathcal{I}_v(succ_H) = \{((i_1, j), (i_2, j)) \mid i_2 = i_1 + 1\}$ and $\mathcal{I}_v(succ_V) = \{((i, j_1), (i, j_2)) \mid j_2 = j_1 + 1\}$.


Since it is easy to check that $\models^{\mathfrak{M}}_w \chi_T$, we have that $\neg\chi_T \notin S(W, R, D)$, i.e., $\neg\chi_T \notin \Sigma$.
Conversely, suppose that $\neg\chi_T \notin \Sigma$: this means that $\neg\chi_T \notin$ QK, i.e., that $\chi_T$ is
satisfiable in a world $v$ of a certain Kripke model $\mathfrak{M}$. Now the conjunction of the two-
variable formulas (4)-(8) is easily seen to imply in QK the (three-variable) formula


(9) VaVyVz[succy(a,y) A succy (a, z) > Iz (succy(z,x) A succy (y, £))]. 


Thus (9) is also true at $v$ in the model $\mathfrak{M}$. The truth of (9) and of (4) implies that for
every $i, j \in \mathbb{N}$ there are individuals $a_{ij}$ living in $v$, such that $\models^{\mathfrak{M}}_v succ_H(a_{ij}, a_{i+1,j})$ and
$\models^{\mathfrak{M}}_v succ_V(a_{ij}, a_{i,j+1})$. From the fact that formulas (1)-(3) hold in $v$, it is easily seen
that the function defined by


$\tau(i, j) = t$ iff $\models^{\mathfrak{M}}_v P_t(a_{ij})$


tiles $\mathbb{N} \times \mathbb{N}$. ∎


Since one-variable fragments of standard quantified modal systems are usually decidable
[110], one may suspect that the source of undecidability is the application of modal
operators to formulas with two free variables. A modal formula $\varphi$ is said to be monodic
iff all subformulas of $\varphi$ whose main connective is $\Box$ contain at most one free variable.
Roughly speaking, we shall prove that the decision problem for validity in the fragment
$F_{mon}$ formed by the monodic formulas can be reduced to the decision problem for
validity in the classical fragment $\mathcal{L}_c$; the proof of such a result will entail that validity
in fragments like $F_m \cap F_{mon}$, $F_2 \cap F_{mon}$ is decidable. More generally, classically decidable
well-behaved fragments do not lose decidability if they are extended to the modal
monodic fragment (for a recent precise formulation of this fact in a general combination
context, see [57]).

For simplicity, we restrict our attention to the monodic fragment over BF.QK, that 
is we deal with the problem of deciding whether a monodic formula is valid in all Kripke 
models with constant domains. It should be noticed that there are various unnecessary 
restrictions in this approach: (a) results can be extended to models with increasing do- 
mains and to standard systems based on T, S4, K4,... (instead of K); (b) the addition 
of rigid designator constants is harmless; (c) more complicated modal operators (like 
reflexive-transitive closures in PDL-style, binary temporal operators like ‘since’ and ‘un- 
til’ for some standard temporal flows semantics) can be considered, without affecting the 
results to be illustrated in this subsection. In some cases (like (a)-(b)), rather trivial 
modifications in the proofs below are required, in some other cases (like those in (c)) the 
extension is not straightforward at all, however the method is basically the same. The 
interested reader is referred to [47] for an almost complete picture of the existing results. 

Let us fix for the remaining part of this subsection a monodic sentence $\varphi$. Let $sub(\varphi)$
be the set of the subformulas of $\varphi$ together with their negations: this set is finite, provided
we ‘define’ $\neg\neg\psi$ to be $\psi$. By $sub_z(\varphi)$ (where $z$ is a variable not occurring in $\varphi$) we mean
$\{\psi(z/x) \mid \psi(x) \in sub(\varphi)$, for some variable $x\}$.^2

For any subformula $\Box\psi$ of $\varphi$ containing at most one free variable, let $P_{\Box\psi}$ be a predicate
symbol not occurring in $\varphi$: the arity of $P_{\Box\psi}$ is 1 if $\psi$ contains a free variable, it is 0 (i.e.,
$P_{\Box\psi}$ is a propositional letter) otherwise. $P_{\Box\psi}$ is called the surrogate of $\Box\psi$. For any
subformula $\psi$ of $\varphi$, let $\overline{\psi}$ be the result of replacing the outermost subformulas of $\psi$ whose
main connective is $\Box$ by their surrogates. Clearly $\overline{\psi} \in \mathcal{L}_c$.


DEFINITION 25. A 1-type $t$ is any subset of $sub_z(\varphi)$ such that $\{\overline{\psi} \mid \psi \in t\}$ is maximal
consistent. A world-candidate for $\varphi$ is any non empty set $T$ of 1-types; a world-candidate
is realizable iff the formula


$(\alpha_T)$   $\bigwedge_{t \in T} \exists z \bigwedge_{\psi(z) \in t} \overline{\psi}(z) \;\wedge\; \forall z \bigvee_{t \in T} \bigwedge_{\psi(z) \in t} \overline{\psi}(z)$


is classically consistent.

Notice that all types belonging to the same realizable world candidate must contain
the same sentences (i.e., the same subformulas of $\varphi$ not containing free variables), by
the maximality request on the definition of a 1-type. Any world $w$ in a Kripke model
$\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$ gives rise to a realizable world-candidate, by taking the set of 1-types
that are realized in it (where $t$ is said to be realized in $w$ iff there is $a \in D$ such that
$\models^{\mathfrak{M}}_w \bigwedge_{\psi(z) \in t} \psi(a)$).


DEFINITION 26. Let $\mathfrak{F} = (W, R)$ be a Kripke frame. A domain-candidate is a function
$\delta$ associating with every $w \in W$ a realizable world-candidate $\delta_w$. A run in a
domain-candidate $\delta$ is a map $r$ associating with every $w \in W$ a 1-type $r(w) \in \delta_w$, satisfying the
following condition for every $\Box\psi \in sub_z(\varphi)$:


$\Box\psi \in r(w)$ iff $\forall v\,(wRv \Rightarrow \psi \in r(v))$.


Finally, a quasi-model is a domain-candidate $\delta$ such that for every $w \in W$ and $t \in \delta_w$
there is a run $r$ such that $r(w) = t$.


^2 Recall that we use the notation $\psi(x)$ to express the fact that in $\psi$ at most the variable $x$ is free (thus
the notation $\psi(x)$ does not prevent $\psi$ from being a sentence).


584 Torben Braüner and Silvio Ghilardi


We say that $\varphi$ is satisfied in a quasi-model $(W, R, \delta)$ iff for some $w \in W$ and $t \in \delta_w$, we
have that $\varphi \in t$. This notion turns out to coincide with standard satisfiability in Kripke
models:


PROPOSITION 27. $\varphi$ is satisfied in a constant domain Kripke model $\mathfrak{M} = (W, R, D, \mathcal{I})$
iff it is satisfied in a quasi-model $(W, R, \delta)$, based on the same Kripke frame $(W, R)$.


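Proof. One direction is trivial: if $\varphi$ is satisfied in $\mathfrak{M} = (W, R, D, \mathcal{I})$, then it is satisfied
in the quasi-model $(W, R, \delta)$, where $\delta$ is the function associating with $w \in W$ the set of
1-types that are realized in $w$.

Conversely, suppose that $\varphi$ is satisfied in $(W, R, \delta)$. For every $w \in W$, let $\mathcal{S}_w$ be a
classical first-order structure which is a model of the formula $(\alpha_{\delta(w)})$ from Definition 25;
by standard classical model theory (since we are considering languages without identity),
we can raise the cardinality of the support of $\mathcal{S}_w$ to any chosen infinite cardinal. Better,
we may freely suppose that the support of all the $\mathcal{S}_w$ is constantly equal to $D := \kappa \times \mathcal{R}$,
where $\mathcal{R}$ is the set of all runs in $(W, R, \delta)$ and $\kappa$ is any infinite cardinal bigger than the
cardinality of $\mathcal{R}$. Notice that any $a \in D$ is in this way a pair $(a^{r}, a^{\kappa})$, where $a^{r}$ is a run
in $(W, R, \delta)$ and $a^{\kappa} < \kappa$. Also, we can raise in $\mathcal{S}_w$ the cardinality of the set of elements
satisfying each 1-type of $\delta_w$ to $\kappa$ and freely suppose that, for $a \in D$, we have


(1)   $\mathcal{S}_w \models \overline{\psi}(a)$ iff $\psi(z) \in a^{r}(w)$


for all $\psi(z) \in sub_z(\varphi)$.

Now we can define the desired Kripke model $\mathfrak{M} = (W, R, D, \mathcal{I})$, by taking, for every
$n$-ary predicate letter $P$, $\mathcal{I}_w(P) := \{(a_1, \dots, a_n) \mid \mathcal{S}_w \models P(a_1, \dots, a_n)\}$. It is now
sufficient to show, by induction, that for every subformula $\psi(x_1, \dots, x_n)$ of $\varphi$ and for every
$a_1, \dots, a_n \in D$, we have


(2)   $\models^{\mathfrak{M}}_w \psi(a_1, \dots, a_n)$ iff $\mathcal{S}_w \models \overline{\psi}(a_1, \dots, a_n)$.


We just show the $\Box$-case: since $\varphi$ is monodic, we can suppose $n = 1$.^3 Hence we have:


$\mathcal{S}_w \models \overline{\Box\psi}(a_1) \Leftrightarrow \Box\psi(z) \in a_1^{r}(w) \Leftrightarrow \forall v\,(wRv \Rightarrow \psi(z) \in a_1^{r}(v)) \Leftrightarrow$
$\Leftrightarrow \forall v\,(wRv \Rightarrow \mathcal{S}_v \models \overline{\psi}(a_1)) \Leftrightarrow \forall v\,(wRv \Rightarrow\ \models^{\mathfrak{M}}_v \psi(a_1)) \Leftrightarrow\ \models^{\mathfrak{M}}_w \Box\psi(a_1)$.


(1) and (2) show, in particular, that $\varphi$ is satisfiable in $\mathfrak{M}$, being satisfiable in $(W, R, \delta)$. ∎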


The next step is to represent quasi-models satisfying $\varphi$ as structures repeating a finite
set of special patterns, called blocks. We denote by $\mathfrak{F}_n = (W_n, R_n)$ the finite Kripke
frame given by $W_n := \{0, 1, \dots, n\}$, $R_n := \{(0, i) \mid 1 \leq i \leq n\}$ (this is a finite rooted tree
containing only the root 0 and the leaves $1, \dots, n$).


^3 For $n = 0$, take an arbitrary $a_1 \in D$ (if $\psi$ is a sentence, both relations $\models^{\mathfrak{M}}_w \psi(a_1)$ and $\mathcal{S}_w \models \overline{\psi}(a_1)$
are not influenced by the choice of $a_1$).


DEFINITION 28. Let $(\mathfrak{F}_n, \delta)$ be a domain candidate based on $\mathfrak{F}_n$. A root-pseudo-run
in it is a map $r$ associating with every $w \in W_n$ a 1-type $r(w)$ satisfying the following
condition for every $\Box\psi \in sub_z(\varphi)$:


$\Box\psi \in r(0)$ iff $\forall v \in W_n\,(0 R_n v \Rightarrow \psi \in r(v))$.


We say that $(\mathfrak{F}_n, \delta)$ is a block iff for every $w \in W_n$ and $t \in \delta_w$ there is a root-pseudo-run
$r$ such that $r(w) = t$.


Again, we say that $\varphi$ is satisfied in a block $(W_n, R_n, \delta)$ iff for some $w \in W_n$ and $t \in \delta_w$,
we have that $\varphi \in t$.


DEFINITION 29. A set $B$ of blocks is a satisfying set for $\varphi$ iff $B$ contains a satisfying
block for $\varphi$ and moreover for every world $w$ in a block $(\mathfrak{F}_n, \delta)$ belonging to $B$, there is a
block $(\mathfrak{F}_{n'}, \delta')$, again in $B$, such that $\delta(w) = \delta'(0)$.


THEOREM 30. $\varphi$ is satisfiable in a Kripke model (with constant domains) iff there is a
satisfying set for $\varphi$ whose blocks contain at most $2k \cdot 2^{k}$ worlds, where $k$ is the cardinality
of $sub_z(\varphi)$.


Proof. If there is a satisfying set for $\varphi$, it is not difficult to ‘glue’ together the various
blocks in it, thus forming a satisfying quasi-model for $\varphi$ based on an intransitive tree:^4
then Proposition 27 applies.

Conversely, if $\varphi$ is satisfied in a Kripke model with constant domains, then (by standard
modal techniques, like unravelling, or directly by the subordination frame technique of
[67]) $\varphi$ is satisfied in a model based on an intransitive tree $\mathfrak{F} = (W, R)$. By Proposition
27, $\varphi$ is satisfied in a quasi-model $(\mathfrak{F}, \delta)$ based on $\mathfrak{F}$. By ‘duplicating’ some worlds, if
needed, we can also suppose that if $wRv$ holds in $\mathfrak{F}$, then there is a ‘twin’ of $v$, namely a
world $v' \neq v$ such that $wRv'$ and $\delta_v = \delta_{v'}$. We now extract from $(\mathfrak{F}, \delta)$ a satisfying set for
$\varphi$: this is done by associating with any $w \in W$ a suitable block, matching the required
cardinality conditions. For every 1-type $t \in \delta_w$ and for every $\Box\psi \in sub_z(\varphi)$ with $\Box\psi \notin t$,
select twin worlds $v_1, v_2$ such that $wRv_1, wRv_2$ and a 1-type $t' \in \delta_{v_1} = \delta_{v_2}$ such that: (i)
$\psi \notin t'$ and (ii) for all $\Box\chi \in sub_z(\varphi)$, if $\Box\chi \in t$, then $\chi \in t'$ (this is possible for instance
by considering any run $r$ in $(\mathfrak{F}, \delta)$ such that $r(w) = t$ and by taking $v_1 := v$, $v_2 :=$ a twin
of $v_1$ and $t' := r(v)$, where $v$ is any world such that $wRv$ and $\psi \notin r(v)$, see the definition
of a run in a quasi-model).

Consider now the subframe $\mathfrak{F}_w = (W_w, R)$ of $\mathfrak{F}$ formed by $w$ and by the worlds so
selected: as $\mathfrak{F}$ is an intransitive tree, this is isomorphic to a frame of the kind $\mathfrak{F}_n$ for
$n \leq 2k \cdot 2^{k}$. If we show that this subframe $\mathfrak{F}_w$ is a block $B_w$ (with respect to the
restriction of $\delta$), the theorem is proved (the required satisfying set for $\varphi$ is formed by
the various blocks $B_w$, varying $w \in W$). Take a type $t \in \delta_v$ for a possible world $v$ in
$B_w = (W_w, R, \delta)$; let $r$ be a run in $(\mathfrak{F}, \delta)$ such that $r(v) = t$. Consider now the 1-type
$r(w)$: by the above construction of $W_w$, for each $\Box\psi \in sub_z(\varphi)$ with $\Box\psi \notin r(w)$, there
is a possible world $v_\psi \in W_w$ with $wRv_\psi$ and a 1-type $t_\psi \in \delta_{v_\psi}$ such that: (i) $\psi \notin t_\psi$ and
(ii) for all $\Box\chi \in sub_z(\varphi)$, if $\Box\chi \in r(w)$, then $\chi \in t_\psi$. As in fact there are such twin $v_\psi$'s to
choose between, we can assume that $v_\psi \neq v$ for every $\psi$. Define now the root-pseudo-run
$s$ by letting $s(u) := t_\psi$ if $u = v_\psi$ for some $\psi$, $s(u) := r(u)$, otherwise. Since $v$ is not
among the $v_\psi$'s, this implies $s(v) = r(v) = t$, as required. ∎


^4 A Kripke frame $(W, R)$ is said to be an intransitive tree iff there is a world $w_0 \in W$ such that for
every $v \in W$, there is exactly one path $w_0 R w_1 R \cdots R w_n = v$ ($n \geq 0$) from $w_0$ to $v$.


COROLLARY 31. Let $F \subseteq F_{mon}$ be a subfragment of the monodic fragment; suppose
that for a sentence $\varphi \in F$ there is an algorithm that decides whether a world-candidate
for $\varphi$ is realizable or not. Then the set of sentences in $F \cap$ BF.K is decidable.


Thus, in particular, $F_m \cap F_{mon} \cap$ BF.K and $F_2 \cap F_{mon} \cap$ BF.K are decidable, because
for $\varphi \in F_m \cap F_{mon}$ (resp. $\varphi \in F_2 \cap F_{mon}$), the formulas of the kind $(\alpha_T)$ are still in
$F_m \cap F_{mon}$ (resp. in $F_2 \cap F_{mon}$). Corollary 31 applies also to the monodic guarded
fragment (see [47]). It should be noticed that, although the monodic fragment of BF.K
has the finite frame property [130] (i.e., a monodic satisfiable formula can be satisfied
in a Kripke model based on a finite frame), the same does not apply e.g. to BF.S4: for
this system it is impossible to extract a finite transitive model from the construction of
Theorem 30, because e.g. the formula (3) from Section 8 requires infinitely many worlds
to be falsified. Notice also that, for more sophisticated systems, most (although not all) of
the proofs of the incompleteness results of next section apply already to the one-variable
fragment.


8 COMPLETENESS, INCOMPLETENESS AND NON-AXIOMATIZABILITY 


A first-order modal system $S$ is complete with respect to a class $\mathcal{K}$ of Kripke skeletons iff
$S$ is valid in every Kripke skeleton belonging to $\mathcal{K}$ and, moreover, every formula $\varphi \notin S$
fails in a Kripke model $\mathfrak{M} = (\mathfrak{F}, D, \mathcal{I})$ such that $(\mathfrak{F}, D)$ belongs to $\mathcal{K}$. $S$ is said to be
K(ripke)-complete iff it is complete with respect to some class $\mathcal{K}$ of Kripke skeletons.

Basic quantified systems like QK, QT, QK4, QS4, QS5, etc., as well as their variants 
with the Barcan formula, are all Kripke complete (see [25], [68] or Chapter 2 of this 
Handbook). However, despite the simplicity of the definition of a K-complete modal 
system, we shall show that K-completeness (contrary to the propositional case) is not as 
frequent as one might expect. 

We first mention a couple of examples of K-complete systems, whose completeness
proofs are not immediate (and which were open problems till the late eighties). Recall
that S4 is obtained from K by adding to it the axiom schemata $\Box\varphi \to \varphi$, $\Box\varphi \to \Box\Box\varphi$;
from the semantic side, S4 is valid and complete with respect to Kripke frames $(W, \leq)$
in which the accessibility relation $\leq$ is a preorder, i.e., it is reflexive and transitive (when
the letter $\leq$ is used for the accessibility relation of a frame, it is implicitly assumed
that such an accessibility relation is a preorder). Recall also that S4.2 is the extension
of S4 axiomatized by the schema $\Diamond\Box\varphi \to \Box\Diamond\varphi$ and that S4.3 is the extension of S4
axiomatized by the schema $\Box(\Box\varphi \to \psi) \vee \Box(\Box\psi \to \varphi)$.^5


THEOREM 32. The systems QS4.2 and QS4.3 are both K-complete. 


In the case of QS4.2 the completeness proof is obtained in [24] by adapting the sub- 
ordination frame technique from [67], whereas in the case of QS4.3, one needs more 
sophisticated methods, like Fine’s diagrams [22] (but see also [118]). However, the fol- 
lowing theorem seems to suggest that K-incompleteness is the rule for many systems 
extending QS4: 


THEOREM 33. [52] Let $L \supseteq$ S4 be a propositional logic such that $L \not\supseteq$ S5 and such that
QL is K-complete. Then $L \subseteq$ S4.3 and, if $L \neq$ S4.3, then $L$ is an unbounded width logic
(that is, for every $n$, there is a rooted frame^6 for $L$ containing $n$ mutually incomparable
states).


^5 See Chapter 7 for more information about the propositional systems we mention here.


The proof of Theorem 33 requires some powerful alternative semantics, like presheaf
semantics (over an arbitrary category). The latter is analyzed in more detail in the
topos-theoretic context of Subsection 10.1, here we use a simple formulation in terms of
functional frames. Following [128], we call functional frame a pair $(\mathcal{W}, \mathcal{R})$, where $\mathcal{W}$ is
a family $\{D_w \mid w \in W\}$ of individual domains and $\mathcal{R}$ is a family of maps between such
domains. Since we want S4-axioms to be valid,^7 we ask for $\mathcal{R}$ to contain identities and
to be closed under compositions. A functional frame $(\mathcal{W}, \mathcal{R})$ becomes a functional model
$\mathfrak{M} = (\mathcal{W}, \mathcal{R}, \mathcal{I})$ upon addition of an interpretation function $\mathcal{I}$, mapping $n$-ary predicates
$P$ to families of subsets $\mathcal{I}_w(P) \subseteq D_w^n$. Truth of a formula $\varphi$ in the model $\mathfrak{M}$ at a world
$w$ under the $w$-assignment $g$ (in symbols $g \models^{\mathfrak{M}}_w \varphi$) is defined in the expected way:^8 for
instance, $g \models^{\mathfrak{M}}_w \Box\varphi$ holds iff $f \circ g \models^{\mathfrak{M}}_v \varphi$ holds for all $f \in \mathcal{R}$ having domain $D_w$ and
codomain $D_v$. Thus functional models and frames differ from the corresponding Kripke
models and frames because, given two possible worlds $w$ and $v$, there are many different
ways of making a transition from $w$ to $v$: the difference with Kripke semantics is sensible,
both from a philosophical and from a mathematical point of view.

For space reasons, we cannot report here the full proof of Theorem 33, however we can
illustrate the method by sketching in some detail the proof of a weaker (but still informative)
result. The key idea is to use an indirect kind of reduction of functional frames to ordinary
Kripke frames. Let us call frame representation $\mathfrak{F}(\mathcal{W}, \mathcal{R})$ of a functional frame $(\mathcal{W}, \mathcal{R})$
the frame having the $f \in \mathcal{R}$ as states and as accessibility relation the divisibility relation
(namely $f_1 \leq f_2$ holds in $\mathfrak{F}(\mathcal{W}, \mathcal{R})$ iff we have $f_2 = h \circ f_1$, for some domain and codomain
matching function $h \in \mathcal{R}$).


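LEMMA 34. Let a functional frame $(\mathcal{W}, \mathcal{R})$ be given; if $\mathfrak{F}(\mathcal{W}, \mathcal{R}) \models \psi$ holds for some
modal propositional formula $\psi$, then every predicate-logical substitution instance $\sigma(\psi)$ of
$\psi$ is valid in all the functional models based on $(\mathcal{W}, \mathcal{R})$.


Proof. We argue by contraposition: suppose that we have $g \not\models^{\mathfrak{M}}_w \sigma(\psi)$ for some $w, g$ in a
model $\mathfrak{M}$ based on $(\mathcal{W}, \mathcal{R})$. Define a propositional valuation $V$ on $\mathfrak{F}(\mathcal{W}, \mathcal{R})$ by setting (for
every propositional variable $p$) $V(p) := \{f : D_w \to D_v \mid f \circ g \models^{\mathfrak{M}}_v \sigma(p)\}$. By induction,
it is easy to see that, for all $f \in \mathcal{R}$ having domain $D_w$ and for all propositional modal
formulas $\chi$, we have that $\chi$ is true at $f$ in the propositional Kripke model $(\mathfrak{F}(\mathcal{W}, \mathcal{R}), V)$
iff $f \circ g \models^{\mathfrak{M}}_v \sigma(\chi)$ holds (here $D_v$ is the codomain of $f$). In particular, we get that $\psi$ fails
at $id_w$ in $(\mathfrak{F}(\mathcal{W}, \mathcal{R}), V)$. ∎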


Let $L \supseteq$ S4 be a propositional logic such that $L \not\supseteq$ S5 and such that QL is K-complete:
we shall prove that $L \subseteq$ S4.3.Grz (equivalently, that every finite chain is a frame for $L$).
Bearing this aim in mind, consider the following formula $\varphi$


(3)   $\Box\forall x (P(x) \to \Box P(x)) \to \Diamond\forall x (\Diamond P(x) \to P(x))$.


Now, if QL $\nvdash \varphi$, by the Kripke completeness for QL, it is clear that there exists a Kripke
skeleton $(\mathfrak{F}, D)$ (based on a Kripke frame $\mathfrak{F}$ for $L$) containing a generated subframe
that can be p-morphically mapped onto any finite linear chain,^9 which means that $L \subseteq$
S4.3.Grz, as claimed. Thus, it is sufficient to show that QL $\vdash \varphi$ implies $L \supseteq$ S5: here
functional models come into the picture.


^6 A preordered set $(W, \leq)$ is rooted iff for some $p \in W$, we have $p \leq v$ for all $v$.

^7 This is a simplified analysis, in fact correspondence theory for functional frames still needs full
investigation (for some subtleties arising here, see [128] again).

^8 In particular, quantification at $w$ ranges over the domain $D_w$ only.

Consider the following functional frame $(\mathcal{W}, \mathcal{R})$: $W$ contains just one world $w$, the
unique individual domain is $D_w := \{1, 2\}$ and the functions in $\mathcal{R}$ are the identity function
and the constant function with value 2. The formula $\varphi$ is not valid in a functional model
$\mathfrak{M}$ based on $(\mathcal{W}, \mathcal{R})$ (take $\mathcal{I}_w(P) := \{2\}$); since we supposed QL $\vdash \varphi$ and functional
models semantics is obviously valid, some predicate-logical substitution instance of an
axiom of $L$ fails in $\mathfrak{M}$. By Lemma 34, we must conclude that $\mathfrak{F}(\mathcal{W}, \mathcal{R})$ is not a frame for
$L$. However, $\mathfrak{F}(\mathcal{W}, \mathcal{R})$ is the two-element chain and consequently $L \supseteq$ S5, as claimed.
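The one-world functional frame above is small enough to evaluate directly. The following Python sketch is an added example, not code from the chapter: it reads formula (3) as $\Box\forall x(P(x) \to \Box P(x)) \to \Diamond\forall x(\Diamond P(x) \to P(x))$ (an assumed reading of the modal operators), implements the clause "$g \models_w \Box\varphi$ iff $f \circ g \models_v \varphi$ for all maps $f$ leaving $D_w$", computes the frame representation, and for contrast evaluates the same formula on the two-element Kripke chain with constant domain $\{1, 2\}$; all function and variable names are illustrative.

```python
from itertools import product

# Formula (3), read as  [](all x (P(x) -> []P(x)))  ->  <>(all x (<>P(x) -> P(x))).
PHI = ("imp",
       ("box", ("all", "x", ("imp", ("P", "x"), ("box", ("P", "x"))))),
       ("dia", ("all", "x", ("imp", ("dia", ("P", "x")), ("P", "x")))))

def holds(f, dom, maps, P, w, g):
    """g |=_w f in a functional model.
    dom:  world -> tuple of individuals (the domain D_w)
    maps: list of (source world, target world, dict realising the function)
    P:    world -> extension of the unary predicate P at that world"""
    op = f[0]
    if op == "P":
        return g[f[1]] in P[w]
    if op == "imp":
        return (not holds(f[1], dom, maps, P, w, g)) or holds(f[2], dom, maps, P, w, g)
    if op == "all":                      # quantification ranges over D_w only
        return all(holds(f[2], dom, maps, P, w, {**g, f[1]: a}) for a in dom[w])
    if op in ("box", "dia"):
        # transport the assignment along every map h leaving w:  g  |->  h o g
        results = (holds(f[1], dom, maps, P, v, {x: h[a] for x, a in g.items()})
                   for (u, v, h) in maps if u == w)
        return all(results) if op == "box" else any(results)
    raise ValueError(op)

def frame_representation(maps):
    """Pairs (i, j) with maps[i] <= maps[j], i.e. maps[j] = h o maps[i] for some h."""
    rel = set()
    for (i, (u1, v1, f1)), (j, (u2, v2, f2)) in product(enumerate(maps), repeat=2):
        if u1 == u2 and any(s == v1 and t == v2 and all(h[f1[a]] == f2[a] for a in f1)
                            for (s, t, h) in maps):
            rel.add((i, j))
    return rel

# The functional frame from the text: one world, D_w = {1, 2},
# maps[0] = identity, maps[1] = constant function with value 2.
ONE_DOM = {"w": (1, 2)}
ONE_MAPS = [("w", "w", {1: 1, 2: 2}), ("w", "w", {1: 2, 2: 2})]

def phi_in_functional_model():
    """Truth of formula (3) at w with I_w(P) = {2}."""
    return holds(PHI, ONE_DOM, ONE_MAPS, {"w": {2}}, "w", {})

# Two-element Kripke chain 0 <= 1 with constant domain {1, 2}, encoded as a functional
# frame with exactly one map (the identity on individuals) per accessible pair.
ID = {1: 1, 2: 2}
CHAIN_DOM = {0: (1, 2), 1: (1, 2)}
CHAIN_MAPS = [(0, 0, ID), (0, 1, ID), (1, 1, ID)]

def kripke_chain_counterexamples():
    """All (P_0, P_1, world) on the Kripke chain at which formula (3) fails."""
    subsets = [set(), {1}, {2}, {1, 2}]
    return [(p0, p1, w) for p0, p1 in product(subsets, repeat=2) for w in (0, 1)
            if not holds(PHI, CHAIN_DOM, CHAIN_MAPS, {0: p0, 1: p1}, w, {})]

if __name__ == "__main__":
    print(phi_in_functional_model())          # formula (3) is refuted
    print(sorted(frame_representation(ONE_MAPS)))
    print(kripke_chain_counterexamples())
```

The computed relation is reflexive and transitive but not symmetric (identity below the constant map, not conversely), i.e. the two-element chain, while the Kripke model on that same chain admits no counterexample to the formula.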

The full statement of Theorem 33 is obtained by repeating again and again the above
schema (find a formula that functional models prove to be independent through Lemma
34 and identify some necessary condition for it to be false in a Kripke skeleton).
Additional incompleteness results can be found in [111]; we mention just one of them: the
system axiomatized by adding to QS4 the modal translation of the ‘constant domain’
superintuitionistic axiom schema $\forall y (\psi(y, x) \vee \varphi(x)) \to (\forall y\, \psi(y, x)) \vee \varphi(x)$ is unable to
prove the Barcan formula and hence it is not K-complete.

For constant domain semantics, a general completeness/incompleteness theorem is 
available, by combining the results from [125] and [113]: 


THEOREM 35. If $L \supseteq$ S4 is a subframe logic, then BF.L is K-complete iff $L$ has the
finite embedding property.^10


However, it seems to be problematic to get positive results beyond the subframe logics
case: the system BF.S4.2 is not K-complete [111], [50] and BF.S4.1 (namely BF.S4
plus $\Box\Diamond\varphi \to \Diamond\Box\varphi$) is incomplete as well [68].

K-completeness can be re-gained by axiomatizing Kripke completions: the Kripke
completion of a modal system $S$ is the modal system $S_K$ containing the formulas which
are valid in all the Kripke skeletons in which $S$ is valid. Some work has been done for the
axiomatization of Kripke completions within the related field of Kripke semantics for in- 
termediate predicate logics: for instance, an axiomatization of the intuitionistic first-order 
formulas which are valid in Kripke models based on posets not exceeding a preassigned 
bounded height is given in [131], where the insufficient propositional axioms are suitably 
strengthened. If one restricts to the intuitionistic first-order formulas which are valid in 
Kripke models based on a given single finite poset, then general reasons (which apply to 
any first-order axiomatizable class of Kripke skeletons) guarantee recursive enumerabil- 
ity, whereas nothing can be said about existence of a finite axiomatization: the latter 
exists for the constant domain case (where it can be shown that propositional axioms 
suffice [112]), but not always for the nested domain case, see [95], [115], [116], [117] for 
existing results on the subject. 

The problem of axiomatizing an (even quite natural) given class of Kripke skeletons
might be a tremendous task, as exemplified by the case of constant domain skeletons
based on $(\mathbb{N}, \leq)$:^11


^9 Starting from any world $w$ falsifying $\varphi$, we can in fact find an infinite strictly ascending chain of
worlds over $w$, thus p-morphisms from the $w$-upper cone onto finite linear chains easily obtain.

^10 See Chapter 7 for the definition of a subframe logic. $L$ is said to have the finite embedding property
iff every frame in which $L$ is not valid contains a finite subframe in which $L$ is not valid as well.

11Theorem 36 comes from unpublished work by D. Scott. Scott’s method is outlined in [45] (here we 
give a similar, but simplified argument). 
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THEOREM 36. The set of modal formulas which are valid in constant domain models 
based on the frame (N,<) is not arithmetical (hence, a fortiori, not recursively enumer- 
able). 


Proof. We reduce true arithmetic to validity in constant domain models based on (N, <). 
For the purposes of this proof only, let us assume for simplicity that our language £ 
contains equality, constant and function symbols’? (these are treated rigidly in models, 
contrary to the extensions of predicates which are allowed to vary). Let Lr be the 
sublanguage of £ containing equality, a constant 0, a unary function symbol s and binary 
function symbols +,-; Lr can be used in order to introduce Robinson’s arithmetic (see 
e.g. [90]): this is the first-order theory obtained from Peano’s arithmetic by replacing 
the induction schema by the formula Yz(x = 0 V Jy(x = s(y))). Robinson arithmetic 
is a finitely axiomatized theory (let p be the conjunction of the related axioms), in 
which recursive functions and predicates are formally representable. In particular, for all 
n,m € N, we have (we use | for provability in classical logic): 


nm > Fp>n#m; (4) 
Fo>n+m=n+}m; (5) 
Fo>n-m=n m. (6) 


Moreover, if we define x < y as dz(z+ x = y), it is well-known (and easily proved by 
metatheoretical induction over m) that we have: 


(7) Fp—> Yr (x <me (x=0V- -Vr =m)). 


Let N be a unary predicate (not in Lpr) and let r be the conjunction of the following 
three formulas 


Vavy(y < z = O(N (z) > N(y))), VzO(N (£) > ON(x)), VeON(a). 


For every ($\Box$-free) sentence $\phi$ in $\mathcal{L}_R$, we show that $\phi$ is true in the standard model $\mathbb{N}$ of
arithmetic iff $\rho \wedge r \wedge \phi$ is satisfiable in a constant domain model based on $(\mathbb{N}, \le)$ (hence,
$\neg\phi$ is a true arithmetical statement iff $\neg(\rho \wedge r \wedge \phi)$ is valid in our semantics). One
direction is easy: if $\phi$ is a true arithmetical sentence, let us define $D := \mathbb{N}$ and
$\mathcal{I}_n(N) := \{0, 1, \dots, n\}$ (obviously, $\mathcal{I}_n(0)$, $\mathcal{I}_n(s)$, $\mathcal{I}_n(+)$, $\mathcal{I}_n(\cdot)$ are number 0, successor, sum and
product, respectively). For this $\mathfrak{M} = (\mathbb{N}, \le, D, \mathcal{I})$, we clearly have that $\models^{\mathfrak{M}}_{0} \rho \wedge r \wedge \phi$.
Conversely, assume $\rho \wedge r \wedge \phi$ is satisfied in a constant domain model $\mathfrak{M} = (\mathbb{N}, \le, D, \mathcal{I})$
(without loss of generality, we may suppose that $\models^{\mathfrak{M}}_{0} \rho \wedge r \wedge \phi$). Then $(D, \mathcal{I}_0)$ is a
classical first-order structure which is a model of Robinson arithmetic. Because of that,
the map associating $\mathcal{I}_0(\bar{n})$ with $n$ is an injective homomorphism of the standard model
$\mathbb{N}$ into $(D, \mathcal{I}_0)$ (see (4)-(6)). Thus, to show that $\phi$ is indeed a true arithmetical sentence,
we only need to check that $D$ does not contain non-standard elements, i.e., that for any
$b \in D$ there is $n$ such that $b = \mathcal{I}_0(\bar{n})$. Here we use the fact that $\models^{\mathfrak{M}}_{0} r$ holds. Notice first
that, because of this, we have $D = \bigcup_{n \in \mathbb{N}} \mathcal{I}_n(N)$ and moreover $\mathcal{I}_n(N) \subseteq \mathcal{I}_m(N)$, whenever
$n \le m$. Also, $\models^{\mathfrak{M}}_{0} r$ forces, in the world 0, the relation $x \ge y$ to be $\Box(N(x) \to N(y))$
(that is, the relation $x \ge y$ holds iff $x$ is added to the extension of the predicate $N$ at
the same time or after $y$ is added).


¹² This assumption makes the arguments below more transparent, but it is not essential: one can use
$n+1$-ary predicate symbols instead of $n$-ary function symbols, select a binary predicate symbol $\approx$ in
$\mathcal{L}$ and let it play the role of equality (this means that suitable rigidity, congruence and functionality
axioms for the symbols of $\mathcal{L}_R$ w.r.t. $\approx$ are included in the conjuncts of the formula $\rho$ below).

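Let now $k_0$ be the minimum $k_0 \in \mathbb{N}$ such that $\mathcal{I}_{k_0}(N)$ is not empty: from $c \in \mathcal{I}_{k_0}(N)$,
we get that $c$ is the $\le$-smallest element in $D$, hence in particular $\models^{\mathfrak{M}}_{0} c \le \bar{0}$, i.e., $c =
\mathcal{I}_0(\bar{0})$ by (7). Then, let $k_1 > k_0$ be the minimum number such that $\mathcal{I}_{k_1}(N)$ is a proper
superset of $\mathcal{I}_{k_0}(N)$: here just $\mathcal{I}_0(\bar{1})$ is the new element entering into $\mathcal{I}_{k_1}(N)$, because
from $c \in \mathcal{I}_{k_1}(N)$, we get that $c$ is $\le$-smaller than every element of $D$ different from $\mathcal{I}_0(\bar{0})$,
hence in particular $\models^{\mathfrak{M}}_{0} c \le \bar{1}$, i.e., $c = \mathcal{I}_0(\bar{0})$ or $c = \mathcal{I}_0(\bar{1})$, by (7) again. If we proceed in
this way, we identify an infinite sequence of natural numbers $k_0 < k_1 < k_2 \cdots$ such that
for all $n$


$\mathcal{I}_{k_n}(N) = \mathcal{I}_{k_n + 1}(N) = \cdots = \mathcal{I}_{k_{n+1} - 1}(N) = \{\mathcal{I}_0(\bar{0}), \dots, \mathcal{I}_0(\bar{n})\}$.


Let now $b \in D$: from $\models^{\mathfrak{M}}_{0} \Diamond N(b)$, it follows that $b = \mathcal{I}_0(\bar{n})$, for some $n$. ∎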


Theorem 36 is just an example of a non-axiomatizable natural class of Kripke models: 
for non-axiomatizability of Kripke models based on finite frames, see [5], [4], [26]. Further 
very strong results have been reached in [119], [120], where it is shown in particular that 
for any infinite family Y of finite rooted posets, the set of valid formulas in models 
based on members of Y (both with constant and with nested domains) is not recursively 
enumerable. For non recursive enumerability of valid formulas on every noetherian frame 
(both with increasing and constant domains), see [105], [106]. 

The reader might have the impression that incompleteness and non-axiomatizability
arise only in rather specific situations and that common standard semantic classes are
on the contrary nicely behaved. This is not the case: so far, we examined only unary
monomodal systems, but if we drop such a restriction, negative results arise even more
easily. The following sample illustrates what happens to quantified extensions of PDL-like
propositional systems. Let us consider the bimodal language $\mathcal{L}^*$ obtained from $\mathcal{L}$ by
adding to it an extra box operator $\Box^*$. At the semantical level, we do not need to modify the
definitions of a frame, of a skeleton and of a model we gave in Section 6 for monomodal
systems over QK, we simply add the truth-clause


$\models^{\mathfrak{M}}_{w} \Box^{*}\phi$ iff $\forall n \ge 0,\ \forall w_1, \dots, w_n\ \Big(\bigwedge_{i=0}^{n-1} w_i R w_{i+1} \to\ \models^{\mathfrak{M}}_{w_n} \phi\Big)$,


saying that $\Box^*$ is interpreted by using the reflexive-transitive closure of $R$. Here not only
the standard propositional axioms (those listed e.g. in Chapter 12) are insufficient, but
once again incompleteness cannot be repaired:


THEOREM 37. The set of $\mathcal{L}^*$-formulas which are valid in the above semantics (both
with increasing and with constant domains) is not recursively enumerable.


The proof of this theorem is obtained in [130] by reduction of the $\mathbb{N} \times \mathbb{N}$-recurrent tiling
problem. Actually, Theorem 37 applies to the two-variable monadic fragment, but not to 
the monodic fragment. The latter is nicely axiomatizable: to this end, it is sufficient [47] 
to join a propositionally complete set of axiom schemata with the standard quantifier 
laws (proofs in the resulting system are restricted to formulas belonging to the monodic 
fragment). 
9 TOWARDS MORE POWERFUL SEMANTICS


In this section, we begin our investigation of alternative semantics, starting from an
appropriate algebraic framework, namely hyperdoctrines (traditional algebraic semantics
[102] is inadequate because, contrary to the propositional case, it is not complete
[94]). From hyperdoctrines, we derive the most powerful existing semantics for modal
first-order logic, namely metaframes; we postpone to Section 10 the analysis of suitable
mathematical frameworks giving rise to further very natural extended semantics. Finally,
in Section 11, we analyze counterpart semantics.


9.1 Typed Languages and Systems 


Types are commonly used in higher order formalisms, where they are needed to deal with
constructors like exponentiation and powerset, see e.g. [76]. The reason why we introduce
them in a first order framework is different. It is well-known that a first-order formula
$\phi$, once interpreted in a model $\mathfrak{M}$, defines a subset $[\![\phi]\!]^{\mathfrak{M}}$ of a suitable cartesian power
of the domain (of the domains, in the many-sorted case). What exactly this cartesian
power is, however, is not specifically indicated in the formula itself: if $\phi$ contains $n$
free variables, then $[\![\phi]\!]^{\mathfrak{M}}$ can be seen as a subset of any $m$-th cartesian power of the
domain, where $m \ge n$. Thus, varying $m$, $[\![x = 0]\!]^{\mathfrak{M}}$ may denote in analytic geometry a
point, a straight line, a plane, and so forth: logicians usually argue that this confusion is
harmless, because infinitary assignments (not finitary assignments) are commonly used
in the inductive definition of truth of a formula in a model. There is however something
artificial in this choice of leaving the ‘dimension’ unspecified: in fact, there is an implicit
notion of dimension even in contexts which are far from mathematics (for instance,
dimension seems to naturally arise in linguistics, in relation to indexicals [19], see also
Section 11 below). Although ordinary untyped languages are more manageable from a
proof-theoretic point of view, we shall adopt typed languages from now on, because using
such languages it is easier to interpret first-order formulas in the extended semantics that
have been proposed in the literature. Typed languages will also be indispensable for the
counterpart semantics of Section 11. We formally introduce the notion of a typed formula
(i.e., of a ‘formula-with-dimension’).

For simplicity, we shall give the definition of a typed language in the one-sorted case
only: extensions to the many-sorted case [51] are important, but straightforward and
will be left to the experienced reader. Given that only one sort is allowed, types (i.e.,
‘dimensions’) are formal cartesian products of that unique sort and can hence be identified
with natural numbers greater than or equal to 0.

We suppose that a first-order language $\mathcal{L}$ is given, where a language is now a set of
functions and of predicate symbols, both endowed with a specified arity. We assume that
$\mathcal{L}$ always contains a 0-ary predicate symbol $\bot$ (the ‘falsehood’) and a 2-ary predicate
symbol $=$ (the ‘equality predicate’).

Terms are built up in the customary way, using countably many variables $x_1, x_2, \dots$.
A term of type $n$ (briefly an $n$-term) is a term $t$ in which at most the variables $x_1, \dots, x_n$
occur; we write $t : n$ to mean that $t$ is an $n$-term. If $t : n$ is an $n$-term and if $v_1 :
m, \dots, v_n : m$ are $m$-terms, $t[v_1, \dots, v_n] : m$ is the $m$-term resulting from $t$ by replacing
$x_i$ by $v_i$ ($i = 1, \dots, n$).


DEFINITION 38. The notion of a formula of type $n$ (briefly an $n$-formula) $\phi : n$ is so
defined:

(i) if $P$ is a predicate symbol of arity $k$ and if $t_1 : n, \dots, t_k : n$ are $n$-terms, then
$P(t_1, \dots, t_k) : n$ is an (atomic) $n$-formula;


(ii) if $\phi : n$ and $\psi : n$ are $n$-formulas, so is $(\phi \to \psi) : n$;


(iii) if $\phi : n+1$ is an $n+1$-formula, then $(\forall x_{n+1}\,\phi) : n$ is an $n$-formula;


(iv) if $\phi : n$ is an $n$-formula, then $(\Box\phi) : n$ is an $n$-formula.


Thus quantification is allowed only with respect to the maximum index variable (this
limitation does not cause any loss of expressivity, only alphabetic variants are lost). The
inductive definition of an $n$-formula in the -case will be modified in Section 11 in order
to make it suitable for counterpart semantics. The remaining logical operators (namely
$\top, \wedge, \vee, \neg, \leftrightarrow, \exists$,) are defined in the usual way. We formally introduce substitutions:


DEFINITION 39. If $\phi : n$ is an $n$-formula and if $v : m$ is an $n$-tuple of $m$-terms, the
$m$-formula $\phi[v] : m$ is so defined, by induction on $\phi : n$:


(a) if $\phi : n$ is the atomic formula $P(t_1, \dots, t_k) : n$, then $\phi[v] : m$ is $P(t_1[v], \dots, t_k[v]) : m$;

(b) if $\phi : n$ is $\psi_1 \to \psi_2 : n$, then $\phi[v] : m$ is $(\psi_1[v]) \to (\psi_2[v]) : m$;

(c) if $\phi : n$ is $\forall x_{n+1}\,\psi : n$, then $\phi[v] : m$ is $\forall x_{m+1}\,(\psi[v, x_{m+1}]) : m$;

(d) if $\phi : n$ is $\Box\psi : n$, then $\phi[v] : m$ is $\Box(\psi[v]) : m$.


Thus bound variables are systematically renamed in substitutions (observe also that
Definition 39(c) is correct, because if the $v$'s are $m$-terms, then they are also
$m+1$-terms).¹³ The following compatibility condition between substitutions into terms and
substitutions into formulas can be easily proved by induction:


$(\phi[t_1, \dots, t_k])[v] : m \;=\; \phi[t_1[v], \dots, t_k[v]] : m$.
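
The substitution of Definition 39 can be run mechanically. The following Python sketch is an added example, not part of the original text; the tuple encoding of terms and formulas and all function names are assumptions made for the illustration. It type-checks formulas as in Definition 38, applies Definition 39 (renaming the bound variable to $x_{m+1}$), and checks the compatibility condition on a constructed formula.

```python
# Added illustration of Definitions 38 and 39 (encoding and names are assumptions).
# Terms:    ("var", i) for x_i, ("fn", name, args)
# Formulas: ("pred", P, args), ("imp", a, b), ("all", k, body) for "forall x_k", ("box", a)

def X(i):
    return ("var", i)

def term_ok(t, n):
    """t : n iff at most the variables x_1..x_n occur in t."""
    if t[0] == "var":
        return 1 <= t[1] <= n
    return all(term_ok(a, n) for a in t[2])

def formula_type_ok(phi, n):
    """phi : n in the sense of Definition 38."""
    tag = phi[0]
    if tag == "pred":
        return all(term_ok(a, n) for a in phi[2])
    if tag == "imp":
        return formula_type_ok(phi[1], n) and formula_type_ok(phi[2], n)
    if tag == "all":
        # only the maximum index variable x_{n+1} may be quantified
        return phi[1] == n + 1 and formula_type_ok(phi[2], n + 1)
    if tag == "box":
        return formula_type_ok(phi[1], n)
    raise ValueError(tag)

def subst_term(t, v):
    """t[v_1,...,v_n]: replace x_i by v_i."""
    if t[0] == "var":
        return v[t[1] - 1]
    return ("fn", t[1], tuple(subst_term(a, v) for a in t[2]))

def subst(phi, v, m):
    """phi[v] : m for an n-tuple v of m-terms (Definition 39)."""
    tag = phi[0]
    if tag == "pred":
        return ("pred", phi[1], tuple(subst_term(a, v) for a in phi[2]))
    if tag == "imp":
        return ("imp", subst(phi[1], v, m), subst(phi[2], v, m))
    if tag == "all":
        # clause (c): the body receives (v, x_{m+1}); the binder becomes x_{m+1}
        return ("all", m + 1, subst(phi[2], tuple(v) + (X(m + 1),), m + 1))
    if tag == "box":
        return ("box", subst(phi[1], v, m))
    raise ValueError(tag)

def compatible(phi, t, n, v, m):
    """(phi[t_1..t_k])[v] == phi[t_1[v],...,t_k[v]] for n-terms t_i and m-terms v_j."""
    lhs = subst(subst(phi, t, n), v, m)
    rhs = subst(phi, tuple(subst_term(ti, v) for ti in t), m)
    return lhs == rhs

def show(x):
    """Plain-text rendering: Ax3 is 'forall x_3', [] is the box."""
    tag = x[0]
    if tag == "var":
        return f"x{x[1]}"
    if tag in ("fn", "pred"):
        return f"{x[1]}({', '.join(show(a) for a in x[2])})"
    if tag == "imp":
        return f"({show(x[1])} -> {show(x[2])})"
    if tag == "all":
        return f"Ax{x[1]}.{show(x[2])}"
    return f"[]{show(x[1])}"

# Constructed sample: PHI : 2 is  forall x_3 (R(x_1, x_3) -> []P(x_2))
PHI = ("all", 3, ("imp", ("pred", "R", (X(1), X(3))), ("box", ("pred", "P", (X(2),)))))
T = (("fn", "g", (X(1),)), X(1))   # a 2-tuple of 1-terms
V = (X(2),)                        # a 1-tuple of 2-terms

if __name__ == "__main__":
    print(show(PHI), ": 2")
    print(show(subst(PHI, T, 1)), ": 1")
    # x_3 is substituted for x_1; the bound x_3 is renamed to x_4, so nothing is captured
    print(show(subst(PHI, (X(3), X(1)), 3)), ": 3")
    print("compatibility:", compatible(PHI, T, 1, V, 2))
```
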


We can emphasize the fact that a given $n+1$-formula does not contain occurrences of a
variable, say $x_{n+1}$, by writing it in the form $\phi[x_1, \dots, x_n] : n+1$, for a suitable $n$-formula
$\phi : n$. Notice also that in order to take the implication of $\phi : n$ and $\psi : n+1$, one must
e.g. use $\phi[x_1, \dots, x_n] \to \psi : n+1$ (the $n+1$-formula $\phi[x_1, \dots, x_n] : n+1$ differs from
the $n$-formula $\phi : n$ because the bound variables $x_i$, for $i > n$, are suitably renamed).
In order to make notation easier, we shall also make the following convention: by $x$ we
indicate a list of variables like $x_1, \dots, x_n$ (for some $n \ge 0$) and, whenever the notation $x$
is used, $y$ stands for $x_{n+1}$, whereas $z_1, z_2$ stand for $x_{n+1}, x_{n+2}$, etc.

We shall make use of modal systems formulated within typed languages; from now
on, we shall also consider only systems on a propositional S4 basis. The latter choice
is due to simplicity and uniformity reasons: mathematical ‘topological-like’ semantics
require S4-axioms to be valid and certain arguments would look unnatural and distorted
if ‘topological-like’ conditions were systematically weakened in the style of neighborhood
semantics for propositional modal logic. On the other hand, we shall explicitly
alert the reader whenever the adaptation of the semantics we introduce to systems weaker
than S4 is non trivial or problematic.


¹³ In order to make clearer the comparison with the Beck-Chevalley property below, notice
that the right-most formula $\forall x_{m+1}\,(\psi[v, x_{m+1}]) : m$ of Definition 39(c) can also be written as
$\forall x_{m+1}\,(\psi[v[x_1, \dots, x_m], x_{m+1}]) : m$, because $v[x_1, \dots, x_m] = v$.


The quantified (typed) deductive system QS4 is explained in Table 1. The instantiation
rule (Inst) can be avoided by closing under instantiation the axiom schemata
($\forall$-Ex), (Refl), (Repl) (that is, one may use e.g. the schema $\forall y\,\phi \to \phi[x, t] : n$ instead of
($\forall$-Ex)), however we prefer to keep rule (Inst) in order to make the proofs of the next
subsections smoother.


If we need to consider modal first-order systems $S$ stronger than QS4, we simply add
to Table 1 a set of formulas $\Phi$ closed under uniform substitution as extra $S$-axioms.¹⁴ In
particular, if $\Phi$ is the set of first-order instances of the formulas provable in a propositional
modal logic $L \supseteq$ S4, we get the system QL (this is the typed version with equality of
the system QL of Section 6).


Typed systems and untyped ordinary systems are equivalent formalisms: since untyped
formulas have alphabetic variants that can be typed, we have syntactic translations in
both directions which reduce to identity (up to provability) in case they are sequentially
applied. This result is not difficult to prove (see [51] for the details); notice however that
in order to get it, the extra single axiom $\exists x_1 \top : 0$ must be added to Table 1, in case
the language does not contain any constant symbol (this is because the calculus of Table
1 is sound with respect to empty domain models and consequently it cannot prove any
theorem of the kind $\exists x_1 \phi : 0$ if no constant is available).


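Table 1.

Axiom Schemata

  $\phi : n$   (Taut)
      (provided $\phi$ is an instance of a propositional S4-valid formula)
  $(\forall y\,\phi)[x] \to \phi : n+1$   ($\forall$-Ex)
  $x_1 = x_1 : 1$   (Refl)
  $z_1 = z_2 \to (\phi[x, z_1] \to \phi[x, z_2]) : n+2$   (Repl)

Inference Rules

  $\dfrac{\phi : n \qquad \phi \to \psi : n}{\psi : n}$   (MP)

  $\dfrac{\phi : n}{\Box\phi : n}$   (Nec)

  $\dfrac{\phi[x] \to \psi : n+1}{\phi \to \forall y\,\psi : n}$   ($\forall$-In)

  $\dfrac{\phi : n}{\phi[t] : k}$   (Inst)
      (where $t$ is an $n$-tuple of $k$-terms).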


¹⁴ The definition of uniform substitution $\phi[\psi/P]$ from Subsection 2.3 of Part I can be easily adapted
to typed languages.

9.2 Cartesian and Lex Categories


We shall use hyperdoctrines in order to introduce all the alternative semantics from 
a unitary point of view: this will greatly simplify proofs and will be useful to explain 
appropriately the main phenomena arising from the interplay of modalities, substitutions, 
quantifiers and equality. Since we do not assume from the reader previous knowledge 
about basic category-theoretic concepts, we shall briefly introduce them in this subsection 
(more examples and motivations can be found in textbooks like [83], [14]). 

A category $T$ consists of two classes $T_0$ and $T_1$, the class of the objects and the class
of the arrows of $T$, respectively. To each arrow $f \in T_1$, two objects $d(f)$ and $c(f)$ are
assigned (we write $f \in \mathrm{Hom}(Y, X)$ or $f : Y \to X$ or $Y \xrightarrow{f} X$ to mean that $d(f) = Y$
and $c(f) = X$). Moreover for each object $X$ an arrow $\mathrm{id}_X$ of domain and codomain $X$
is given and finally to each pair of arrows $g, f$ such that $c(g) = d(f)$ an arrow $f \circ g$ of
domain $d(g)$ and codomain $c(f)$ is assigned, as schematized in the following picture:


[Diagram: the composite arrow $f \circ g$]

The following associativity and unity requirements must be satisfied by the above data:

$(f \circ g) \circ h = f \circ (g \circ h)$,   $\mathrm{id}_X \circ f = f = f \circ \mathrm{id}_Y$


for $W \xrightarrow{h} Z \xrightarrow{g} Y \xrightarrow{f} X$. The typical example of a category is the category Set of sets
and functions; notice however that also a single monoid is a category (in fact monoids
can be identified with categories having just one object) and that a single preordered set
is a category (preordered sets can be identified with categories in which, for given objects
$X, Y$, there is at most one arrow $f \in \mathrm{Hom}(Y, X)$).

Objects in a category are abstract entities, hence they ‘do not have elements’; however
we show how the formalism of elements can be re-gained, so that it is possible up to a
certain extent to work in an arbitrary category $T$ as if $T$ were just Set. For given objects
$U, X$ of $T$, a $U$-element of $X$ is, by definition, an arrow $x : U \to X$.¹⁵ To emphasize
that $x : U \to X$ is a ‘generalized element of $X$’, we may write $x \in X$; for $f : X \to Y$,
the notation $f(x)$ may be used to indicate the $U$-element $f \circ x \in Y$.

The product of a pair of objects $X, Y$ in $T$ is a further object $X \times Y$ endowed with two
arrows $\pi_X : X \times Y \to X$ and $\pi_Y : X \times Y \to Y$, such that for every pair of $U$-elements
$x : U \to X$, $y : U \to Y$, there exists a unique $U$-element $\langle x, y\rangle : U \to X \times Y$ such
that $\pi_X(\langle x, y\rangle) = x$ and $\pi_Y(\langle x, y\rangle) = y$. Thus this definition is a way of saying that
‘$X \times Y$ is formed by the set of ordered pairs of elements from $X$ and $Y$’, like an honest
set-theoretic cartesian product. Similarly, a terminal object $1$ in $T$ is any object having
just one $U$-element (for every $U$). By a cartesian category, we mean a category with
products of pairs of objects and a terminal object. In a cartesian category, by iteration,
it is possible to define the product $X_1 \times \cdots \times X_n$ of $n$ objects $X_1, \dots, X_n$. For $n = 0$,
$X_1 \times \cdots \times X_n$ is the terminal object $1$ and, whenever $X_1 = \cdots = X_n := X$, the product
$X_1 \times \cdots \times X_n$ is noted as $X^n$ and called the $n$-th cartesian power of $X$.

Given arrows $Y_1 \xrightarrow{f_1} X \xleftarrow{f_2} Y_2$, the pullback $P$ of $f_1, f_2$ is ‘formed by the pairs’ of
$U$-elements $y_1 \in Y_1$, $y_2 \in Y_2$ such that $f_1(y_1) = f_2(y_2)$. This means that we have a
commutative square


[Diagram: commutative square with arrows $p_1 : P \to Y_1$, $p_2 : P \to Y_2$, $f_1$ and $f_2$]


such that, for all $U$-elements $y_1 \in Y_1$, $y_2 \in Y_2$, if $f_1(y_1) = f_2(y_2)$, then there is a unique
$y : U \to P$ such that $p_1(y) = y_1$ and $p_2(y) = y_2$. A left exact (or just lex) category
is a category with pullbacks, terminal object and products (actually, requiring products
turns out to be redundant).

¹⁵ The technique of generalized elements is common folklore in the category-theoretic community; we
nevertheless wish to thank A. Carboni for pointing out the opportunity of introducing it at a very early
stage.

As happens with all category-theoretic notions, products, terminal objects, pullbacks,
etc. are uniquely determined only up to isomorphism (where an isomorphism among
objects $X, Y$ is a pair of arrows $f : X \to Y$, $g : Y \to X$ such that $f \circ g = \mathrm{id}_Y$ and
$g \circ f = \mathrm{id}_X$).

An arrow $m : A \to X$ is mono iff ‘it is injective’, i.e., iff $m(a_1) = m(a_2)$ implies $a_1 = a_2$,
for every pair of $U$-elements of $A$. If $x$ is a $U$-element of $X$ and $m : A \to X$ is mono, we
say that $x \in_X A$ iff¹⁶ there is $a : U \to A$ such that $m(a) = x$. We can compare monos
$A_1 \hookrightarrow X$, $A_2 \hookrightarrow X$ by defining a suitable ‘inclusion’: formally, $A_1 \le A_2$ holds iff for
every $U$, for every $U$-element $x \in X$ ($x \in_X A_1 \Rightarrow x \in_X A_2$). Moreover $A_1 \sim A_2$ holds iff
we have both $A_1 \le A_2$ and $A_2 \le A_1$; a subobject of $X$ is then defined as an equivalence
class (under $\sim$) of monos of codomain $X$. The relation $\le$ gives the set of subobjects of $X$
a partial order structure $(\mathrm{Sub}(X), \le)$: in fact, reflexivity, transitivity and antisymmetry
of $\le$ are immediately checked through generalized elements.

It is easily seen that in a pullback diagram


[Diagram: pullback square with bottom arrow $f : Y \to X$]


the left vertical arrow is mono in case the right vertical arrow is mono. Notice that
$f^{-1}(A)$, as a subobject of $Y$, is precisely inverse image, in the sense that we have
$\forall y \in Y\ (y \in_Y f^{-1}(A) \Leftrightarrow f(y) \in_X A)$. Relations like


$A \le B \Rightarrow f^{-1}(A) \le f^{-1}(B)$,   $\mathrm{id}^{-1}(A) = A$,   $(f \circ g)^{-1}(A) = g^{-1}(f^{-1}(A))$


for $A, B \in \mathrm{Sub}(X)$ and $Z \xrightarrow{g} Y \xrightarrow{f} X$ can be easily established by using $U$-elements
again. Such relations say that, for a given category $T$, the correspondence associating
with $X$ the partial order $(\mathrm{Sub}(X), \le)$ and with $f : Y \to X$ the order-preserving map
$f^{-1} : (\mathrm{Sub}(X), \le) \to (\mathrm{Sub}(Y), \le)$ is in fact a contravariant functor (see below) from $T$
to the category of partial orders and order-preserving maps. This functor is called the
subobject functor and plays a central role in the categorical analysis of logic.

If $T$ is lex, it is easily seen that the subobject functor takes values into the category of
semilattices and related morphisms (the meet of $A_1 \hookrightarrow X$, $A_2 \hookrightarrow X$ is their pullback). For
rich $T$, subobjects have further structure: for instance, in Set, subobjects are Boolean
algebras, moreover not only inverse but also direct image of a subobject (=subset) along
an arrow (=function) can be defined. Understanding these richer structures is the goal
of categorical logic and can be achieved mainly in two ways. The first (even from a
historical point of view) approach is perhaps more empirical, but more flexible: this is
the hyperdoctrinal method which tries to abstractly axiomatize the desired properties of
the pair (category $T$, subobject functor). The second approach, the logical categories
approach, is exemplified in the book [85] and tries to understand what conditions on $T$
itself lead precisely the subobject functor (not just an abstract ‘subobject-like’ functor)
to have the desired structure. The philosophical effect of the logical categories program,
if accomplished, is that of explaining all the logical constructors in terms of properties
of the notion of composition of two arrows in a category. In the sequel, we take the
hyperdoctrinal point of view, but we report also the achievements [84] of the logical
categories analysis of modal logic.

¹⁶ It is customary, by abuse, to name a mono $m : A \hookrightarrow X$ by $A$ instead of by $m$ (often $m$ is not even
mentioned).

We conclude this section by giving the definition of a functor $F : T_1 \to T_2$ between
categories $T_1$ and $T_2$: this is a correspondence associating with every object $X$ in $T_1$ an
object $F(X)$ in $T_2$ and with every arrow $f : Y \to X$ in $T_1$ an arrow $F(f) : F(Y) \to
F(X)$ in $T_2$. Identity and composition should be preserved, in the sense that we must
have:


$F(\mathrm{id}_X) = \mathrm{id}_{F(X)}$,   $F(f \circ g) = F(f) \circ F(g)$,


for $Z \xrightarrow{g} Y \xrightarrow{f} X$ in $T_1$. The functor $F$ is said to preserve products, terminal objects,
pullbacks iff it sends a product, terminal object, pullback diagram to a product, terminal
object, pullback diagram, respectively. A cartesian functor is a functor among cartesian
categories preserving products and terminal object, whereas a left exact (or just lex)
functor is a cartesian functor among lex categories preserving also pullbacks. Notice that,
since an arrow $m$ is mono iff the pullback of $m$ with itself is the identity, a lex functor
preserves monos (and also the partial order among subobjects). Finally, a contravariant
functor from $T_1$ to $T_2$ is a functor $F : T_1 \to T_2^{op}$, where $T_2^{op}$ (the opposite category
of $T_2$) is the category obtained from $T_2$ by ‘reversing arrow directions’.


9.3 Hyperdoctrines


Hyperdoctrines were introduced by F.W. Lawvere in [78]; they were adapted to the
counterpart semantics of Section 11 in [55], [56] and to standard first-order non classical
logics in [114]. Recall that interior algebras are the algebraic models of propositional S4:
an interior algebra is a Boolean algebra $(B, \wedge, \vee, 1, 1, -)$ endowed with an operator $\Box$
satisfying the equations $\Box(a \wedge b) = \Box a \wedge \Box b$, $\Box\top = \top$, $\Box a = \Box\Box a$, $\Box a \le a$ (recall that
inequations like $c \le d$ are defined as $c \wedge d = c$ in lattices). Interior algebras and the
appropriate morphisms form the category Int.


DEFINITION 40. A modal hyperdoctrine, based on the cartesian category $T$, is a
contravariant functor $\mathcal{A} : T \to \mathrm{Int}^{op}$ satisfying the following two requirements.


(i) For any arrow $f : Y \to X$ in $T$, the ‘inverse image’ morphism $\mathcal{A}(f) : \mathcal{A}(X) \to \mathcal{A}(Y)$
has a left adjoint (the ‘direct image along $f$’) $\exists_f : \mathcal{A}(Y) \to \mathcal{A}(X)$ and a right
adjoint (the ‘dual image along $f$’) $\forall_f : \mathcal{A}(Y) \to \mathcal{A}(X)$.¹⁷ This means that the
following conditions must be satisfied for all $A \in \mathcal{A}(Y)$ and $B \in \mathcal{A}(X)$ (we write
$f^{-1}$ instead of $\mathcal{A}(f)$):

¹⁷ As we are in a Boolean context, these adjoints are interdefinable, e.g. we have $\exists_f(A) = \neg\forall_f(\neg A)$.

B < f7'(A) > 4;(B) < A, B < f~+(3;(B)) 
) 


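(ii) The Beck-Chevalley condition holds; this means that for every term/projection pullback,
i.e., for every pullback of the kind¹⁸


[Diagram: pullback square with top arrow $f \times \mathrm{id}_Z : Y \times Z \to X \times Z$, vertical projections
$\pi_Y : Y \times Z \to Y$ and $\pi_X : X \times Z \to X$, and bottom arrow $f : Y \to X$]


the following two identities are satisfied for all $A \in \mathcal{A}(X \times Z)$:


$f^{-1}(\exists_{\pi_X}(A)) = \exists_{\pi_Y}((f \times \mathrm{id}_Z)^{-1}(A))$,   $f^{-1}(\forall_{\pi_X}(A)) = \forall_{\pi_Y}((f \times \mathrm{id}_Z)^{-1}(A))$.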

The meaning of Definition 40 is better explained through the corresponding Lindenbaum
construction: given a language $\mathcal{L}$, we take as $T_S$ the category whose objects are
natural numbers $n \ge 0$ and whose arrows $n \to m$ are $m$-tuples of $n$-terms (composition
is substitution). For a given modal first-order system $S$, let $\mathcal{A}_S(n)$ be the set of
equivalence classes of $n$-formulas (equivalence is meant with respect to provability of
bi-implication in $S$). For an $m$-tuple of $n$-terms $t = (t_1, \dots, t_m) : n \to m$, the inverse image
interior algebras morphism $\mathcal{A}(t)$ maps the equivalence class of $\psi : m$ to the equivalence
class of $\psi[t] : n$. Moreover $\exists_t$ is ‘syntactic direct image’, that is the operation of taking
the equivalence class of a formula $\phi : n$ to the equivalence class of the formula (let $z_i$ be
$x_{m+i}$)


$\exists z_1 \cdots \exists z_n \Big(\phi[z_1, \dots, z_n] \wedge \bigwedge_{i=1}^{m} t_i[z_1, \dots, z_n] = x_i\Big) : m$.


Thus, when $n = m+1$ and $t = x_1, \dots, x_m$, $\exists_t$ applied to $\phi : m+1$ is just the equivalence
class of $\exists x_{m+1}\,\phi : m$. Beck-Chevalley conditions hold because of Definition 39(c), hence
it is easily seen that $\mathcal{A}_S$ is a modal hyperdoctrine over $T_S$ (called the ‘Lindenbaum
hyperdoctrine’ of $S$).

In fact, there is a sense in which every (small) modal hyperdoctrine is equivalent to
a Lindenbaum hyperdoctrine (of a multi-sorted theory, rather than of a system). Thus
(small) modal hyperdoctrines may be seen as syntactic, rather than semantic frameworks.
This is why the following definition of a hyperdoctrinal model becomes really significant
only after the next subsections introduce suitable special ‘semantic’ modal
hyperdoctrines.


DEFINITION 41. Let a language $\mathcal{L}$ be given; a hyperdoctrinal model $\mathfrak{M} = (T, \mathcal{A}, D, \mathcal{I})$
consists of the following data:


- a modal hyperdoctrine $\mathcal{A}$ over the cartesian category $T$;


- an object $D$ of $T$ (the domain of $\mathfrak{M}$);


- an interpretation $\mathcal{I}$ mapping every function symbol $f$ to an arrow $\mathcal{I}(f) : D^n \to D$ of
$T$ and every predicate symbol $P$ to an element $\mathcal{I}(P) \in \mathcal{A}(D^n)$ (here $n$ is the arity
of $f$, $P$).


In Definition 41, it is assumed also that $\mathcal{I}(\bot) := \bot$ and that $\mathcal{I}(=) := \exists_{\Delta_D}(\top)$, where $\Delta_D$
is the diagonal map $\langle \mathrm{id}_D, \mathrm{id}_D\rangle : D \to D^2$.

¹⁸ The arrow $f \times \mathrm{id}_Z$ is defined as $\langle f \circ \pi_Y, \pi_Z\rangle$.

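DEFINITION 42. Given a hyperdoctrinal model $\mathfrak{M} = (T, \mathcal{A}, D, \mathcal{I})$ and an $n$-term $t : n$,
the term $[\![t]\!]^{\mathfrak{M}} : D^n \to D$ is so defined by induction:


- if $t = x_i$ ($i = 1, \dots, n$), then $[\![t]\!]^{\mathfrak{M}}$ is the $i$-th projection $\pi_i : D^n \to D$;


- if $t = f(t_1, \dots, t_k)$, then $[\![t]\!]^{\mathfrak{M}}$ is given by the composition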


g a 2, A) 


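DEFINITION 43. Given a hyperdoctrinal model $\mathfrak{M} = (T, \mathcal{A}, D, \mathcal{I})$ and an $n$-formula
$\phi : n$, we define $[\![\phi]\!]^{\mathfrak{M}} \in \mathcal{A}(D^n)$ as follows, by induction:


(i) if $\phi : n$ is $P(t_1, \dots, t_k)$, then $[\![\phi]\!]^{\mathfrak{M}} := \langle [\![t_1]\!]^{\mathfrak{M}}, \dots, [\![t_k]\!]^{\mathfrak{M}}\rangle^{-1}(\mathcal{I}(P))$;


(ii) if $\phi : n$ is $\phi_1 \to \phi_2 : n$, then $[\![\phi]\!]^{\mathfrak{M}} := [\![\phi_1]\!]^{\mathfrak{M}} \to [\![\phi_2]\!]^{\mathfrak{M}}$ (this is the Boolean relative
complement operation in $\mathcal{A}(D^n)$);


(iii) if $\phi : n$ is $\forall y\,\psi : n$, then $[\![\phi]\!]^{\mathfrak{M}} := \forall_{\langle \pi_1, \dots, \pi_n\rangle}([\![\psi]\!]^{\mathfrak{M}})$ (this is the dual image along the
$n$-tuple of the first $n$ projections of domain $D^{n+1}$ and of codomain $D^n$);


(iv) if $\phi : n$ is $\Box\psi : n$, then $[\![\phi]\!]^{\mathfrak{M}} := \Box[\![\psi]\!]^{\mathfrak{M}}$ (this is the Box operator in the interior
algebra $\mathcal{A}(D^n)$).


An $n$-formula $\phi : n$ is valid in $\mathfrak{M}$ iff $[\![\phi]\!]^{\mathfrak{M}} = \top$.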


We can now prove that the system QS4 of Table 1 is sound with respect to hyperdoctrinal
models. The proof is indeed simple (it would be much more tedious for untyped
systems); we first need an instantiation lemma, which is immediate by Definition 39, by
the fact that inverse image in a modal hyperdoctrine is an interior algebra morphism and
by Beck-Chevalley condition:


LEMMA 44. In every modal hyperdoctrinal $\mathfrak{M}$, we have


$[\![\phi[t_1, \dots, t_k]]\!]^{\mathfrak{M}} = \langle [\![t_1]\!]^{\mathfrak{M}}, \dots, [\![t_k]\!]^{\mathfrak{M}}\rangle^{-1}([\![\phi]\!]^{\mathfrak{M}})$,


for every $k$-formula $\phi : k$ and for every $k$-tuple of $n$-terms $t_1 : n, \dots, t_k : n$.


THEOREM 45. (Validity) If the $n$-formula $\phi : n$ is provable in QS4, then it is valid in
every hyperdoctrinal model $\mathfrak{M}$.


Proof. The S4-propositional tautologies and the rules (MP) and (Nec) are valid by
interior algebras axioms; the instantiation rule (Inst) is valid by Lemma 44. The rule
($\forall$-In) and the axiom schemata ($\forall$-Ex) are just logical translations of the adjointness
conditions. Take for instance the case of ($\forall$-Ex): by Lemma 44, we have $[\![(\forall y\,\phi)[x]]\!]^{\mathfrak{M}} =
\langle [\![x_1]\!]^{\mathfrak{M}}, \dots, [\![x_n]\!]^{\mathfrak{M}}\rangle^{-1}([\![\forall y\,\phi]\!]^{\mathfrak{M}})$, which is equal to
$\langle \pi_1, \dots, \pi_n\rangle^{-1}(\forall_{\langle \pi_1, \dots, \pi_n\rangle}([\![\phi]\!]^{\mathfrak{M}}))$; this is less or
equal to $[\![\phi]\!]^{\mathfrak{M}}$ by adjointness.

We finally justify the validity of the equality axiom schemata. Now $[\![x_1 = x_2]\!]^{\mathfrak{M}}$ is
$\exists_{\Delta_D}(\top)$, hence $[\![x_1 = x_1]\!]^{\mathfrak{M}}$ is equal to $\Delta_D^{-1}(\exists_{\Delta_D}(\top))$, i.e., to $\top$ by adjointness. Similarly,
the axiom schemata (Repl) is equivalent (using the remaining rules and axioms of Table
1) to


$x_1 = x_2 \to \forall x_3 \cdots \forall x_{n+2}\,(\phi[x_1, x_3, \dots, x_{n+2}] \to \phi[x_2, x_3, \dots, x_{n+2}]) : 2$.


Now, by adjointness, we can move $\exists_{\Delta_D}$ in the antecedent of the implication to $\Delta_D^{-1} =
\langle [\![x_1]\!]^{\mathfrak{M}}, [\![x_1]\!]^{\mathfrak{M}}\rangle^{-1}$ in the consequent, apply instantiation Lemma 44, Definition 39(c) and
get a tautology. ∎


Let K be a class of modal hyperdoctrines (e.g. the class of modal hyperdoctrines arising
from metaframes, presheaves, etc., see next subsections). We say that a modal system $S$
is complete with respect to K-semantics (or simply with respect to K) iff every formula
which is not provable in $S$ fails in a hyperdoctrinal model $\mathfrak{M} = (T, \mathcal{A}, D, \mathcal{I})$, such that:
(i) $(T, \mathcal{A}) \in$ K; (ii) all formulas provable from $S$ are valid not only in $\mathfrak{M}$, but also in
every model of the kind $\mathfrak{M}' = (T, \mathcal{A}, D, \mathcal{I}')$ (varying $\mathcal{I}'$).¹⁹

Thus, for instance, every modal system $S$ is complete with respect to the class K
formed by all the modal hyperdoctrines [114]: to prove it, it is sufficient to work in the
Lindenbaum hyperdoctrine of $S$.

However, given an arbitrary hyperdoctrine $(T, \mathcal{A})$ and an object $D$ from $T$, it is not always
the case that the set of formulas valid in all the models of the kind $\mathfrak{M} = (T, \mathcal{A}, D, \mathcal{I})$
is a modal system. This set of formulas is closed only under modus ponens, generalization,
necessitation and exact uniform substitutions.²⁰ This phenomenon is common to most
of the extended semantics proposed in the literature (such as Kripke bundles, presheaves
or metaframes): thus, in order to define the modal system of $(T, \mathcal{A}, D)$, one should take
the set of formulas whose substitution instances are all valid in the models of the kind
$(T, \mathcal{A}, D, \mathcal{I})$.


9.4 Metaframes 


Metaframes [121] can be easily introduced (and understood) through the hyperdoctrinal
approach [114]. Notice first that preordered sets and open maps form a category $F$. Here
a map $f : (W, \le) \to (W', \le')$ is said to be open iff it is order-preserving and moreover
satisfies the condition $f(w) \le' w' \Rightarrow \exists v\,(w \le v \ \&\ f(v) = w')$, for all $w \in W$, $w' \in W'$.
For a given preordered set $\mathfrak{F} = (W, \le)$, the powerset Boolean algebra $\mathcal{P}(W)$ can be turned
into an interior algebra by defining, for $S \subseteq W$, $\Box S = \{w \in W \mid \forall v\,(w \le v \Rightarrow v \in S)\}$.
Similarly, taking inverse image along an open map $f : (W, \le) \to (W', \le')$ is an interior
algebras morphism $\mathcal{P}(f) := f^{-1} : \mathcal{P}(W') \to \mathcal{P}(W)$. In this way, we actually defined a
contravariant functor $\mathcal{P} : F \to \mathrm{Int}^{op}$.
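
Both claims of this paragraph can be checked by brute force on finite preorders. The Python sketch below is an added example, not from the original text; the two preorders, the maps and all function names are constructed for the illustration. It verifies the interior algebra equations for $\Box S$ and shows that inverse image commutes with $\Box$ for an open map but not for a merely order-preserving one.

```python
from itertools import combinations

def subsets(W):
    """All subsets of a finite set, as frozensets."""
    W = list(W)
    return [frozenset(c) for r in range(len(W) + 1) for c in combinations(W, r)]

def box(W, le, S):
    """Box S = {w in W | for all v, w <= v implies v in S}; le is a set of pairs."""
    return frozenset(w for w in W if all(v in S for v in W if (w, v) in le))

def is_interior_algebra(W, le):
    """Check Box(A & B) = Box A & Box B, Box W = W, Box A = Box Box A, Box A <= A."""
    W = frozenset(W)
    subs = subsets(W)
    if box(W, le, W) != W:
        return False
    for A in subs:
        bA = box(W, le, A)
        if not bA <= A or box(W, le, bA) != bA:
            return False
        if any(box(W, le, A & B) != bA & box(W, le, B) for B in subs):
            return False
    return True

def is_open(f, W1, le1, W2, le2):
    """Order-preserving, and f(w) <=' w' implies some v >= w with f(v) = w'."""
    monotone = all((f[w], f[v]) in le2 for (w, v) in le1)
    lifting = all(any((w, v) in le1 and f[v] == w2 for v in W1)
                  for w in W1 for w2 in W2 if (f[w], w2) in le2)
    return monotone and lifting

def preimage(f, W1, S):
    return frozenset(w for w in W1 if f[w] in S)

def commutes_with_box(f, W1, le1, W2, le2):
    """Is f^{-1}(Box S) = Box f^{-1}(S) for every S, i.e. is f^{-1} an Int-morphism?"""
    return all(preimage(f, W1, box(W2, le2, S)) == box(W1, le1, preimage(f, W1, S))
               for S in subsets(W2))

# Constructed sample preorders: a fork a <= b, a <= c and a two-element chain 0 <= 1.
FORK = {"a", "b", "c"}
LE_FORK = {("a", "a"), ("b", "b"), ("c", "c"), ("a", "b"), ("a", "c")}
CHAIN = {0, 1}
LE_CHAIN = {(0, 0), (1, 1), (0, 1)}

F_OPEN = {"a": 0, "b": 1, "c": 1}    # open: every step 0 <= 1 lifts to a <= b
G_CONST = {"a": 0, "b": 0, "c": 0}   # order-preserving, but 0 <= 1 has no lift

if __name__ == "__main__":
    print("fork is an interior algebra:", is_interior_algebra(FORK, LE_FORK))
    for name, f in (("F_OPEN", F_OPEN), ("G_CONST", G_CONST)):
        print(name,
              "open:", is_open(f, FORK, LE_FORK, CHAIN, LE_CHAIN),
              "commutes with Box:", commutes_with_box(f, FORK, LE_FORK, CHAIN, LE_CHAIN))
```
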

Given a cartesian category $T$, a $T$-metaframe is a functor $M : T \to F$ such that the
composite functor $\mathcal{A}_M : T \xrightarrow{M} F \xrightarrow{\mathcal{P}} \mathrm{Int}^{op}$ is a modal hyperdoctrine over $T$.


¹⁹ A stronger (yet unexplored) variant of this definition would allow also $D$ to vary.
²⁰ An exact uniform substitution [121] of $\phi : n$ is a formula of the kind $\phi[\psi/P] : n$, where $\psi : k$ is a
$k$-formula replacing the predicate symbol $P$ of arity $k$.

This definition can be equivalently stated directly in terms of the functor $M : T \to F$
as follows. Notice that set-theoretic inverse image along $f$ always has both adjoints
(namely, direct image and dual image), so in order for $M$ to be a $T$-metaframe, only the
Beck-Chevalley condition has to be considered. However, in this setting, $f^{-1}$, $\exists_f$ and
$\forall_f$ can be conveniently treated as modal (two-sorted) operators and, as Beck-Chevalley
condition is in Sahlqvist form, standard correspondence machinery applies. Thus it is not
difficult to see that $M$ is a $T$-metaframe iff for the term-projections pullbacks of Definition
40(ii), the following ‘lifting’ condition is satisfied, for all $a \in M(X \times Z)$, $b \in M(Y)$:


$M(\pi_X)(a) = M(f)(b) \;\Rightarrow\; \exists c \in M(Y \times Z)\ (M(f \times \mathrm{id})(c) = a \ \&\ M(\pi_Y)(c) = b)$.


If $M$ is a $T$-metaframe, a metaframe model on $M$ can be defined as a hyperdoctrinal
model over $(T, \mathcal{A}_M)$, so that all the semantic definitions of the previous subsection
apply to metaframes as special cases. Metaframes define a powerful semantics, as is
shown by the following result:


THEOREM 46. [121] Let L be a canonical propositional modal logic. Then: 
(i) QL is complete in metaframes semantics; 


(ii) BF.QL is complete in metaframes semantics. 


The proof essentially uses the composition of the Lindenbaum functor Aq, with the 
‘canonical frame functor’: notice, in fact, that propositional axioms transfer to canonical 
frames by assumption and that both Beck-Chevalley condition and the Barcan formula 
are ‘in Sahlqvist form’, so they transfer too. 

The distinguishing feature of modal metaframes semantics is that ‘products are not
preserved’, i.e., for a T-metaframe M, we have that $M(X \times Y)$ is not even a subset of
$M(X) \times M(Y)$: this has the consequence that a, say binary, predicate symbol is not
interpreted as a set of pairs of individuals, but just as a set of ‘abstract pairs’.

One may wonder whether Theorem 46 holds for other (‘product-preserving’) semantics:
by applying saturated model-theory techniques, [53] proves Theorem 46(i) for presheaf
semantics²² in the case of intermediate logics. The related extension to S4-modal logics
holds, provided L is assumed to be not only canonical, but also closed under a
‘cluster-expansion’ semantic condition (see [53] for details).


10 MATHEMATICAL MODELS FOR MODALITIES


The aim of this section is to show that modalities naturally arise in well-established
mathematical frameworks. The related analysis will give us new insight for the axiomatization
of D. Lewis’ counterpart semantics.


21 Taking into consideration the special case in which the language does not contain constant or function 
symbols, T is (equivalent to) the opposite of the category of finite sets and the domain of the model is a 
singleton set, this substantially agrees with the definition of [121] (but our interpretation of the equality 
predicate in a metaframe model is different). 

22 This is the semantics explained in Example 4 of Subsection 10.1 below.


10.1 Geometric Morphisms and Modal Logic


An (elementary) topos E is a lex cartesian closed category with subobject classifier. In 
the sequel, we shall directly mention the relevant consequences that can be drawn from 
this definition that matter for our purpose of interpreting first-order systems in a topos. 
For the moment, let us just mention a couple of examples of toposes that are used in 
intensional semantics. 


Example 1. Kripke-like universes: fix a preordered Kripke frame $\mathfrak{F} = (W, \le)$. A
presheaf D on $\mathfrak{F}$ is a contravariant functor into the category $\mathbf{Set}$ of sets. That is, D
associates with $w \in W$ a set $D_w$ (the set of ‘individuals’ living in it) and, whenever
the relation $v \le w$ holds, $D_{vw}$ is a function $D_w \to D_v$; such data should satisfy the
requirements $D_{ww} = \mathrm{id}$ and $D_{vw} \circ D_{wz} = D_{vz}$. These presheaves on preordered sets
(investigated also in some textbooks on intuitionistic logic like [27]) are sometimes called
Kripke frames with equality: they differ from the standard Kripke $\mathfrak{F}$-domains of Section
6 because the inclusion $D_v \subseteq D_w$ is replaced by an arbitrary function (we also reversed
the direction of such a function in accordance with current topos-theoretic literature).²³

A natural transformation $f : D \to D'$ among our presheaves is a collection of
functions $\{f_w : D_w \to D'_w \mid w \in W\}$ such that for $v \le w$ the square


$$\begin{array}{ccc}
D_w & \xrightarrow{\ f_w\ } & D'_w \\
{\scriptstyle D_{vw}}\downarrow & & \downarrow{\scriptstyle D'_{vw}} \\
D_v & \xrightarrow{\ f_v\ } & D'_v
\end{array}$$


commutes.²⁴ Presheaves and natural transformations are the ‘Kripkean’ topos $\mathbf{Set}^{\mathfrak{F}^{op}}$.
The generalization to the case in which $\mathfrak{F}$ is a category (and not simply a preordered
set) is straightforward: if $\mathfrak{F}$ is a category, a presheaf on it is a contravariant functor
from $\mathfrak{F}$ to $\mathbf{Set}$, a morphism among such presheaves is a natural transformation (= family
of maps indexed by the objects of $\mathfrak{F}$ making the obvious squares commute), and these
presheaves and natural transformations form a category which is a topos; the latter is
called $\mathbf{Set}^{\mathfrak{F}^{op}}$ again. Usually, in the literature, when people deal with presheaf semantics,
they actually refer to presheaves over an arbitrary category. Notice also that functional
frames of Section 8 can be easily turned into presheaves on a category.


Example 2. Etale spaces: fix a topological space S. A local homeomorphism $e : E \to S$
(or etale space, or sheaf over S) is a continuous map among topological spaces such
that for every $a \in E$ there are open neighborhoods N of a and M of $e(a)$ such that e
restricts to a homeomorphism $e|_N : N \to M$. A map among etale spaces $e : E \to S$
and $e' : E' \to S$ is a continuous map $f : E \to E'$ such that $e' \circ f = e$. Etale spaces
and related maps are the topos Sh(S).


Recall the subobject functor Sub from Subsection 9.2: this functor associates with an
object X in a topos E the equivalence classes of monos $A \hookrightarrow X$; moreover, for every
arrow $f : Y \to X$ in E, $\mathrm{Sub}(f) = f^{-1} : \mathrm{Sub}(X) \to \mathrm{Sub}(Y)$ takes pullback. As
the categorical structure of a topos is quite rich, we have the following lemma (see any
textbook like [83], [70] for the proof):


23 As pointed out in [111], Kripke frames with equality are semantically stronger than standard Kripke
$\mathfrak{F}$-domains, even for systems without equality.

24 In case D = 1 is the one-point terminal presheaf, the commutativity of the square just expresses a
kind of ‘rigid designator’ condition for the global constant $f : 1 \to D'$.


LEMMA 47. Every topos E is a Heyting category, meaning that the subobject functor
$\mathrm{Sub} : E \to \mathbf{Heyt}^{op}$ endows E with an intuitionistic hyperdoctrinal structure.


The notion of an intuitionistic (resp. classical) hyperdoctrine, is obtained from Defi- 
nition 40 by replacing in it the category Int by the category Heyt of Heyting algebras 
(resp. by the category Bool of Boolean algebras). Whenever the intuitionistic hyperdoc- 
trinal structure mentioned in Lemma 47 is in fact a classical hyperdoctrinal structure, 
the topos E is said to be Boolean. 

In order to extend the above analysis from intuitionistic to modal logic, we must first 
understand in a general topos-theoretic context an evident anomaly that characterizes 
Kripke semantics for first-order modal logic (when compared with the corresponding 
semantics for intuitionistic logic). In first-order Kripke semantics for modal logic, sorts 
are interpreted as presheaves and terms are interpreted as natural transformations (at 
least in the rigid designators case). What is peculiar is the interpretation of predicates: in
fact a, say unary, predicate P is interpreted as a collection of subsets $\{P_w \subseteq D_w \mid w \in W\}$
which is not a subpresheaf (i.e., it is not a subobject of D in the topos $\mathbf{Set}^{\mathfrak{F}^{op}}$). Thus,
the categorical structure of a topos seems to be unable to give a full account of modal
logic. There is however a quite simple and beautiful solution to this problem for our S4
systems: we only need to consider two toposes and a geometric morphism connecting
them.²⁵

The most obvious notion of a morphism $F : E_1 \to E_2$ among toposes is the so-called
‘logical’ notion: F is taken to be a functor that preserves the topos structure
(i.e., finite limits, exponentials and subobject classifier). However, geometry suggests
another notion, which is the good one for modal logic too. In fact, a continuous map
$f : S \to T$ among topological spaces induces two functors $F_* : \mathrm{Sh}(S) \to \mathrm{Sh}(T)$ and
$F^* : \mathrm{Sh}(T) \to \mathrm{Sh}(S)$ such that (i) $F^*$ is left adjoint to $F_*$;²⁶ (ii) $F^*$ is left exact. Thus,
let us define a geometric morphism $E_1 \to E_2$ among toposes $E_1, E_2$ as a pair of functors
$F_* : E_1 \to E_2$ and $F^* : E_2 \to E_1$ such that $F^*$ is left exact and left adjoint to $F_*$.


Example 3. This definition gives what we are looking for in the Kripkean case. Let
$f : \mathfrak{G} \to \mathfrak{F}$ be an order-preserving map among preordered sets (again the generalization
to the case in which $\mathfrak{F}, \mathfrak{G}$ are categories and f is a functor, is straightforward). Such an f
induces a functor $F^* : \mathbf{Set}^{\mathfrak{F}^{op}} \to \mathbf{Set}^{\mathfrak{G}^{op}}$, just by ‘taking composition with f’. It is
well-known (from the theory of Kan extensions [82]) that $F^*$ has both a right adjoint $F_*$ and a
left adjoint $F_!$, hence the pair $(F_*, F^*)$ defines a geometric morphism $\mathbf{Set}^{\mathfrak{G}^{op}} \to \mathbf{Set}^{\mathfrak{F}^{op}}$.
For Kripke semantics, the relevant special case is the case in which $\mathfrak{G}$ is the discrete poset
$(W, =)$ formed by the set of possible worlds of $\mathfrak{F} = (W, \le)$. In this case, if $f : (W, =) \to \mathfrak{F}$
is the identity map, $F^* : \mathbf{Set}^{\mathfrak{F}^{op}} \to \mathbf{Set}^{(W,=)}$ is the functor associating with the presheaf
D, the same D seen as the collection of sets $\{D_w \mid w \in W\}$ indexed by the possible worlds
(otherwise said, the maps $D_{vw}$ are forgotten). Subobjects of $F^*(D)$ in the topos $\mathbf{Set}^{(W,=)}$
are consequently what is needed in order to interpret predicates in ordinary modal Kripke
semantics.


25 This idea seems to be due to F. W. Lawvere and was developed in a series of papers by G. E. Reyes
and other people [103], [77], [104], [84] (we substantially follow [84] in our exposition). Topos-theoretic
semantics always validates S4 axioms (see Lemma 48(i)), hence it is unsuitable for weaker systems;
in contrast to all the other semantics that are introduced in this chapter, there is no evident way of
generalizing the mechanism of topos-theoretic semantics so that it can be adapted to weaker normal
systems.

26 Adjointness means that there is a natural bijection (called transposition) among the hom-sets
$\mathrm{Hom}(F^*(X), Y) \simeq \mathrm{Hom}(X, F_*(Y))$, for every object X in the domain category of $F^*$ and for every
object Y in the domain category of $F_*$.


How to recover modal operators from a geometric morphism $(F_*, F^*) : E_1 \to E_2$ in
the general case? This is done as follows: take an object D from $E_2$ and a subobject
$A \hookrightarrow F^*(D)$. We apply $F_*$ (which preserves monos, being a right adjoint) and get first
$F_*(A) \hookrightarrow F_*(F^*(D))$. Now consider the unity $\eta_D : D \to F_*(F^*(D))$ of the adjunction
(this is the transpose of the identity map on $F^*(D)$) and take the pullback


$$\begin{array}{ccc}
b(A) & \longrightarrow & D \\
\downarrow & & \downarrow{\scriptstyle \eta_D} \\
F_*(A) & \hookrightarrow & F_*(F^*(D))
\end{array}$$


Applying $F^*$ again (this functor preserves monos, as it is left exact) we finally get a
subobject $F^*(b(A)) \hookrightarrow F^*(D)$, which we call $\Box A$. Thus we defined operators


$$b : \mathrm{Sub}(F^*(D)) \to \mathrm{Sub}(D) \quad\text{and}\quad \Box : \mathrm{Sub}(F^*(D)) \to \mathrm{Sub}(F^*(D)),$$


whose relevant properties are summarized in the following lemma (we omit proofs, that
can be easily obtained by unravelling the definitions):


LEMMA 48.
(i) For $A, B \in \mathrm{Sub}(F^*(D))$, we have


$$\Box A \le A, \qquad \Box A = \Box\Box A,$$


that is, $\mathrm{Sub}(F^*(D))$ is an (intuitionistic) interior algebra.
(ii) For every $h : D' \to D$ in $E_2$ and for every $A \in \mathrm{Sub}(F^*(D))$, we have


$$\Box (F^*(h))^{-1}(A) = (F^*(h))^{-1}(\Box A),$$


that is, $(F^*(h))^{-1}$ is an interior algebra morphism.


(iii) b is the right adjoint to the operator $\mathrm{Sub}(D) \to \mathrm{Sub}(F^*(D))$ taking $A \hookrightarrow D$ to
$F^*(A) \hookrightarrow F^*(D)$. This means that we have


$$F^*(B) \le A \;\Rightarrow\; B \le b(A), \qquad F^*(b(A)) \le A,$$


for all $B \in \mathrm{Sub}(D)$, $A \in \mathrm{Sub}(F^*(D))$.


Conditions (i)-(ii) are the needed ingredients for the proof of the next theorem, whereas
condition (iii) makes easier the calculation of the $\Box$-operator in the relevant examples.
THEOREM 49. Let $(F^*, F_*) : E_1 \to E_2$ be a geometric morphism. Assume also that
$E_1$ is a Boolean topos.²⁷ Then the functor $\mathrm{Sub} \circ F^* : E_2 \to \mathbf{Int}^{op}$ gives a modal
hyperdoctrine over $E_2$.


Proof. Immediate by Lemmas 47 and 48(i)-(ii). ∎


Thus we can define a topos-theoretic model of $\mathcal{L}$ as a hyperdoctrinal model of $\mathcal{L}$ into a
hyperdoctrine of the kind mentioned in Theorem 49.


Example 3 (continued). In the Kripke framework of Example 3, we can recover, from
the definition of a topos-theoretic model, the standard Kripke forcing conditions for
first-order modal logic in the following way. Given a presheaf D and a subobject $A \subseteq F^*(D)$
(that is, a collection of subsets $\{A_w \subseteq D_w \mid w \in W\}$), we do not need to know the
complicated construction of $F_*$ in order to compute $b(A) \subseteq D$: Lemma 48(iii) is sufficient
for that. In fact, the adjointness conditions uniquely determine $b(A)$ (and hence also the
collection of subsets $F^*(b(A)) = \Box A$) as the subpresheaf
$b(A)_w = \{a \in D_w \mid \forall v\,(v \le w \Rightarrow D_{vw}(a) \in A_v)\}$. Now, given a topos-theoretic model $\mathfrak{M}$ in the present Kripkean
framework, for an n-formula $\varphi : n$ and for an n-tuple $a \in D_w^n$, write $a \models_w \varphi$ for
$a \in ([\varphi]^{\mathfrak{M}})_w$. Definition 43(iv) now reads²⁸


w 


(where $D_{vw}(a)$ means the componentwise application of the function $D_{vw}$ to the tuple
a). Similarly, Definition 43(i)-(ii)-(iii) gives the standard forcing conditions for atomic
formulas, for $\to$ and for $\forall$, respectively.


Example 4. If we allow $\mathfrak{F}$ to be a category in Example 3, we get full presheaf semantics,
i.e., the semantics used in [52], [50] in order to prove some of the incompleteness results
mentioned in Section 8. Forcing conditions for truth of modal formulas in full presheaf
semantics (where presheaves are taken on a category) are derived in complete analogy
to the Kripkean case of Example 3.²⁹ For powerful completeness results with respect to
this semantics, see the final remark of Subsection 9.4.


Example 5. In a completely analogous way, forcing conditions can be derived in the
etale case, thus establishing a suitable topological semantics for first-order modal logic. In
fact, let S be a topological space and let |S| be the discretization of S (points are the same
as for S, but now every subset is open). The identity map $f : |S| \to S$ is continuous
and hence it induces a geometric morphism $(F_*, F^*) : \mathrm{Sh}(|S|) \to \mathrm{Sh}(S)$. The ‘inverse
image part’ $F^*$ of this morphism associates with the etale space $e : D \to S$ the discrete
space $|e| : |D| \to |S|$. Using Lemma 48(iii), the operator b is easily seen to take a subset
to its interior; notice also that (according to the characterization of products in the topos
Sh(S)) $D^n$ is now the fibered product of D with itself n-times.³⁰ Hence, given $p \in S$,
$a_1, \dots, a_n \in e^{-1}(p)$, if we write $(a_1, \dots, a_n) \models_p \varphi$ for $(a_1, \dots, a_n) \in [\varphi]$, we get from
Definition 43(iv) the following topological forcing condition:


(T) $(a_1, \dots, a_n) \models_p \Box\varphi$ iff $\exists$ neighborhoods $J, I_1, \dots, I_n$ of $p, a_1, \dots, a_n$, respectively,
s.t. $\forall q \in J$, $\forall b_1, \dots, b_n \in (I_1 \times \cdots \times I_n) \cap e^{-1}(q)$
we have that $(b_1, \dots, b_n) \models_q \varphi$.


27 This assumption is needed because we are studying (for simplicity) S4-systems on a classical basis;
for modal systems on an intuitionistic basis this restriction is obviously dropped.

28 Notice that here the n-tuple a plays the role of a finitary assignment to the variables $x_1, \dots, x_n$.

29 If functional frames are seen as presheaves, we get precisely the truth forcing conditions of Section
8 for functional models.

30 This means that $D^n$ is the subspace of the n-th cartesian power of D formed by the tuples $(a_1, \dots, a_n)$
living on the same fiber (i.e., such that $e(a_1) = \cdots = e(a_n)$); the topology on $D^n$ is the relativization of
the product topology.


When the topology in S is preordered (i.e., when there is a preorder relation on S such 
that open subsets are just the upward closed subsets), it is not difficult to see that we 
get again the Kripke frames with equality of Example 3 as a special case. 

Validity of QS4 with respect to topos-theoretic semantics follows from the general 
validity Theorem 45. Completeness of QS4 can be proved as well: this however already 
follows from completeness with respect to Kripke frames with equality (a direct proof, 
based on the elegant Joyal construction for presheaf completeness of intuitionistic logic, 
is given in [84]). 


10.2 The Need for the Continuity Axiom 


We now briefly sketch some further semantic investigations into mathematically moti- 
vated models, raising new problems, whose solution requires a better understanding of 
the types mechanism (mainly in connection to substitution). 

A geometric morphism $(F_*, F^*) : E_1 \to E_2$ is called essential in case $F^*$ has a further
left adjoint $F_! : E_1 \to E_2$ (as we saw in Example 3 from Subsection 10.1, this is always
the case in Kripke-like frameworks). For essential geometric morphisms, we can define
diamond operators $\Diamond_p : \mathrm{Sub}(F^*(D)) \to \mathrm{Sub}(F^*(D))$ by a mechanism similar to the
mechanism we used for the $\Box$-operators of Lemma 48. Given a subobject $A \hookrightarrow F^*(D)$,
we apply $F_!$, compose with the counity of the adjointness


$$F_!(A) \to F_!(F^*(D)) \to D$$


and then take epi/mono factorization (which is available in any topos); in this way we
get a subobject of D, which we turn into a subobject $\Diamond_p(A)$ of $F^*(D)$ by applying $F^*$
once again. This operator $\Diamond_p : \mathrm{Sub}(F^*(D)) \to \mathrm{Sub}(F^*(D))$ is not interdefinable (via
negation) with the $\Box$-operator introduced in Subsection 10.1, rather it is left adjoint to
it, meaning that the pair of operators $(\Diamond_p, \Box)$ jointly satisfy the axioms for tense logic
(that is, $\Diamond_p$ is a ‘past possibility’ operator, whereas $\Box$ is a ‘future necessity’ operator).
There is one point that goes wrong here, however: we fail to get a ‘tense hyperdoctrine’,
because the statement of Lemma 48(ii) for $\Diamond_p$ is not true, we only have:


$$(C\Diamond_p) \qquad \Diamond_p (F^*(h))^{-1}(A) \le (F^*(h))^{-1}(\Diamond_p A).$$


As a consequence, the proof of the instantiation Lemma 44 for the calculus of Table 1
extended with the tense operators does not work. In fact, this extended calculus is not
sound: remember that it derives the Barcan formula and the necessity of the difference,
which are easily seen to be invalid (already in the case of Kripke semantics). As we shall
see in Table 2 of the next subsection, the semantic failure of such logical principles is tightly
related to (in fact, it is equivalent to) the failure of the converse of $(C\Diamond_p)$.
We come across a very similar problem if we try to extend topological semantics beyond
the etale spaces case [56], [51]. Fix a topological space S. A bundle over S (or, simply,
a bundle, leaving S as understood) is a topological space D endowed with a continuous
map $d : D \to S$; a map among bundles $d : D \to S$ and $d' : D' \to S$ is a continuous
map $f : D \to D'$ such that $d' \circ f = d$. Let Top/S be the category of bundles and related
maps; this category has products (which are fibered products over S). Moreover, for every
bundle D, the powerset P(D) of D carries an interior algebra structure. Thus, we can
come back to the hyperdoctrinal point of view and use Definitions 41, 42, 43 to introduce
bundle models. Equivalently, we may replace Definition 43 by the corresponding forcing
conditions: for instance, (T) is the forcing condition for $\Box$.³¹

Once again, however, the trouble with bundles is the instantiation Lemma 44. In fact,
the notion of a modal hyperdoctrine should be modified [55], [56]³² in order to adapt
it to bundles: the powerset functor fails to give a modal hyperdoctrine over Top/S (in
the sense of Definition 40), because if $f : D \to D'$ is a continuous function, the inverse
image function $P(f) := f^{-1} : P(D') \to P(D)$ is not an interior algebras morphism, we
only have


$$(C\Box) \qquad f^{-1}(\Box A) \subseteq \Box f^{-1}(A)$$


for every $A \subseteq D'$ (here $\Box$ obviously denotes the topological interior operator). Notice that
condition $(C\Box)$ is very similar to condition $(C\Diamond_p)$: the former expresses the continuity
definition with respect to interior, whereas the latter expresses ‘continuity with respect to
a kind of closure’. The calculus of Table 1 is not sound with respect to bundle models:³³
there is no surprise in that, such calculus wrongly assumes (through Definition 39(d)) the
converse of $(C\Box)$ to hold, i.e., it assumes that all continuous functions are open. Notice
that, on the contrary, continuous maps among etale spaces are open: this is why we did
not meet any trouble in Example 5 from Subsection 10.1.

In next section, we shall get an axiomatization of bundle models. Since, when all 
involved topologies are preordered, bundle models reduce to counterpart models and 
since the latter are sufficient for completeness, we prefer to directly skip to counterpart 
models. 


11 COUNTERPART SEMANTICS 


The previous subsection’s analysis of the interplay between substitution and modal op- 
erators in mathematically motivated models (topological bundles, essential geometric 
morphisms of toposes) suggests the revision of some basic syntactic definitions from Sub- 
section 9.1: in this way, a continuity condition can be easily formulated. Continuity turns 
out to be the only axiom schema needed in order to axiomatize counterpart semantics. 
We shall devote the present final section to the illustration of this (surprisingly) very 
simple axiomatization taken from [55]. 


31 Bundle models should not be confused with the models over Kripke bundles of [111] (such Kripke
bundles define a semantics which is intermediate between Kripke frames with equality and presheaf
semantics [121]).

32 The modification is simple: in Definition 40, just replace Int by the category having as objects
interior algebras and as arrows the Boolean morphisms f such that $f(\Box a) \le \Box f(a)$.

33 For instance, the calculus of Table 1 derives the necessity of identity, which holds (when S is the
singleton space) precisely for trivial discrete spaces.
Before philosophically motivating, introducing and discussing counterpart semantics,
we prefer to immediately make the needed modifications at the syntactic level. In order
to express the continuity axiom, we need to treat substitution carefully: in fact, the
statement of the continuity axiom is that only one half of Definition 39(d) holds, the other
half being an openness requirement which is not valid (the definition of a continuous map
in topology says that inverse image of the interior is contained in the interior of inverse
image). To get the desired effect, we treat modalized formulas as atomic formulas and
change Definition 38(iv) as follows:


(iv’) if $\varphi : k$ is a k-formula and if $t_1 : n, \dots, t_k : n$ are n-terms, then $(\Box\varphi)(t_1, \dots, t_k) : n$
is an n-formula.


We shall abbreviate $(\Box\varphi)(x_1, \dots, x_n) : n$ by $\Box\varphi : n$. Next, we modify Definition 39(d)
by:


(d’) if $u : m$ is an n-tuple of m-terms and $(\Box\varphi)(t_1, \dots, t_k) : n$ is an n-formula, we let the
m-formula $(\Box\varphi)(t_1, \dots, t_k)[u] : m$ be equal to $(\Box\varphi)(t_1[u], \dots, t_k[u]) : m$.


The ‘counterpart’ modal calculus CS4 has again the rules and the axiom schemata of
Table 1 (to be interpreted according to the new definition of formula and substitution)
and, in addition, the following continuity axiom schema:


$$(\mathrm{Cont}) \qquad (\Box\varphi)[t_1, \dots, t_k] \to \Box(\varphi[t_1, \dots, t_k]) : n$$


(notice that $(\Box\varphi)[t_1, \dots, t_k]$ is precisely $(\Box\varphi)(t_1, \dots, t_k)$ by the above definitions and
conventions).


11.1 Counterpart Models 


The origins of counterpart semantics come from philosophical considerations: counterpart 
semantics is a way of overcoming transworld identification problems when evaluating de 
re statements in possible worlds semantics: 


The counterpart relation is our substitute for identity between things in different 
worlds. Where some would say that you are in several worlds, in which you have 
somewhat different properties and somewhat different things happen to you, I prefer 
to say that you are in the actual world and no other, but you have counterparts in 
several other worlds ([79], p. 114). 


A large philosophical debate (see for instance [64], [42]) has pointed out both the 
merits and the difficulties of the counterpart-theoretic point of view in the semantics of 
quantified modal logic. We shall mainly concentrate here on axiomatization issues: these 
turn out to be useful for clarifying aspects of the counterpart doctrine that are commonly 
considered rather obscure. 

Counterpart theory is introduced in [79] by axiomatizing the intuition behind the
intended notion of a counterpart. Such intuition is provided by the concept of similarity:
informally, a (living in w) is a counterpart of b (living in v) iff ‘a resembles b more closely
than anything else living in w’. For the axiomatization of the notion of a counterpart,
a suitable first-order theory I is introduced ([79], Section I). A translation of first-order
modal language into the extensional language of J is then considered ([79], Section II):
such translation gives implicitly — as happens with standard translation in the Kripkean
case — the inductive forcing conditions for counterpart semantics.³⁴ A counterpart
relation is finally joined to a customary accessibility relation (in order to model systems
whose propositional basis is not S5) and the translation from modal language into the
counterpart extensional language is modified accordingly ([79], Section V).

The axioms of I express rather light constraints on the relation ‘being a counterpart 
of’: this is taken to be an almost generic binary relation among individuals. In particular, 
the counterpart relation needs not be symmetric nor transitive, individuals may have one, 
many, or no counterparts at all in any other world; however individuals live in a unique 
assigned world and are their own unique counterpart in the world they live in ([79], 
p.114). 

Models of J can consequently be represented as triples $d : D \to W$, where W is the
set of possible worlds, D is the set of individuals and the function d specifies the world
$d(a)$ a given individual $a \in D$ lives in. Both W and D are endowed with binary relations:
these are the counterpart relation $R_D$ for D and the accessibility relation $R_W$ for W.
The function d must preserve such relations: this means that, whenever b is a counterpart
of a, then the world $d(b)$ where b lives should be accessible from the world $d(a)$ where
a lives. Formally we have that


$$(8) \qquad a R_D b \;\Rightarrow\; d(a) R_W d(b)$$


holds for all $a, b \in D$. Although Lewis does not make assumption (8) in Section V
of [79], this assumption is implicit in the translation instructions he gives from the
modal language to the extensional language.³⁵ We shall call Lewis triples the triples
$d : (D, R_D) \to (W, R_W)$ satisfying (8).

Since we want to make a close comparison with the topological bundles of Subsection
10.2, we assume that both D and W are preordered sets: this means that both the
accessibility relation $R_W$ and the counterpart relation $R_D$ are assumed to be reflexive
and transitive. We point out that we do so only to make the comparison with
topological bundle semantics immediate. In fact, dropping reflexivity and transitivity
for both the counterpart and the accessibility relation would simply result in treating
K-based systems: this is quite easily done in our framework, because once S4 axioms
are removed from the syntax and reflexivity-transitivity requirements are removed from
the semantics, soundness and completeness results of Subsection 11.2 extend trivially.

Lewis’ requirement that every individual a living in a world w has itself as counterpart
in w (together with reflexivity of the accessibility relation) is precisely what is needed in
order to make axiom T valid: for this reason, this requirement is included in our setting,
but should be dropped for K-based systems. Finally, Lewis’ requirement that a is the
only counterpart of a in the world a lives in is a non-modally definable condition which
does not affect soundness and completeness of our systems (as will be evident from the
completeness proof of Subsection 11.2).


34Other translations (different from Lewis’ original one) have been proposed by G. Forbes and M. 
Ramachandran: see the recent paper [28] for an essential account of them and for the relevant pointers 
to the literature. 

35 In other words, the translation of a modal sentence is not influenced by this extra assumption:
quantifiers are relativized to individuals living in the current world w and, when the translation of a
modalized formula requires taking into consideration another world v, then v must be accessible from
w and the translation instruction takes care of replacing current free variables ranging over individuals
living in w by variables ranging over counterparts of them living all in v (see (T2i*)-(T2j*) in [79], p.
125).


Thus we restrict our considerations to reflexive-transitive Lewis triples: these are the
triples $d : (D, \le) \to (W, \le)$, where $(W, \le)$ and $(D, \le)$ are preordered sets and d is an
order-preserving map. This is nothing but a special case of the notion of a topological
bundle from Subsection 10.2: more precisely, it is the special case arising when topologies
are preordered.³⁶

Given a reflexive-transitive Lewis triple $d : (D, \le) \to (W, \le)$ and a world $w \in W$,
we can associate with it the fiber over w, namely the set $D_w = \{a \in D \mid d(a) = w\}$;
whenever $v \le w$, we can also consider the relation $D_{vw} = \{(a, b) \mid a \in D_v, b \in D_w \text{ and } a \le b\}$,
obtained from the restriction of the counterpart relation to $D_v \times D_w$. Now the
collection of sets $\{D_w \mid w \in W\}$ and the collection of relations $\{D_{vw} \mid v \le w\}$ form
a $(W, \le)$-relational domain, in the sense of the definition below. Relational domains
and reflexive-transitive Lewis triples are equivalent formalisms (there are precise and
easy technical results guaranteeing that),³⁷ so that we prefer to move to the relational
domain formalism.

We have finally arrived at the relevant formal definitions from [55], [56], [51]. Given
a preordered set $\mathfrak{F} = (W, \le)$, by an $\mathfrak{F}$-relational domain D, we mean a collection of sets
$\{D_w \mid w \in W\}$, endowed for every pair $v \le w \in W$ with a relation $D_{vw} \subseteq D_v \times D_w$. Such
‘transition’ relations are assumed to satisfy the following requirements for all
$v \le w \le z \in W$, for all $a \in D_v$, $b \in D_w$, $c \in D_z$:


$$(L) \qquad aDa, \qquad aDb \ \&\ bDc \;\Rightarrow\; aDc$$


(where we write $aDb$ for $(a, b) \in D_{vw}$, etc.). Whenever $aDb$ holds (for $v \le w$, $a \in D_v$,
$b \in D_w$) we say that b is a w-counterpart (or simply a counterpart) of a.

The following list of further definitions/notational conventions will complete our
counterpart domain settings. Let an $\mathfrak{F}$-relational domain D be given; then given tuples
$\mathbf{a} = (a_1, \dots, a_n) \in D_v^n$, $\mathbf{b} = (b_1, \dots, b_n) \in D_w^n$ (with $v \le w$), the notation $\mathbf{a}D\mathbf{b}$ means that
$a_i D b_i$ holds for all $i = 1, \dots, n$. We also use the notation $\mathbf{a}_i$ to mean the i-th component
of the tuple $\mathbf{a}$ (i.e., if $\mathbf{a} = (a_1, \dots, a_n)$, then $\mathbf{a}_i$ stands for $a_i$).

An $\mathfrak{F}$-relational map $f : D \to D'$ among $\mathfrak{F}$-relational domains is a collection of
functions $\{f_v : D_v \to D'_v \mid v \in W\}$ satisfying the requirement $aDb \Rightarrow f_v(a) D' f_w(b)$
(for every $v \le w$, $a \in D_v$, $b \in D_w$). The n-th cartesian power of an $\mathfrak{F}$-relational
domain D is the relational domain $D^n$ so specified: $(D^n)_w = (D_w)^n$ and $\mathbf{a}D^n\mathbf{b}$ holds (for
$v \le w$, $\mathbf{a} \in D_v^n$, $\mathbf{b} \in D_w^n$) iff $a_i D b_i$ holds for every i.³⁸ For n = 0, the singleton $\mathfrak{F}$-relational
domain $D^0$ is so described: $D^0_w$ contains for every w just the empty tuple $*$ from $D_w$
and we have $* D^0 *$ for all $v \le w \in W$. A sub-relational domain $S \subseteq D$ of an $\mathfrak{F}$-relational
domain D is a collection of subsets $S = \{S_w \subseteq D_w \mid w \in W\}$. The following pair of
definitions is the expected one:


36 Recall that a topology is said to be preordered iff there is a preorder relation such that the open
sets coincide with the upward closed subsets. Notice also that a topology is preordered iff open sets are
closed under arbitrary (not just finite) intersections.

37 We mention precise connections for the interested reader: let Preord be the category of preordered
sets and let $\mathfrak{F}$ be a preorder. Then the category of counterpart frames $\mathbf{Rel}^{\mathfrak{F}}$ over $\mathfrak{F}$ is equivalent [56],
[89] to the category of reflexive-transitive Lewis triples over $\mathfrak{F}$, which is nothing but the slice category
Preord/$\mathfrak{F}$; the latter is embedded in Top/$\mathfrak{F}$ (both the equivalence and the embedding extend to the
modal hyperdoctrinal level).

38 Thus $D^n$ is the n-th cartesian power of D in the category $\mathbf{Rel}^{\mathfrak{F}}$ [55], [56], [89] of $\mathfrak{F}$-relational domains
and $\mathfrak{F}$-relational maps. Similarly, sub-relational domains defined below correspond to regular subobjects
in that category.
DEFINITION 50. Let $\mathcal{L}$ be a language and let $\mathfrak{F}$ be a frame; an $\mathfrak{F}$-counterpart model
(or, simply an $\mathfrak{F}$-model) M consists of the following data:


- an $\mathfrak{F}$-relational domain D (the domain of M);


- an interpretation $\mathcal{I}$ mapping every function symbol f to an $\mathfrak{F}$-relational map
$\mathcal{I}(f) : D^n \to D$ and every predicate symbol P to a sub-relational domain $\mathcal{I}(P) \subseteq D^n$
(here n is clearly the arity of f, P).


It is assumed that $\mathcal{I}(\bot) \subseteq D^0$ is the empty sub-relational domain and that
$\mathcal{I}(=)_w = \{(a, a) \mid a \in D_w\}$.

DEFINITION 51. Given an $\mathfrak{F}$-model $M = (D, \mathcal{I})$ and an n-term $t : n$, the $\mathfrak{F}$-relational
map $[t] : D^n \to D$ is so defined by induction (for all $w \in W$, $\mathbf{a} \in D_w^n$):


- if $t = x_i$ ($i = 1, \dots, n$), then $[t]_w(\mathbf{a}) := a_i$;
- if $t = f(t_1, \dots, t_k)$, then $[t]_w(\mathbf{a}) := \mathcal{I}(f)_w([t_1]_w(\mathbf{a}), \dots, [t_k]_w(\mathbf{a}))$.


We must now define forcing conditions: this is done in complete analogy with Lewis 
translation instructions (T2i)-(T2j) from [79] (or, better, as we also have an accessibility 
relation, with Lewis translation instructions (T2i*)-(T2j*) from Section V of [79]). Notice 
that: (i) we use model-theoretic forcing instead of a pure syntactic translation into the 
extensional language of J; (ii) we have typed languages, so our model-theoretic forcing 
uses finitary assignments; (iii) we modified above the standard definition of a formula, so 
our truth clause for formulas whose main connective is a modal operator is a combination 
of the truth clause for $\Box$ and of the truth clause for atomic formulas.


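DEFINITION 52. Given an $\mathfrak{F}$-model $M = (D,\mathcal{I})$, an $n$-formula $\varphi : n$, a world $w \in W$
and a tuple $\mathbf{a} \in D^n_w$, the forcing relation $\mathbf{a} \models_w \varphi$ is so defined, by induction:


$\mathbf{a} \models_w P(t_1,\dots,t_k)$ iff $([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a})) \in \mathcal{I}(P)_w$;
$\mathbf{a} \models_w \varphi_1 \to \varphi_2$ iff ($\mathbf{a} \models_w \varphi_1 \Rightarrow \mathbf{a} \models_w \varphi_2$);
$\mathbf{a} \models_w \forall x_{n+1}\,\varphi$ iff for all $a \in D_w$, $(\mathbf{a},a) \models_w \varphi$;
$\mathbf{a} \models_w (\Box\psi)(t_1,\dots,t_k)$ iff for all $w \leq v$, $\mathbf{b} \in D^k_v$:
    $([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a}))\,D^k_{wv}\,\mathbf{b} \Rightarrow \mathbf{b} \models_v \psi$.


We say that $\varphi : n$ is valid in $M$ iff $\mathbf{a} \models_w \varphi$ holds for all $w \in W$, $\mathbf{a} \in D^n_w$.


We underline that, in case $\varphi : n$ is just $\Box\psi : n$, the above forcing condition says that
the tuple $\mathbf{a}$ satisfies $\Box\psi : n$ in $w$ iff for all $w \leq v$, all tuples made of $v$-counterparts of the
$a$'s satisfy $\psi : n$ in $v$. This is just Lewis' translation instruction written in our notation;
moreover it coincides with the topological forcing condition (T) from Section 10, in the
case of topologies induced by a preorder relation.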


11.2 Soundness and Completeness 
For the soundness theorem, we first need a suitable instantiation lemma, which is easily 
proved by induction: 


LEMMA 53. For all $\varphi : k$, $v : k$, $t_1 : n, \dots, t_k : n$ and for all $\mathbf{a} \in D^n_w$, we have in any
$\mathfrak{F}$-model $M = (D,\mathcal{I})$:
(i) $[v[t_1,\dots,t_k]]_w(\mathbf{a}) = [v]_w([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a}))$;
(ii) $\mathbf{a} \models_w \varphi[t_1,\dots,t_k]$ iff $([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a})) \models_w \varphi$.


THEOREM 54. (Validity). If $\varphi : n$ is provable in CS4, then it is valid in every $\mathfrak{F}$-model
$M$.


Proof. Rule (Inst) is valid by Lemma 53, whereas S4-propositional tautologies are
valid by conditions (L). Validity of (MP), (Nec), ($\forall$-Ex), ($\forall$-In), (Refl) and (Repl) are
trivial: using the instantiation Lemma 53, we have e.g. for the case of ($\forall$-Ex) (let $\mathbf{a} =
(a_1,\dots,a_n,a_{n+1})$): $\mathbf{a} \models_w (\forall x_{n+1}\,\varphi)[x_1,\dots,x_n]$ iff $([x_1]_w(\mathbf{a}),\dots,[x_n]_w(\mathbf{a})) \models_w \forall x_{n+1}\,\varphi$
iff $(a_1,\dots,a_n) \models_w \forall x_{n+1}\,\varphi$ and the latter implies $(a_1,\dots,a_{n+1}) \models_w \varphi$, that is $\mathbf{a} \models_w \varphi$.
Validity of the continuity schema (Cont) follows from the definition of an $\mathfrak{F}$-relational
map and Lemma 53 again. ∎


We now sketch in some detail the completeness proof. The first-order (non-modal)
language $\mathcal{L}_e$ is obtained by adding to $\mathcal{L}$ a new $n$-ary predicate symbol $P_{\Box\varphi}$ for every
$n$-formula of the kind $\Box\varphi : n$ of $\mathcal{L}$. To every modal formula $\psi : m$ of $\mathcal{L}$ we assign
a non-modal formula $\psi_e : m$ of $\mathcal{L}_e$ simply by replacing the subformulas of the kind
$(\Box\varphi)(t_1,\dots,t_k) : m$ by the atomic formulas $P_{\Box\varphi}(t_1,\dots,t_k) : m$. The classical first-order
theory $T_e$ has as proper axioms the formulas $\varphi_e : n$ such that $\varphi : n$ is provable in CS4.
Notice that all formulas of $\mathcal{L}_e$ are of the kind $\psi_e : m$ (for suitable $\psi : m$) and that $\psi : m$
turns out to be provable in CS4 iff $\psi_e : m$ is provable in the classical first-order theory
$T_e$ (one direction is trivial from the construction of $T_e$, for the other side simply observe
that $T_e$ has no deductive machinery which is not already available in CS4).³⁹

We use the letters $w, v, \dots$ to denote $T_e$-models (i.e., classical first-order $\mathcal{L}_e$-structures
making the universal closures of the proper axioms of $T_e$ true); for a $T_e$-model $w$, we use
the notation $D_w$ to denote the domain of $w$, $[t]_w$ to denote the interpretation $D^n_w \to D_w$
of the term $t : n$ in $w$, $\mathbf{a} \models_w \varphi_e$ to denote the (finitary assignments) forcing relation in $w$
with respect to classical first-order Tarski semantics.

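An admissible relation $R$ among $T_e$-models $w, v$ is a relation $R \subseteq D_w \times D_v$ satisfying
the following two requirements, for every $n \geq 0$ and for every $\mathbf{a} \in D^n_w$, $\mathbf{b} \in D^n_v$:


(A1) if $a_i\,R\,b_i$ holds for every $i = 1,\dots,n$, then $[t]_w(\mathbf{a})\,R\,[t]_v(\mathbf{b})$ holds for every $n$-term
$t : n$;


(A2) if $a_i\,R\,b_i$ holds for every $i = 1,\dots,n$, then


$\mathbf{a} \models_w P_{\Box\varphi}(x_1,\dots,x_n) \Rightarrow \mathbf{b} \models_v \varphi_e$


holds for every $n$-formula $\varphi : n$.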


Notice that, thanks to the propositional S4-axioms, identity relations are admissible and 
admissible relations compose. 

39 For classical first-order logic, we keep for uniformity reasons the same typed framework of Subsection
9.1.

Following model-theoretic terminology, we call $n$-type a set $\Gamma$ of $n$-formulas of $\mathcal{L}_e$; an
$n$-type is $T_e$-consistent iff for no finite conjunction $\psi_e : n$ of formulas from $\Gamma$, the formula
$\neg\psi_e : n$ is provable in $T_e$. For a $T_e$-model $w$ and for an $n$-tuple $\mathbf{a} \in D^n_w$, the $n$-type $\Gamma_{\mathbf{a}}$ is
the set of $n$-formulas $\psi_e : n$ such that $\mathbf{a} \models_w \psi_e$. An $n$-type $\Gamma$ is realized in $w$ iff for some
$\mathbf{a} \in D^n_w$, we have $\Gamma \subseteq \Gamma_{\mathbf{a}}$. It follows from completeness theorem for first-order theories,
that a $T_e$-consistent $n$-type is always realized in a $T_e$-model. The following lemma is a
crucial step:


LEMMA 55. Let $w, v$ be $T_e$-models, $\mathbf{a} \in D^n_w$, $\mathbf{b} \in D^n_v$; if $\{\varphi_e : n \mid \mathbf{a} \models_w P_{\Box\varphi}(x_1,\dots,x_n)\} \subseteq
\Gamma_{\mathbf{b}}$, then there is an admissible relation $D_{wv} \subseteq D_w \times D_v$ such that $a_i\,D_{wv}\,b_i$ holds (for every
$i = 1,\dots,n$).


Proof. Define $D_{wv}$ as follows: say that $a\,D_{wv}\,b$ holds iff there is a term $t : n$ such that
$[t]_w(\mathbf{a}) = a$ and $[t]_v(\mathbf{b}) = b$. Condition (A1) holds trivially, whereas for condition (A2)
we need the continuity axiom schema. In fact, fix a $k$-tuple $t_1 : n, \dots, t_k : n$ of $n$-terms
such that


$([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a})) \models_w P_{\Box\varphi}(x_1,\dots,x_k)$


holds; by the instantiation Lemma 53(ii) (which holds in classical first-order semantics
as well), we get $\mathbf{a} \models_w P_{\Box\varphi}(t_1,\dots,t_k)$. Since $(\Box\varphi)[t_1,\dots,t_k] \to \Box(\varphi[t_1,\dots,t_k]) : n$ is
provable in CS4, by the definition of $T_e$ we have $\mathbf{a} \models_w P_{\Box(\varphi[t_1,\dots,t_k])}(x_1,\dots,x_n)$. By
the hypothesis of the lemma, we get $\mathbf{b} \models_v (\varphi[t_1,\dots,t_k])_e = \varphi_e[t_1,\dots,t_k]$, that is (by the
instantiation lemma) $([t_1]_v(\mathbf{b}),\dots,[t_k]_v(\mathbf{b})) \models_v \varphi_e$. ∎


THEOREM 56. (Completeness). [55], [51] If a formula $\varphi : n$ is not provable in CS4, then
there are a frame $\mathfrak{F}$ and an $\mathfrak{F}$-model $M = (D,\mathcal{I})$, in which $\varphi : n$ is not valid.


Proof. We use the 'subordination frame' technique [67]⁴⁰ and inductively define a tree
$\mathfrak{F} = (W,\leq)$ of $T_e$-models and of admissible relations as follows. The root of $\mathfrak{F}$ is any
$T_e$-model realizing the $T_e$-consistent $n$-type $\{\neg\varphi_e : n\}$. Let the node $w$ of $\mathfrak{F}$ be already
defined; for every pair $(\mathbf{a}, \psi : m)$ such that $\mathbf{a} \not\models_w P_{\Box\psi}(x_1,\dots,x_m)$, we take a $T_e$-model
$v$, an admissible relation $D_{wv} \subseteq D_w \times D_v$ and a tuple $\mathbf{b}$ from $D_v$ such that $\mathbf{b} \not\models_v \psi_e$ and
$a_i\,D_{wv}\,b_i$ (for $i = 1,\dots,m$): this is possible, by Lemma 55, because the $m$-type


$\{\varphi_e : m \mid \mathbf{a} \models_w P_{\Box\varphi}(x_1,\dots,x_m)\} \cup \{\neg\psi_e : m\}$


is $T_e$-consistent by propositional modal validities. These $v$ and these $D_{wv}$ are all added
to the already defined part of $\mathfrak{F} = (W,\leq)$ in the inductive step of the construction.

Now that $\mathfrak{F}$ has been built, it is clear that the collection of the supports $D_w$ (and of
the compositions of the admissible relations $D_{wv}$ introduced during the construction of
$\mathfrak{F}$) gives in the obvious way an $\mathfrak{F}$-relational domain $D$. Similarly, the collection of the
interpretation functions of the various $T_e$-models $w \in W$ can be glued together to form
a global interpretation function $\mathcal{I}$ (notice, however, that (A1) is needed here to show
that the global interpretation of a function symbol is an $\mathfrak{F}$-relational map). It remains
to prove a standard 'truth-lemma', namely that we have


$\mathbf{a} \models_w \psi_e$ iff $\mathbf{a} \models_w \psi$


for all $\psi : m$, $w \in W$, $\mathbf{a} \in D^m_w$. This is trivial, however, by the construction of $\mathfrak{F}$ and by
(A2). ∎


40 If we allow categories (and not just preordered sets) to be frames, there is an obvious 'canonical-
model'-like technique that works: just take as $\mathfrak{F}$ the category having $T_e$-models as objects and admissible
relations as arrows.

As pointed out above, Theorem 56 covers also bundle semantics.⁴¹ A past-possibility
tense operator $\Diamond_p$ can be added both to the syntax and to the semantics (Theorems
54 and 56 extend trivially): we call the related system CS4$_t$. More precisely, to get
CS4$_t$ we add for instance to Table 1 the axiom schema $\varphi \to \Box\Diamond_p\varphi : n$ and the rule
$\varphi \to \Box\psi : n \,/\, \Diamond_p\varphi \to \psi : n$ (notice that the continuity principle $\Diamond_p(\varphi[t]) \to (\Diamond_p\varphi)[t] : n$
for $\Diamond_p$ follows from the corresponding continuity principle (Cont) for $\Box$). The semantic
forcing condition for $\Diamond_p$ says that an $n$-tuple $\mathbf{a}$ from $D^n_w$ forces $(\Diamond_p\psi)(t_1,\dots,t_k) : n$ iff
there is a $k$-tuple $\mathbf{b}$ that forces $\psi : k$ of which $([t_1]_w(\mathbf{a}),\dots,[t_k]_w(\mathbf{a}))$ is a $k$-tuple of
(respective) $w$-counterparts.

Natural conditions (like being totally defined, partial functions, etc.) can be imposed
on the transition relations $D_{vw}$: such conditions are modally axiomatizable by suitable
axiom schemata in CS4$_t$. The summary of such extensions [55] of Theorems 54 and 56
is given in Table 2 below:⁴² the meaning of that Table is that the semantic condition in
the third column is axiomatized by any one of the equivalent axiom schemata written
in the corresponding second column (the notation $D^o_{vw}$ means the converse relation of
$D_{vw}$). Notice that the equivalent axiom schemata in the second column sometimes
involve properties of substitutions and sometimes they are just well-known standard
modal principles (this explains why, if properties of substitutions are built-in in the
language through definitions like 39(d), then there is no way of blocking the derivation
of the corresponding modal principles).


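Table 2.

No. | Equivalent Axiom Schemata                                                | Semantic Conditions
1   | $x_1 = x_2 \to \Box(x_1 = x_2) : 2$                                      | all $D_{vw}$ are partial functions
    | $\Diamond_p(x_1 = x_2) \to x_1 = x_2 : 2$                                |
    | $\Box(\varphi[x,y,y]) \to (\Box\varphi)[x,y,y] : n+1$                    |
2   | $\exists y\,\Box\varphi \to \Box\,\exists y\,\varphi : n$                | all $D_{vw}$ are totally defined relations
    | $\Diamond_p\,\exists y\,\varphi \to \exists y\,\Diamond_p\varphi : n$    |
    | $\Box(\varphi[x]) \to (\Box\varphi)[x] : n+1$                            |
3   | $x_1 \neq x_2 \to \Box(x_1 \neq x_2) : 2$                                | all $D^o_{vw}$ are partial functions
    | $\Diamond_p(x_1 \neq x_2) \to x_1 \neq x_2 : 2$                          |
    | $(\Diamond_p\varphi)[x,y,y] \to \Diamond_p(\varphi[x,y,y]) : n+1$        |
4   | $\forall y\,\Box\varphi \to \Box\,\forall y\,\varphi : n$                | all $D^o_{vw}$ are totally defined relations
    | $\Diamond_p\,\forall y\,\varphi \to \forall y\,\Diamond_p\varphi : n$    |
    | $(\Diamond_p\varphi)[x] \to \Diamond_p(\varphi[x]) : n+1$                |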


41 For plain topological semantics (i.e., for bundles over the singleton topological space), an extra axiom
schema is needed, see [56], [51].

42 In particular, the axiomatization of the essential geometric morphisms semantics outlined at the
beginning of Subsection 10.2 corresponds to lines 1+2 of Table 2. From the axiom schemata of lines
1+2, the openness principle $(\Diamond\varphi)[t] \to \Diamond(\varphi[t]) : n$ can be derived for $\Diamond$, but not for $\Diamond_p$.


11.3 Conclusions


At the end of a lengthy detour around alternative semantics for predicate modal logics,
we met in the present section systems CS4, CS4$_t$ together with the 'old-style' alternative
semantics proposed in the sixties by D. Lewis. In fact, although systems CS4, CS4$_t$ were
built in [55], [56], [51] in order to axiomatize the mathematical frameworks outlined in
Subsection 10.2, we just showed that such systems axiomatize counterpart semantics as
well. We feel that this unexpected confluence among mathematically and philosophically
motivated research should be taken seriously. We conclude the second part of the chapter
by giving some more information on this topic.


- In Definition 52, variables are given only local values: this is because Definition 52
uses finitary assignments relative only to the possible world in which a formula is
evaluated. This seems to be in accordance with concrete use of free variables as
indexicals in linguistics [19] (reference of indexicals is fixed by the pragmatic context
in which a sentence containing them is uttered). Moreover, de re statements like
'you will eventually spend holidays at the seaside' or 'some actual women will be
sooner or later elected as the president of the USA' are correctly evaluated by
referring to a future state of affairs in which the individual in question exists.⁴³
This is why, as already pointed out in [79] (p. 124), the converse of the Barcan
formula is a valid modal principle: if $\exists y\,\Diamond P(y)$ is true at $w$, then there is $a \in D_w$
which has a $v$-counterpart $a'$ enjoying $P$ and this implies that $\Diamond\,\exists y\,P(y)$ is true in $w$
as well. The role played by the converse of the Barcan formula in varying domains
semantics is played here by the axiom schemata of line 2 of Table 2: such axiom
schemata are valid whenever individuals never 'die' in accessible worlds (from the
topological point of view, the axiom schemata of line 2 of Table 2 express the special
condition that projections from fibered products are open maps).


- Our axiomatization of counterpart semantics seems to clarify some of the classical ob-
jections that have been raised against it. For instance, Kripke argued in [74] that
since the necessity of identity


(9) $x_1 = x_2 \to \Box(x_1 = x_2) : 2$


(which is invalid in counterpart semantics) follows from


(10) $\Box(x_1 = x_1) : 1$


and from


(11) $x_1 = x_2 \wedge \Box(x_1 = x_1) \to \Box(x_1 = x_2) : 2$


then the counterpart theorist is either forced to reject the Leibniz principle of
replacement or to reject the evident fact that everything is necessarily equal to
itself. However, (11) is not an example of the Leibniz principle: the latter principle
(which is obtained from the axiom schema (Repl) and the rule (Inst) of Table 1)
can be formulated as:


(12) $u = v \wedge \varphi[x,u] \to \varphi[x,v] : n$


(where $\varphi : n+1$ is an $(n+1)$-formula and $u, v$ are $n$-terms). That (11) cannot
be confused with the Leibniz principle is clear from the following counterexample
(which is a special case of topological bundle semantics from Subsection 10.2):
interpret $n$-ary predicate letters as subsets of $\mathbb{R}^n$, let identity, quantifiers, and
Boolean connectives be interpreted as in first-order extensional Tarski semantics
and let $\Box$ be interpreted as the interior operator in the product Euclidean topology.
It is clear that in this interpretation any correct version (like (12)) of the Leibniz
principle holds (trivially, equal points belong to the same subsets). Moreover, the
interior of $x_1 = x_1$ contains all points (because the interior of the whole space is
the whole space), which means that (10) is valid. Nevertheless, the necessity of
the identity (9) is false, because the interior of the diagonal in the plane is empty.
Consequently, we must admit that in order to 'derive' (9) we used something quite
different from the Leibniz principle (and, as a matter of fact, we used (11) which
is easily seen to be invalid).

43 Notice that no existence predicate is used in Lewis' counterpart semantics (but see [23] for an
extension in this sense).


- Notice that the formula $x_1 = x_2 \wedge \Box R(x_1,x_2) \to \Box R(x_1,x_1) : 2$ is valid, whereas the
formula $x_1 = x_2 \wedge \Diamond R(x_1,x_2) \to \Diamond R(x_1,x_1) : 2$ is not. The reason why this happens
is that the continuity principle is different for 'interior' and 'closure' (to derive the
former formula we need $(\Box R(x_1,x_2))[x_1,x_1] \to \Box(R(x_1,x_2)[x_1,x_1]) : 2$ which is
not available for $\Diamond$, because the continuity principle for $\Diamond$ is the converse). This
explains why, in order to axiomatize counterpart semantics, we cannot simply use
'generic restrictions' to quantifiers and identity principles that apply to arbitrary
intensional contexts.


- In our typed systems, there is a very natural way of formalizing the de re/de dicto dis-
tinctions: we can use $(\Box\varphi)[t] : n$ and $\Box(\varphi[t]) : n$, respectively. Constants which are
non-rigid designators⁴⁴ can consequently be treated either by dropping the continu-
ity principle for them or, in a more uniform way, by taking a suitable many-sorted
approach [54] (validity and completeness theorems extend trivially). The nota-
tion $(\Box\varphi)[t] : n$ is very similar to $\lambda$-abstraction notation of intensional semantics:
in CS4-like systems, it can be seen just as a notational variant of $\lambda$-abstraction
whenever the axiom schema $\Box(\varphi[x]) \to (\Box\varphi)[x] : n+1$ from line 2 of Table 2 holds.


- Whenever the axiom schemata from line 2 of Table 2 do not hold however (i.e., whenever
transition relations are not totally defined), the $\lambda$-notation is insufficient if types
are omitted: this is because $(a_1,a_2) \models_w \Diamond P(x_1)$ may be false when $a_1 \models_w \Diamond P(x_1)$
holds ($a_2$ may not have enough counterparts). Hence, the formulas $\Diamond P(x_1) : 2$ and
$\Diamond P(x_1) : 1$ should be kept as distinct: the former is relative to contexts in which
two free variables (say, two indexicals) have been assigned a value, the latter to
contexts in which only one variable has been assigned a value.


- The need for types explains why sometimes people got the wrong impression that basic
principles like Aristotle's law fail in Lewis' semantics. What may fail is a formula
like $\Box(P(x_1) \to Q(x_2)) \to ((\Box P(x_1))[x_1] \to (\Box Q(x_1))[x_2]) : 2$, which is not an
example of the Aristotle schema; the latter obviously is $\Box(\varphi \to \psi) \to (\Box\varphi \to
\Box\psi) : n$ and, as such, it can be instantiated only into valid formulas, like e.g.


$\Box(P(x_1) \to Q(x_2)) \to (\Box P(x_1) \to \Box Q(x_2)) : 2$.
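
A finite counterpart model makes the item on Kripke's objection concrete. The following Python sketch is an added example, not part of the chapter: it evaluates the box clause of Definition 52 (with variables as the only terms) on a constructed two-world model and checks (9), (10) and (11), then repeats (9) after making the transition relation a partial function as in line 1 of Table 2. World names, individual names and the tuple encoding of formulas are assumptions of the sketch.

```python
from itertools import product

# Constructed frame with two worlds, w0 <= w1 (reflexive and transitive).
LEQ = {("w0", "w0"), ("w0", "w1"), ("w1", "w1")}
DOMAIN = {"w0": ["a"], "w1": ["b1", "b2"]}


def identity(world):
    return {(d, d) for d in DOMAIN[world]}


# model[(w, v)] relates an individual of w to its v-counterparts (w <= v).
RELATIONAL = {
    ("w0", "w0"): identity("w0"),
    ("w1", "w1"): identity("w1"),
    ("w0", "w1"): {("a", "b1"), ("a", "b2")},   # a has two counterparts in w1
}
# Same model, but the transition relation is now a partial function.
FUNCTIONAL = {**RELATIONAL, ("w0", "w1"): {("a", "b1")}}


def forces(model, w, a, phi):
    """Does the tuple a of individuals of world w force phi?

    Formulas (hypothetical encoding): ("eq", i, j) for x_i = x_j,
    ("imp", p, q), ("and", p, q), and ("box", psi, (i1, ..., ik)) for
    (box psi)(x_i1, ..., x_ik) with psi a k-formula.
    """
    op = phi[0]
    if op == "eq":
        return a[phi[1] - 1] == a[phi[2] - 1]
    if op == "imp":
        return (not forces(model, w, a, phi[1])) or forces(model, w, a, phi[2])
    if op == "and":
        return forces(model, w, a, phi[1]) and forces(model, w, a, phi[2])
    if op == "box":
        _, psi, idx = phi
        picked = [a[i - 1] for i in idx]
        for source, v in LEQ:
            if source != w:
                continue
            # every tuple of v-counterparts of the picked values must force psi
            for b in product(DOMAIN[v], repeat=len(idx)):
                related = all((p, q) in model[(w, v)] for p, q in zip(picked, b))
                if related and not forces(model, v, b, psi):
                    return False
        return True
    raise ValueError(f"unknown connective: {op}")


def valid(model, phi, n):
    """phi : n is valid iff every n-tuple of every world forces it."""
    return all(forces(model, w, a, phi)
               for w in DOMAIN for a in product(DOMAIN[w], repeat=n))


BOX_EQ_12 = ("box", ("eq", 1, 2), (1, 2))        # box(x1 = x2) : 2
BOX_EQ_11 = ("box", ("eq", 1, 1), (1,))          # box(x1 = x1), depends on x1 only
F9 = ("imp", ("eq", 1, 2), BOX_EQ_12)                       # formula (9)
F10 = BOX_EQ_11                                             # formula (10)
F11 = ("imp", ("and", ("eq", 1, 2), BOX_EQ_11), BOX_EQ_12)  # formula (11)

if __name__ == "__main__":
    for name, phi, n in (("(9)", F9, 2), ("(10)", F10, 1), ("(11)", F11, 2)):
        print(name, "valid in relational model:", valid(RELATIONAL, phi, n))
    print("(9) valid in functional model:", valid(FUNCTIONAL, F9, 2))
```

The failure of (9) comes from the pair (b1, b2), which is a tuple of counterparts of (a, a) with distinct components; (10) survives because each single counterpart is equal to itself.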


44 A non-rigid designator constant $c$ is interpreted as a collection of elements $\{c_w \in D_w \mid w \in W\}$ such
that $c_v$ needs not be a $v$-counterpart of $c_w$ when $w \leq v$ holds. Using the isomorphism of $\mathfrak{F}$-relational
domains and preordered bundles over $\mathfrak{F}$, these are exactly arbitrary non-continuous functions from the
terminal bundle $\mathfrak{F}$ to $D$.

Additional comments can be found in [54]; still the overall implications of the above
systematization of counterpart semantics need to be further explored.
1 INTRODUCTION


A logic is called higher order if it allows for quantification (and possibly abstraction) 
over higher order objects, such as functions of individuals, relations between individuals, 
functions of functions, relations between functions, etc. Higher order logic (often also 
called type theory or the Theory of Types) began with Frege, was formalized in Rus- 
sell [46] and Whitehead and Russell [52] early in the previous century, and received its 
canonical formulation in Church [14]. While classical type theory has since long been 
overshadowed by set theory as a foundation of mathematics, recent decades have shown 
remarkable comebacks in the fields of mechanized reasoning (see, e.g., Benzmüller et
al. [9] and references therein) and linguistics. Since the late 1960's philosophers and logi-
cians, for various reasons which we will dwell upon, have started to combine higher order
logic with modal operators (Montague [35, 37, 38], Bressan [11], Gallin [22], Fitting [19]).
This combination results in higher order modal logic, the subject of this chapter.

1 For a good survey of (non-modal) higher order logic, see van Benthem and Doets [8]; for a textbook
development, Andrews [3].

The chapter will be set up as follows. In the next section we will look at possible 
motivations behind the idea of combining modality and higher order logic. Then, in 
Section 3, Richard Montague’s system of ‘Intensional Logic’, by far the most influential 
of higher order modal logics to date, will be discussed. This logic will be shown to have 
some limitations. One of these is that, despite its name, the logic is not fully intensional, 
as it validates the axiom of Extensionality. This leads to a series of well-known problems 
centering around ‘logical omniscience’. Another limitation is that the logic is not Church- 
Rosser (it matters in which order $\lambda$-conversions are carried out). These limitations can
be overcome and the remaining sections of the chapter will contain an exposition of a 
modal type theory that is intensional in two ways: in the sense of being a modal logic and 
in the sense that Extensionality does not hold. The logic in itself is not strong enough 
to make the usual rules of $\lambda$-conversion derivable, but these rules can consistently be
added as an axiomatic extension and in that case the Church-Rosser property will hold 
(as an alternative, the rules can be hard-wired into the theory, in which case the theory 
is also Church-Rosser). Section 4 will introduce the basic syntax and semantics of this 
logic, Section 5 will give a tableau calculus, and Section 6 provides some elementary 
model theory in the form of a model existence theorem and its usual corollaries, such as 
generalized completeness. We conclude with a conclusion. 


2 MOTIVATION 


Why should one want to combine modality with quantification or abstraction over objects 
of higher type? Possible reasons come from areas as diverse as rational theology, the 
axiomatization of classical mechanics, the semantics of natural language, and modal 
logic itself. Let us look at each of these in turn. 


2.1 The Ontological Argument 


Anselm (1033-1109) proved the existence of God by defining him as “a being than which 
none greater can be thought” and by arguing that, since that definition can be under- 
stood, such a being must “exist in the understanding”. But if this being exists in the 
understanding, one can also think of it as existing in reality and, since real existence 
is “greater” than mere conceptual existence, the “being than which none greater can 
be thought” must truly exist. Otherwise one could think of an even greater being that 
did truly exist. Moreover, by an analogous argument, Anselm comes to the conclusion 
that it is even impossible to think of God as nonexistent. For something that cannot be 
thought of as nonexisting is greater than something that can be so thought of. It follows 
that a “being than which none greater can be thought” cannot merely exist contingently, 
otherwise one could think of an even greater being with necessary existence. 

Anselm's original argument was phrased in ordinary Latin and its lack of precision may
be deemed a weakness by some, but increasingly more precise variants of the argument
have been put forward by Descartes, Leibniz and, more recently, Gödel [24]. Gödel's
argument centers around "positive" properties and being a god can be defined as having
every positive property. There are axioms regulating the behaviour of the predicate
"positive", stipulating e.g. that exactly one of a property or its complement is positive,
that, whenever P is positive and the extension of P necessarily is a subset of that of
Q, Q is also positive, that necessary existence is a positive property, etc., etc. The
conclusion is identical to that of Anselm's: God necessarily exists (and is unique), but
this time premises and argument are spelled out in great detail (some of the premises
may be hard to swallow, even for those who are willing to accept the conclusion). The
argument combines quantification over properties with the modal notions of necessity
and possibility and as a consequence is naturally framed in a higher order modal logic.
For a recent evaluation of Gödel's proof, its history, a precise formalization, and extensive
discussion of the argument and subsequent literature, see Fitting [19].


2.2 Axiomatization of Classical Mechanics 


As a second example of the use of a higher order modal logic, let us briefly mention
the proposal in Bressan [11] for a logical foundation of classical mechanics in general
and Mach's often criticized definition of mass in particular. Mach's definition has a
counterfactual character and this is where modality comes in. Suppose we have a particle
$M$, whose mass is to be established. Fix some inertial frame. If a particle $M_1$ with
unit mass and velocity $v_1$ parallel to $M$'s velocity $v$ were to collide with $M$ at time
$t$, then, if the changes in the velocities of $M$ and $M_1$ at $t$ would be $\Delta v \neq 0$ and $\Delta v_1$
respectively, the mass of $M$ would be $\Delta v_1/\Delta v$. This means that the mass of $M$ can
be established experimentally, but, as Bressan points out, in an axiomatic foundation of
physics it is important that the axioms do not imply that the experiment actually takes
place, as many physically possible situations that one wants to be able to describe are
in fact incompatible with such an assumption. Thus, Bressan argues, an axiomatization
based on a modal logic is required. Bressan's logic is not only modal but also higher
order, as it essentially replaces set theory and concepts such as natural number and real
number should therefore be definable within the logic (for example, the natural number
$n$ is defined as the property of having $n$ elements, $\lambda F.\exists_n x\, Fx$, with $\exists_n$ the obvious
abbreviation, in Frege's way).


2.3 The Semantics of Natural Language


A third illustration of the use of higher order modal logic comes from Richard Mon- 
tague’s [36, 37, 38] contributions to the semantics of natural language, work that truly 
revolutionized the subject.² It was Montague's aim to treat the semantics of natural
language in a completely precise way and to provide a truth definition for sentences of 
(say) English very much in accordance with the usual Tarski truth definition for logical 
languages. One way to achieve this is to directly assign model-theoretic objects to syn-
tactic expressions. This road was taken in Montague [36], but a way that is easier to go
in practice is to translate expressions of English to an interpreted logical language. The 
interpretation of the logic then indirectly provides a model theory for the fragment of 
English under consideration. This is done in Montague [37, 38]. The logic used is higher 
order and modal. 


2 The presentation here is inspired by Montague's work but deviates from it in many minor details.

Why did Montague use a logic that combined modality with higher order quantification
and abstraction? It is not difficult to see why one should want a modal logic for the 
treatment of natural language, as the latter abounds with phrases and constructions 
that have motivated modal logics in the first place (temporal operators, counterfactuals, 
true modals like can, might and would, propositional attitude verbs, and so on). But the 
reason for employing a higher order logic may be less clear to logicians not working in 
linguistics. Although natural language is able to quantify over properties and in general 
can express things that are not normally expressible with first order means only (think 
of sentences like most men have green eyes, for example), this is not the sole or even 
the primary reason for using type theory in linguistics. The main reason is that in type 
theory the availability of lambda-abstraction allows for a closure of the gap between the 
syntactic forms of natural language expressions and those of their logical translations. 

Let us illustrate this with the help of the simple example sentence in (1a). Linguists
almost universally provide this sentence with a constituent structure along the lines of 
(1b), i.e. the determiner every is thought to form a constituent (a noun phrase) with the 
noun elephant and this resulting constituent then forms another constituent (a sentence) 
with the verb phrase danced. Essentially, therefore, the linguistic analysis of such sen- 
tences follows the pre-Fregean pattern of dividing each sentence in a subject (here every 
elephant) and a predicate (danced). 


(1) a. every elephant danced
    b. [[every elephant] danced]
    c. $\forall x\,(Ex \to Dx)$
    d. $(((\lambda P_1 \lambda P_2.\forall x\,(P_1 x \to P_2 x))E)D)$


The analysis of natural language expressions as consisting of larger and larger clusters 
of constituents is an important feature of modern linguistic theory, and syntacticians are 
in the possession of a whole battery of empirical tests to determine constituenthood, but 
the syntactic form that is given to any sentence is not in general congruent with its usual 
logical form. The structure in (1b), for example, is fundamentally different from that of 
the logical sentence (1c), the usual translation of (1a). While the constituents elephant
and danced in (1b) reappear in (1c) as $E$ and $D$ respectively, there are no continuous
parts of (1c) corresponding to every or every elephant. This gap between logical form 
and linguistic form is what logicians such as Russell and Quine had in mind when they 
alluded to the misleading form of natural language: the ‘correct’ form of (1a) according 
to this perspective is (1c); (1b) merely misleads. This point of view could never be shared 
by the linguistic community, as giving up the standard notion of constituenthood would 
greatly diminish the predictive power of syntactic theory. 

Can the gap be bridged? Here lambdas come to the rescue, for in a higher order logic 
with lambda abstraction (1c) can alternatively be written as (1d). While (1c) is the 
$\beta$-normal form of (1d), the latter, but not the former, follows the syntactic pattern in
(1b). Lambdas allow us to have our cake and eat it. They allow us to maintain the view 
that the logical form of an expression closely mirrors its syntactic form without having 
to give up the usual logical analysis. 

In fact, with lambdas in hand, it is now possible to think of inductive translation
mechanisms sending syntactic forms to logical forms. In the present case one can trans-
late every as $\lambda P_1 \lambda P_2.\forall x\,(P_1 x \to P_2 x)$, a term containing two $\lambda$-abstractions over pred-
icates, elephant can be translated as the predicate constant $E$ and danced as $D$. If
one lets constituent formation correspond to application, [every elephant] translates as
$(\lambda P_1 \lambda P_2.\forall x\,(P_1 x \to P_2 x))E$, which reduces to $\lambda P_2.\forall x\,(Ex \to P_2 x)$ (a generalized quan-
tifier), and a further step shows that (1b) translates as (1d), or, equivalently, (1c).

But now a difficulty crops up. If [every elephant] translates as $\lambda P_2.\forall x\,(Ex \to P_2 x)$,
how are we going to translate the verb phrase [fed [every elephant]] in (2b), the syntactic
analysis of (2a)? The verb fed should presumably be translated as some binary relation
$F$ between individuals and this is not the kind of object that $\lambda P_2.\forall x\,(Ex \to P_2 x)$ can
apply to (or that can apply to that term).

Montague solved this by complicating the translations of transitive verbs like fed. He
translated fed not simply as $F$, but as the term $\lambda Q \lambda x.Q(Fx)$³ (with $Q$ ranging over
quantifiers and $x$ over individuals), and if the translations for a and girl are chosen to be
$\lambda P_1 \lambda P_2.\exists x\,(P_1 x \wedge P_2 x)$ and $G$ respectively, the translation in (2c) results, as the reader
may care to verify.


(2) a. a girl fed every elephant
    b. [[a girl][fed [every elephant]]]
    c. $\exists x\,(Gx \wedge \forall y\,(Ey \to Fxy))$
    d. $\forall y\,(Ey \to \exists x\,(Gx \wedge Fxy))$


Translating a transitive verb like fed as $\lambda Q \lambda x.Q(Fx)$, and not as the simpler and
more intuitive binary relation symbol $F$, seems ad hoc, however. In fact, researchers
in the Montague tradition have argued that a combination of giving simple translations
with providing systematic ways of obtaining certain translations from others is not only
more elegant than Montague's original approach was, but also gives a better fit with
the data (Partee and Rooth [44], Hendriks [26, 27]). Discussing the calculi for 'shifting'
translations that these authors have proposed would lead us too far afield here. Suffice
it to say that from their considerations, in conjunction especially with those of van Ben-
them [7], the picture emerges that linear combinators⁴ play an all-important role. The
translation of fed as $\lambda Q \lambda x.Q(Fx)$, for example, can be thought to result from apply-
ing the linear combinator $\lambda R \lambda Q \lambda x.Q(Rx)$ to a basic translation $F$, while applying the
combinator $\lambda R \lambda Q_1 \lambda Q_2.Q_1(\lambda y.Q_2(\lambda x.Rxy))$ to $F$ results in a translation that eventually
leads to (2d), another possible translation of the original sentence.⁵
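
The translations in (1) and (2) can be checked mechanically. The following Python sketch is an added example, not part of the chapter: it β-reduces the lexical translations given above, with constituent formation as application, and recovers (1c), (2c) and (2d). The tuple encoding of terms, the constant names `forall`, `exists`, `imp` and `and`, and the choice to apply the shifted verb phrase to the subject in order to reach (2d) are assumptions of the sketch.

```python
import itertools

_fresh = itertools.count()

def lam(*args):                      # lam("x", "y", body) builds λx.λy.body
    *names, body = args
    for name in reversed(names):
        body = ("lam", name, body)
    return body

def app(f, *args):                   # app(f, a, b) builds ((f a) b); atoms are strings
    for a in args:
        f = ("app", f, a)
    return f

def free_vars(t):
    if isinstance(t, str):
        return {t}
    if t[0] == "lam":
        return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def subst(t, x, s):
    """Capture-avoiding substitution t[x := s]."""
    if isinstance(t, str):
        return s if t == x else t
    if t[0] == "app":
        return ("app", subst(t[1], x, s), subst(t[2], x, s))
    _, y, body = t
    if y == x:
        return t
    if y in free_vars(s):            # rename the binder so that s is not captured
        z = f"{y}_{next(_fresh)}"
        body, y = subst(body, y, z), z
    return ("lam", y, subst(body, x, s))

def normalize(t):
    """Beta-normal form (terminates on the simply typed terms used here)."""
    if isinstance(t, str):
        return t
    if t[0] == "lam":
        return ("lam", t[1], normalize(t[2]))
    f = normalize(t[1])
    if not isinstance(f, str) and f[0] == "lam":
        return normalize(subst(f[2], f[1], t[2]))
    return ("app", f, normalize(t[2]))

def canon(t, env=()):
    """de Bruijn form, so that alpha-equivalent terms compare equal."""
    if isinstance(t, str):
        return f"#{env.index(t)}" if t in env else t
    if t[0] == "lam":
        return ("lam", canon(t[2], (t[1],) + env))
    return ("app", canon(t[1], env), canon(t[2], env))

def forall(x, body):
    return app("forall", lam(x, body))

def exists(x, body):
    return app("exists", lam(x, body))

def imp(p, q):
    return app("imp", p, q)

def conj(p, q):
    return app("and", p, q)

EVERY = lam("P1", "P2", forall("x", imp(app("P1", "x"), app("P2", "x"))))
A = lam("P1", "P2", exists("x", conj(app("P1", "x"), app("P2", "x"))))
LIFT_OBJ = lam("R", "Q", "x", app("Q", app("R", "x")))        # λRλQλx.Q(Rx)
LIFT_WIDE = lam("R", "Q1", "Q2",                              # λRλQ1λQ2.Q1(λy.Q2(λx.Rxy))
                app("Q1", lam("y", app("Q2", lam("x", app("R", "x", "y"))))))
LEXICON = {"every": EVERY, "a": A, "elephant": "E", "girl": "G",
           "danced": "D", "fed": app(LIFT_OBJ, "F")}

def translate(tree):
    """Constituent formation as application: [A B] translates as A'(B')."""
    if isinstance(tree, str):
        return LEXICON[tree]
    left, right = tree
    return app(translate(left), translate(right))

def reading_1c():
    return normalize(translate((("every", "elephant"), "danced")))

def reading_2c():
    return normalize(translate((("a", "girl"), ("fed", ("every", "elephant")))))

def reading_2d():
    # Assumption: the wide-scope verb phrase is applied to the subject.
    subject, obj = translate(("a", "girl")), translate(("every", "elephant"))
    return normalize(app(LIFT_WIDE, "F", obj, subject))
```

Comparing results through `canon` matters because reduction renames bound variables whenever a free variable of the argument would otherwise be captured.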

For more information on Montague’s approach to the semantics of natural language, 
see the textbooks Dowty et al. [15] and Gamut [23], the survey in Partee with Hendriks 
[43], and the chapter on Linguistics by Moss and Tiede in this handbook (Chapter 19). 
Montague’s higher order modal logic IL will be described shortly. 


³ For the sake of exposition I am disregarding Montague’s intensional operators here.

⁴ A combinator is a closed $\lambda$-term built from variables with the help of $\lambda$-abstraction and application
only. A combinator $M$ is linear if each abstractor $\lambda X$ in $M$ binds exactly one $X$ in $M$.

⁵ While linear combinators play an important role in semantic composition, just letting them apply to
semantic translations without further ado results in serious overgeneration. Applying the permutation
operator $\lambda R\lambda y\lambda x.Rxy$ to $F$ above, for example, would allow the derivation of translations for a girl
fed every elephant that are normally associated with an elephant fed every girl. Partee and Rooth [44]
and Hendriks [26, 27] provide calculi in which permutation is not derivable, while de Groote [25] and
Muskens [40, 41] base their grammars entirely on linear lambda terms but make sure that any permutation
in semantics is mirrored by a permutation in syntax.

2.4 Modal Logics with Propositional Quantifiers


Motives inherent in modal logic itself may also lead to a combination of modality with 
higher order, or at least second order, quantification. The standard definition of the 
truth of a formula in a frame at a world is defined with the help of a quantification over 
valuations and therefore essentially corresponds to universal quantification over sets of 
possible worlds. More precisely, the frame truth of a formula $\varphi$ containing proposition
letters $p_1, \ldots, p_n$ corresponds to the truth of a formula $\forall P_1 \ldots P_n\,\varphi'$, where $\varphi'$ is the
standard translation $ST(\varphi)$ of $\varphi$; see Chapter 1 by Blackburn and van Benthem in
this handbook. This gives global second order quantification, with the second order
universal quantifiers taking scope over the whole formula, but one may now be inspired
to add quantifiers $\forall p$ and $\exists p$ ranging over sets of possible worlds to given modal logics.
This was done in Kripke [33] and modal logics with propositional quantifiers have been 
studied by a variety of authors since, amongst whom are Bull [12], Fine [16], Kaplan [30], 
Kremer [32, 31], Fitting [18], and ten Cate [13], to name but a few. 

Semantically there are two lines of attack here. If one has a frame (W, R), the most
obvious interpretation of quantifiers $\forall p$ and $\exists p$ in that frame lets them range over the
power set $\mathcal{P}(W)$ of the set of possible worlds W. This is called the second order (or primary)
interpretation of propositional quantifiers. If propositional quantifiers are added
to a modal logic L in this way (where L = S4, S5, etc.), the resulting logic is called
L$\pi$+. The behaviour of the logics thus obtained rather varies. S5$\pi$+, on the one hand,
is decidable (Fine [16], Kaplan [30]), as this logic is embeddable into monadic second
order logic. (The embedding essentially is the standard translation, with clauses such
as $ST(\Box\varphi) = \forall x\,ST(\varphi)$ and $ST(\forall p\,\varphi) = \forall P\,ST(\varphi)$.) Fine and Kaplan also axiomatize
S5$\pi$+. The logics K$\pi$+, T$\pi$+, K4$\pi$+, B$\pi$+, S4.2$\pi$+, and S4$\pi$+, on the other hand,
are recursively isomorphic to full second order logic (this was proved independently by
Kripke and Fine; Fine [16] has a weaker result).

In order to obtain nice proof systems for modal logics with propositional quantification,
one can also follow the example of Henkin [28], who, in the context of higher order logic,
defined a class of models in which higher order quantifiers do not necessarily range over all
subsets of the relevant domains, but only over designated subsets of them. In the present
context such a set-up means that frames (W, R) are replaced by triples (W, R, $\Pi$) such that
$\Pi \subseteq \mathcal{P}(W)$. Here $\Pi$ must be closed under boolean operations, including arbitrary unions
and intersections, and it must be the case that $R[P] \in \Pi$ and $R^{-1}[P] \in \Pi$ whenever $P \in \Pi$
(see e.g. Thomason [50], who considers such structures for tense logics). Propositional
quantification is now interpreted as quantification over $\Pi$. This is the so-called first
order (or secondary) interpretation of propositional quantifiers. The resulting logics are
denoted as S4$\pi$, S5$\pi$, etc., according to the constraints that are put on accessibility
relations R. All these logics are axiomatizable with the help of reasonable axioms.

How does the axiomatization of S5$\pi$ that one gets in this way (basically the usual S5
axioms and rules + the usual quantification axioms and rules for propositional quantification)
compare to the one obtained by Fine and Kaplan? Curiously, an axiomatization
of S5$\pi$+ requires one additional axiom, namely

(3) $\exists p(p \wedge \forall q(q \to \Box(p \to q)))$

A little reflection shows that if this formula is evaluated in a world w in a frame (W, R)
using the primary interpretation, it is true, with {w} as a sole witness for p. On the other
hand, evaluation with respect to w in a frame (W, R, $\Pi$) may not result in truth, as there
may be no $P \in \Pi$ such that $w \in P$ and $P \subseteq P'$ for all $P'$ such that $w \in P' \in \Pi$. A very
similar situation obtains in higher order logic. In the models of Henkin [28] sets may be
so sparse that there are not enough of them to distinguish between objects that are in
fact not identical. Two distinct objects $d_1$ and $d_2$ may have exactly the same properties,
and in particular $\{d_1\}$ may fail to exist (Andrews [2]). In a modal context definability of
singleton sets {w} can be enforced through the introduction of nominals (Blackburn et
al. [10], Areces and ten Cate, Chapter 14 of this handbook).


3 MONTAGUE’S INTENSIONAL LOGIC 


In the previous section we explained some of Montague’s ideas with the help of a non- 
modal logic, but Montague himself actually framed them in IL (Intensional Logic), a 
higher order modal logic that will be discussed in this section. (See also Moss and 
Tiede’s Chapter 19 of this handbook. For a highly interesting alternative to Montague’s 
IL, see Zalta [53, 54, 55].) The logic is an extension of Church’s [14] theory of types and
inherits many, though not all, of the latter’s properties. 


3.1 Overview of IL 


In order to set up the logic, one first needs to define a simple type system. 
DEFINITION 1. The set of IL types is the smallest set of strings such that:

(i) e and t are IL types;

(ii) If $\alpha$ and $\beta$ are IL types, then $(\alpha\beta)$ is an IL type;

(iii) If $\alpha$ is an IL type, then $(s\alpha)$ is an IL type.

Here the type e is the type of entities, while t is the type of truth-values. Note that,
while s can be used to form complex IL types, it is not itself an IL type. The intended
interpretation of the types defined here is that objects of a type $\alpha\beta$ (also written $\alpha \to \beta$)
are functions from objects of type $\alpha$ to objects of type $\beta$ and that objects of type $s\alpha$ are
functions from the set of possible worlds to objects of type $\alpha$.

The next step is to define the terms of IL. It will be assumed that each IL type
$\alpha$ comes with a denumerably infinite set of variables and a countable set of constants.
Terms are built up from these as follows.

DEFINITION 2. Define, for each IL type $\alpha$, the set of IL terms $T_\alpha$ as follows.

(i) Every constant or variable of any type $\alpha$ is an element of $T_\alpha$;

(ii) If $A \in T_{\alpha\beta}$ and $B \in T_\alpha$, then $(AB) \in T_\beta$;

(iii) If $A \in T_\beta$ and $x$ is a variable of type $\alpha$ then $(\lambda x.A) \in T_{\alpha\beta}$;

(iv) If $A, B \in T_\alpha$ then $(A = B) \in T_t$;

(v) If $A \in T_\alpha$ then $({}^{\wedge}A) \in T_{s\alpha}$;

(vi) If $A \in T_{s\alpha}$ then $({}^{\vee}A) \in T_\alpha$.

So we have application and abstraction, identity, and “cap” and “cup” operators that,
as we will see, are very much analogous to application and abstraction. If $A \in T_\alpha$ we
will often indicate that fact by writing $A_\alpha$. Terms of type t are called formulas and we
often use metavariables $\varphi$, $\psi$, etc. to range over them.

Definition 2 does not seem to provide us with the expressivity that we want, as the
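common logical operators, including the modal $\Box$ and $\Diamond$ seem to be absent, but in fact
such operators are definable from the ones just adopted (Henkin [29], Gallin [22]).

DEFINITION 3. Write

$\top$ for $(\lambda x_t.x) = (\lambda x_t.x)$,
$\bot$ for $(\lambda x_t.x) = (\lambda x_t.\top)$,
$\neg\varphi$ for $\bot = \varphi$,
$\varphi \wedge \psi$ for $(\lambda f_{tt}.f\varphi = \psi) = (\lambda f_{tt}.f\top)$,
$\forall x_\alpha\varphi$ for $(\lambda x_\alpha.\varphi) = (\lambda x_\alpha.\top)$, and
$\Box\varphi$ for ${}^{\wedge}\varphi = {}^{\wedge}\top$.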


Other operators will have their usual definitions. 
Whether these abbreviations make sense can be checked as soon as we are in the 
possession of a semantics for the language. So let us turn to that. 


DEFINITION 4. A (standard) model for IL is a triple (D, W, I) such that D and W
are non-empty sets and I is a function with the set of all constants as its domain, such
that $I(c) \in D_{s\alpha}$ for each constant c of type $\alpha$, where the sets $D_\alpha$ are defined using the
following induction.

$D_e = D$
$D_t = \{0, 1\}$
$D_{\alpha\beta} = \{F \mid F : D_\alpha \to D_\beta\}$
$D_{s\alpha} = \{F \mid F : W \to D_\alpha\}$.


The function I is called an interpretation function. Intuitively, we interpret D as a 
domain of possible individuals and W as a set of possible worlds. 


In order to interpret terms on models, we additionally need to define an assignment to
M = (D, W, I) as a function a with the set of all variables as its domain, such that
$a(x) \in D_\alpha$ if x is of type $\alpha$. The notation $a[d/x]$ is defined as usual. Terms can now be
evaluated on models with the help of a Tarski-style truth definition.

DEFINITION 5. The value $\|A\|^{M,w,a}$ of a term A on a model M = (D, W, I) in world
$w \in W$ under an assignment a to M is defined in the following way:

(i) $\|c\|^{M,w,a} = I(c)(w)$ if c is a constant; $\|x\|^{M,w,a} = a(x)$ if x is a variable;

(ii) $\|AB\|^{M,w,a} = \|A\|^{M,w,a}(\|B\|^{M,w,a})$;

(iii) $\|\lambda x_\beta.A\|^{M,w,a}$ = the function F with domain $D_\beta$ such that $F(d) = \|A\|^{M,w,a[d/x]}$
for all $d \in D_\beta$;

(iv) $\|A = B\|^{M,w,a} = 1$ iff $\|A\|^{M,w,a} = \|B\|^{M,w,a}$;

(v) $\|{}^{\wedge}A\|^{M,w,a}$ = the function F with domain W such that $F(w') = \|A\|^{M,w',a}$ for all
$w' \in W$;

(vi) $\|{}^{\vee}A\|^{M,w,a} = \|A\|^{M,w,a}(w)$.


Note the special treatment of the non-logical constants in the first clause of this definition:
constants of type $\alpha$ are interpreted as functions of type $s\alpha$ by the interpretation function
I but these functions are applied to the current world in order to get the actual value, an
object which is of type $\alpha$ again. The second and third clauses interpret application and
abstraction in a way that is to be expected. The fourth clause interprets = as identity
relative to a possible world, i.e. A = B means that A and B have the same extension in the
world of evaluation, not necessarily in all possible worlds. The last two clauses interpret
the cap and cup operators in a way that is analogous to abstraction and application;
cap is abstraction over possible worlds while cup is application to the current world. We
leave it to the reader to verify that the abbreviations of Definition 3 provide the operators
defined there with their usual semantics (with $\Box$ the universal modality).

A formula $\varphi$ is true in a model M in world w under an assignment a if $\|\varphi\|^{M,w,a} = 1$.
The notion of standard entailment, or s-entailment for short, is defined accordingly.


DEFINITION 6. Let $\Gamma$ and $\Delta$ be sets of IL formulae. We say that $\Gamma$ s-entails $\Delta$,
$\Gamma \models_s \Delta$, if, whenever M = (D, W, I) is a model, $w \in W$, and a is an assignment to M,
$\|\varphi\|^{M,w,a} = 1$ for all $\varphi \in \Gamma$ implies $\|\psi\|^{M,w,a} = 1$ for some $\psi \in \Delta$.


While it is clear from Gödel’s incompleteness theorem that the relation $\models_s$ can have
no recursive axiomatization, it is possible to define a generalized notion of entailment
$\models_g$ that can be so axiomatized. For Church’s logic this was done in Henkin [28], while
Gallin [22] (in general a rich source of information about Montague’s logic) generalizes the
completeness proof found there to the setting of IL. The $\models_g$ notion is obtained with the
help of generalized (or: Henkin) models, the main difference between these and standard
models being that, while for each $\alpha$ and $\beta$ it must hold that $D_{\alpha\beta} \subseteq \{F \mid F : D_\alpha \to D_\beta\}$,
the $D_{\alpha\beta}$ need not be the entire function spaces $\{F \mid F : D_\alpha \to D_\beta\}$. Similarly, it is
only required that $D_{s\alpha} \subseteq \{F \mid F : W \to D_\alpha\}$. We will not pursue the proof of Henkin
(or: generalized) completeness for IL here, but refer to Gallin’s original work. For a
generalized completeness proof for a similar higher order modal logic, see Section 6.


3.2 Limitations of IL 


Montague’s work has been a tremendous boost for natural language semantics but with 
the advantage of hindsight it is possible to point out some shortcomings of the logic that 
he used. These limitations will be reviewed here. First, let us ask ourselves the question 
whether the logic lives up to its name. Is IL really an intensional logic? If “intensional” 
merely is another word for “modal” there can be no discussion, but there is an older 
definition of the concept of intensionality that makes perfect sense in a higher order 
context and in which sense IL is not intensional. Whitehead and Russell’s Principia 
Mathematica [52, number *20] is one place where this definition can be found. In this 
work a distinction between extensional and intensional functions of functions is made 
and Whitehead and Russell give as “the mark of an extensional function f” a condition 
which in their notation reads 


(4) $\varphi!x \mathrel{.\equiv_x.} \psi!x \mathrel{:\supset_{\varphi,\psi}:} f(\varphi!\hat{z}) \mathrel{.\equiv.} f(\psi!\hat{z})$

but which in the present setting can be written as

(5) $\forall gh(\forall x(gx = hx) \to fg = fh)$

Thus a function of functions f is extensional if, whenever f is applied to a function g,
the resulting value fg depends only on the extension of g; a function of functions is
intensional if not extensional.⁶


⁶ Whitehead and Russell only consider propositional functions and as a consequence their f, if it had
been typed in our way, would have received a type of the form $(\alpha t)t$ (so that = can be read as $\leftrightarrow$). In

Whitehead and Russell point out that contexts of propositional attitude such as “I
believe that p” are examples of functions that are not extensional and hence intensional. 
However, it is immediately clear that in IL all functions of functions are extensional in 
the sense of (5) and that intensional functions are ruled out. IL conforms to the following 
form of the axiom of Extensionality: 


(6) $\forall f\forall gh(\forall x(gx = hx) \to fg = fh)$

For an Intensional Logic this seems below par. The situation is alleviated in a sense by
the fact that the following scheme (in which $\varphi\{P := F\}$ denotes the result of substituting
the constant F for the variable P in $\varphi$) is not generally valid.

(7) $\forall x(Fx = Hx) \to (\varphi\{P := F\} = \varphi\{P := H\})$

For example, one does not have

(8) $\forall x(Fx = Hx) \to (\Box(H = F) = \Box(H = H))$,


as it is easy to construct a model in which H and F are coextensive at some point but 
not at another. This is desirable, since from the premise that all and only humans are 
featherless bipeds (to take a truly Russellian example) it should not follow that being a 
featherless biped necessarily is being human. 

But now there is room for a second point of criticism, for how come (6) can be valid
while (7) is not? Surely, one can always instantiate g as the constant F, h as H, f as
$\lambda P.\varphi$ and from

(9) $\forall x(Fx = Hx) \to ((\lambda P.\varphi)F = (\lambda P.\varphi)H)$

get (7) with the help of two $\beta$-conversions? The answer is that $\beta$-conversion unfortunately
is not generally valid in IL but is subject to side conditions additional to the
usual constraint on substitutability. $(\lambda P.\Box(H = P))F$, for example, is not semantically
equivalent to $\Box(H = F)$, as the reader may care to verify.
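The claims about (8) and about $(\lambda P.\Box(H = P))F$ can be checked on a two-world model. The following added example (not part of the original chapter) implements the truth definition of Definition 5 for finite standard models, with $\top$, $\forall$ and $\Box$ unfolded as in Definition 3; the term encoding, the one-element domain and the particular interpretation of H and F are assumptions chosen so that H and F are coextensive in world 0 but not in world 1.

```python
from itertools import product

# IL types: 'e', 't', ('fn', a, b) for (ab), ('s', a) for (sa).
def fn(pairs):
    """A set-theoretic function as a hashable set of (argument, value) pairs."""
    return frozenset(pairs)

def apply(f, x):
    return dict(f)[x]

def domain(ty, D, W):
    """D_alpha of Definition 4 (standard model: full function spaces)."""
    if ty == 'e':
        return list(D)
    if ty == 't':
        return [0, 1]
    args = list(W) if ty[0] == 's' else domain(ty[1], D, W)
    vals = domain(ty[1] if ty[0] == 's' else ty[2], D, W)
    return [fn(zip(args, image)) for image in product(vals, repeat=len(args))]

def value(term, M, w, a):
    """||term||^{M,w,a}, clause by clause as in Definition 5."""
    D, W, I = M
    op = term[0]
    if op == 'con':                       # (i)  I(c)(w)
        return apply(I[term[1]], w)
    if op == 'var':                       # (i)  a(x)
        return a[term[1]]
    if op == 'app':                       # (ii)
        return apply(value(term[1], M, w, a), value(term[2], M, w, a))
    if op == 'lam':                       # (iii)
        _, x, ty, body = term
        return fn((d, value(body, M, w, {**a, x: d})) for d in domain(ty, D, W))
    if op == 'eq':                        # (iv) identity in the world w
        return int(value(term[1], M, w, a) == value(term[2], M, w, a))
    if op == 'cap':                       # (v)  abstraction over worlds
        return fn((v, value(term[1], M, v, a)) for v in W)
    if op == 'cup':                       # (vi) application to the world w
        return apply(value(term[1], M, w, a), w)
    raise ValueError(op)

# Abbreviations of Definition 3.
ID_T = ('lam', 'x', 't', ('var', 'x'))
TOP = ('eq', ID_T, ID_T)
def box(phi):
    return ('eq', ('cap', phi), ('cap', TOP))
def forall(x, ty, phi):
    return ('eq', ('lam', x, ty, phi), ('lam', x, ty, TOP))

def model():
    """Constructed model: D = {a}, W = {0, 1}; F holds of a in world 0 only."""
    holds, fails = fn([('a', 1)]), fn([('a', 0)])
    I = {'H': fn([(0, holds), (1, holds)]),
         'F': fn([(0, holds), (1, fails)])}
    return (['a'], [0, 1], I)

H, F = ('con', 'H'), ('con', 'F')
ET = ('fn', 'e', 't')

def beta_counterexample():
    """Values in world 0 of (λP.□(H = P))F and of its would-be reduct □(H = F)."""
    redex = ('app', ('lam', 'P', ET, box(('eq', H, ('var', 'P')))), F)
    reduct = box(('eq', H, F))
    return value(redex, model(), 0, {}), value(reduct, model(), 0, {})

def scheme_8_at_world_0():
    """Values in world 0 of the antecedent and the consequent of (8)."""
    x = ('var', 'x')
    antecedent = forall('x', 'e', ('eq', ('app', F, x), ('app', H, x)))
    consequent = ('eq', box(('eq', H, F)), box(('eq', H, H)))
    return value(antecedent, model(), 0, {}), value(consequent, model(), 0, {})

if __name__ == '__main__':
    print(beta_counterexample(), scheme_8_at_world_0())
```

In the redex the argument F is evaluated in world 0 before the cap operator shifts the world, whereas in $\Box(H = F)$ the constant F is re-evaluated in every world; this is why the two terms receive different values.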

We will turn to the side conditions on $\beta$-conversion shortly, but first, as a third criticism,
let us notice that, while the scheme in (7) is not valid, the strengthened version
in (10) does hold in all models at any possible world (the proof is by induction on the
complexity of $\varphi$).

(10) $\Box\forall x(Fx = Hx) \to (\varphi\{P := F\} = \varphi\{P := H\})$


But this is far from desirable. Read “is provable with the help of Zorn’s Lemma” for 
F and “is provable with the help of the Axiom of Choice” for H while choosing “John 
believes that Zorn’s Lemma is P” for $\varphi$. It is presumably a necessary fact that everything
that is provable with the help of Zorn’s Lemma is provable with the help of the Axiom 
of Choice and vice versa. But from “John believes that Zorn’s Lemma is provable from 
Zorn’s Lemma” one cannot conclude “John believes that Zorn’s Lemma is provable from 
the Axiom of Choice”. Hence (10) should in fact not be valid. This is what is usually 
called the problem of logical omniscience but is really a consequence of one variant of 
the Extensionality principle. 

Let us consider the side conditions on $\beta$-conversion in IL. They will unfortunately lead
to a fourth problem. Define a term to be modally closed if it is built up from variables and
terms of the form ^A with the help of application, $\lambda$-abstraction and =. The following
scheme is valid.


IL the scheme in (5) will be valid for f of any type $(\alpha\beta)\gamma$ (with g and h of type $\alpha\beta$ and x of type $\alpha$).

(11) $(\lambda x_\alpha.A_\beta)B_\alpha = A\{x := B\}$, if

(a) B is free for x in A, and

(b) either no free occurrence of x in A lies within the scope of ^ or B is modally
closed.


This is in fact one of the six axiom schemes that are used to axiomatize generalized
consequence in Gallin [22]. But, as was observed by Friedman and Warren [21], the second
side condition that needs to be imposed here destroys one of the attractive properties
that lambda calculi usually have. For notions of reduction $\to$ such as $\to_\beta$ or $\to_{\beta\eta}$ (see
Barendregt [4] for definitions), one can often establish that whenever $A \to A_1$ and
$A \to A_2$ there is an $A_3$ such that $A_1 \to A_3$ and $A_2 \to A_3$, i.e. it is immaterial in which
order reductions are made. This so-called Church-Rosser property is not retained in IL
as Friedman and Warren show with the help of (12).

(12) $(\lambda x_\alpha(\lambda y_\alpha.{}^{\wedge}y = f_{\alpha(s\alpha)}x)x)c_\alpha$

Here x, y, and f are variables, while c is a constant. One possible reduction leads to

(13) $(\lambda y.{}^{\wedge}y = fc)c$,

while another reduction of (12) results in

(14) $(\lambda x.{}^{\wedge}x = fx)c$.

Neither of these terms can be reduced any further (as c is not modally closed but the
variable that is abstracted over occurs in the scope of ^) and hence there is no single
term to which both reduce.

Gallin [22] gives a translation of IL into a two-sorted variant TY$_2$ of Church’s original
logic, which has an extra type s for possible worlds. The translation proceeds by letting
^ correspond to $\lambda$-abstraction over a fixed variable $x_s$, while ˇ corresponds to application
to $x_s$ (the translation is related to the standard translation of modal logic into first
order logic). Constants are translated as the result of application of a constant to the
fixed type s variable. This translation clarifies the behaviour of IL in many ways. For
example, since a term that is not modally closed will translate to a term containing a free
occurrence of $x_s$, the side condition (ii) in (11) in a sense reduces to side condition (i)
after all. Since the logic TY$_2$ is just Church’s logic (but two-sorted), it is Church-Rosser,
but the difficulty of not being intensional is shared between IL and TY$_2$.


4 A MODAL TYPE THEORY 


In the previous section Montague’s logic IL was described and various criticisms were 
levelled against it. In this and the next few sections we will propose a logic MTT that 
is compatible with the usual ($\alpha$), ($\beta$) and ($\eta$) rules and that is intensional in the sense
that two relations can have the same extension yet be different. In order to obtain this 
logic we must deviate from IL in two respects. First, we shall follow Bressan [11] in 
letting the value of an expression AB in some world w depend not only on (the value of 
A and) the value of B in w, but possibly on the values of B in other worlds as well. This
immediately solves the problem with $\beta$-conversion, as no extra side conditions on that
rule will then be necessary.⁷

For the second deviation from IL, and indeed from the usual semantics for Church’s [14] 
classical type logic, a class of models will be considered that is a further generalization of 
the generalized models considered in Henkin [28]. These intensional models, as they will 
be called here, derive from the structures considered in the proofs of cut elimination in 
Takahashi [49] and Prawitz [45]. The latter also play an important role in Andrews’ [1] 
proof that his (non-extensional) resolution calculus corresponds to the first six axioms 
of Church [14]. The structures considered by these authors are proof-generated and are 
defined on the basis of a purely syntactic notion (Schütte’s [47] semivaluations), but
recently purely semantic, stand-alone, generalizations of such models have been offered
in Fitting [19] (‘generalized Henkin models’) and in Benzmüller et al. [9] (‘$\Sigma$-models’).
Fitting’s models involve a non-standard interpretation of abstraction, while the models
of Benzmüller et al. have a non-standard form of application, but these complications
seem unnecessary, as our intensional models will do without them. 

Intensional models will serve two purposes. The first is that they deal with problems 
of logical omniscience. A second use is technical: the notion of entailment one gets from 
intensional models is easily axiomatized with the help of a cut free tableau calculus. 
This second point will be dwelled upon below; for the first point consider the following 
example. While it is reasonable to assume that sentences (15a) and (15b) determine the 
same set of possible worlds, it is not reasonable to assume that applying the function 
“Mary knows that p” to (15a) necessarily results in the same value as applying that 
function to (15b): (15c) might be true while (15d) is false. Intensional models provide 
a way to make the necessary distinction. The idea will be that co-entailment, or, more 
generally, having the same extension in all models, will not imply identity, i.e. the axiom 
of Extensionality will not hold. 


(15) a. The cat is out if the dog is in 
b. The dog is out if the cat is in 
c. Mary knows that the cat is out if the dog is in 
d. Mary knows that the dog is out if the cat is in 


4.1 Types and Terms 


Unlike IL, which is based on hierarchies of functions, the logic MTT will be based on 
hierarchies of relations (Orey [42], Schütte [47]), as relational models are pleasant to work
with. Some definitions therefore must be changed and we shall start with the definition 
of types. Assume that some set B of basic types, among which must be the type s of 
possible worlds, is given. 

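DEFINITION 7. The set $\mathcal{T}$ of types is the smallest set of strings over the alphabet
$B \cup \{\,)\,,\,(\,\}$ such that (i) $B \subseteq \mathcal{T}$ and (ii) if $\alpha_1, \ldots, \alpha_n \in \mathcal{T}$ ($n \geq 0$) then $(\alpha_1 \ldots \alpha_n) \in \mathcal{T}$.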


Types formed with clause (ii) of this definition will be called complex. The complex type 
(), obtained by letting n = 0 in (ii), will be the type of propositions; this will also be the 


⁷ See also N. Belnap’s foreword to Bressan [11], especially point 11, where this “nonextensional predication”
(nonextensional in the modal sense, not in the stronger sense used in this chapter) is called
Bressan’s cardinal innovation.

type of formulas, which will have sets of possible worlds as their extensions. In general,
extensions for terms of type $(\alpha_1 \ldots \alpha_n)$ will be n + 1-ary relations, with one argument
place for a possible world (the world where the relation is evaluated) and one for each of
the $\alpha_i$. Note that we have defined types to be certain strings, so that there is a difference
between (say) the type s and the type (s). The latter is associated with a set of possible
worlds in each world, or, equivalently, with the type of binary relations between worlds.
Any of these relations can be viewed as an accessibility relation.

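A language will be a countable set of non-logical constants such that each constant
has a unique type. If $\mathcal{L}$ is a language, the set of constants from $\mathcal{L}$ having type $\alpha$ is
denoted $\mathcal{L}_\alpha$. For each $\alpha \in \mathcal{T}$ we assume the existence of a denumerably infinite set $\mathcal{V}_\alpha$
of variables of type $\alpha$, such that $\mathcal{V}_\alpha \cap \mathcal{V}_\beta = \emptyset$ if $\alpha \neq \beta$. We let $\mathcal{V} = \bigcup_{\alpha \in \mathcal{T}} \mathcal{V}_\alpha$. In proofs
it will occasionally be useful to be able to refer to fixed well-orderings $<_{\mathcal{L}}$ and $<_{\mathcal{V}}$ on
languages $\mathcal{L}$ and on the set $\mathcal{V}$ respectively, so we will assume that these are in place as
well.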

The following definition gives terms in all types. Apart from variables and non-logical
vocabulary, there will be application and abstraction, and a basis for defining the usual
connectives and quantifiers. Moreover, for any term R of type (s) there will be a modal
operator $\langle R\rangle$ and a term $R^{\smile}$ intended to denote the converse of R.


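DEFINITION 8. Let $\mathcal{L}$ be a language. Define sets $T^{\mathcal{L}}_\alpha$ of terms of $\mathcal{L}$ of type $\alpha$, for each
$\alpha \in \mathcal{T}$, as follows.

(i) $\mathcal{L}_\alpha \subseteq T^{\mathcal{L}}_\alpha$ and $\mathcal{V}_\alpha \subseteq T^{\mathcal{L}}_\alpha$ for each $\alpha \in \mathcal{T}$;

(ii) If $A \in T^{\mathcal{L}}_{(\beta\alpha_1 \ldots \alpha_n)}$ and $B \in T^{\mathcal{L}}_\beta$, then $(AB) \in T^{\mathcal{L}}_{(\alpha_1 \ldots \alpha_n)}$;

(iii) If $A \in T^{\mathcal{L}}_{(\alpha_1 \ldots \alpha_n)}$ and $x \in \mathcal{V}_\beta$, then $(\lambda x.A) \in T^{\mathcal{L}}_{(\beta\alpha_1 \ldots \alpha_n)}$;

(iv) $\bot \in T^{\mathcal{L}}_{()}$;

(v) If $\varphi \in T^{\mathcal{L}}_{()}$ and $\psi \in T^{\mathcal{L}}_{()}$ then $\varphi \to \psi \in T^{\mathcal{L}}_{()}$;

(vi) If $\varphi \in T^{\mathcal{L}}_{()}$ and $x \in \mathcal{V}_\alpha$ then $\forall x\varphi \in T^{\mathcal{L}}_{()}$;

(vii) If $R \in T^{\mathcal{L}}_{(s)}$ and $\varphi \in T^{\mathcal{L}}_{()}$ then $\langle R\rangle\varphi \in T^{\mathcal{L}}_{()}$;

(viii) If $R \in T^{\mathcal{L}}_{(s)}$ then $R^{\smile} \in T^{\mathcal{L}}_{(s)}$.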

(vii 


The operation of taking converses will be useful in applications where the notion arises
naturally, such as in temporal logic where, if < is used to denote the relation of temporal
precedence, $\langle <\rangle$ will be Prior’s future operator F and $\langle <^{\smile}\rangle$ (or $\langle >\rangle$ after an obvious
abbreviation) his past operator P.

We will write $T^{\mathcal{L}}$ for the set of all terms of the language $\mathcal{L}$, i.e. for the union $\bigcup_{\alpha \in \mathcal{T}} T^{\mathcal{L}}_\alpha$.
If A is a term of type $\alpha$, we may indicate this by writing $A_\alpha$ and we will use $\varphi$, $\psi$, $\chi$ for
terms of type (), i.e. formulas. The notions free and bound occurrence of a variable and
the notion B is free for x in A are defined as usual, as are closed terms and sentences.
Substitutions are functions $\sigma$ from variables to terms such that $\sigma(x)$ has the same type
as x. If $\sigma$ is a substitution then the substitution $\sigma'$ such that $\sigma'(x) = A$ and $\sigma'(y) = \sigma(y)$
for all $y \neq x$ is denoted as $\sigma[x := A]$. If A is a term and $\sigma$ is a substitution, $A\sigma$, the
extension of $\sigma$ to A, is defined in the usual way. The substitution $\sigma$ such that $\sigma(x_i) = A_i$
and $\sigma(y) = y$ if $y \notin \{x_1, \ldots, x_n\}$ is written as $\{x_1 := A_1, \ldots, x_n := A_n\}$.

634 Reinhard Muskens

Parentheses in terms will often be dropped on the understanding that association is
to the left, i.e. ABC is ((AB)C). The operators $\top$, $\neg$, $\wedge$, $\vee$, $\leftrightarrow$ and $\exists$ are obtained as
usual. The following definition gives some other useful operators.
DEFINITION 9. We will write 
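$=_{(\alpha\alpha)}$ for $\lambda x_\alpha\lambda y_\alpha\forall z_{(\alpha)}(zx \to zy)$,
$[R]\varphi$ for $\neg\langle R\rangle\neg\varphi$,
$\Diamond\varphi$ for $\langle\lambda x_s.\top\rangle\varphi$,
$\Box\varphi$ for $[\lambda x_s.\top]\varphi$, and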
A for Vir ie As. 


The first of these abbreviations gives equalities of type $(\alpha\alpha)$ for each $\alpha$. Of course we
will usually write A = B instead of =AB. The second abbreviation introduces the usual
dual to $\langle\cdot\rangle$ and, for example, allows us to write [<] for Prior’s G and [>] for his H. The
second and third conventions let us write $\Diamond$ and $\Box$ for the global possibility and necessity
operators, which have the universal relation on worlds as their underlying accessibility
relation. The abbreviation Å, lastly, introduces what are called nominals (see Blackburn
et al. [10] or Areces and ten Cate, Chapter 14 of this handbook, for much more on these).
As will become apparent below, Å will be true in a world w if and only if w is denoted
by A.


4.2 Standard Models 


Before we introduce the intensional models that will interpret MTT terms, let us have 
a brief look at a class of models that, in order to conform to general usage, will be called 
standard (even though for many practical purposes the intensional models defined below 
will be preferred). 


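DEFINITION 10. A standard collection of domains is a set $D = \{D_\alpha \mid \alpha \in \mathcal{T}\}$ such
that $D_\alpha \neq \emptyset$ if $\alpha$ is basic, $D_\alpha \cap D_\beta = \emptyset$ if $\alpha \neq \beta$ and $\alpha$ and $\beta$ are basic, while
$D_{(\alpha_1 \ldots \alpha_n)} = \mathcal{P}(D_s \times D_{\alpha_1} \times \cdots \times D_{\alpha_n})$ for each $D_{(\alpha_1 \ldots \alpha_n)}$. A standard model is a pair
(D, J) such that $D = \{D_\alpha \mid \alpha \in \mathcal{T}\}$ is a standard collection of domains and J is a function
with the set of all constants as its domain, such that $J(c) \in D_\alpha$ for each constant c of
type $\alpha$. J is called the interpretation function of (D, J).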


Letting the interpretation function J send constants of type $\alpha$ directly to $D_\alpha$ diverges
from the set-up in IL, but is in conformity with Church’s original logic. It will bring the 
behaviour of constants in line with that of free variables. 

An assignment a for a standard collection of domains $D = \{D_\alpha \mid \alpha \in \mathcal{T}\}$ is a function
which has the set of variables $\mathcal{V}$ as domain and has the property that $a(x) \in D_\alpha$ if
$x \in \mathcal{V}_\alpha$. The usual notational conventions for assignments obtain: If a is an assignment,
$x_1, \ldots, x_n$ are pairwise distinct variables, and $d_1, \ldots, d_n$ are objects such that $d_i \in D_\alpha$ if
$x_i$ is of type $\alpha$, then $a[d_1/x_1, \ldots, d_n/x_n]$ is the assignment $a'$ defined by letting $a'(x_i) = d_i$
and $a'(y) = a(y)$, if $y \notin \{x_1, \ldots, x_n\}$.

When working with hierarchies of relations it is often expedient to have a way of 
interpreting relations as certain functions. The following definition provides one (compare 
Muskens [39]). 


DEFINITION 11. Let R be an n-ary relation ($n > 0$) and let $0 < k \leq n$. Define the k-th
slice function $F^k_R$ of R by:

$F^k_R(d) = \{(d_1, \ldots, d_{k-1}, d_{k+1}, \ldots, d_n) \mid (d_1, \ldots, d_{k-1}, d, d_{k+1}, \ldots, d_n) \in R\}$

So $F^k_R(d)$ is the n − 1-ary relation that is obtained from R by fixing its k-th argument
place by d. Note that if R is a relation in $\mathcal{P}(D_s \times D_{\alpha_1} \times \cdots \times D_{\alpha_n})$ its first slice function
is a function from possible worlds to relations in $\mathcal{P}(D_{\alpha_1} \times \cdots \times D_{\alpha_n})$ and can therefore
be identified with what Montague would call a relation-in-intension. This motivated the
choice of letting $D_{(\alpha_1 \ldots \alpha_n)}$ equal $\mathcal{P}(D_s \times D_{\alpha_1} \times \cdots \times D_{\alpha_n})$ in Definition 10.

The next definition provides terms with values in standard models. Clauses (i) and
(iv)–(viii) will probably not surprise the reader, as they are essentially standard; for
clauses (ii) and (iii) second slice functions provide motivation. For (ii) lets V(a, AB) be
equal to the result of applying the second slice function of V(a, A) to V(a, B), while (iii)
defines $V(a, \lambda x_\beta.A)$ as the relation whose second slice function is the function F such
that, for all $d \in D_\beta$, $F(d) = V(a[d/x], A)$.


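DEFINITION 12. The value $V_M(a, A)$ of a term A on a standard model M = (D, J)
under an assignment a to M is defined as follows (we drop subscripts M):

(i) $V(a, c) = J(c)$ if c is a constant; $V(a, x) = a(x)$ if x is a variable;

(ii) $V(a, AB) = \{(w, \vec{d}) \mid (w, V(a, B), \vec{d}) \in V(a, A)\}$;

(iii) $V(a, \lambda x_\beta.A) = \{(w, d, \vec{d}) \mid d \in D_\beta \text{ and } (w, \vec{d}) \in V(a[d/x], A)\}$;

(iv) $V(a, \bot) = \emptyset$;

(v) $V(a, \varphi \to \psi) = (D_s \setminus V(a, \varphi)) \cup V(a, \psi)$;

(vi) $V(a, \forall x_\alpha\varphi) = \bigcap_{d \in D_\alpha} V(a[d/x], \varphi)$;

(vii) $V(a, \langle R\rangle\varphi) = \{w \mid \exists w' \in V(a, \varphi) \text{ such that } (w, w') \in V(a, R)\}$;

(viii) $V(a, R^{\smile}) = \{(w, w') \mid (w', w) \in V(a, R)\}$.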
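Definitions 11 and 12 can be run directly on a small finite standard model. The following added example (not part of the original chapter) computes term values with relations stored as sets of tuples, application implemented as the second slice function, and equality unfolded as in Definition 9; the basic type e, the three worlds read as moments of time, and the constants <, rain, sleeps, ann and bob are assumptions made for the illustration.

```python
from itertools import chain, combinations, product

WORLDS = (0, 1, 2)                                  # D_s: three moments of time
BASIC = {'s': WORLDS, 'e': ('ann', 'bob')}          # 'e' is an assumed basic type

def domain(ty):
    """D_alpha of Definition 10; a complex type is a tuple of types."""
    if ty in BASIC:
        return list(BASIC[ty])
    space = list(product(WORLDS, *(domain(t) for t in ty)))
    subsets = chain.from_iterable(
        combinations(space, r) for r in range(len(space) + 1))
    return [frozenset(s) for s in subsets]

def slice_fn(R, k, d):
    """F^k_R(d) of Definition 11: fix the k-th argument place of R (1-based)."""
    return frozenset(t[:k - 1] + t[k:] for t in R if t[k - 1] == d)

def value(term, J, a):
    """V(a, term) of Definition 12; formulas denote sets of 1-tuples (w,)."""
    op = term[0]
    everywhere = frozenset((w,) for w in WORLDS)
    if op == 'con':                                 # (i)
        return J[term[1]]
    if op == 'var':                                 # (i)
        return a[term[1]]
    if op == 'app':                                 # (ii) second slice function
        return slice_fn(value(term[1], J, a), 2, value(term[2], J, a))
    if op == 'lam':                                 # (iii)
        _, x, ty, body = term
        return frozenset((t[0], d) + t[1:] for d in domain(ty)
                         for t in value(body, J, {**a, x: d}))
    if op == 'bot':                                 # (iv)
        return frozenset()
    if op == 'imp':                                 # (v)
        return (everywhere - value(term[1], J, a)) | value(term[2], J, a)
    if op == 'all':                                 # (vi)
        _, x, ty, body = term
        result = everywhere
        for d in domain(ty):
            result &= value(body, J, {**a, x: d})
        return result
    if op == 'dia':                                 # (vii) <R>phi
        R, phi = value(term[1], J, a), value(term[2], J, a)
        return frozenset((w,) for (w, v) in R if (v,) in phi)
    if op == 'conv':                                # (viii) converse of R
        return frozenset((v, w) for (w, v) in value(term[1], J, a))
    raise ValueError(op)

TOP = ('imp', ('bot',), ('bot',))

def equals(ty, A, B):
    """A = B via Definition 9: (λx λy ∀z_(ty)(zx → zy)) A B."""
    x, y, z = ('var', '_x'), ('var', '_y'), ('var', '_z')
    leibniz = ('lam', '_x', ty, ('lam', '_y', ty,
               ('all', '_z', (ty,), ('imp', ('app', z, x), ('app', z, y)))))
    return ('app', ('app', leibniz, A), B)

# Constructed interpretation function J.
J = {'<': frozenset((w, v) for w in WORLDS for v in WORLDS if w < v),   # type (s)
     'rain': frozenset({(1,)}),                                         # type ()
     'sleeps': frozenset({(0, 'ann'), (1, 'bob')}),                     # type (e)
     'ann': 'ann', 'bob': 'bob'}                                        # type e

def worlds(term):
    return sorted(w for (w,) in value(term, J, {}))

def demo():
    lt, rain, sleeps = ('con', '<'), ('con', 'rain'), ('con', 'sleeps')
    ann, bob = ('con', 'ann'), ('con', 'bob')
    return {
        'F rain': worlds(('dia', lt, rain)),                  # Prior's F
        'P rain': worlds(('dia', ('conv', lt), rain)),        # Prior's P
        'global diamond rain': worlds(('dia', ('lam', 'u', 's', TOP), rain)),
        'sleeps ann': worlds(('app', sleeps, ann)),
        '(lam v. sleeps v) ann': worlds(
            ('app', ('lam', 'v', 'e', ('app', sleeps, ('var', 'v'))), ann)),
        'ann = ann': worlds(equals('e', ann, ann)),
        'ann = bob': worlds(equals('e', ann, bob)),
    }

if __name__ == '__main__':
    for name, ws in demo().items():
        print(name, ws)
```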


4.3 Intensional Models


Intensional models generalize the standard models just given in two ways. The first
generalization follows Henkin [28] in not necessarily associating domains $D_{(\alpha_1 \ldots \alpha_n)}$ with
the full powerset $\mathcal{P}(D_s \times D_{\alpha_1} \times \cdots \times D_{\alpha_n})$, but being content with some subset of
this relational space. When this generalization is made it becomes possible to prove
(generalized) completeness for the logic. However, if a tableau system is used it will 
contain a Cut rule. In order to avoid invoking the latter it seems to be necessary to 
adopt a second generalization and to move to a class of structures that do not necessarily 
validate the axiom of Extensionality, which says that two predicates are identical when 
they can be predicated of the same objects. The strategy of taking out Extensionality, 
pioneered by Takahashi [49] and Prawitz [45], allows one to prove the completeness of a 
cut-free system, after which Extensionality can be added to the logic again if that should 
be desired. 

In the present set-up, which is inspired by Fitting [19], we will get rid of Extensionality 
by distinguishing between the intension and the extension of a term of complex type. 
The basic idea will be that any object in a domain $D_\alpha$ can be the intension of some term.
Intensions of complex type will not be constructed set-theoretically out of those of a less 
complex type. Extensions, on the other hand, will be relations over the relevant domains 
of intensions, with their identity criteria therefore given by set membership. One and 
the same extension may be determined by two or more different intensions. 

Let us see how this can be done. A collection of domains will be a set of non-empty 
sets {D_α | α ∈ T}, such that D_α ∩ D_β = ∅ if α ≠ β. There are no further constraints
on collections of domains. Assignments and the notational conventions pertaining to
assignments are defined as before. The set of all assignments for a collection of domains
D is denoted A_D. The intension functions defined below send terms to almost arbitrary
domain elements. There are a few restrictions on these functions but they are rather 
liberal. 


DEFINITION 13. An intension function for a collection of domains D = {D_α | α ∈ T}
and a language L is a function I with domain A_D × T_L such that

(i) I(a, A) ∈ D_α, if A is of type α;
(ii) I(a, x) = a(x), if x is a variable;
(iii) I(a, A) = I(a′, A), if a and a′ agree on all variables free in A;
(iv) I(a, A{x := B}) = I(a[I(a, B)/x], A), if B is free for x in A.


Before we continue with also defining extension functions, let us pay some attention to
the nitty-gritty and observe that the intension functions just defined behave well when
the language is restricted or extended. The following property will be used a couple of
times below.


PROPOSITION 14. (i) Let I be an intension function for D and L and let L′ ⊆ L.
Then the restriction I′ of I to A_D × T_L′ is an intension function for D and L′. (ii) Let
I be an intension function for D and L, let L ⊆ L′ and let f be a function with domain
L′∖L such that f(c) ∈ D_α if c ∈ L′_α∖L_α. Then there is an intension function I′ for D
and L′ such that I and I′ agree on A_D × T_L and I′(a, c) = f(c) for every c ∈ L′∖L.


Proof. (i) is trivial, so let us verify (ii). Let A be an arbitrary term in T_L′ and let
c_1, ..., c_n be the constants occurring in A that are in L′ but not in L such that c_i <_L c_j
if i < j. Let A† be the result of replacing each c_i in A with the first variable x_i in <y
such that x_i is not free in A, has the type of c_i and is distinct from each of the x_j (j < i).
Clearly A = A†{x_1 := c_1, ..., x_n := c_n}. Let I′(a, A) = I(a[f(c_1)/x_1, ..., f(c_n)/x_n], A†)
and check that I′ meets the requirements. □


The next definition provides the promised extension functions, which send objects of com- 
plex type to certain relations. We first give very general constraints; more requirements 
will follow in definition 17. 


DEFINITION 15. An extension function for D = {D_α | α ∈ T} is a function E with
domain ⋃{D_α | α is complex} such that E(d) ⊆ D_s × D_{α1} × ··· × D_{αn} if d ∈ D_⟨α1...αn⟩.


Note that there is no requirement that the restriction of an extension function to any
D_⟨α1...αn⟩ should be onto P(D_s × D_{α1} × ··· × D_{αn}) or that extension functions should
be injective. This reflects the two generalizations discussed above. The possible lack 
of surjectivity is Henkin’s generalization and the possible lack of injectivity reflects the 
move that Prawitz and Takahashi made. 


DEFINITION 16. A generalized frame for the language L is a triple ⟨D, I, E⟩ such that
D is a collection of domains, I is an intension function for D and L, and E is an extension
function for D.


We are interested in the extensions E(I(a,A)) of terms A. For the sake of readability 
we will often write V(a, A) for these, letting V denote the composition of E and I. The 
following definition puts a series of constraints on extension functions that make things 
start to behave in a desired way. 
DEFINITION 17. A generalized frame ⟨D, I, E⟩ for L is an intensional model for L if

(i) V(a, AB) = {⟨w, d⃗⟩ | ⟨w, I(a, B), d⃗⟩ ∈ V(a, A)};

(ii) V(a, λx_β.A) = {⟨w, d, d⃗⟩ | d ∈ D_β and ⟨w, d⃗⟩ ∈ V(a[d/x], A)};

(iii) V(a, ⊥) =

(iv) V(a, φ → ψ) = D_s − (V(a, φ) − V(a, ψ));

(v) V(a, ∀x_α φ) = ⋂_{d ∈ D_α} V(a[d/x], φ);

(vi) V(a, ⟨R⟩φ) = {w | ∃w′ ∈ V(a, φ) such that ⟨w, w′⟩ ∈ V(a, R)};

(vii) V(a, R˘) = {⟨w, w′⟩ | ⟨w′, w⟩ ∈ V(a, R)}.


The clauses here are identical to the relevant ones in definition 12, with one important 
exception: in the clause for AB the (second slice function of) the value of A is no longer 
applied to the extension of B, but to its intension. The idea is that the extension of 
a predicate A determines and is determined by all the things that A can truthfully be 
predicated of while the intension of A determines and is determined by all the predicates 
that hold of A. 

Do intensional models exist? One answer is that the standard models defined in the 
previous section obviously correspond to a subclass of the class of intensional models in 
which E is the identity function, but one would like to see intensional models that are
not standard. For the latter we refer to the construction in the section on elementary 
model theory below. 

Having the notion of intensional model in place we can define what it means for a 
sentence to be made true by an intensional model in a given world or to be valid in an 
intensional model. 


DEFINITION 18. Let M = ⟨D, I, E⟩ be an intensional model for L, let w ∈ D_s and let
φ be a sentence of L. M and w satisfy φ (or make φ true), M, w ⊨ φ, if w ∈ V(a, φ)
for any a. We also say that M satisfies φ if there is some w ∈ D_s such that M, w ⊨ φ
and that φ is satisfiable if some M satisfies φ. If M, w ⊨ φ for all w ∈ D_s then φ is said
to be valid in M and we write M ⊨ φ.


The corresponding notion of entailment is defined as follows. 

DEFINITION 19. Let Π and Σ be sets of sentences in L. Π is said to intensionally entail
or i-entail Σ, Π ⊨_i Σ, if, for every intensional model M = ⟨D, I, E⟩ for L and every
w ∈ D_s, if M, w ⊨ φ for all φ ∈ Π then M, w ⊨ φ for some φ ∈ Σ.


This gives a rather weak logic in comparison with other type logics. In applications it will 
usually be necessary to strengthen the logic with sets of sentences S which may typically 
contain modal axioms, but may also contain classical axioms, such as instantiations of 
the Extensionality scheme, the Axiom of Descriptions, or axioms regulating λ-conversion.
About the latter notion the following proposition lists some useful facts. 


PROPOSITION 20. Let M = (D,I, E) be an intensional model, and let a be an assign- 
ment for D. Then, for all A and B of appropriate types, 


(i) V(a, λx.A) = V(a, λy.A{x := y}), if y is free for x in A;
(ii) V(a, (λx.A)B) = V(a, A{x := B}), if B is free for x in A;
(iii) V(a, λx.Ax) = V(a, A), if x is not free in A.


Proof. Left to the reader. □
Rule     Branch                      Replaced by
T⊥       Γ, Tu: ⊥                    (no branch)
Ax       Γ, Tu: φ, Fu: φ             (no branch)
β-ext    Γ, Su: (λx.A)B C⃗            Γ, Su: A{x := B} C⃗
˘        Γ, Su: R˘u′                 Γ, Su′: Ru
T→       Γ, Tu: φ → ψ                Γ, Fu: φ  |  Γ, Tu: ψ
F→       Γ, Fu: φ → ψ                Γ, Tu: φ, Fu: ψ
T∀       Γ, Tu: ∀xφ                  Γ, Tu: φ{x := A}
F∀       Γ, Fu: ∀xφ                  Γ, Fu: φ{x := c}     (c not in the premise)
T⟨·⟩     Γ, Tu: ⟨R⟩φ                 Γ, Tu: Ru′, Tu′: φ   (u′ not in the premise)
F⟨·⟩     Γ, Fu: ⟨R⟩φ                 Γ, Fu: Ru′  |  Γ, Fu′: φ


Table 1. Tableau rules for MTT.


These statements show that λ-conversion preserves identity of extension, but that does
not imply that intensional identity is also preserved and that V can be replaced uniformly
with I in the proposition above. If such intensional identities are wanted, and in most
applications one will certainly want to have at least the possibility of α and β conversion
in any context, an axiomatic extension of the logic may provide them. See 5.2 below.


5 TABLEAUS FOR MODAL TYPE THEORY 


5.1 Tableaus 


In this section the proof theory of MTT will be given in the form of a tableau system. 
The calculus will be set up as a form of labeled deduction, with labels storing information 
about worlds and truth values. Formally, a labeled sentence of L will be a triple ⟨S, u, φ⟩
consisting of a sign S, which can either be T or F, a constant u ∈ L_s, and a sentence φ
of L. Labeled sentences ⟨S, u, φ⟩ will typically be written as Su: φ, where Tu: φ can be
read as ‘φ is true in world u’ and Fu: φ as expressing that φ is false in u.

Tableaus will be defined as certain sets of branches. A branch in its turn will be a set 
of labeled sentences. The notion of satisfaction can easily be extended from sentences to 
labeled sentences and branches, for we can define an intensional model M = ⟨D, I, E⟩ to
satisfy Tu: φ if I(a, u) ∈ V(a, φ) for some (and hence every) a, while letting M satisfy
Fu: φ if I(a, u) ∉ V(a, φ) for any a. M is said to satisfy a branch Γ if it satisfies all ϑ ∈ Γ.
If no model M satisfies Γ, Γ is said to be unsatisfiable; otherwise Γ is satisfiable.

We will use the usual sequent notation for branches, writing Γ, ϑ for Γ ∪ {ϑ}, etc.
Diverging slightly from the usual set-up of tableaus, tableau rules will be defined as 
certain relations between branches, not as relations between labeled sentences. The 
interpretation of these rules (that are given in Table 1) is one of replacement of branches, 
Tu: ~y Fu: ny Tup AY Fu: p AY
z F~ ——_—— TA ——_—— Fa 
Fu: p Tu: Y Tuy, Tu: Y Fu: | Fu: Y 
TupgVvw Fu: y Vw Tu: dry Fu: day 
— TV — Fv a —— Fd 
Tu: | Tu: y% Fu: p, Fu: Y Tu: p{x := c} Fu: p{xa := A} 
(c fresh) 
Tu: y > y% Fu: p > Y 
T F 
Tuy, Tu: Y | Fu: yp, Fu: w Tu: p, Fu: Y% | Fu: p, Tu: Y% 

Tu: [R]y Fu: [R] Tu: ù Fu: ù 
a oes l = eta Ck T k 
Fu: Ru |Tu : p Tu: Ru , Fu: y Tuu = u 

(u’ fresh) 
Tu: Oy Fu: Op Tu: Oy Fu: Oy 6 
F 
Tu: p Fu: p Tu: Fu: p 
(u’ fresh) (u’ fresh) 
Tu: A = B, Su: p{a := A} : Tu: A= B 
LL ——— id Ey 
Su: p{x := B} TuA=A Tu: A=B 
1 
Su: p, Tuu =u ; Cut 
— LL Tu: |F ; 
F u: y | Fu: p 


Table 2. Derived tableau rules and Cut (abbreviated forms). 


for example the interpretation of T→ in Table 1 is that the branch Γ, Tu: φ → ψ can
be replaced by the two branches Γ, Fu: φ and Γ, Tu: ψ in any tableau. The format also
allows the formulation of a weakening rule W that allows the removal of signed formulas
from a branch.

Compare T→ with a more usual approach where one would have a rule


        Tu: φ → ψ
      ─────────────
      Fu: φ | Tu: ψ


meaning that whenever a branch is found to contain Tu: φ → ψ it may be split, Fu: φ
may be added to one side and Tu: ψ to another. Of course the two approaches very much
boil down to the same thing. The present set-up is close to that of a Gentzen calculus 
for the logic: read T as ‘left’ and F as ‘right’ and turn the rules in Table 1 upside down. 

A convention that is adopted in Table 1 (and that we shall continue to use) is that 
wherever the notation A{x := B} is used B must be free for x in A. An alternative
notation for tableau rules, better suited for inline environments, is Γ/Γ_1;...;Γ_n, where
/ replaces the horizontal line and ; the vertical lines in any rule. The following definition 
tells how we can expand sets of branches and obtain tableaus. 


DEFINITION 21. A set of branches T′ is a one step expansion of a set of branches T if
T′ = (T∖{Γ}) ∪ {Γ_1, ..., Γ_n} for some tableau rule Γ/Γ_1;...;Γ_n. T′ is an expansion of T
if there is a sequence T_1, ..., T_n such that T_1 = T, T_n = T′ and each T_{k+1} is a one step
Name   Modal axiom                   Corresponding R rule

T_∀    □∀p([R]p → p)                 /Tu: Ru
D_∀    □∀p([R]p → ⟨R⟩p)              /Tu1: Ru2 (u2 fresh)
4_∀    □∀p([R]p → [R][R]p)           Tu1: Ru2, Tu2: Ru3/Tu1: Ru3
5_∀    □∀p(⟨R⟩p → [R]⟨R⟩p)           Tu1: Ru2, Tu1: Ru3/Tu2: Ru3


Table 3. Correspondences between modal axioms and certain rules.


expansion of T_k. A set of branches T is a tableau if it is an expansion of {Γ} for some
finite branch Γ.


Thus while no finiteness condition was imposed on branches per se, tableaus are stipulated 
to originate from finite branches. Note that the T⊥ and Ax rules can cause branches
to disappear from a tableau while it is being expanded. This can lead to the closure of 
tableaus as defined in the following definition. 


DEFINITION 22. A finite branch Γ has a closed tableau if ∅ is an expansion of {Γ}. If
Π and Σ are sets of sentences then Π ⊢ Σ holds if, for some finite Π_0 ⊆ Π, some finite
Σ_0 ⊆ Σ and some u ∈ L_s that does not occur in any sentence in Π_0 ∪ Σ_0, {Tu: φ | φ ∈
Π_0} ∪ {Fu: φ | φ ∈ Σ_0} has a closed tableau.

We employ the usual notational conventions with respect to ⊢. A formula φ is called
tableau provable if ⊢ φ.


For ease of reference Table 2 lists some rules that are derivable from those already given 
in Table 1. We leave it to the reader to show that these rules are indeed derivable (most 
cases are entirely trivial, some easy but amusing). Another exercise is to show that 
F Ap(p A Yqlq —> [R](p > q))). Table 2 also displays the Cut rule, which we will see is 
admissible. Here we have not bothered to write all the Γ's of our official rule presentation
and have reverted to the more usual way of presenting tableau rules. 

Clearly the rules were chosen in a way that makes it possible to show Soundness to 
hold. 


THEOREM 23 (Soundness). If Γ has a closed tableau then Γ is unsatisfiable. Hence
Π ⊢ Σ implies Π ⊨_i Σ.


Proof. For each tableau rule Γ/Γ_1;...;Γ_n, if Γ is satisfiable, one of the Γ_i is satisfiable.
Verifying this will involve proposition 14 for some cases. By induction, if T is an expansion
of {Γ} then, if Γ is satisfiable, some Γ′ ∈ T must be satisfiable. Hence if Γ has a closed
tableau, Γ cannot be satisfiable. This proves the first statement of the theorem. Suppose
Π ⊢ Σ. Then for some finite Π_0 ⊆ Π and Σ_0 ⊆ Σ and some u ∈ L_s that does not occur
in Π_0 ∪ Σ_0, {Tu: φ | φ ∈ Π_0} ∪ {Fu: φ | φ ∈ Σ_0} has a closed tableau and hence is
unsatisfiable. It follows that Π ⊨_i Σ. □


5.2 Axiomatic Extensions 


If, in some setting, one wants to restrict attention to a class of models that validate some
set of sentences S then it becomes natural to define Π ⊨_S Σ as S ∪ Π ⊨_i Σ. Similarly,
Π ⊢_S Σ can be defined as S ∪ Π ⊢ Σ and the soundness theorem gives that Π ⊢_S Σ
Tu: □∀p([R]p → [R][R]p)
Tu1: Ru2
Tu2: Ru3
Tu1: ∀p([R]p → [R][R]p)
Tu1: [R]R˘u1 → [R][R]R˘u1
├─ Fu1: [R]R˘u1
│    Tu1: Ru′
│    Fu′: R˘u1
│    Fu1: Ru′
│    ×
└─ Tu1: [R][R]R˘u1
   ├─ Fu1: Ru2
   │    ×
   └─ Tu2: [R]R˘u1
      ├─ Fu2: Ru3
      │    ×
      └─ Tu3: R˘u1
           Tu1: Ru3


Figure 1. Derivation of Tu1: Ru2, Tu2: Ru3/Tu1: Ru3 from 4_∀


implies Π ⊨_S Σ (while completeness, yet to be shown to hold, gives the converse). Prime
candidates for inclusion in such a theory S are the usual rules for lambda conversion.
These are the universal closures of any instantiation of one of the following schemes.


(α) λx.A = λy.A{x := y}, if y is free for x in A;
(β) (λx.A)B = A{x := B}, if B is free for x in A;
(η) λx.Ax = A, if x is not free in A.


It is clearly consistent to add these rules to MTT, as they are valid in standard models.
Once they are added, the derived rules U and LL ensure that


      Su: φ{x := A}
      ─────────────   if A =_βη B
      Su: φ{x := B}


also becomes a derived rule. Since one can work with the standard notion of reduction
→_βη here, it is clear that the resulting logic is Church-Rosser. This will also hold if, for
some reason, it is decided that S should contain (α), but only one of the rules (β) and
(η). Note that the (β) rule scheme discussed here should well be distinguished from the
rule we have called β-ext, which is much weaker, as it only allows β-conversions in head
position.

Other obvious candidates for inclusion in a theory S are the usual modal axioms for
modalities ⟨R⟩. For instance, one could ensure validity of T by including the scheme
□([R]φ → φ) (the leading □ ensures that one gets validity, not just truth of T in the
initial world). Another way to express the same idea, more natural perhaps in the present
context, is by quantification over propositions, as in □∀p([R]p → p), which is called T_∀
in Table 3, where also quantified analogues of D, 4 and 5 are found. If such axioms
are adopted it is often possible to use derived rules in one’s tableaus that closely mirror
the usual frame correspondences in modal logic (for the latter see e.g. Chapter 1 of this
handbook, by Blackburn and Van Benthem). In fig. 1, for example, is a tableau verifying
that Tu1: Ru2, Tu2: Ru3/Tu1: Ru3 is a derived rule in the presence of the 4_∀ axiom. On
the other hand, if Tu1: Ru2, Tu2: Ru3/Tu1: Ru3 should be adopted as an additional rule,
□∀p([R]p → [R][R]p) becomes tableau provable, as fig. 2 shows. Table 3 lists some more of
Fu: □∀p([R]p → [R][R]p)
Fu1: ∀p([R]p → [R][R]p)
Fu1: [R]c → [R][R]c
Tu1: [R]c
Fu1: [R][R]c
Tu1: Ru2
Fu2: [R]c
Tu2: Ru3
Fu3: c
Tu1: Ru3
├─ Fu1: Ru3
│    ×
└─ Tu3: c
     ×


Figure 2. Derivation of 4_∀ in the presence of Tu1: Ru2, Tu2: Ru3/Tu1: Ru3


these correspondences (use a nominal ug when showing the correctness of the last one) 
and the reader will have no difficulty providing many more. Note that, with the help of 
nominals, it is also possible to directly express properties of accessibility relations, even 
those that are not modally definable in the usual set-up. For example, irreflexivity of R
can be expressed as □∀x_s(x → ¬⟨R⟩x). See Blackburn et al. [10] for more information
on expressing first order relational properties with the help of nominals. 
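
Definitions 21 and 22 and the correspondence between 4_∀ and the rule Tu1: Ru2, Tu2: Ru3/Tu1: Ru3, as an added example that is not code from the handbook: a small Python tableau for the fragment ⊥, →, ⟨R⟩ with one relation R, where a rule replaces a branch by zero or more branches and a tableau is closed when no branch is left. Assumed here: ¬φ and [R]φ abbreviate φ → ⊥ and ¬⟨R⟩¬φ, F⟨·⟩ is applied only to worlds already on the branch, quantifiers, β-ext and the converse rule are left out (the run starts where fig. 2 has already instantiated p by c), and all function names are hypothetical.

```python
"""Labeled tableau for the fragment ⊥, →, ⟨R⟩ with a single relation R (added example)."""

BOT = ("bot",)

def atom(name): return ("atom", name)
def imp(a, b): return ("imp", a, b)
def dia(a): return ("dia", a)              # ⟨R⟩a
def rel(v): return ("rel", v)              # the sentence Rv: true at u iff u R v
def neg(a): return imp(a, BOT)             # assumed abbreviation ¬a := a → ⊥
def box(a): return neg(dia(neg(a)))        # assumed abbreviation [R]a := ¬⟨R⟩¬a


def expand(branch, transitive):
    """Apply one rule to a branch (a frozenset of (sign, world, formula)).

    Returns the list of branches that replace it ([] when T⊥ or Ax removes
    the branch), or None when no rule applies any more.
    """
    worlds = {u for _, u, _ in branch} | {f[1] for _, _, f in branch if f[0] == "rel"}
    items = sorted(branch, key=repr)       # fixed order keeps runs reproducible
    for sign, u, f in items:
        if sign == "T" and (f == BOT or ("F", u, f) in branch):
            return []                      # T⊥ / Ax: the branch disappears
    for sign, u, f in items:
        if f[0] == "imp" and sign == "T":  # T→ splits the branch
            left, right = ("F", u, f[1]), ("T", u, f[2])
            if left not in branch and right not in branch:
                return [branch | {left}, branch | {right}]
        elif f[0] == "imp":                # F→
            new = {("T", u, f[1]), ("F", u, f[2])}
            if not new <= branch:
                return [branch | new]
        elif f[0] == "dia" and sign == "T":    # T⟨·⟩ needs one witness world
            if not any(("T", u, rel(v)) in branch and ("T", v, f[1]) in branch
                       for v in worlds):
                v = "u%d" % len(worlds)        # fresh: worlds are u0, u1, ...
                return [branch | {("T", u, rel(v)), ("T", v, f[1])}]
        elif f[0] == "dia":                # F⟨·⟩ for every world on the branch
            for v in sorted(worlds):
                no_edge, not_there = ("F", u, rel(v)), ("F", v, f[1])
                if no_edge not in branch and not_there not in branch:
                    return [branch | {no_edge}, branch | {not_there}]
    if transitive:                         # Tu1: Ru2, Tu2: Ru3 / Tu1: Ru3
        edges = [(u, f[1]) for s, u, f in items if s == "T" and f[0] == "rel"]
        for u1, u2 in edges:
            for v2, u3 in edges:
                if u2 == v2 and ("T", u1, rel(u3)) not in branch:
                    return [branch | {("T", u1, rel(u3))}]
    return None


def has_closed_tableau(branch, transitive=False, fuel=10_000):
    """True iff the empty set of branches is an expansion of {branch}."""
    tableau = [frozenset(branch)]
    while tableau:
        fuel -= 1
        if fuel < 0:
            raise RuntimeError("step budget exhausted")
        successors = expand(tableau.pop(), transitive)
        if successors is None:
            return False                   # a saturated branch stays open
        tableau.extend(successors)
    return True


def provable(phi, transitive=False):
    """Tableau provability: start from the single branch {F u0: phi}."""
    return has_closed_tableau({("F", "u0", phi)}, transitive)


c, p, q = atom("c"), atom("p"), atom("q")
AXIOM_4 = imp(box(c), box(box(c)))                    # [R]c → [R][R]c
AXIOM_K = imp(box(imp(p, q)), imp(box(p), box(q)))    # [R](p → q) → ([R]p → [R]q)
AXIOM_T = imp(box(c), c)                              # [R]c → c

if __name__ == "__main__":
    for name, phi in [("4", AXIOM_4), ("K", AXIOM_K), ("T", AXIOM_T)]:
        print(name, provable(phi), provable(phi, transitive=True))
```

The open branch left for [R]c → [R][R]c without the extra rule contains Tu0: Ru1, Tu1: Ru2 and Fu0: Ru2, which is exactly a non-transitive frame; adding the rule closes it as in fig. 2.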


6 ELEMENTARY MODEL THEORY 


In this section we will prove some basic modeltheoretic properties of MTT: Generalized
Completeness, the Generalized Löwenheim-Skolem property, and the admissibility of the
Cut rule, all via a Model Existence theorem in the way Smullyan [48] did it for first order
logic (see also Fitting [17, 19]). None of the techniques employed here is new, but we
include full proofs for two reasons. The first is that, since our definition of
an intensional model deviates from existing notions in the literature and since the devil
is always in the details, it is good to have an explicit sanity check on those definitions.
The second reason is that readers not already familiar with this kind of proof may find
examples here in a relatively streamlined setting.

Before we tackle the main modeltheoretic properties of MTT, some attention must 
be paid to the notion of identity in intensional models, as this relation may not be the 
identity of the metalanguage. 


6.1 Identity and Indiscernability 


The decision to let the relations =_⟨αα⟩ be abbreviations of λx_α λy_α ∀z_⟨α⟩(zx → zy), as it
was done in definition 9, derives directly from Russell, and via Russell from Leibniz, as
the abbreviation equates identity with indistinguishability. It is clear that in standard
models identity and indistinguishability coincide, but, as was noted by Andrews [2] for
the non-modal case, in nonstandard models it may happen that two objects d_1 and d_2
that are in fact not identical may fail to be distinguished because there simply is no set
to keep them apart. This may be thought of as an anomaly and one may be tempted to
restrict attention to intensional models that are normal in the following sense.


DEFINITION 24. An intensional model M = ⟨D, I, E⟩ is normal if, for any α, any
d, d′ ∈ D_α and arbitrary a, d = d′ if ⟨w, d, d′⟩ ∈ V(a, =) for some w ∈ D_s.


In fact restriction to normal models will not buy us any new truths as will be shown 
shortly. First some facts that will come in handy. 


PROPOSITION 25. Let M = ⟨D, I, E⟩ be an intensional model, and let a be an assign-
ment for D. Then, for all A, B and B′ of appropriate types,
(i) V(a, A = B) = ∅ or V(a, A = B) = D_s;
(ii) V(a, A = A) = D_s;
(iii) V(a, A{x := B} = A{x := B′}) = D_s if V(a, B = B′) = D_s, provided B and B′
are free for x in A.


Proof. (i) Suppose w ∈ V(a, A_α = B_α), i.e. w ∈ V(a, ∀z(zA → zB)). Choosing
λy_α □∀z_⟨α⟩(zA → zy) for z, it is easily shown that w ∈ V(a, □∀z(zA → zB)). Hence
w′ ∈ V(a, ∀z(zA → zB)) for all w′ ∈ D_s and we are done. (ii) Trivial. (iii) Assume that
w ∈ V(a, B = B′), i.e. w ∈ V(a, ∀y(yB → yB′)). Choose λv.A{x := B} = A{x := v}
(with fresh v) for y and derive that w ∈ V(a, A{x := B} = A{x := B′}). □


The following proposition shows that, if desired, one can always ‘normalize’ models by 
‘dividing out’ the indistinguishability relation. The proof implicitly uses the axiom of 
choice. 


PROPOSITION 26. Let M = ⟨D, I, E⟩ be an intensional model and let w ∈ D_s. There
are a normal intensional model M̄ = ⟨D̄, Ī, Ē⟩ and a w̄ ∈ D̄_s such that, for each sentence
φ, w̄ satisfies φ in M̄ iff w satisfies φ in M.


Proof. Suppose M = ⟨D, I, E⟩. We define the relation ~ between objects of identical
type in M’s domains as follows. For any α, any d, d′ ∈ D_α and arbitrary a let d ~ d′
iff, for some (and therefore every) w ∈ D_s, ⟨w, d, d′⟩ ∈ V(a, =_⟨αα⟩). Clearly, ~ is an
equivalence relation. Using proposition 25 and definition 13 it is straightforward to show
that, for any term A,


(16) d ~ d′ ⟹ I(a[d/x], A) ~ I(a[d′/x], A).

It is also worth noting that, for any w, w′ and any φ and a

(17) w ~ w′ ⟹ (w ∈ V(a, φ) ⟺ w′ ∈ V(a, φ)).

The way to show this is to observe that, if neither x_s nor y_s is free in φ,

(18) V(a[w/x], (λy.φ)˘x) = D_s ⟺ w ∈ V(a, φ),


and to then use the definition of w ~ w′.
Define d̄ = {d′ | d ~ d′}, and let D̄_α = {d̄ | d ∈ D_α}, while D̄ = {D̄_α | α ∈ T}.
Let f be a function such that f(d̄) ∈ d̄, if d ∈ D_α. For any assignment a for D̄, let a°
be the assignment for D defined by a°(x) = f(a(x)), for all x. Let Ī(a, A) = d̄ where d = I(a°, A),
for each assignment a for D̄ and each term A. Then Ī is an intension function for D̄.
The first three requirements of definition 13 are easily checked, so let us check the last 
requirement. Note that 


II 


) (by definition 13) 
Jox (by (16)) 

) (by the definition of T) 
) (by the definition of o) 


From this conclude that Ī(a, A{x := B}) = Ī(a[Ī(a, B)/x], A).


Define Ē by letting Ē(d̄_α) = {⟨w̄, d̄_1, ..., d̄_n⟩ | ⟨w, d_1, ..., d_n⟩ ∈ E(d)}, if α is complex.
In order to show that this is well-defined assume that w ~ w′, d ~ d′, and d_i ~ d′_i. Then,
if R, x_1, ..., x_n are distinct variables of appropriate types


⟨w, d_1, ..., d_n⟩ ∈ E(d)  ⟺  (by def. (17))
w ∈ V(a[d/R, d_1/x_1, ..., d_n/x_n], Rx_1...x_n)  ⟺  (by (17))
w′ ∈ V(a[d/R, d_1/x_1, ..., d_n/x_n], Rx_1...x_n)  ⟺  (equational reas.)
w′ ∈ V(a[d′/R, d′_1/x_1, ..., d′_n/x_n], Rx_1...x_n)  ⟺  (by def. (17))
⟨w′, d′_1, ..., d′_n⟩ ∈ E(d′)


so that the definition was legitimate.
Write V̄(a, A) for Ē(Ī(a, A)) and observe that


(19) ⟨w̄, d̄_1, ..., d̄_n⟩ ∈ V̄(a, A) iff ⟨w, d_1, ..., d_n⟩ ∈ V(a°, A)


From this it follows by a straightforward induction on term complexity that M̄ =
⟨D̄, Ī, Ē⟩ is an intensional model. It also follows that w̄ satisfies φ in M̄ iff w satisfies
φ in M and that M̄ is normal. □


So the notion of identity of the logic may diverge from the notion of identity employed in 
the metalanguage, but for notions like satisfiability and entailment this does not matter. 


6.2 Model Existence 


We now come to the Model Existence theorem and its proof. This theorem (Theorem 
30 below) roughly says that if a branch Γ does not have a certain kind of property, here
called a ‘sound unsatisfiability property’, it is satisfiable by an intensional model. The
proof proceeds in two steps. One step shows that such a branch Γ can be extended to a
branch Γ* that is downward saturated in a sense to be defined shortly. The other step
shows that downward saturated branches are satisfiable. We will prove the last of these 
two statements first. Let us start with the definition of a downward saturated branch. 


DEFINITION 27. A branch Γ of L is called downward saturated if the following hold:
(a) {Tu: φ, Fu: φ} ⊈ Γ for any sentence φ and constant u;
(b) Tu: ⊥ ∉ Γ;
(c) Su: (λx.A)B C⃗ ∈ Γ ⟹ Su: A{x := B}C⃗ ∈ Γ, if λx.A, B, and the sequence of terms
C⃗ are closed and of appropriate types;
(d) Tu: φ → ψ ∈ Γ ⟹ Fu: φ ∈ Γ or Tu: ψ ∈ Γ;
(e) Fu: φ → ψ ∈ Γ ⟹ {Tu: φ, Fu: ψ} ⊆ Γ;
(f) Tu: ∀x_α φ ∈ Γ ⟹ Tu: φ{x := A} ∈ Γ for all closed A of type α;
(g) Fu: ∀x_α φ ∈ Γ ⟹ Fu: φ{x := c} ∈ Γ for some c ∈ L_α;
(h) Tu: ⟨R⟩φ ∈ Γ ⟹ {Tu: Ru′, Tu′: φ} ⊆ Γ for some u′ ∈ L_s;
(i) Fu: ⟨R⟩φ ∈ Γ ⟹ Fu: Ru′ ∈ Γ or Fu′: φ ∈ Γ for all u′ ∈ L_s;
(j) Su: R˘u′ ∈ Γ ⟹ Su′: Ru ∈ Γ.
A downward saturated branch Γ of L is said to be complete if Tu: φ ∈ Γ or Fu: φ ∈ Γ for
each sentence φ of L and each u ∈ L_s.


That downward saturated branches are satisfiable is the content of the next lemma. 
Here an intensional model is constructed using the method employed by Takahashi and 
Prawitz. 


LEMMA 28 (Hintikka Lemma). If Γ is a downward saturated branch in a language L
such that L_α ≠ ∅ for each basic type α then Γ is satisfied by an intensional model. If Γ
is complete, then Γ is satisfied by a normal countable intensional model.


Proof. Let Γ be a downward saturated branch in a language L as indicated. We will
find an intensional model satisfying Γ using the Takahashi-Prawitz construction. The
following induction on type complexity defines domains D_α as sets of pairs ⟨A, e⟩, where
A is a closed term of type α and e is called a possible extension of A.

(i) If α is basic let D_α = {⟨c, c⟩ | c ∈ L_α};

(ii) If α = ⟨α1...αn⟩ let ⟨A_α, e⟩ ∈ D_α iff A is closed, e ⊆ D_s × D_{α1} × ··· × D_{αn} and,
whenever ⟨B_1, e_1⟩ ∈ D_{α1}, ..., ⟨B_n, e_n⟩ ∈ D_{αn}
(a) If Tu: AB_1...B_n ∈ Γ then ⟨⟨u, u⟩, ⟨B_1, e_1⟩, ..., ⟨B_n, e_n⟩⟩ ∈ e;
(b) If Fu: AB_1...B_n ∈ Γ then ⟨⟨u, u⟩, ⟨B_1, e_1⟩, ..., ⟨B_n, e_n⟩⟩ ∉ e.
Each D_α is non-empty. For basic types α this follows from the requirement that L_α ≠ ∅;
for complex types ⟨α1...αn⟩ consider ⟨λx_{α1} ... λx_{αn}.⊥, ∅⟩. Since induction on term
complexity easily shows that terms have unique types, we also have that D_α ∩ D_β = ∅
if α ≠ β. Hence {D_α | α ∈ T} is a collection of domains. It is worth observing that each
D_α is a function if Γ is complete. In that case each D_α will be countable.

The set D = {D_α | α ∈ T} will be the collection of domains of the intensional model
we are after. We will define a function I which will turn out to be an intension function
for D. First some handy notation. If π is an ordered pair, write π¹ and π² for the first
and second elements of π respectively, so that π = ⟨π¹, π²⟩. If f is a function whose values
are ordered pairs, write f¹ and f² for the functions with the same domain as f, such
that f¹(z) = (f(z))¹ and f²(z) = (f(z))² for any argument z. Let a be an assignment
for D. The substitution ‘a is defined by ‘a (x) = a(x) and we let T! (a, A) = A‘@ for any 
term A. The second component of J is defined using an induction on term complexity. 
(a) I²(a, x) = a²(x), if x is a variable;

I²(a, c_α) = c, if α is basic;
I²(a, c_α) = {⟨⟨u, u⟩, ⟨A_1, e_1⟩, ..., ⟨A_n, e_n⟩⟩ | ⟨A_i, e_i⟩ ∈ D_{αi}
& Tu: cA_1...A_n ∈ Γ}, if α is complex;
(b) I²(a, AB) = {⟨w, d⃗⟩ | ⟨w, I(a, B), d⃗⟩ ∈ I²(a, A)};

(c) I²(a, λx_β.A) = {⟨w, d, d⃗⟩ | d ∈ D_β and ⟨w, d⃗⟩ ∈ I²(a[d/x], A)};

(d) I²(a, ⊥) = ∅;

(e) I²(a, φ → ψ) = D_s − (I²(a, φ) − I²(a, ψ));

(f) I²(a, ∀x_α φ) = ⋂_{d ∈ D_α} I²(a[d/x], φ);

(g) I²(a, ⟨R⟩φ) = {w | ∃w′ with ⟨w, w′⟩ ∈ I²(a, R) and w′ ∈ I²(a, φ)};


(h) I²(a, R˘) = {⟨w, w′⟩ | ⟨w′, w⟩ ∈ I²(a, R)}.

The definition obviously follows definition 17 save in its first clause. Note that well- 
definedness does not depend on the question whether I is an intension function for
D and L, and indeed the latter is not immediately obvious. We need to check the
requirements in definition 13. That I(a, x) = a(x) for any variable x is immediate and
that I(a, A) = I(a’, A) if a and a’ agree on the variables free in A follows by a standard 
property of substitutions and an easy induction. Suppose that B is free for x in A. Then 


I" (a, A{x := B}) = A{a := B}@ = AG [x := BG] = 
AG [x := I! (a, B)| = Aaļ|I (a, B)/x] = I'(a[I(a, B)/2], A) . 


That I²(a, A{x := B}) = I²(a[I(a, B)/x], A) follows by a straightforward induction on
the complexity of A which we leave to the reader. It follows that I(a, A{x := B}) =
I(a[I(a, B)/x], A) if B is free for x in A.

It remains to be shown that I(a, A) ∈ D_α for any assignment a and term A of type α.
This is done by induction on the complexity of A. That I(a, x_α) ∈ D_α if x is a variable
follows from the stipulation that I(a, x) = a(x) and that I(a, c_α) ∈ D_α if α is basic is
immediate. In the remaining cases the type of A is complex. Since it is easily seen by a
separate induction that I²(a, A_α) ⊆ D_s × D_{α1} × ··· × D_{αn} if α = ⟨α1...αn⟩, it suffices
to prove that, whenever α = ⟨α1...αn⟩, and ⟨B_1, e_1⟩ ∈ D_{α1}, ..., ⟨B_n, e_n⟩ ∈ D_{αn}

(a) If Tu: Aa B,...B, ET then ((u, u), (Bi, e1),...,(Bn,e€n)) € I?(a, A); 

(b) If Fu: Aa By... Bn ET then ((u,u),(Bi,e1),---,(Bn,en)) £ I7(a, A). 
We will consider some remaining cases of the induction, leaving others to the reader. IH 
will be short for ‘induction hypothesis’. 


e Ay = cand a= (a,...Qn,). The requirement follows from the definition of [?(a, c) 
and clause (i) of definition 27. 


e A= Begay...on)Ca- Suppose (B1, e1) € Das, ...,(Bn,en) € Do, From the induc- 
tion hypothesis it follows that I(a,C) = (C“a, I?(a,C)) € Dg. Hence 


Tu: (BC)@B,...By eT <=> 
Tu BaCaB,...B,¢T => (IH) 
((u,u), I(a,C), (Bi, e1),---,(Bn,en)) € P?(a,B) = (def. of I) 
((u, u), (Bi,e1),---, (Bn, en)) € I?(a, BC) 


This proves the (a) part of the case; the (b) part is similar. 
© A= (A®a,Clas...0n))- Again suppose d; = (Bj, ei) € Da,, and reason as follows.


Fu: (Az.C)@ B,...B, ET 
Fu: (Az.C'a [x := 2])B,...B, ET 


== 

=> def. 27, Bı is closed 
Fu: Ca [x := B,JBo...B, EL <> 

=> 

=> 


Fu: Cad, /x]Bz...Bn ET (IH) 
((u,u),dz,...,dn) ¢ I?(ald,/z], C) (def. of I?) 


((u, u), di, do,...,dn) ¢ I?(a, \x.C) 
This proves the (b) part, which is similar to the (a) part. 


e Ay =Vagy. Let d € Dg be arbitrary. Then d = (B,e) for some closed term B. In 
order to prove the (a) part of the statement we reason as follows. 


Tu: (Vay)a Er 4> 


Tu: Veya|z:=a])eT => def. 27 
Tu: yale := zr :=B}Eer <> 
p 
Tu: yald/x] Er = (IH) 


(u,u) € I*(ald/2], p) 
Since d was arbitrary, we conclude that (u, u) € I?(a,Vxy). The (b) part is similar. 
e The cases Ay) = 1, Ay =~ > y, Ay: = (R)y and A;,) = R“ are straightforward. 


This concludes the proof that I is an intension function for D and L. Now define
the function E by letting E(⟨A, e⟩) = e if ⟨A, e⟩ ∈ D_α for any complex α. Clearly,
E(I(a, A)) = I²(a, A) for any A, E is an extension function for D, and M = ⟨D, I, E⟩ is
an intensional model for the language L. It is easy to see that M satisfies Γ.

In order to prove the second part of the lemma, assume that Γ is complete. We have
already established that M is countable in that case, and proposition 26 gives a normal
countable intensional model satisfying Γ. □


We now come to the first step sketched in the introduction to this section. The notion 
of an unsatisfiability property (related to the abstract consistency properties of Smul- 
lyan [48] and Fitting [17]) is defined and it is shown that branches that do not have a 
‘sound’ unsatisfiability property can in fact be extended to a downward saturated branch 
and hence are satisfiable. The interest in the theorem comes from the fact that many 
interesting notions can in fact be related to sound unsatisfiability properties as we shall 
see below. 


DEFINITION 29. Let U be a set of branches in the language L. U is an unsatisfiability
property in L if, for each tableau rule Γ/Γ_1;...;Γ_n, {Γ_1, ..., Γ_n} ⊆ U implies Γ ∈ U.

An unsatisfiability property U in L is sound if no Γ ∈ U is satisfied by an intensional
model for L.


THEOREM 30 (Model Existence). Let L and C be languages such that each C_α is denu-
merably infinite and L ∩ C = ∅. Assume that U is a sound unsatisfiability property in
L ∪ C and that Γ is a branch in the language L. If Γ ∉ U then Γ is satisfied by a countable
normal intensional model.
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Proof. Let U and T be as described. We construct a downward saturated branch T* 
such that T CT*. Let 01,...,0n,... be an enumeration of all labeled sentences in LUC. 
Write #(0) for the index that the labeled sentence 0 obtains in this enumeration. Let 
To =T and define each [,,41 by distinguishing the following four cases. 


• Γ_{n+1} = Γ_n, if Γ_n ∪ {ϑ_n} ∈ U; 

• Γ_{n+1} = Γ_n ∪ {ϑ_n}, if Γ_n ∪ {ϑ_n} ∉ U and ϑ_n is not of the form Fu: ∀xφ or of the 
form Tu: ⟨R⟩φ; 

• Γ_{n+1} = Γ_n ∪ {ϑ_n, Fu: {x := c}φ}, where c is the first constant in C_α which does not 
occur in Γ_n ∪ {ϑ_n}, if Γ_n ∪ {ϑ_n} ∉ U and ϑ_n = Fu: ∀x_α φ; 

• Γ_{n+1} = Γ_n ∪ {ϑ_n, Tu: Ru′, Tu′: φ}, where u′ is the first constant in C_s which does 
not occur in Γ_n ∪ {ϑ_n}, if Γ_n ∪ {ϑ_n} ∉ U and ϑ_n = Tu: ⟨R⟩φ. 


This is well-defined since each Γ_n contains only a finite number of constants from C. 
That Γ_n ∉ U for each n follows by a simple induction which uses the definition of 
an unsatisfiability property and the fact that F∀ and T⟨·⟩ are tableau rules. Define 
Γ* = ⋃_n Γ_n. For all finite sets {ϑ_{k_1}, ..., ϑ_{k_n}} and all k > max{k_1, ..., k_n} 

(20) {ϑ_{k_1}, ..., ϑ_{k_n}} ⊆ Γ* ⟺ Γ_k ∪ {ϑ_{k_1}, ..., ϑ_{k_n}} ∉ U 

In order to show this, let k > max{k_1, ..., k_n} and let {ϑ_{k_1}, ..., ϑ_{k_n}} ⊆ Γ*. Then 
there is some ℓ such that {ϑ_{k_1}, ..., ϑ_{k_n}} ⊆ Γ_ℓ. Let m = max{k, ℓ}. We have that 
Γ_k ∪ {ϑ_{k_1}, ..., ϑ_{k_n}} ⊆ Γ_m. Since Γ_m ∉ U and U is closed under supersets (because 
of the weakening rule W), it follows that Γ_k ∪ {ϑ_{k_1}, ..., ϑ_{k_n}} ∉ U. For the reverse 
direction, suppose that Γ_k ∪ {ϑ_{k_1}, ..., ϑ_{k_n}} ∉ U. Then, since U is closed under supersets, 
Γ_{k_i} ∪ {ϑ_{k_i}} ∉ U, for each of the k_i. By the construction of Γ* each ϑ_{k_i} ∈ Γ* and 
{ϑ_{k_1}, ..., ϑ_{k_n}} ⊆ Γ*. 

Γ* is a downward saturated branch. The conditions (g) and (h) of definition 27 
immediately follow from the construction of Γ*. For checking the other conditions of 
definition 27 the equivalence in (20) can be used. Here we check condition (i), which 
may serve as an example for the other cases. Assume Fu: ⟨R⟩φ ∈ Γ* and let u′ be a 
constant of type s. Let k be the maximum of #(Fu: ⟨R⟩φ), #(Fu: Ru′), and #(Fu′: φ). 
Since, by (20), Γ_k ∪ {Fu: ⟨R⟩φ} ∉ U, it must be the case by definition 29 and the fact 
that F⟨·⟩ is a tableau rule that either Γ_k ∪ {Fu: Ru′} ∉ U or Γ_k ∪ {Fu′: φ} ∉ U. Using 
(20) again, we find that either Fu: Ru′ ∈ Γ* or Fu′: φ ∈ Γ*. 

We conclude that Γ* is satisfied by an intensional model M. In order to prove that 
there is a normal countable intensional model satisfying Γ* and hence Γ it suffices to show 
that Γ* is complete. Let φ be any sentence of ℒ ∪ C and assume that Tu: φ ∉ Γ* and 
Fu: φ ∉ Γ*. Then, by (20), Γ_k ∪ {Tu: φ} ∈ U and Γ_k ∪ {Fu: φ} ∈ U, for sufficiently large 
k. But M satisfies Γ_k and therefore must either satisfy Γ_k ∪ {Tu: φ} or Γ_k ∪ {Fu: φ}, 
contradicting the soundness of M. Thus Γ* is complete and some normal countable 
intensional model satisfies Γ* and Γ. □


We can now reap a harvest of corollaries by relating various notions to unsatisfiability 
properties. In the following Γ will always be a branch in some language ℒ while Δ ranges 
over branches in ℒ ∪ C, where ℒ and C are as in the formulation of Theorem 30. 


COROLLARY 31 (Generalized Compactness). If each finite Γ_0 ⊆ Γ is satisfiable then Γ 
is satisfiable. 

Proof. {Δ | some finite Δ_0 ⊆ Δ is unsatisfiable} is a sound unsatisfiability property. □


COROLLARY 32 (Generalized Löwenheim-Skolem). If Γ is satisfiable then Γ is 
satisfiable by a countable intensional model. 


Proof. {Δ | Δ is unsatisfiable} is a sound unsatisfiability property. □


COROLLARY 33 (Generalized Completeness). If Γ is unsatisfiable then Γ has a closed 
tableau. 


Proof. {Δ | Δ has a closed tableau} is a sound unsatisfiability property. □


COROLLARY 34 (Admissibility of Cut). If Γ ∪ {Tu: φ} and Γ ∪ {Fu: φ} have closed 
tableaus then Γ has a closed tableau. 


Proof. Use soundness and generalized completeness. □


7 CONCLUSION 


This chapter has looked at some of the motivations for combining modality with quan- 
tification and abstraction over objects of higher order. Montague’s logic IL was reviewed 
and was found to have some shortcomings: it is not Church-Rosser and it is not inten- 
sional in Whitehead and Russell’s original sense. An alternative higher order modal logic 
MTT was then introduced. MTT imports many ideas from the higher order logics in 
Fitting [19], but is based on a simpler notion of model. We have dubbed the generalized 
models on which MTT is based intensional models. As was shown above, the usual 
rules of α, β and η conversion can consistently be added to the logic in which case the 
logic sports the Church-Rosser property. 

The logic is also fully intensional (or “hyperintensional”) in the sense that co-entailing 
expressions need not be identical and we shall use the rest of this conclusion to discuss 
some points that arise in relation with this. Consider (21-24), where in each case a 
natural language sentence is accompanied by its MTT rendering. (Here fido, fritz and 
mary are constants of individual type e, in is a predicate of type ⟨e⟩, and know is a 
relation of type ⟨⟨⟩e⟩.) 


(21) a. Fritz is out if Fido is in 
     b. in fido → ¬(in fritz) 

(22) a. Fido is out if Fritz is in 
     b. in fritz → ¬(in fido) 

(23) a. Mary knows Fritz is out if Fido is in 
     b. know (in fido → ¬(in fritz)) mary 

(24) a. Mary knows Fido is out if Fritz is in 
     b. know (in fritz → ¬(in fido)) mary 

Simple tableaus will verify that (21b) and (22b) co-entail, as they should. But (23b) and 
(24b) do not co-entail: Note that {Tu: (23b), Fu: (24b)} is downward saturated and thus 
will have an intensional model refuting one direction of the entailment. 

It may be protested that there is at least one sense in which Mary knows that Fido is 
out if Fritz is in if she knows that Fritz is out if Fido is in: While she may have failed to 
derive the contraposed statement explicitly, there is still a sense in which she is implicitly 
committed to it. Such a notion of implicit knowledge is also available in MTT. Let K 
be a constant of type ⟨es⟩. K can be given the role of an epistemic alternative relation 
by adopting the following meaning postulate. 


(25) □∀x_e∀w_s(Kxw → ∀p_⟨⟩(know p x → ◇(w ∧ p))) 


This says effectively that a world w is an epistemic alternative for a person x if w is in 
the intersection of the extensions of all propositions that x explicitly knows to hold.⁸ A 
tableau will show that (25) entails (26). 


(26) ∀x_e∀p(know p x → [Kx]p) 


Thus it can be deduced that (27), where the modal operator [K mary] was used to 
model Mary’s implicit beliefs, follows from (23). In fact implicit beliefs are closed under 
consequence and hence co-entailment. 


(27) a. Mary implicitly knows Fido is out if Fritz is in 
     b. [K mary](in fritz → ¬(in fido)) 


The non-equivalence of (23b) and (24b) discussed above illustrates that MTT is in- 
tensional in Whitehead and Russell’s sense of the term. Relations, including zero-place 
relations, can be co-extensional without being identical. This means that linguistic ex- 
pressions that are assumed to denote relations are no longer predicted to be intersubsti- 
tutable if they have the same extension, not even if they have the same extension in all 
possible worlds. 

This is not unimportant since many expressions in natural language are undoubtedly 
relational and a nasty foundational problem will no longer be associated with them, but 
there seems to be a rest category of problems with expressions of basic type. Above we 
have treated proper names as having a basic type e, and this leads to the well-known 
Hesperus—Phosphorus, or Cicero—Tully, kind of problem. If Hesperus is translated as 
hesperus, Phosphorus as phosphorus, and the identity statement Hesperus is Phosphorus 
as hesperus = phosphorus, the consequence will be the false prediction that the two 
names can be substituted for one another in any context salva veritate. 

There are two reactions to this. One possible reaction is an adaptation of the logic. One 
could introduce some domain of individual concepts and allow many-one correspondences 
between individual concepts and individuals. Such a strategy is followed by Fox and 
Lappin [20] in a different set-up, but in our case it would lead to a complication of the 
logic, be it probably a mild one. 

The second reaction leaves the logic as is, but adapts the rendering of natural language 
expressions. If names can be treated as predicates in some way, the intension–extension 
distinction will come for free for them as well. In fact, the existing literature contains 
several proposals for treating names as based on predicates and not on individual 
constants. Russell’s description theory of names is an early example and Montague [38] 
offers another example by essentially treating names as being of the “raised” type ⟨⟨e⟩⟩, 
not simply of type e. In combination with a treatment of identity as co-extensionality (in 
all possible worlds) this would avoid the problems if our logic is used. A third proposal 
that in effect treats names as relations comes from the literature on plurality. Many 
authors on this subject, starting with Bartsch [5] and Bennett [6] (see Lønning [34] for 
an overview), have argued that both singular and plural individuals should in fact be 
treated as sets, with the semantic property of being a singleton corresponding to the 
grammatical notion of singularity. In the present set-up this effect can be obtained by 
redefining type e as a complex type ⟨0⟩, where 0 is a new basic type for abstract 
individuals. Type 0 objects will now correspond one-to-one with the extensions of those 
type e objects that have singleton extensions, i.e. to singular individuals, but there are 
many intensional models in which hesperus and phosphorus are co-extensional (with a 
singleton extension) in all worlds but are not identical. Let A_e ~ B_e be an abbreviation 
of □∀x_0(Ax ↔ Bx), i.e. let A ~ B express necessary co-extensionality, and assume that 
natural language is (the “is of identity”) in fact expresses ~. Then the argument in (28) 
will be rendered as (29) and will therefore be predicted to be invalid. 

⁸ Note that the present set-up distinguishes between propositions (the elements of D_⟨⟩) and sets of 
possible worlds. The extension of a proposition will be a set of worlds. Different propositions may 
determine the same extension. 


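(28) Hesperus is Phosphorus      Mary knows that Hesperus is Hesperus 
     ──────────────────────────────────────────────────────────────── 
     Mary knows that Hesperus is Phosphorus 


(29) hesperus ~ phosphorus      know (hesperus ~ hesperus) mary 
     ────────────────────────────────────────────────────────── 
     know (hesperus ~ phosphorus) mary 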


Again, the invalidity of the argument depends on the fact that Mary’s knowledge was 
taken to be Mary’s explicit knowledge. If implicit knowledge is taken, the argument will 
turn out to be valid, as the reader will have no difficulty to verify. 

We conclude that the logic MTT is truly intensional, as it will distinguish between 
the meaning of one relation and another necessarily co-extensive with it. This can be 
used to avoid many substitution problems in natural language semantics and other areas. 
If it is moreover accepted that proper names should in fact be treated as constants of 
complex type, they will also be treated hyperintensionally. For example, letting them be 
of type ⟨0⟩, a move which may be argued for on independent grounds having to do with 
the treatment of plurality, will make them start to act as naming individual concepts 
and substitution problems with them will be avoided. 
1 INTRODUCTION 


Time has always been with us, though few of us have enough of it. The nature of time 
itself is a conundrum that we nowadays leave to physicists. But we have always had to 
find our way through time, plan our activities, and cope with the uncertain future. This 
can be, indeed, has to be done without a deep scientific knowledge of what makes time 
tick. 


We use language and its rich tense structure to express and reason about events in 
time. This of course throws up linguistic and philosophical conundrums of its own. With 
the rise in the 20th century of formal logical languages, it became natural to try to express 
temporal concepts and arguments in formal terms, and so it was that Arthur Prior from 
the 1950s came to develop tense logics. These were modal logics, with box-modalities 
H and G for ‘always in the past’ and ‘always in the future’, motivated by tenses in 
natural language. The advent of Kripke semantics in the 1960s gave the enterprise a 
boost, because a Kripke frame is so naturally seen as a set of time points endowed with 
an ‘earlier-later’ relation. 

Temporal logic today is a large, busy subject with stakeholders from many disciplines. 
Philosophers and linguists have continued to make major contributions to it. Since 
Pnueli’s pioneering 1977 paper [147], several branches of computer science and related 
fields — such as databases, specification and verification, synthesis of programs, temporal 
planning, temporal knowledge representation — have had a huge influence, and the 
use of temporal logic in some of these areas has developed to the point of commercial 
application. There is even some contact with physics, but so far this has been limited. 

Temporal logic is in a way a branch of applied modal logic, but modal logicians may 
be disconcerted by what they find here. Temporal logic has always focused on handling 
time, it has developed whatever methods it found useful for this end, and not all of them 
are modal in a narrow sense. Connectives such as Until and Since, again mimicking the 
natural language constructs, go beyond boxes and diamonds and are of great importance 
in the subject. Indeed, completely general first-order-definable connectives are used 
as well. Bearing in mind the evaluation and reference points of natural language, it 
is natural that many-dimensional evaluation has long been of importance in temporal 
logic, whereas it only recently attracted great interest in modal logic proper. The focus 
in temporal logic is on a fairly narrow range of Kripke frames — nearly always irreflexive 
and transitive, and typically linear orders or trees, though relativistic and circular time 
are sometimes considered. The natural numbers are the dominant model of linear time, 
though dense and continuous and indeed arbitrary linear orders have found their way in 
(and in this chapter we are happy to consider them). Sometimes the pressures of time 
have led to a style of evaluation of formulas that seems non-modal at first sight (see 
Section 3.7). A very influential strand of work, started by Kamp in 1968, compares the 
expressive power of modal and first-order languages on the model (rather than frame) 
level. Rather than be content with limited but well-behaved modal expressiveness, the 
thrust of the work created temporal languages as strong as classical first-order logic 
and even monadic second-order logic. Perhaps because the proofs rely heavily on the 
assumption that time is linear or even natural number-like, not much similar research in 
modal logic has been done. Classical logic is not just a benchmark for the expressiveness 
of ‘real’ temporal logics: using first-order logic for handling time is itself a respectable 
tradition. In temporal logic there is an unusual (for modal logic) use of methods from 
classical mathematical logic and combinatorial techniques such as automata. Problems 
such as model-checking (considered in Chapter 17) are all-important in temporal logic 
but do not appear much in modal logic. 


Nonetheless, from Prior’s work onwards, modal ideas have been prominent in temporal 
logic. Its most basic syntax and Kripke semantics are (multi-)modal; one often comes 
across modal techniques such as canonicity and Sahlqvist’s theorem, filtration and non- 
standard inference rules; and problems of axiomatisation, decidability, and complexity 
are ubiquitous in modal and temporal logic. Sophisticated results on modal logics above 
K4 have been transferred to temporal logic. Chapters 2, 3, 4, 9, and 12 are very relevant 
to temporal logic. In Chapter 17, the reader will find a concentrated discussion of modal 
and temporal logic in computer science. In the current chapter, we will examine some 
topics in temporal logic that are considered both in computer science and in other fields. 
As we have not the space to provide a rigorous development from scratch, the chapter 
is intended more as a gateway to the subject. It is mostly a survey-style commentary 
on some important strands, with directions to the literature for those wishing to find 
out more. Our priority is range rather than depth, but we cannot be comprehensive. 
A chapter of definitions would be indigestible, so we have tried to include some of the 
arguments, but space limitations have meant that their level of detail veers wildly from 
a few words to (occasionally) something approaching a full proof. Readers may of course 
skip details if they so desire. 


We start out in Section 2 with a basic round-up of the semantic options for handling 
time. In Section 3 we cover some of the logics (syntax and evaluation) that can be used. 
Bearing in mind the remarks above, it will be no surprise that we do not confine ourselves 
to modal-style logics: first- and second-order logics, and others, find their way in, and 
our lack of consideration of mu-calculi is only because chapter 12 is devoted to them. 
In Section 4 we compare the expressivity of classical and modal-style logics. Kamp’s 
famous 1968 expressive completeness theorem makes its appearance here. In Section 5 
we discuss temporal reasoning, mainly avoiding automata (see Chapter 17 for them) but 
covering Hilbert systems, tableaux, resolution, filtration and the finite model property, 
and other methods. 


A word about first-order temporal logic. This is a complex issue. There is a con- 
fusing variety of ways to add first-order logic to a temporal system, and undecidability 
results obtained in the 1960s, accompanied by later expressive incompleteness results, 
also cast their shade over the development of this part of the subject. But at the time 
of writing, there is something of a resurgence of interest in it from the database and 
reasoning communities. We will discuss the rudiments of first-order temporal logic in 
Sections 2–3, and also some of the recent results on expressive 
completeness and decidability in Sections 4–5. Chapter 9 is also relevant of course. 


Temporal logic, then, is a branch of applied logic that brings to bear a gamut of pow- 
erful methods from many fields to study time and temporal phenomena. It is not wholly 
modal, but rests on a modal base — it is a meeting ground for concepts from modal logic, 
classical first-order logic, and higher-order logic. It has found very successful application 
in computing, and embodies seminal contributions from philosophy and linguistics as 
well. We hope our chapter, and other chapters here, will serve as a guide for the reader 
wishing to discover more about this intensely active field. 
2 STRUCTURES 


How can we model time? Clearly, such a question can generate much heated debate. 
Rather than make a futile attempt to settle it, we prefer to take a practical viewpoint, 
and simply offer the reader a number of options which have been studied in some depth 
and found useful. 

This section is devoted to setting up some of the standard models of time. They will 
be called structures. We will use them as semantics for the various logics of time to be 
discussed in the next section. For now, we have no specific logic syntax in mind. 

However, the future choice of syntax does have an effect here, because the structures 
we set up must be suitable for evaluating atomic formulas of the logics to come. So our 
treatment will divide into cases, according to the kind of evaluation we envisage. We will 
begin with the simplest case: models of time suitable for propositional temporal logics. 
This continues in Section 2.2 with cyclical models of time. In Section 2.3, we will consider 
some options for branching time. Section 2.4 will discuss structures supporting varying 
granularity of focus. Section 2.5 goes into the options when propositions depend on 
several time points; this leads naturally into Section 2.6, on temporal intervals. Finally, 
Section 2.7 considers the options for temporal logics beyond propositional. 


2.1 Structures for propositional temporal logic 


The simplest and most common form of temporal logic is propositional temporal logic. 
In it, time is viewed as simply a set of points. To facilitate making statements and 
reasoning about time, additional information is included in the model. We will start off 
with probably the simplest useful information, which is to state which time points are 
earlier than, or later than, which. To represent basic facts of interest, there are available 
a number of atomic propositions, or propositional variables (or as some say, propositional 
atoms). These are syntactic objects; they are usually written p, q, r, p_0, p_1, etc. Their 
truth values (true or false) are expected to be given by the model. These truth values 
will be time-dependent: so each atom will be either true or false at each time point, 
and the model will specify which. Logical machinery can be erected on top of the atoms 
in a variety of ways, to permit representation of and reasoning about more complex 
statements; this is the task of the next section. 

Thus, our models or structures will have three parts: a set of time points; information 
about which time points come before or after which (this much is called a flow of time); 
and information about which atoms are true at which time points (this much is called a 
temporal structure). 


Flows of time, and temporal structures 


DEFINITION 1. A flow of time is a pair (T,<), where T is a non-empty set, and < is 
an irreflexive and transitive binary relation on T. 


The idea is that T is the set of time points, and < is the earlier-later relation on T. 
For time points t, u ∈ T, t < u (or equally, u > t) will mean intuitively that t is earlier 
than u, and that u is later than t. This explains the requirements that < be irreflexive 
— no time point should be in the past or future of itself — and transitive — if t is earlier 
than u, and u earlier than v, then we expect t to be earlier than v. However, we will 
see a few circumstances (such as in Section 2.2) where it is appropriate to modify these 
requirements. 

We can define the notion of two flows of time being isomorphic, or one being a subflow 
of the other, in the usual way. We also define the time point relations >, ≤, and ≥ in 
terms of < in the usual way. 

Clearly, a flow of time (T,<) can be regarded as a (certain kind of) Kripke frame: 
the set of possible worlds is T, and the accessibility relation is <. This will later lead to 
modal-style logics for time. 

Modelling truth and falsity of the atoms is done in the usual way. We assume a fixed 
ambient set L of atoms. Let ℘(T) be the set of subsets of any given set T. 


DEFINITION 2. A temporal structure is a triple (T, <, h), where (T, <) is a flow of time, 
and h : L → ℘(T) is a map (called an ‘assignment’ or ‘valuation’). 


We regard an atom q as being true at a time t ∈ T if t ∈ h(q), and false at time t if 
t ∉ h(q). Some authors present valuations in the form g : T → ℘(L), g(t) being the 
set of atoms regarded as true at time t. The two methods obviously carry the same 
information. Clearly, a temporal structure can be regarded as a Kripke structure (see 
Chapter 1). 


Classes of flows of time. We will often be interested in various classes of flows of 
time. The class of all flows of time is one such. Another is the class of all linear flows of 
time: 

DEFINITION 3. A flow of time (T, <) is said to be linear if given any two distinct time 
points in it, one is before the other. That is, (T, <) ⊨ ∀xy(x = y ∨ x < y ∨ y < x). 


Linear flows have been very heavily studied, and various classes of linear flows will 
figure prominently in this chapter (though not to the exclusion of other kinds of flow). 
Here are some other interesting properties that a linear flow of time may have: 


DEFINITION 4. Let (T, <) be a linear flow of time. 

1. (T, <) is said to be discrete if for each t ∈ T, 

   (a) if there is any u ∈ T with u > t, then there is a first such u: one such that 
   there is no v ∈ T with t < v < u, and 

   (b) if there is any u ∈ T with u < t, then there is a last such u: one such that 
   there is no v ∈ T with u < v < t. 

2. (T, <) is said to be dense if for all t, u ∈ T, if t < u then there is v ∈ T with 
t < v < u. This is in some way the opposite of discrete. 

3. (T, <) is said to be Dedekind complete if any non-empty subset S ⊆ T that is 
bounded above — i.e., there is t ∈ T with t ≥ s for all s ∈ S — has a least upper 
bound in T: i.e., there is t ∈ T such that (i) t ≥ s for all s ∈ S, and (ii) there is 
no t′ < t with t′ ≥ s for all s ∈ S. Equivalently, any non-empty U ⊆ T that is 
bounded below has a greatest lower bound in T. (Any greatest lower bound of U 
is a least upper bound of {t ∈ T : t ≤ u for all u ∈ U}, and vice versa.) 

4. (T, <) is said to be continuous if it is dense and Dedekind complete. 

5. (T, <) is said to be separable if there is a countable subset D ⊆ T that is dense in 
T: for all t, u ∈ T with t < u, there is v ∈ D with t < v < u. (It follows that (T, <) 
is itself dense.) 


The corresponding classes of linear flows, such as the dense linear ones, the discrete 
linear ones, and the continuous linear ones, as well as others such as the class of all finite 
linear flows, will be important to us. We will later write ℒ for the class of all linear flows 
of time, and D for the class of all Dedekind-complete linear flows. 

Non-linear flows such as trees are also much used: 


DEFINITION 5. A flow of time (T, <) is said to be a tree if for all t ∈ T, the set 
{u ∈ T : u < t} is linearly ordered by <. A branch of a tree (T, <) is a maximal 
linearly-ordered subset of T. 


In a tree, the past of any time point is linear. However, its future may not be, so that 
many branches may pass through (i.e., contain) any given time point. Our models of 
‘branching time’ will be based on trees. 

There are also certain specific flows of time that are natural to consider, well studied, 
and useful in applications. We now list some of them, and make some comments. A 
general reference for information about linear orders is [171], in which the reader may 
find more details. 


1. The natural numbers, (N, <), where N = {0,1,2,...} and < is the usual order. 
This is the most commonly used flow of all. It occurs naturally in computing 
applications, where programs execute instructions at successive moments. Time 
is viewed as discrete (ticking, so that any non-final moment has a next moment), 
linear, and with a first moment but no last moment. Of course, these properties 
alone are insufficient to pin down N: for example, they are also true of the flow of 
time consisting of a copy of N followed by a copy of the integers, Z, and indeed, 
this flow is indistinguishable from (N, <) by any first-order sentence. One may 
characterise (N, <) up to isomorphism in a second-order way as the unique discrete 
Dedekind-complete linear flow with a first point and no last point. 


2. The integers, (Z, <), where Z = {..., −2, −1, 0, 1, 2, ...}, and < is the usual order. 
The discrete Dedekind-complete linear flows of time are precisely the ones that are 
isomorphic to sub-flows of (Z, <), and (Z, <) is up to isomorphism the unique one 
of these without endpoints. 


3. The rationals, (Q, <), where Q is the set of all rational numbers and < is the usual 
order. We can use this flow when we view time as dense; density may correspond 
more closely than discreteness to our natural intuition about time as we move 
through it. Density may also be useful in modelling distributed computing appli- 
cations, in which a program may find another acting in between its own execution 
steps. By Cantor’s theorem, (Q,<) is up to isomorphism the unique countable 
linear dense flow of time without endpoints. 


We may wish to impose a ‘real-world’ constraint on valuations into (Q, <). If atoms 
represent basic states of a system, we may decide that only finitely many changes 
in state may occur, either in any bounded interval, or at all. So we may restrict to 
temporal structures (Q, <, h) in which each atom may change its value only finitely 
often in any bounded interval, or at all. 
4. The reals, (R, <) where R is the set of all real numbers, and < is the usual ordering. 
Here we have not only density, but continuity and separability too. In fact, (R, <) 
is up to isomorphism the unique continuous separable linear flow of time without 
endpoints. The reals are one of the most interesting and expressive linear flows; 
most other common linear flows can be ‘encoded’ in them. 


Various restrictions on atoms can be considered in the context of (R, <). Bounded 
or finite variability is again a possibility. Another is to require that the values of 
assignments are ‘simple’ in some way. For example, we might restrict to temporal 
structures (R, <, h) with assignments h : L → ℘(R) such that for each q ∈ L, 
h(q) is F_σ (a countable union of closed sets), or Borel (in the countably complete 
Boolean subalgebra of (℘(R), ∪, \, ∅, R) generated by the closed sets). See [33] for 
applications of this idea to decidability of temporal logics over (R, <). 


5. The binary tree 𝒯 = (^{<ω}2, <). For ordinals α, β, we write ^β α for the set of all 
maps f : β → α. We write ^{<β}α for ⋃_{γ∈β} ^γ α. So ^{<ω}2 is the set of all maps 
from a natural number n into 2. (We treat natural numbers n as ordinals, so that 
n = {0, 1, ..., n − 1} and 2 = {0, 1}.) We can regard such a map as a sequence of 
0s and 1s of length n, so that ^{<ω}2 can be viewed as the set of all finite sequences 
of 0s and 1s. The ordering < on 𝒯 is that of proper initial segment: so t < u iff 
u is a proper extension of t. Clearly, 𝒯 is a tree. Each branch of 𝒯, ordered by 
the restriction of <, is isomorphic to (N, <); trees with this property will be called 
ω-trees. 


In this case, we may sometimes wish to restrict to assignments h : L → ℘(^{<ω}2) 
such that h(q) is finite for all q ∈ L. Topological restrictions can also be made: see, 
e.g., [85]. 


6. Relativistic temporal logic has been considered a little in the literature: see, e.g., 
[71] (reprinted in [73]) and [180]. For n > 2, we can define n-dimensional space-time 
T^n to be (R^n, ≤). Here, R^n is the set of all n-tuples of real numbers; the first n − 1 
coordinates are for space and the last is for time. We define (x_1, ..., x_n) ≤ (y_1, ..., y_n) 
if Σ_{i=1}^{n−1} (y_i − x_i)² ≤ (y_n − x_n)² and x_n ≤ y_n. This ordering is reflexive 
(so strictly, we are not dealing with a flow of time), and transitive (exercise). T⁴ 
is the traditional Minkowski space-time. 
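
Definitions 1, 2, 3 and 5 can be checked mechanically on finite flows. The following Python sketch is an added example, not part of the chapter: it builds the binary tree of item 5 cut off at a finite depth and tests it against those definitions. The truncation, the diamond-shaped counterexample and all function names are assumptions of the example.

```python
from itertools import product

def binary_tree(depth):
    """All 0/1 sequences of length <= depth (a finite truncation of the binary
    tree), with t < u iff t is a proper initial segment of u."""
    points = [seq for n in range(depth + 1) for seq in product((0, 1), repeat=n)]
    def lt(t, u):
        return len(t) < len(u) and u[:len(t)] == t
    return points, lt

def is_flow(points, lt):
    """Definition 1: T non-empty, < irreflexive and transitive."""
    irreflexive = all(not lt(t, t) for t in points)
    transitive = all(lt(t, v) for t in points for u in points for v in points
                     if lt(t, u) and lt(u, v))
    return bool(points) and irreflexive and transitive

def is_linear(points, lt):
    """Definition 3: any two distinct points are comparable."""
    return all(t == u or lt(t, u) or lt(u, t) for t in points for u in points)

def is_tree(points, lt):
    """Definition 5: the past {u : u < t} of every point t is linearly ordered."""
    return all(is_linear([u for u in points if lt(u, t)], lt) for t in points)

def branches(points, lt):
    """Maximal linearly ordered subsets of a finite tree: the past of each point
    that has no later point, together with that point, listed earliest first."""
    leaves = [t for t in points if not any(lt(t, u) for u in points)]
    def rank(u):
        return sum(1 for v in points if lt(v, u))
    return [sorted([u for u in points if lt(u, t)] + [t], key=rank) for t in leaves]

def h_to_g(points, h):
    """Turn a valuation h : L -> P(T) into the form g : T -> P(L)."""
    return {t: {q for q, true_at in h.items() if t in true_at} for t in points}

def g_to_h(atoms, g):
    """Turn g : T -> P(L) back into h : L -> P(T)."""
    return {q: {t for t, true_atoms in g.items() if q in true_atoms} for q in atoms}

# Constructed counterexample: a diamond a < b, c < d. It is a flow of time,
# but the past of d contains the incomparable points b and c, so it is no tree.
DIAMOND_POINTS = ["a", "b", "c", "d"]
_DIAMOND_PAIRS = {("a", "b"), ("a", "c"), ("b", "d"), ("c", "d"), ("a", "d")}
def diamond_lt(t, u):
    return (t, u) in _DIAMOND_PAIRS

if __name__ == "__main__":
    pts, lt = binary_tree(3)
    print("points:", len(pts))
    print("flow of time:", is_flow(pts, lt))
    print("linear:", is_linear(pts, lt))
    print("tree:", is_tree(pts, lt))
    print("branches:", len(branches(pts, lt)))
    print("diamond is a tree:", is_tree(DIAMOND_POINTS, diamond_lt))
    h = {"p": {(), (0,)}, "q": set()}           # constructed valuation
    print("round trip ok:", g_to_h(h.keys(), h_to_g(pts, h)) == h)
```

In the truncated tree every branch has depth + 1 points; in the full tree of item 5 each branch is instead isomorphic to (N, <), which no finite check can exhibit.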


2.2 Cycles 


We have defined flows of time to be transitive. One context in which this assumption 
seems unjustified is in the occasionally studied case of circular or cyclical time. Interest 
in this has stemmed from studies of general relativity [70] as well as from philosophical 
and religious motivations. The intuitive idea here is that there is a sequence, or locally 
linear arrangement of time which has its start temporally after its end time point. If 
we follow along the flow of time through such a structure we see the same arrangements 
of atoms repeated forever (and into the past as well as into the future). Obviously this 
behaviour can be mimicked by making restrictions on the valuations of atoms on an 
appropriate transitive linear flow of time so that the same pattern of truth values is 
repeated periodically. Cyclical time models, however, are instead based on a cyclical 
arrangement of time points. 

A moment’s thought makes it clear that it is not straightforward to make a mathematical
structure to model this idea. It is certainly inadequate to have a flow of time (T, <)
with a transitive relation <: each time point would be after every other time point as 
well as being after itself. 

Two solutions to this have been proposed. In [104] we see the idea of a model of time 
(T,¢) based on a ternary between-ness relation ¢. We say that y lies between x and 
z and put ¢(x,y,z) iff moving forwards in time from x to y does not pass through z. 
Appropriate conditions on ¢ are suggested in [104]. 

In [158] we see instead the usual binary < being used as an irreflexive, anti-symmetric 
and non-transitive relation with x < y meaning something like that y is a while after x 
but not so long after, not more than half way round the cycle of time. According to this 
approach we have the following definition. 


DEFINITION 6. A cyclical flow of time is (T,<) with < being a binary relation on the 
set T such that < satisfies the following axioms: 


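total order: $\forall x y\, [(x < y) \vee (x = y) \vee (y < x)]$

anti-symmetry: $\forall x y\, \neg[(x < y) \wedge (y < x)]$

future transitivity: $\forall x y z u\, [(x < y) \wedge (x < z) \wedge (x < u) \wedge (y < z) \wedge (z < u) \to (y < u)]$

past transitivity: $\forall x y z u\, [(y < x) \wedge (z < x) \wedge (u < x) \wedge (y < z) \wedge (z < u) \to (y < u)]$

non-transitivity: $\exists x y z\, [(x < y) \wedge (y < z) \wedge (z < x)]$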
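
The axioms of Definition 6 can be checked by brute force on small finite structures. The following is an added example, not part of the handbook: the "clock" relation on n points (x < y iff y is at most (n - 1) // 2 steps ahead of x) and all function names are assumptions made for illustration.

```python
from itertools import product


def clock_relation(n):
    """Constructed model: n points on a circle, x < y iff y lies between
    1 and (n - 1) // 2 steps ahead of x (not more than half way round)."""
    half = (n - 1) // 2
    return {(x, y) for x in range(n) for y in range(n)
            if 1 <= (y - x) % n <= half}


def check_axioms(points, lt):
    """Evaluate each axiom of Definition 6 on a finite (T, <) by brute force.
    Returns a dict mapping the axiom name to True or False."""
    T = list(points)

    def less(a, b):
        return (a, b) in lt

    return {
        "total order": all(
            less(x, y) or x == y or less(y, x)
            for x, y in product(T, repeat=2)),
        # Taking x == y here also forces irreflexivity.
        "anti-symmetry": all(
            not (less(x, y) and less(y, x))
            for x, y in product(T, repeat=2)),
        "future transitivity": all(
            less(y, u)
            for x, y, z, u in product(T, repeat=4)
            if less(x, y) and less(x, z) and less(x, u)
            and less(y, z) and less(z, u)),
        "past transitivity": all(
            less(y, u)
            for x, y, z, u in product(T, repeat=4)
            if less(y, x) and less(z, x) and less(u, x)
            and less(y, z) and less(z, u)),
        "non-transitivity": any(
            less(x, y) and less(y, z) and less(z, x)
            for x, y, z in product(T, repeat=3)),
    }


def failed_axioms(points, lt):
    """Sorted names of the axioms that fail on (points, lt)."""
    return sorted(name for name, ok in check_axioms(points, lt).items()
                  if not ok)


def is_cyclical_flow(points, lt):
    return not failed_axioms(points, lt)


if __name__ == "__main__":
    for n in (3, 5, 6, 7):
        print(n, failed_axioms(range(n), clock_relation(n)) or "all axioms hold")
    # An ordinary linear order satisfies everything except non-transitivity.
    linear = {(a, b) for a in range(4) for b in range(4) if a < b}
    print("linear", failed_axioms(range(4), linear))
```

With an even number of points, two diametrically opposite points are unrelated in either direction, so the total order axiom fails; an odd cycle satisfies all five axioms.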


2.3 Branching Time


The term Branching Time is sometimes used for general, i.e. transitive and irreflexive 
but not necessarily linear flows of time. 

However, there is a more specific use that is more common both in philosophical and 
in computing contexts. These are the flows of time (T, <) which are trees according to 
definition 5 above, i.e. in which < is linear towards the past. The branching towards 
the future is often used to capture the indeterminacy of the future: openness, choices 
and chances. The linearity of the past instead captures the fixed, (already) determined 
nature of that part of time. 

We shall use Branching Time in this latter sense, i.e. to refer to flows of time which 
are trees. We will see that there are branching time temporal logics in which formulas 
are evaluated at points (sometimes called nodes) on such tree structures. Branches are 
maximally linearly ordered subsets of the set of time points: see Definition 5. Note,
however, that the terms path, or history are sometimes used instead of ‘branch’ in the 
literature. Also, it is sometimes the case that a branch may be a linearly ordered set 
of points maximally towards the future but not necessarily towards the past, i.e. 1) b is
linear, 2) if x < y for all $x \in b$, then $y \in b$, and 3) for all x, y, z, if x < y < z and $x \in b$
and $z \in b$ then $y \in b$.

In Burgess’s [28], a more complex branching time temporal structure is suggested. 
Burgess notes that in some situations it is useful to pick out certain branches of a tree 
structure as being legitimate and to ignore others. For example, in a computing appli- 
cation some branches might exhibit a required fairness property in that certain atoms 
are true an infinite number of times along the branch, while other branches are unfair 
and thus may not be considered to be able to eventuate. In philosophical applications 
some branches may correspond to “intended” or “possible” branches while others may
be deemed impossible. As discussed in [165], there are also technical reasons to consider 
tree structures with a pre-identified set of branches. See also [218, 219]. 

In order to support such reasoning, certain temporal logics are defined on tree structures
with identified sets of branches. In order for all the points of the tree to be non-redundant
and to be able to play a role in the semantics of such logics, it is useful to
suppose that for each point there is one of the identified branches containing that point. 
We thus have the following definition. 


DEFINITION 7. We say that a set B of branches of a tree (T, <) is a bundle (on (T, <))
iff for all $x \in T$ there is $b \in B$ such that $x \in b$. If B is a bundle on tree (T, <) then we
say that (T, <, B) is a bundled tree (frame) and, if h is a valuation, then (T, <, B, h) is a
bundled structure.


Temporal logics can be defined on bundled tree structures. Of course, the bundle only 
comes into play in the semantics if the logic allows some sort of quantification over
branches. Bundled tree temporal logics will also be appropriate in the case that a bundle 
B in a bundled tree structure is the set B(T,<) of all branches of the tree (T,<). In 
that case we say that the bundle is complete. Bundled tree temporal logics can thus also 
be used on plain, not bundled tree structures: just use the complete bundle as a default. 

Major variations in branching time temporal logics on tree structures, plain or bundled, 
arise from differences in the locations of evaluation of formulas. If we consider truth to 
reside in points then we evaluate formulas at points (or worlds) in tree structures. An 
eminent tradition, however, requires that truth is evaluated at points on branches in 
structures, i.e. evaluation is at a ‘world’ = pair (time, history). We will investigate the 
differences more fully later when we consider the syntax and semantics of temporal logics 
which utilise them. 

This choice of location of evaluation does, however, give rise to an important but subtle 
difference in structures. Those structures which use time-branch pairs for evaluation of 
formulas may also permit valuations of atoms to be sensitive to branch. Thus the atom 
p may evaluate to “true” on branch b at point x but evaluate to “false” on branch b′ at
point x.


DEFINITION 8. Suppose that (T, <) is a tree.
A map $h : L \to \wp(T)$ is called a local assignment.
A map $h : L \to \wp\{(b, x) \mid x \in b \in B(T, <)\}$ is called a non-local assignment.


We use similar definitions for the case of bundled structures. 

Local versus non-local assignments were first distinguished by Prior in [150]. In [218], 
they are discussed in terms of atoms containing (or not) a trace of “futurity”. Should the 
truth of an atom at a time, now say, be dependent on which of the many possible futures 
actually comes about after now? Structures with a non-local assignment to atoms allow 
atoms to contain this trace of futurity. An example of Stefan Wölfl (quoted in [219]) is
the seemingly atomic statement “the King is dying”, the truth of which actually depends 
on the branch of evaluation. 

The evaluation of atoms and/or more general formulas at time-branch pairs suggests 
an alternative model of time which allows us to keep the more traditional modal logic 
approach of evaluating formulas at worlds. We can arrange the time-branch pairs in a 
two-dimensional structure. Such an arrangement was suggested by Kamp and recorded 
in [189]. 

Figure 1. A Kamp Frame


DEFINITION 9. A Kamp frame is a triple $(K, <, \approx)$, where:
1) K is the set of points;
2) < is a union of linear orders on K
i.e., $\forall x y z\, (x < y \wedge y < z \to x < z)$,
$\forall x y\, \neg(x < y \wedge y < x)$,
$\forall x y z\, ((x < y \wedge x < z) \to (y < z \vee y = z \vee z < y))$
and $\forall x y z\, ((y < x \wedge z < x) \to (y < z \vee y = z \vee z < y))$;
3) $\approx$ is an equivalence relation such that for all $x, y \in K$:
if $x \approx y$ then we do not have x < y,
if $x \approx y$ and u < x then there is v < y such that $u \approx v$, and
if $x \approx y$ and for all u > x there is v > y with $u \approx v$ then x = y.


A Kamp-structure is a Kamp Frame with a valuation of the atoms which agrees across
$\approx$. Corresponding to each Kamp-structure is a bundled structure: see Figures 1 and 2.
The < relation relates worlds (i.e. time-branch pairs) on the same branch while the $\approx$
relation relates worlds which represent the same time point possibly paired with different
branches. See [165] for details.

The special case of $\omega$-trees, i.e. those in which each branch is isomorphic to the natural
numbers, is of particular interest in computing. These structures arise as representations 
of the possible runs starting from a fixed state through a transition system. Let us be 
more precise. 


DEFINITION 10. A total frame is a pair (S, R), where:
S is the non-empty set of states
R is a total binary relation $\subseteq S \times S$
(i.e. for every $s \in S$, there is some $t \in S$ such that $(s, t) \in R$)

Figure 2. The corresponding tree


DEFINITION 11. A transition system is a triple M = (S, R, g) where: 
(S, R) is a total frame, 
$g : S \to \wp(L)$ is a labelling of the states with sets of atoms.


A fullpath (or branch or run) in M (or in (S, R)) is an infinite sequence $s_0, s_1, s_2, \ldots$
of states of M such that for each i, $(s_i, s_{i+1}) \in R$. For the fullpath $b = s_0, s_1, s_2, \ldots$, and
any $i \ge 0$, we write $b_i$ for the state $s_i$, $b_{\le i}$ for the prefix sequence $s_0, s_1, \ldots, s_i$ and $b_{\ge i}$
for the fullpath $s_i, s_{i+1}, s_{i+2}, \ldots$.

The set of all prefixes of fullpaths of a transition system M with a fixed initial state
naturally forms a tree: we put $s_0, s_1, \ldots, s_i < r_0, r_1, \ldots, r_j$ iff $i < j$ and for all $k \le i$,
$s_k = r_k$. The branches of this tree, sometimes called the unwrapping of the transition
system, correspond exactly to the fullpaths themselves.

We can easily put an assignment to the atoms on the unwrapping of a transition
system. Put $h(p) = \{b_{\le i} \mid p \in g(b_i)\}$.
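
The unwrapping and its assignment can be computed level by level for a finite transition system. The following is an added example, not part of the handbook: the three-state system (a constructed session model with states out, in, locked), the depth bound and all function names are assumptions made for illustration.

```python
def unwrap(R, g, s0, depth):
    """Return all prefixes s0, ..., si (i <= depth) of fullpaths starting in
    s0, as tuples of states. Because R is total, every finite R-path from s0
    extends to a fullpath, so these are exactly the tree nodes up to depth."""
    states = sorted(g)
    for s in states:  # Definition 10 requires R to be total
        if not any((s, t) in R for t in states):
            raise ValueError(f"state {s!r} has no successor: R is not total")
    level = [(s0,)]
    nodes = list(level)
    for _ in range(depth):
        level = [p + (t,) for p in level for t in states if (p[-1], t) in R]
        nodes.extend(level)
    return nodes


def precedes(p, q):
    """p < q iff p is a proper initial segment of q."""
    return len(p) < len(q) and q[:len(p)] == p


def assignment(nodes, g):
    """h(p) = { b_<=i | p in g(b_i) }: an atom holds at a prefix exactly when
    the last state of the prefix is labelled with it."""
    atoms = set().union(*g.values())
    return {a: {n for n in nodes if a in g[n[-1]]} for a in atoms}


def linear_to_past(nodes):
    """Tree condition: the predecessors of every node are linearly ordered."""
    for n in nodes:
        preds = [m for m in nodes if precedes(m, n)]
        for a in preds:
            for b in preds:
                if not (a == b or precedes(a, b) or precedes(b, a)):
                    return False
    return True


def children(nodes, p):
    """Immediate successors of the node p in the unwrapping."""
    return [q for q in nodes if len(q) == len(p) + 1 and precedes(p, q)]


# Constructed sample system: a session that can log in, log out, or lock.
SAMPLE_R = {("out", "out"), ("out", "in"), ("in", "out"),
            ("in", "locked"), ("locked", "locked")}
SAMPLE_G = {"out": set(), "in": {"auth"}, "locked": {"alarm"}}

if __name__ == "__main__":
    nodes = unwrap(SAMPLE_R, SAMPLE_G, "out", 3)
    h = assignment(nodes, SAMPLE_G)
    print(len(nodes), "nodes; linear to the past:", linear_to_past(nodes))
    for atom in sorted(h):
        print(atom, sorted(h[atom]))
```

The single state `in` appears as four distinct nodes of the tree at depth 3, one per history leading to it, which is what lets formulas evaluated on the unwrapping distinguish histories.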

For a deeper survey of the range of models used for branching-time semantics, the 
reader is referred to [218, 219]. Alternating time generalises branching time in some 
ways, and was considered in [9, 78]. 


2.4 Granularity 


For certain applications of temporal reasoning it is important to allow formulas which 
refer to behaviour occurring across a combination of different layers of time measure- 
ments. For example, we might want to say that a property holds during the last week of 
every month, thus supposing that time is divided somehow into weeks as well as somehow 
into months. This multi-layered multi-grained aspect of temporal experience is known as 
granularity and several formal structures have been suggested and investigated in order 
to represent this. One basic suggestion is to use trees in which each particular height 
of nodes represents a given granularity: a node at that height corresponds to a one unit 
period of time at that granularity, the nodes at that height are ordered by the earlier- 
later relation and the children nodes in the tree represent the periods of time at the next 
finest granularity which comprise that period. For example, a node representing a week 
may have 7 children representing its days. 
For more on granularity, we refer the reader to references such as [55], [137], [17]. 


2.5 Many-dimensional Evaluation


Some temporal expressions may involve what seems to be two or more dimensions of 
time. Examples here include formalizations of natural language expressions which rely 
on multiple points of evaluation (for example see [155, 113]), properties which hold over 
intervals of time and circumstances where time is being used in several different ways. In 
such examples there may be a fundamental choice of how to construct a formal temporal 
model to capture the situation. We might be able to use a standard linear one-dimensional 
flow of time as defined above, but on which the truth of expressions is evaluated at pairs
(or tuples) of time points: we discuss this approach briefly when we consider syntax and 
evaluation in the next section. 

The alternative approach is to model the situation using structures which them- 
selves have a multi-dimensional aspect. We have already considered branching structures 
which may be regarded, especially in their Kamp-frame incarnation, as two-dimensional. 
Shortly we will look at interval structures and these are sometimes built from two di- 
mensions of time. 

Another important example is in reasoning about databases and database management 
systems, particularly regarding temporal databases which need to record some timing or 
date information. In temporal database work, a distinction is sometimes made between 
valid time, that is the date-time when an event or state holds in the world, and transaction 
time, that is when a fact or property is recorded in the database. In reasoning about 
the correctness of a database system it may be important to have explicit descriptions 
about relationships between valid and transaction times of various events. See [188], [49] 
for example. To provide formal semantics for such reasoning, it is useful to consider 
structures which are a Cartesian product of a flow of valid time and a flow of transaction
time. 


2.6 Intervals 


As we will see below, it is possible to reason about linear structures, such as those we 
have met above, by considering descriptions of the behaviour of atoms across intervals of 
time. This reasoning is about point-based temporal structures: the atoms are evaluated 
at points. From these atoms, more complicated expressions can be built which need to 
be evaluated on intervals of time. 

An alternative approach to interval temporal logics is to evaluate propositional atoms 
on intervals of time. There are natural language motivations for doing this: for example, 
it is natural to explain the semantics of the proposition “I climbed Everest” with reference 
to an interval of time. Intervals of time can be posited as the basic ontological entities. 
An interval temporal structure could be a set of intervals from a linear structure along 
with an evaluation for the atoms on the intervals. 

In general, an interval could be defined to be any convex set of points from a linear 
structure: i.e. I is an interval of (T, <) iff for all x < y from I, for all z from T, if
x < z < y then $z \in I$. Different structures can arise from the choice of (T, <) (e.g., the
integers, or the reals) or by only looking at some subset of the set of all intervals, for 
example the set of closed intervals of the reals. 

Allen identified 13 basic relations that may hold between intervals. One interval may 
precede another with a gap in between, or it may just end where the second one starts, 
etc. See [6] for details. An algebra can be defined to capture the relationships between
these relations. 

The approach of taking intervals as primitive objects has also received much attention 
[192, 87, 196]. A structure is then typically a set I of abstract objects thought of as 
‘intervals’, together with some relations on them, perhaps motivated by some of Allen’s 
13 relations, and an assignment of atoms to sets of intervals, just as in the point-based 
approach we assign atoms to sets of time points. For example, van Benthem in [192] 
takes as primitive relations ‘$i < j$’ and ‘$i \sqsubseteq j$’, and their converses. The intuition is that
$i < j$ means that every point in i is earlier than every point in j, and $i \sqsubseteq j$ means that all
points in i are in j; but these meanings are only analogies, since i, j are not necessarily
intervals but only abstractions of intervals. The ‘interval structures’ then have the form
$(I, <, >, \sqsubseteq, \sqsupseteq, h)$ where $h : L \to \wp(I)$. The elements of I are not necessarily sets of time
points, and the interval structure may not even be isomorphic to a set of intervals arising 
from time points, with relations induced from the point structure. However, it may 
be of interest to characterise when there is such an isomorphism or to consider similar 
representation results [119, 7, 196, 31, 20, 76]. 


2.7 Combining temporal logic with other logics 


So far in this section, we have been presenting structures that will serve as semantics for 
propositional logics of time. They have had the form (M,h), where M consists of a set 
of objects — points, intervals, etc., — representing time, with additional structure such 
as an earlier-later relation, and h assigns truth values to atoms at time objects in M. 
Thus, we envisage that the atomic formulas of the associated logics (to be developed in 
the next section) will be essentially atoms. 

We now wish to examine how to handle more complicated atomic formulas. Their 
meaning will not simply depend on a time object, but also on extra, typically non- 
temporal, information. Since the non-temporal domain will typically have its own asso- 
ciated logic, we are in the area of combining logics, or many-dimensional logics, to be 
discussed in detail in Chapter 15. See also [131]. There are applications in computing, 
philosophy, linguistics, etc., in which these more expressive logics can be useful; they 
also present intriguing mathematical problems that have been more and more actively 
studied in the last few years. 

Here, we discuss three kinds of structure that offer semantics for combinations of 
temporal logic with other logics. 


1. Epistemic temporal logic (see Chapter 18 and [88]) combines temporal logic with a 
logic of knowledge. To model knowledge, we can use a Kripke frame (W, R). W is 
the set of possible worlds, and each $w \in W$ is regarded as a state of knowledge. The
accessibility relation R is set up to reflect the meaning of $\Box A$ as ‘A is known’. To
model temporally-dependent knowledge, we can use structures that have the form
(T, <, W, R, h), where (T, <) is a flow of time, (W, R) is a Kripke frame suitable
for representing knowledge, and $h : L \to \wp(T \times W)$ is an assignment: a pair
$(t, w) \in h(q)$ is one in which q is regarded as true at time t in state w. Both
temporal and epistemic operators can be given meaning in such structures. 


2. This approach can be taken further, by adding in a similar way a temporal dimen- 
sion to an arbitrary Kripke frame. For example, if we use an S5 frame on which 
the accessibility relation is global, we obtain essentially parallel identical flows of
time, indexed by the worlds of the frame. If we use an equivalence relation that is 
refined as we move through time, so that any two points equivalent at time t were 
also equivalent at all earlier times than t, we obtain a special kind of Kamp frame, 
as in definition 9. If we use another flow of time (or another copy of the same flow) 
then we obtain a structure suitable for two-dimensional temporal logic as described 
above. 


3. One of the most interesting combinations is of temporal logic with classical first- 
order logic, to obtain first-order temporal logic. There are very many options over 
exactly how to do it: see Chapter 9 and also Garson’s excellent survey [68] on first- 
order modal logic. We confine ourselves here to discussing a single, fairly powerful 
option, summarised as constant domains, rigid constants, and flexible functions 
and predicates. 


The atomic formulas of our logic will be classical atomic first-order formulas. So 
we fix a signature (or similarity type, or vocabulary) L, consisting of relation 
symbols, function symbols, and constants (in many treatments, function symbols
and even constants are omitted). A temporal structure will have the form
$M = (T, <, D, (M_t : t \in T))$, where (T, <) is a flow of time, D is a non-empty
set (the domain of M), and for each $t \in T$, $M_t$ is an L-structure with domain
D (so the domain is constant over time). Let us write the interpretation in $M_t$
of a symbol $s \in L$ as $s^{M_t}$. We require that $c^{M_t} = c^{M_u}$ for each constant $c \in L$
and all $t, u \in T$ (so constants are ‘rigid’, their meanings not varying over time).
There are no restrictions on the interpretations of relation and function symbols; 
these may vary over time, so are called ‘flexible’. For some purposes, for example 
in databases, we may wish to restrict consideration to models with finite domains. 


3 TEMPORAL LOGICAL SYSTEMS 


In the preceding section, we set out a variety of temporal structures. Now we have to set 
up some logical syntax for expressing properties of them. There are many choices here. 
The most basic choice is whether to adopt an external or internal perspective. Some 
logical systems, such as first-order logic, make statements about a temporal structure 
‘from the outside’: sentences of these logics are evaluated relative to an entire temporal 
structure. They are natural for making statements involving ‘before’ or ‘after’. There 
are other, more modal-style systems in which formulas are evaluated ‘internally’: e.g., 
at individual time points. They are more natural for expressing tense constructions like 
‘tomorrow’, ‘used to be’, and so on. There is an extensive philosophical literature on this 
point (see, e.g., [149, 150, 151]). The distinction between the two approaches is somewhat 
artificial, in that each can simulate the other to some extent. But the choice of whether 
to use first-order logic or extensions of it, or to adopt a more modal-style logic, is still a 
major decision point. 

Modal-style logics of time — commonly referred to as temporal logics — have received 
much attention. Several kinds of temporal logic are available, of varying expressivity, 
so one may hope to choose the best logic for the problem in hand. Temporal logics are 
well understood, and compared with first-order-based systems, they are arguably closer to 
natural language, and reasoning with them is generally computationally simpler. Various
computer implementations of temporal logics exist and have been very successful. 

But in fact, it pays to take both the internal and external approaches seriously. There 
is no real reason not to: each is a legitimate way to handle time. Some situations lend 
themselves to one, some to the other. A key point is that the availability of both kinds 
of system allows us to compare them — for example, in expressive power. Roughly, 
though in some situations they are equally expressive, in general we find that the first- 
order approach is stronger and more succinct, and this is another reason to consider 
it. Though the computational complexity of first-order systems is usually higher than 
for modal-style ones, still there exist powerful computer theorem-provers for first-order 
logic. First-order logic and its extensions can serve as a benchmark for expressivity of 
modal-style temporal logics. Moreover, results in first-order logic can be transferred to 
temporal logic, and potentially vice versa. 

We begin this section by exploring some first-order-based systems for time. After- 
wards, we set out some ‘modal-style’ temporal logics. Then we consider extensions of 
basic temporal logic with various second-order operations. Finally, we examine some 
logical syntaxes with operations specific to branching time. 


3.1 First-order logic 


Consider temporal structures of the form M = (T, <, h), where (T, <) is a flow of time
and $h : L \to \wp(T)$ is an assignment, L being the underlying set of atoms. The natural
first-order logic appropriate for such structures has signature


$L^* = \{<\} \cup \{Q : q \in L\}$,


where < is a binary relation symbol, and for each atom $q \in L$, Q is a unary relation
symbol. We may regard M naturally as an $L^*$-structure $M^*$, defined as follows. The
domain of $M^*$ is T. ‘<’ is interpreted as the given earlier-later relation < on T. Finally,
for each relation symbol Q ($q \in L$), we set $M^* \models Q(t)$ iff $t \in h(q)$, for all $t \in T$.
We may now write whatever first-order $L^*$-formulas we wish, and evaluate them in $M^*$.
For example, $\forall x \exists y\, (y > x)$ is true in $M^*$ just when the flow of time (T, <) has no last
moment. If the flow of time is $(\mathbb{N}, <)$, we can express that an atom q is true infinitely
often, by $\forall x \exists y\, (y > x \wedge Q(y))$.


3.2 Monadic second-order logic 


Second-order formulas can also be useful. Monadic second-order logic has a prominent 
role in the logic of time, as we shall see. In this logic, we can quantify over both individual 
time points and sets of time points (i.e., unary relations on time), but not over binary and 
higher-order relations. The syntax of monadic second-order logic is as follows. We have a 
set $V_1$ of first-order variables, which will be written x, y, ..., and a set $V_2$ of second-order
variables, written X, Y, .... Both these sets are generally taken to be countably infinite.
The atomic formulas of our system are x = y, x < y, Q(x) for each $q \in L$, and X(x);
and if $\varphi, \psi$ are monadic second-order formulas, then so are $\neg\varphi$, $\varphi \wedge \psi$, $\exists x \varphi$, and $\exists X \varphi$
— all for each $x, y \in V_1$ and $X \in V_2$. Evaluation of formulas takes place in a temporal
structure M = (T, <, h) with respect to assignments $\nu_1 : V_1 \to T$ and $\nu_2 : V_2 \to \wp(T)$.
We define $M, \nu_1, \nu_2 \models \varphi$ by induction on $\varphi$:

• $M, \nu_1, \nu_2 \models x = y$ iff $\nu_1(x) = \nu_1(y)$,

• $M, \nu_1, \nu_2 \models x < y$ iff $\nu_1(x) < \nu_1(y)$,

• $M, \nu_1, \nu_2 \models Q(x)$ iff $\nu_1(x) \in h(q)$,

• $M, \nu_1, \nu_2 \models X(x)$ iff $\nu_1(x) \in \nu_2(X)$,

• $M, \nu_1, \nu_2 \models \neg\varphi$ iff $M, \nu_1, \nu_2 \not\models \varphi$,

• $M, \nu_1, \nu_2 \models \varphi \wedge \psi$ iff $M, \nu_1, \nu_2 \models \varphi$ and $M, \nu_1, \nu_2 \models \psi$,

• $M, \nu_1, \nu_2 \models \exists x \varphi$ iff $M, \nu_1', \nu_2 \models \varphi$ for some $\nu_1' : V_1 \to T$ with $\nu_1'(y) = \nu_1(y)$ for all
$y \in V_1 \setminus \{x\}$,

• $M, \nu_1, \nu_2 \models \exists X \varphi$ iff $M, \nu_1, \nu_2' \models \varphi$ for some $\nu_2' : V_2 \to \wp(T)$ with $\nu_2'(Y) = \nu_2(Y)$
for all $Y \in V_2 \setminus \{X\}$.


This is a very expressive logic. For example, over the natural numbers (N, <), we can 
express that an atom q, represented by the unary relation symbol Q as usual, is true only 
at even numbers: 


$\exists X\, (X(0) \wedge \forall x y\, [x < y \wedge \neg\exists z\, (x < z < y) \to (X(x) \leftrightarrow \neg X(y))] \wedge \forall x\, (Q(x) \to X(x)))$.


This cannot be expressed in first-order logic. 


3.3 Temporalised first-order logic 


When we are dealing with a combination of time with first-order logic, a two-sorted first- 
order approach can be used. Recall from Section 2.7 that in this setting, L is an ordinary 
first-order signature, and structures have the form $M = (T, <, D, (M_t : t \in T))$, where
(T, <) is a flow of time and each $M_t$ ($t \in T$) is an L-structure with domain D. Constants
are interpreted rigidly (each constant has the same interpretation in each $M_t$).

To handle this in two-sorted first-order logic, we use sorts d, t (standing for ‘domain’ 
and ‘time’, respectively). We introduce an (n + 1)-ary relation symbol $R^*$ of sort $t \times d^n$,
for each n-ary relation symbol $R \in L$. (The notation $t \times d^n$ means that the first argument
of R* is of sort t and the last n arguments are of sort d.) That is, we make our relation 
symbols time-dependent. The same process is undertaken for function symbols in L. 
Each constant symbol of L is rigid in M, so we simply make a copy of it, of sort d. We 
let L* be a new signature consisting of all these symbols. L* also has a binary relation 
symbol < of sort t x t. 

We now define a two-sorted $L^*$-structure $M^*$ from M. The domain of $M^*$ is the
disjoint union of two sets, D (sort d) and T (sort t). For n-ary $R \in L$, $a_1, \ldots, a_n \in D$,
and $t \in T$, we define $M^* \models R^*(t, a_1, \ldots, a_n)$ iff $M_t \models R(a_1, \ldots, a_n)$. For an n-ary
function symbol $f \in L$, $a_1, \ldots, a_n, b \in D$, and $t \in T$, we let $M^* \models f^*(t, a_1, \ldots, a_n) = b$
iff $M_t \models f(a_1, \ldots, a_n) = b$. We let $c^{M^*} = c^{M_t} \in D$, for each constant $c \in L$ and any
$t \in T$; this is well-defined since constants are rigid in M. And < is interpreted in $M^*$ as
the earlier-later relation < from (T, <). Now we can readily write two-sorted $L^*$-formulas
to describe the original M, via $M^*$. For example, if L contains unary relation symbols
dog and day to pick out the dogs and days in an L-structure M, then the $L^*$-sentence
$\forall t, x\, (\mathrm{dog}^*(t, x) \to \exists t\, \mathrm{day}^*(t, x))$ is true in $M^*$ just in case every dog has his day.


3.4 Temporal Logics


Let us now examine the ‘modal-style’ temporal logics. 

The simplest is just the propositional modal logic K4 which has a modal diamond $\Diamond$
added recursively to the formulas of classical propositional logic. The formulas are just
then $p \in L$, $\neg\alpha$, $\alpha \wedge \beta$, and $\Diamond\alpha$ where $\alpha$ and $\beta$ are themselves formulas. The logic can
be presented in a semantic way by evaluating these formulas on structures (T, <, h) in
which (T, <) is a transitive irreflexive flow of time.

To be absolutely clear in this first case we present the full semantics. Formulas are
evaluated at points of time $t \in T$ in such structures $\mathcal{T} = (T, <, h)$. We write $\mathcal{T}, t \models \alpha$
to represent $\alpha$ being true at time point t in the structure. This is defined formally
recursively as follows:

$\mathcal{T}, t \models p$ iff $t \in h(p)$,
$\mathcal{T}, t \models \neg\alpha$ iff $\mathcal{T}, t \not\models \alpha$,
$\mathcal{T}, t \models \alpha \wedge \beta$ iff $\mathcal{T}, t \models \alpha$ and $\mathcal{T}, t \models \beta$,
$\mathcal{T}, t \models \Diamond\alpha$ iff there exists $s \in T$ such that t < s and $\mathcal{T}, s \models \alpha$.

K4 is a traditional modal logic. The simplest seriously temporal logic incorporates 
a modal diamond directed towards the past as well as one directed towards the future. 
This is one of the temporal logics invented by the “father” of temporal logic, Arthur 
Prior. In order to present this clearly we switch to his original notation of using F for 
the future diamond and P for the past diamond. The syntax is obtained by adding both 
the following two clauses to the standard ones for classical propositional logic: if $\alpha$ is a
formula of the logic then so are $F\alpha$ and $P\alpha$. The logic can be given semantics on any
temporal structure. The additional semantic clauses are:

$\mathcal{T}, t \models F\alpha$ iff there exists $s \in T$ such that t < s and $\mathcal{T}, s \models \alpha$ (as above in K4)
$\mathcal{T}, t \models P\alpha$ iff there exists $s \in T$ such that s < t and $\mathcal{T}, s \models \alpha$

The dual, modal box, versions of F and P are traditionally known as G and H. $G\alpha$
is true at a time point in a structure if and only if $\alpha$ is going to be true at all points in
the future of that point. G can be introduced as a temporal connective in its own right,
like F or P, or it can be just regarded as an abbreviation: $G\alpha \equiv \neg F \neg\alpha$. Likewise for H,
“has always been true”.

Temporal languages with some combination of these connectives F, P, G and H 
can be given semantics over the class of all temporal structures (i.e. flows of time with 
assignments to the atoms). Equally, they can be given semantics on smaller classes of 
structures, even on the set of structures with a given fixed flow of time. Making such 
restrictions generally gives rise to different temporal logics in the sense of the set of valid 
formulas of the logic. Take Prior’s propositional language with F and P. The formula 
$Fp \wedge Fq \to (F(p \wedge Fq) \vee F(q \wedge Fp) \vee F(p \wedge q))$ is not valid: there are structures in
which there are points at which this formula is false. If however, we restrict attention to 
structures over linear flows of time then this formula is valid. We discuss validity and 
related issues in a later section. 
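
The contrast between branching and linear flows for this formula can be checked mechanically on small finite structures. The following is an added example, not part of the handbook: the tuple encoding of formulas, the two three-point frames and all function names are assumptions made for illustration.

```python
from itertools import chain, combinations, product


def holds(T, lt, h, t, f):
    """Truth of formula f at point t of the structure (T, lt, h), following
    the semantic clauses for atoms, Booleans, F and P given above."""
    op = f[0]
    if op == "atom":
        return t in h.get(f[1], set())
    if op == "not":
        return not holds(T, lt, h, t, f[1])
    if op == "and":
        return holds(T, lt, h, t, f[1]) and holds(T, lt, h, t, f[2])
    if op == "or":
        return holds(T, lt, h, t, f[1]) or holds(T, lt, h, t, f[2])
    if op == "imp":
        return (not holds(T, lt, h, t, f[1])) or holds(T, lt, h, t, f[2])
    if op == "F":  # some strictly later point satisfies the argument
        return any(holds(T, lt, h, s, f[1]) for s in T if (t, s) in lt)
    if op == "P":  # some strictly earlier point satisfies the argument
        return any(holds(T, lt, h, s, f[1]) for s in T if (s, t) in lt)
    if op == "G":  # abbreviation: G a = not F not a
        return holds(T, lt, h, t, ("not", ("F", ("not", f[1]))))
    if op == "H":  # abbreviation: H a = not P not a
        return holds(T, lt, h, t, ("not", ("P", ("not", f[1]))))
    raise ValueError(f"unknown connective {op!r}")


def subsets(T):
    return chain.from_iterable(combinations(T, r) for r in range(len(T) + 1))


def countermodels(T, lt, atoms, f):
    """All (assignment, point) pairs at which f is false, ranging over every
    assignment of the given atoms on the frame (T, lt)."""
    found = []
    for choice in product(list(subsets(T)), repeat=len(atoms)):
        h = {a: set(c) for a, c in zip(atoms, choice)}
        found.extend((h, t) for t in T if not holds(T, lt, h, t, f))
    return found


def F(a):
    return ("F", a)


p, q = ("atom", "p"), ("atom", "q")
# Fp and Fq -> F(p and Fq) or F(q and Fp) or F(p and q)
LINEARITY = ("imp", ("and", F(p), F(q)),
             ("or", F(("and", p, F(q))),
              ("or", F(("and", q, F(p))), F(("and", p, q)))))

# Constructed frames, both transitive and irreflexive.
CHAIN = ([0, 1, 2], {(0, 1), (1, 2), (0, 2)})   # linear: 0 < 1 < 2
FORK = ([0, 1, 2], {(0, 1), (0, 2)})            # 0 has two incomparable futures

if __name__ == "__main__":
    print("chain countermodels:", len(countermodels(*CHAIN, ["p", "q"], LINEARITY)))
    for h, t in countermodels(*FORK, ["p", "q"], LINEARITY):
        print("fork fails at", t, "with", h)
```

On the fork the formula fails at the root exactly when p holds on one future branch and q on the other, since neither point can then see the other.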

We have used the term “temporal connective” loosely above. It is time to make this 
a little more precise. By a temporal connective we will mean a tuple consisting of a 
symbol, its arity and a semantic clause. For example we have seen the 1-ary connective
F with its future directed clause. Below we will see how to present the semantic clause 
in a standard way. This will allow temporal logics to be constructed by choosing a base 
logic, say classical propositional or predicate logic, choosing a set of connectives, and 
choosing a class of structures on which the semantics is evaluated. Such flexibility is a 
very powerful feature of temporal logics: the right logic can be put together for a specific
application. 

Before doing this let us mention a few variations on Prior’s original temporal connec- 
tives. When these connectives are used for computing applications and when the flow 
of time is taken to be the natural numbers then we often see a variant of F, commonly 
written as $\Diamond$, which has a reflexive semantics. We might use the symbol $F^{\leq}$ for this
“non-strict” version of F. The semantic clause is:

$\mathcal{T}, t \models F^{\leq}\alpha$ iff there exists $s \in T$ such that $t \leq s$ and $\mathcal{T}, s \models \alpha$.
There are similar non-strict versions of P, G and H. Note too, that in general there is 
no reason for them only to be seen in the context of natural numbers time. 


Also in the context of natural numbers time, and especially in combination with
non-strict F, it is common to see a connective written as X, T, or O, and meaning ‘tomorrow’
or ‘next-time’. The semantics could be presented for general flows as

$\mathcal{T}, t \models X\alpha$ iff there exists $s \in T$ such that $t < s$ and $\mathcal{T}, s \models \alpha$ and there is no $u$ with $t < u < s$,

but for natural numbers flows only, we can be more straightforward and define 

$(\mathbb{N}, <, h), n \models X\alpha$ iff $(\mathbb{N}, <, h), n+1 \models \alpha$.
A yesterday or last-time connective can also be given but there is a subtlety: what to 
do at the start of time? In fact, there end up being two yesterday connectives, a weak 
yesterday W and a strong yesterday Y: 

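$(\mathbb{N}, <, h), n \models W\alpha$ iff $n = 0$ or $(\mathbb{N}, <, h), n-1 \models \alpha$, and

$(\mathbb{N}, <, h), n \models Y\alpha$ iff $n > 0$ and $(\mathbb{N}, <, h), n-1 \models \alpha$.
These are in fact duals of each other: $W\alpha \equiv \neg Y \neg\alpha$. Tomorrow is self-dual.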


Arbitrary temporal connectives with first-order tables. For an n-ary connective #,
there will be a table $T_\#(t, P_1,\dots,P_n)$ for # being a formula of the first-order logic L*
(introduced in Section 3.1 above), written using variables including t, and the 1-ary
relation symbols $P_1,\dots,P_n$. The table gives the semantics of # in the following sense.
Suppose that # is one of the temporal connectives in a temporal language so that the
formulas include $\#(\alpha_1,\dots,\alpha_n)$ whenever $\alpha_1,\dots,\alpha_n$ are formulas. Suppose that
$\mathcal{T} = (T,<,h)$ is a temporal structure. As usual we define truth of all formulas at all time
points in $\mathcal{T}$ by induction on the construction of the formulas. The semantic clause for
$\#(\alpha_1,\dots,\alpha_n)$ is used when we have defined the truth of the $\alpha_i$ at every time point.
First, let $S_i = \{b \in T \mid \mathcal{T}, b \models \alpha_i\}$. Then the semantic clause tells us that for any $a \in T$,
$\mathcal{T}, a \models \#(\alpha_1,\dots,\alpha_n)$ iff T* $\models T_\#(a, S_1,\dots,S_n)$ (where we use the semantics for L* over
T* defined in Section 3.1 above).
Some tables of connectives we have already met include: 


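$Fp$          $\exists s(t < s \wedge P(s))$
$F^{\leq}p$   $\exists s(t \leq s \wedge P(s))$
$Pp$          $\exists s(s < t \wedge P(s))$
$Gp$          $\forall s(t < s \to P(s))$
$Hp$          $\forall s(s < t \to P(s))$
$Xp$          $\exists s(t < s \wedge P(s) \wedge \neg\exists u(t < u < s))$
$Yp$          $\exists s(s < t \wedge P(s) \wedge \neg\exists u(s < u < t))$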


In more philosophical temporal logic work, and especially that motivated by trying to 
give formal semantics to natural language tense constructs, a connective capturing the 
idea of “until” is often seen as $U(\alpha, \beta)$. Its table is:

$U(p,q)$    $\exists s((t < s) \wedge P(s) \wedge \forall u[((t < u) \wedge (u < s)) \to Q(u)])$
This is read as “until p, q”, meaning that until p holds we have q holding: q holds at all
time points after now until some time at which p holds. There is a mirror image “since” 
connective. Its table is: 

$S(p,q)$    $\exists s((s < t) \wedge P(s) \wedge \forall u[((s < u) \wedge (u < t)) \to Q(u)])$

In many computing applications an “until” connective is also seen. This is commonly
written $\alpha U \beta$ and read as ‘$\alpha$ holds until $\beta$ does’. The semantics is:

$pUq$    $\exists s((t \leq s) \wedge Q(s) \wedge \forall u[((t \leq u) \wedge (u < s)) \to P(u)])$

Thus, $pUq$ is not the same as $U(q,p)$! The “philosophical” until is sometimes called the
strict one (as $U(p,q)$ does not hold just because p holds now) while the “computing”
until is called the non-strict one: $qUp$ holds if p holds now. We will sometimes write
$U^{<}$ for the former and $U^{\leq}$ for the latter: otherwise, they will be distinguished by the
context. A mirror image $S^{\leq}$ of the S (or “$S^{<}$”) above can be defined similarly.

For the most basic computing applications of temporal logic the much favoured lan- 
guage is the (propositional) temporal logic with the next-time X connective and the 
non-strict U connective. This language and/or its logic over the natural numbers flow 
of time is often called PLTL or PTL and it was introduced in the papers [147] and [66] 
which first proposed using temporal logics for reasoning about programs. It is easy to see 
that this logic is equally as expressive as the logic with just strict until over the natural 
numbers. 

The language with X, $U^{\leq}$, Y, and $S^{\leq}$, sometimes called TL, was recommended for
computing applications in [124] as the past-time connectives allow more natural expres- 
sion of certain properties of interest to computer scientists. However, it is not hard to use 
the separation results mentioned in Section 4.6 to show that the past-time connectives 
are not really necessary in order to express any properties of a natural numbers-flowed 
structure (as far as evaluating properties at the zero time is concerned). 

Expressivity concerns also led to the introduction of certain more complicated connec- 
tives for use with dense, in particular non-Dedekind-complete, flows of time. Such flows 
of time may have “gaps” or Dedekind cuts: that is, the flow can be partitioned into two 
non-empty sets A and B, say, with every time in A before every time in B, but A does 
not have a last time and B does not have a first time. These connectives are the Stavi 
connectives U’ and S’ which were mentioned in [66] as having to be added to (strict) 
‘until’ and ‘since’ to achieve expressive completeness over general linear time. $U'(\alpha, \beta)$
holds if $\beta$ is true from now until a gap in time after which $\beta$ is arbitrarily soon false but
after which $\alpha$ is true for a while: $U'(\alpha, \beta)$ is as pictured


[Figure: timeline starting at “now” illustrating $U'(\alpha, \beta)$.]


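$S'$ is defined via the mirror image. Despite involving a gap, $U'$ is in fact a first-order
connective. Here is the first-order table for $U'$:

$$\begin{aligned}
U'(p_1,p_2) = \exists s\big(& t < s \wedge \exists u(t < u < s \wedge \neg P_2(u)) \wedge \exists u[t < u < s \wedge \forall v(t < v < u \to P_2(v))] \\
& \wedge \forall u(t < u < s \to [\exists v(u < v \wedge \forall w(t < w < v \to P_2(w)))] \\
& \qquad \vee [\forall v(u < v < s \to P_1(v)) \wedge \exists v(t < v < u \wedge \neg P_2(v))])\big)
\end{aligned}$$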


Roughly, this says that there is some $s > t$ which is on the other (future) side of the gap,
so that any $u$ between $t$ and $s$ is either before the gap (first disjunct) or after the gap
(second disjunct). Also, $p_2$ is false before $s$ and true for a while after $t$. Of course, $S'$
has the mirror image table.

Note that if $(T,<)$ is Dedekind complete then any formula of the form $U'(\alpha, \beta)$ or
$S'(\alpha, \beta)$ is everywhere false.


3.5 Extensions of temporal logic 


Now we very briefly mention a few miscellaneous extensions to temporal logics. 


1. Hybrid logic. 


It has long been an undertaking for temporal logicians to invent more expressive 
languages and one temptation is to import some of non-modal first-order logic’s 
abilities to reason explicitly about the states, i.e. the time points. Examples include 
Prior’s “third grade tense logics” [150], the universal quantifier in [26], the “holds” 
predicate for intervals in [7] and more recent work in [19] and [74]. Temporal 
logics which allow some sort of naming of points within formulas are called hybrid 
logics, and these are discussed fully in Chapter 14. Having names for time points is 
particularly helpful for temporal reasoning tasks and systems of temporal inference 
can be designed to exploit this. 


2. Metric temporal logic.


In many applications of complex systems, timing or metric considerations are im- 
portant. Reasoning about the behaviour of safety critical systems [144] and mul- 
timedia specifications [24] are just two examples. A good account of this so-called 
real-time logic area appears in [8]. A formula of the logic TPTL [8], 


$\Box x.(p \to \Diamond y.(q \wedge y \leq x + 1))$


for example, can express that every p-state is followed by a q-state in at most one 
unit of time. Most of the timing work is built on discrete time temporal logics (for 
example via the timed state sequence formalism of [8]) and indeed any move to a 
dense order of times usually results in highly undecidable logics [8]. An alternative 
approach with reasonable complexity and comparable expressiveness is suggested 
in [164] via coding of “ticks” of a timer into the temporal logic with ‘until’ and 
‘since’ over real numbers time. Of course, using abbreviations in terms of ticks as 
above does not allow us to quantify over metric values. However, as pointed out 
in [8] it is just this facility which makes metric temporal logics undecidable. Some 
recent work in metric logics includes [91, 125, 23].


3. Many-dimensional connectives.


So far, we have concentrated on temporal logics whose formulas are evaluated at 
single time points. They are analogous to first-order formulas with one free variable. 
But first-order formulas can have many free variables, and by the same token it is 
sometimes useful to consider temporal formulas that are evaluated at k time points, 
for any fixed finite k > 1. The first of these points is rather special, and is called 
the evaluation point. The remaining k — 1 extra points are analogous to so-called 
reference points in natural language. 
For semantics, we use a flow of time as usual, but there is a choice about how to
evaluate atoms in it. Allowing an atom’s value to depend on k time points leads us 
to true many-dimensional temporal logic, and to the interval logics discussed below. 
Such logics are often computationally intractable, and anyway it is often better to 
treat them as being ordinary one-dimensional evaluation but in a many-dimensional 
structure (cf. Section 2.5, and also Chapter 15). 


Another option is to allow the values of atoms to depend only on the evaluation 
point, not the reference points. In consequence, a temporal structure remains of the 
form $\mathcal{T} = (T,<,h)$, where $h : L \to \wp(T)$. To formalise the semantics of an n-ary
connective #, we use a table of the form $T_\#(x_1,\dots,x_k, P_1,\dots,P_n)$, where $P_1,\dots,P_n$
are now k-ary relation symbols. For time points $t_1,\dots,t_k \in T$, we define
$\mathcal{T}, t_1,\dots,t_k \models \alpha$ by induction on formulas $\alpha$. For atomic $\alpha$, we set
$\mathcal{T}, t_1,\dots,t_k \models \alpha$ iff $t_1 \in h(\alpha)$. The booleans are as expected. Finally, if
$\alpha_1,\dots,\alpha_n$ are formulas and inductively we have
$S_l = \{(u_1,\dots,u_k) \in T^k \mid \mathcal{T}, u_1,\dots,u_k \models \alpha_l\}$ for each $l \leq n$,
then as before we put $\mathcal{T}, t_1,\dots,t_k \models \#(\alpha_1,\dots,\alpha_n)$ iff
$T \models T_\#(t_1,\dots,t_k, S_1,\dots,S_n)$.


For some examples of this style of logic, see, e.g., [64, chapter 7]. 


4. Interval temporal logics.
There are two different approaches to interval temporal logics. 


In the approach of Moszkowski [138] and the Duration calculus [221] the proposi- 
tional version of the interval temporal logic is defined on point-based linear tem- 
poral structures. Atoms are evaluated at points but we build up more complicated 
formulas which are evaluated on intervals. A variety of interval temporal logics can 
be defined by considering various linear temporal structures such as the integers, 
or a finite subset of them, or such as the reals (in Duration calculus). A variety 
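of operators can be defined such as empty, $\bigcirc\alpha$ or $\alpha; \beta$. Consider, for example, a
linear temporal structure $(\mathbb{N},<,h)$. Formulas are evaluated at intervals
$\sigma = \{t \in T \mid \sigma_- \leq t \leq \sigma_+\}$ of $(T,<)$: $(T,<,h),\sigma \models p$ iff $\sigma_- \in h(p)$;
$(T,<,h),\sigma \models \bigcirc\alpha$ iff $(T,<,h),\sigma' \models \alpha$ where $\sigma' = \{t \in T \mid \sigma_- + 1 \leq t \leq \sigma_+\}$;
and $(T,<,h),\sigma \models \alpha;\beta$ iff there is some $z \in \mathbb{N}$ such that
$(T,<,h), \{t \in T \mid \sigma_- \leq t \leq z\} \models \alpha$ and
$(T,<,h), \{t \in T \mid z \leq t \leq \sigma_+\} \models \beta$. The Duration Calculus also allows some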
metric information to be specified, such as the length of intervals, and, via the 
duration operator, the integrated duration of the truth of a proposition during an 
interval. See [220] for more details on the Duration Calculus. 


In the other approach, such as, for example, the interval temporal logics of Halpern 
and Shoham [87] and Venema [197], intervals themselves are the basic temporal 
units of structure and atoms are evaluated on intervals. Generally such logics 
have unary (or 1-place) modal operators corresponding to binary relations between 
intervals. We have seen in Section 2.6 above that there are 13 standard relations 
identified between intervals such as the i precedes j (i.e. i < j) relation. Thus, in 
[192], we have a modal diamond P (for precedes) with semantics: 


$\mathcal{T}, i \models Pp$ iff there is an interval $j$ s.t. $j < i$ and $\mathcal{T}, j \models p$.


In [197] we see a more powerful interval logic CDT extending this approach with 
some binary modal connectives inspired by natural language, computation [172] 
and relation algebra. The chop connective C from this system (corresponding to ;
of the Duration Calculus) is defined in terms of the accessibility relation $A(i, j, k)$
true when the following all hold: $i$ and $k$ begin together, $i$ ends where $j$ starts, and
$j$ and $k$ end together. The semantics of chop is:


$\mathcal{T}, k \models pCq$ iff there are intervals $i, j$ s.t. $A(i, j, k)$, $\mathcal{T}, i \models p$ and $\mathcal{T}, j \models q$.


There is a fuller treatment of interval temporal logics in [193]. See also [77]. 


5. Combinations of temporal logic and other modal logics.


There has been much recent interest in combinations of temporal logic and other 
modal logics. These include temporal-epistemic [48] and spatio-temporal [65] logics 
as well as logics of parallel time [120]. The simplest appropriate structure (from 
[189]) is a set W of classical propositional worlds ($h(p) \subseteq W$) endowed with both
a temporal ordering $w_1 < w_2$ and an accessibility relation $R_y$ for each box $\Box_y$
of the modal language. A combined language can have formulas including the
atoms, and closed under forming $G\alpha$, $H\alpha$ and $\Box_y\alpha$ from any formula $\alpha$. Letting
$M = (W, <, \{R_y\}, h)$, the semantic clauses are just:

$M,w \models G\alpha$ iff for all $w' \in W$, if $w < w'$ then $M, w' \models \alpha$;

$M,w \models H\alpha$ iff for all $w' \in W$, if $w' < w$ then $M, w' \models \alpha$;

$M,w \models \Box_y\alpha$ iff for all $w' \in W$, if $w R_y w'$ then $M, w' \models \alpha$.
One common way of constructing such a structure is as the cartesian product of a 
temporal structure and a modal structure. The reader is referred to Chapter 15 or 
[65] for details. 


The 2-dimensional temporal logics of [130] and [49] are similar: we just have to 
distinguish temporal connectives operating in one dimension from those of another 
dimension. 


Predicate temporal logic is a combination (of temporal logic with first-order logic) 
of a different nature. The standard predicate temporal logic with F and P of 
constant domains, rigid terms and rigid variable assignments is defined as follows. 


Recall from Section 2.7 that the atomic formulas of our logic will be classical atomic 
first-order formulas from a signature L, consisting of relation symbols, function 
symbols, and constants. Assume that V is our set of (domain) variable symbols, 
i.e. those standing for elements of the object domain. The set of formulas will 
include all the atomic formulas and also $\neg\alpha$, $\alpha \wedge \beta$, $\forall x\alpha$, $F\alpha$ and $P\alpha$ for any
formulas $\alpha$ and $\beta$ and any domain variable symbol $x$.


A temporal structure will have the form $M = (T, <, D, (M_t : t \in T))$, where $(T, <)$
is a flow of time, D is the domain of M, and for each $t \in T$, $M_t$ is an L-structure
with domain D. An assignment to the variable symbols is just a map from V to D 
(with no dependence on T). 


The assignment v combines with the interpretations for the predicate and function 
symbols at time a to give us the interpretation $v_a(t) \in D$ for any term t at time a.
In particular, $v_a(x) = v(x)$ for $x \in V$, $v_a(f(t_1,\dots,t_n)) = f^{M_a}(v_a(t_1),\dots,v_a(t_n))$.


For an assignment v, we define truth of formulas at times in M in a straightforward 
way. The more interesting clauses are: 
$M,v,a \models p(t_1,\dots,t_n)$ iff $(v_a(t_1),\dots,v_a(t_n)) \in p^{M_a}$;

$M,v,a \models \forall x\alpha$ iff for all $d \in D$, $M,v[x \leadsto d],a \models \alpha$;

$M,v,a \models F\alpha$ iff there is $b \in T$ such that $a < b$ and $M,v,b \models \alpha$.
Here $v[x \leadsto d]$ is just the assignment which is the same as v except that x is mapped
to d.


It is worth mentioning the variation, called TLA or the Temporal Logic of Ac- 
tions [121] on a predicate temporal logic over natural numbers time. This has 
received much attention in connection with reasoning about specifications of pro- 
grams. The set of allowable formulas is restricted so that they are each stuttering 
invariant. This means that these formulas can not distinguish between behaviours 
(of a program) which only differ by having the same state (i.e. values of externally 
observable program variables) repeated consecutively a different number of times. 


3.6 Temporal logic with second-order operations 


All the temporal logics so far considered involve connectives with essentially first-order 
definitions. As we will soon see, each formula of such a logic can be translated into first- 
order logic in a meaning-preserving way. Sometimes, however, first-order expressivity is 
insufficient. For example, the property that an atom is true at every even number in 
a temporal structure (N,<,h) is not expressible with first-order connectives. We have 
already mentioned monadic second-order logic in the context of time. Now it is the turn 
of modal-style temporal logics to benefit from second-order operations. 


As usual, there are several ways of introducing second-order devices into temporal 
logic. We consider four options in turn. The first two are generally used over natural 
numbers time (N, <), and finite linear flows; the second two can be used with any flow 
of time. 


1. Regular expressions. The addition of these to propositional temporal logic was 
proposed by Wolper [205, 204, 206]. It can be done as follows. A (right-linear) 
grammar is a triple 

$G = ((a^1,\dots,a^k), Q, \delta)$,

where $k \geq 1$ is finite, $a^1,\dots,a^k$ are distinct objects (the terminals of G), Q is a
finite non-empty set (the non-terminals of G), and $\delta$ is a finite set of rules of the
form $u \to av$ and $u \to a$, where $u,v \in Q$ and $a \in \{a^1,\dots,a^k\}$. We write A for the
set $\{a^1,\dots,a^k\}$; the order of enumeration of A given in G will be significant below.


Given G as above, and $v_0 \in Q$, we define sets $S_n$ ($n < \omega$) and $S(G, v_0)$. Intuitively,
$S_n$ is the set of words over $A \cup Q$ constructible from $v_0$ by n applications of rules
in $\delta$; $S(G, v_0)$ is the set of finite or infinite words over A constructible from $v_0$ by
$\leq \omega$ applications of the rules. The sets are defined formally by induction as follows.
We let $S_0 = \{v_0\}$. Given $S_n$, we let
$S_{n+1} = \{a_1 \dots a_{n+1} v : \exists u \in Q\,(a_1 \dots a_n u \in S_n \wedge u \to a_{n+1} v \in \delta)\}$.
Finally, we let
$S(G, v_0) = (A^* \cap \bigcup_{n<\omega} S_n) \cup \{a_1 a_2 \dots : (\forall n < \omega)(\exists v \in Q)\, a_1 \dots a_n v \in S_n\}$.
Here, $A^*$ denotes the set of finite words over A; the
effect of taking the intersection with it is to restrict to words without non-terminals.
As an example, if $G = ((a,b), \{v\}, \{v \to av, v \to b\})$, then


$S_0 = \{v\}$,
$S_n = \{\underbrace{aa \dots a}_{n} v,\ \underbrace{aa \dots a}_{n-1} b\}$, for $0 < n < \omega$,
$S(G,v) = \{b, ab, aab, aaab, \dots\} \cup \{aaaaa\dots\}$.


We remark that a grammar can be viewed as a finite-state automaton, with alphabet
A, state set Q, and transition table $\delta$. It follows that the sets of the form
‘the set of all finite words in S(G,v)’, for arbitrary G and non-terminal v of G, are 
precisely the regular languages. 


Now let T be any propositional temporal logic suitable for temporal structures
$M = (\mathbb{N}, <, h)$ based on natural numbers time, where $h : L \to \wp(\mathbb{N})$. The extended
temporal logic ETL(T) is then defined as follows. Its atomic formulas are $\top$, $\bot$,
and q for each $q \in L$. More complex formulas are formed in two ways. First,
given any n-ary connective # of T, and ETL(T)-formulas $\alpha_1,\dots,\alpha_n$, we can form
the ETL(T)-formula $\#(\alpha_1,\dots,\alpha_n)$; it is evaluated in M in the usual way. Second,
given any grammar $G = ((a^1,\dots,a^k),Q,\delta)$, any $v \in Q$, and ETL(T)-formulas
$\alpha_1,\dots,\alpha_k$, we can form the ETL(T)-formula $G_v(\alpha_1,\dots,\alpha_k)$. Then
$M, t \models G_v(\alpha_1,\dots,\alpha_k)$ iff there is a word $a^{i_0}a^{i_1}\dots$ in $S(G,v)$ of length $l \leq \omega$, say,
where $1 \leq i_j \leq k$ for each $j < l$, such that for all $j < l$ we have $M,t+j \models \alpha_{i_j}$.


For example, if we take the grammar $G = ((a, b), \{v\}, \{v \to av, v \to b\})$ mentioned
above, then $M,t \models G_v(\alpha,\beta)$ iff either there is $u \geq t$ such that $M,u \models \beta$ and
$M,v \models \alpha$ for all $v$ with $t \leq v < u$, or else $M,u \models \alpha$ for all $u \geq t$. Roughly,
because the words in $S(G,v)$ are of the form aaa...ab or aaa..., and we associate
$\alpha$ with a and $\beta$ with b, we require the pattern $\alpha\alpha\alpha\dots\alpha\beta$ or $\alpha\alpha\alpha\dots$ to begin
at t. This is a weak form of the ‘non-strict until’ considered earlier. It is easily
checked that $G_v(\alpha, \bot)$ expresses a non-strict form of $G\alpha$, and $\neg G_v(\neg\alpha, \bot)$ expresses
the non-strict eventuality $F^{\leq}\alpha$. So $G_v(\alpha, \beta) \wedge \neg G_v(\neg\beta, \bot)$ expresses the non-strict
$\alpha U^{\leq} \beta$ seen in Section 3.4.


In fact, all ‘future-oriented’ connectives examined earlier can be expressed in ex- 
tended temporal logic. Moreover, the logic is decidable over natural numbers time, 
with PSPACE-complete validity problem [206].
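The grammar operator can be evaluated mechanically on an ultimately periodic structure (a finite prefix followed by a loop), by running the grammar as an automaton along the structure. The following Python sketch is an added example, not code from the handbook; it assumes the arguments $\alpha_i$ are plain state predicates rather than nested ETL formulas, and the names `Lasso`, `grammar_holds` and the `EVEN` grammar are constructed for illustration.

```python
from typing import Callable, FrozenSet, List, Optional, Tuple

State = FrozenSet[str]                  # atoms true at one time point
Pred = Callable[[State], bool]          # argument formula, restricted here to a state predicate
Rule = Tuple[str, str, Optional[str]]   # (u, a, v) is u -> a v; (u, a, None) is u -> a


class Lasso:
    """Structure over (N, <) given as a finite prefix followed by a loop repeated forever."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty")
        self.states: List[State] = [frozenset(s) for s in list(prefix) + list(loop)]
        self.loop_start = len(prefix)

    def pos(self, t: int) -> int:
        """Index of the state that holds at time t."""
        if t < len(self.states):
            return t
        return self.loop_start + (t - self.loop_start) % (len(self.states) - self.loop_start)

    def succ(self, p: int) -> int:
        return p + 1 if p + 1 < len(self.states) else self.loop_start


def grammar_holds(terminals, rules, v0, args, trace, t) -> bool:
    """M,t |= G_v0(args): some finite or infinite word of S(G, v0) matches from time t."""
    arg_of = dict(zip(terminals, args))  # the i-th terminal is paired with the i-th argument
    start = (trace.pos(t), v0)
    edges = {}
    stack = [start]
    while stack:                         # explore the product of positions and non-terminals
        node = stack.pop()
        if node in edges:
            continue
        p, u = node
        succs = []
        for lhs, a, v in rules:
            if lhs != u or not arg_of[a](trace.states[p]):
                continue
            if v is None:
                return True              # a rule u -> a closes a matching finite word
            succs.append((trace.succ(p), v))
        edges[node] = succs
        stack.extend(succs)
    # No finite word matched: an infinite word needs an infinite path from start,
    # so repeatedly discard nodes that have no surviving successor.
    alive = set(edges)
    changed = True
    while changed:
        changed = False
        for node in list(alive):
            if not any(s in alive for s in edges[node]):
                alive.discard(node)
                changed = True
    return start in alive


def atom(name): return lambda s: name in s
def neg(f): return lambda s: not f(s)
BOT = lambda s: False
TOP = lambda s: True

UNTIL = (["a", "b"], [("v", "a", "v"), ("v", "b", None)])   # the grammar from the text
EVEN = (["a", "b"], [("v", "a", "w"), ("w", "b", "v")])     # constructed: only the word abab...


def weak_until(alpha, beta, trace, t):
    return grammar_holds(*UNTIL, "v", [alpha, beta], trace, t)

def always(alpha, trace, t):             # G_v(alpha, bottom)
    return weak_until(alpha, BOT, trace, t)

def eventually(alpha, trace, t):         # not G_v(not alpha, bottom)
    return not weak_until(neg(alpha), BOT, trace, t)

def until(alpha, beta, trace, t):        # G_v(alpha, beta) and not G_v(not beta, bottom)
    return weak_until(alpha, beta, trace, t) and eventually(beta, trace, t)

def at_even_offsets(alpha, trace, t):    # alpha at t, t+2, t+4, ...
    return grammar_holds(*EVEN, "v", [alpha, TOP], trace, t)


# Constructed sample structures.
TRACE = Lasso(prefix=[{"p"}, {"p"}, {"q"}], loop=[{"p"}])
ALTERNATING = Lasso(prefix=[], loop=[{"p"}, set()])
```

On `TRACE`, the weak and non-strict until agree at time 0 but differ at time 3, where p holds forever and q never does; `at_even_offsets` shows a grammar capturing the "every even time" property.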


2. Gabbay’s fixed point operator [61, 64]. This can be added to the propositional
temporal syntax with connectives U (Until) and Y (Yesterday), creating a system
known as UYF. Its syntax is as follows. The atomic formulas are $\top$, $\bot$, and q
for $q \in L$, and if $\alpha$, $\beta$ are UYF-formulas then so are $\neg\alpha$, $\alpha \wedge \beta$, $Y\alpha$, $U(\alpha, \beta)$, and
$\varphi q\alpha$, for any atom $q \in L$ such that $\alpha$ is pure past in q; this means that every
occurrence of q in $\alpha$ that is not in the scope of a $\varphi q$ is in the scope of a Y and not
in the scope of an U.


The semantics of $\wedge, \neg, Y, U$ are as before. The semantics of $\varphi$ is a little harder to
define. Suppose that the formula $\alpha$ is pure past in q, and (inductively) that its
semantics has been defined. In any temporal structure $(\mathbb{N}, <, h)$, it turns out (by
examining the inductively-defined semantics of $\alpha$) that the truth value of $\alpha$ at any
time $t \in \mathbb{N}$ only depends on the values of q at times $0,1,\dots,t-1$. This means that
we may define sets $S_t \subseteq \{0,1,\dots,t\}$ (for $t \in \mathbb{N}$) recursively as follows:

(a) $0 \in S_0$ iff $(\mathbb{N},<,h),0 \models \alpha$,


(b) for $t > 0$, if $u \leq t$ then $u \in S_t$ iff $(\mathbb{N}, <, h_t), u \models \alpha$, where $h_t$ is the same as h
except that $h_t(q) = S_{t-1}$.


Because $\alpha$ is pure past in q, if $0 \leq t \leq u$ then $t \in S_t$ iff $t \in S_u$. This means that
the $S_t$ ‘converge’ to a value $S = \{t \in \mathbb{N} : t \in S_t\}$. We then let S be the set of
times at which $\varphi q\alpha$ is true: we define $(\mathbb{N}, <, h), t \models \varphi q\alpha$ iff $t \in S$.


Intuitively, what is going on is that we evaluate $\alpha$ at time 0: its value is independent
of h(q) since $\alpha$ is pure past in q. Then, we evaluate $\alpha$ at time 1; now the value of
q at 0 does matter (though its values at 1,2,... do not), and we let it be the same
value that we obtained for $\alpha$ at 0. Then we evaluate $\alpha$ at 2, giving q the same
values at 0,1 as $\alpha$ had; and so on. For example, $\varphi q\neg Yq$ evaluates to true at 0, then
false at 1, true at 2, and so on: it is true at precisely the even times. We can also
express $S(\alpha, \beta)$, by $\varphi q Y(\alpha \vee (q \wedge \beta))$.

It turns out that $\varphi q\alpha$ defines a fixed point of the operator $\Phi : \wp(\mathbb{N}) \to \wp(\mathbb{N})$ given
by

$\Phi : S \mapsto \{t \in \mathbb{N} : (\mathbb{N},<,h_{q \mapsto S}),t \models \alpha\}$,

where $h_{q \mapsto S}(p) = h(p)$ if $p \in L \setminus \{q\}$, and $h_{q \mapsto S}(q) = S$.


This operator is not monotonic, but because of the pure past restriction, it does in
fact have a unique fixed point. However, the ‘recursive’ view of $\varphi$ is also natural.


The $\varphi$ operator was introduced in [61], via a logic called USF expressively equivalent
to the UYF just defined. [95] and [64, chapter 8] showed that any UYF-formula
is equivalent to one with at most two nested $\varphi$s, and that UYF is decidable with
PSPACE-complete validity problem. They also prove that UYF is expressively equivalent
to monadic second-order logic over $(\mathbb{N}, <)$ (see Section 3.2). For any monadic
second-order formula $\psi(t, Q_1,\dots,Q_n)$, where $Q_1,\dots,Q_n$ are (free) unary relation
symbols, there is a UYF-formula $\alpha(q_1,\dots,q_n)$ such that for any $h : L \to \wp(\mathbb{N})$, and
any $t \in \mathbb{N}$, we have $(\mathbb{N},<,h),t \models \alpha$ iff $(\mathbb{N}, <) \models \psi(t, h(q_1),\dots,h(q_n))$. This is a
second-order form of expressive completeness, the first-order form of which will be
discussed in Section 4.
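The recursive reading of the fixed point operator translates directly into an evaluator for the past-only fragment (atoms, booleans, Y and the fixed point), since truth at time t then depends only on times up to t. The Python sketch below is an added example, not code from the handbook; the tuple encoding of formulas, the names `sat`, `pure_past` and `since_table`, and the sample valuation are assumptions made for illustration, with the atoms `alpha` and `beta` standing in for arbitrary formulas.

```python
def pure_past(f, q, under_y=False):
    """Syntactic check: every occurrence of q outside a ('fix', q, ...) lies under a Y."""
    op = f[0]
    if op == "atom":
        return f[1] != q or under_y
    if op == "fix":
        return f[1] == q or pure_past(f[2], q, under_y)
    if op == "Y":
        return pure_past(f[1], q, True)
    return all(pure_past(g, q, under_y) for g in f[1:])   # not / and / or


def sat(f, h, n):
    """Times t < n at which f holds in (N, <, h); exact because f only looks at the past."""
    op = f[0]
    if op == "atom":
        return {t for t in h.get(f[1], ()) if t < n}
    if op == "not":
        return set(range(n)) - sat(f[1], h, n)
    if op == "and":
        return sat(f[1], h, n) & sat(f[2], h, n)
    if op == "or":
        return sat(f[1], h, n) | sat(f[2], h, n)
    if op == "Y":                          # strong yesterday: false at time 0
        return {t + 1 for t in sat(f[1], h, n) if t + 1 < n}
    if op == "fix":
        q, body = f[1], f[2]
        if not pure_past(body, q):
            raise ValueError(f"body is not pure past in {q!r}")
        s = set()
        for t in range(n):
            h_t = dict(h)
            h_t[q] = set(s)                # q takes the values already obtained at times < t
            if t in sat(body, h_t, t + 1):
                s.add(t)
        return s
    raise ValueError(f"unknown connective {op!r}")


def since_table(p_times, q_times, n):
    """Strict S(p, q) computed straight from its first-order table."""
    return {t for t in range(n)
            if any(s in p_times and all(u in q_times for u in range(s + 1, t))
                   for s in range(t))}


# fix q. not Y q : true at exactly the even times.
EVEN_TIMES = ("fix", "q", ("not", ("Y", ("atom", "q"))))
# fix q. Y(alpha or (q and beta)) : expresses S(alpha, beta).
SINCE_AS_FIX = ("fix", "q", ("Y", ("or", ("atom", "alpha"),
                                   ("and", ("atom", "q"), ("atom", "beta")))))
H = {"alpha": {1, 5}, "beta": {2, 3, 6, 8}}   # constructed sample valuation


def rejects_unguarded():
    """fix q. not q is not pure past in q, so it has no well-defined value here."""
    try:
        sat(("fix", "q", ("not", ("atom", "q"))), {}, 4)
    except ValueError:
        return True
    return False
```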


3. Moving to arbitrary flows of time, we can add the $\mu$-calculus to basic temporal
logic. Over (N, <), this provides expressive power equal to monadic second-order 
logic; but its use is not limited to this flow. We will not consider it in detail here, 
because chapter 12 is devoted to it. 


4. Another option is to include second-order quantification. In its simplest form this
means adding, to propositional temporal logic, an ability to quantify over propositional
atoms. Given a temporal formula $\alpha$ and an atom q, we may admit the
formula $\exists q\alpha$ to our logic. In such a formula, q is a ‘bound variable’. The $\exists q$ can
be interpreted in several ways:


• $(T,<,h),t \models_a \exists q\alpha$ iff $(T,<,h),t \models_a \alpha(r/q)$ for some $r \in L$; here, $\alpha(r/q)$
denotes the result of replacing all free occurrences of q by r throughout $\alpha$.
This semantics reads $\exists q\alpha$ as $\bigvee_{r \in L} \alpha(r/q)$. We quantify over existing or actual
values of atoms (hence the ‘a’).

• $(T,<,h),t \models_2 \exists q\alpha$ iff $(T,<,g),t \models_2 \alpha$ for some assignment $g : L \to \wp(T)$
agreeing with h except perhaps on q (that is, $g(r) = h(r)$ for all $r \in L \setminus \{q\}$).
This is straightforward monadic second-order quantification (hence the ‘2’).


• More generally, we can specify a set $S \subseteq \wp(T)$ over which q ranges. We
then stipulate that $(T, <, h), t \models_S \exists q\alpha$ iff $(T,<,g),t \models_S \alpha$ for some assignment
$g : L \to \wp(T)$ agreeing with h except perhaps on q and with $g(q) \in S$. Setting
$S = \mathrm{rng}(h)$ yields $\models_a$, and $S = \wp(T)$ yields $\models_2$.


These systems are very powerful but computationally rather complex. In [64, chapter 8],
an axiomatisation was given for $\models_a$, and $\models_a$ and $\models_2$ were both shown
undecidable.


3.7 Branching Time Operations 


Most work on branching time temporal logics, by which we mean those being evaluated 
on tree structures, divides into two schools. The oldest is the philosophical school study- 
ing logics of historical necessity in which arbitrary trees are allowed as flows of time. 
The other is the computing school studying logics of paths through transition systems 
which we have seen is closely related to logics of temporal structures with flows which 
are discrete $\omega$-height trees. There are many common issues across the schools but the
notation is different so we tackle each in turn. 


Historical Necessity 


In the philosophical tradition, temporal logics of branching time are often referred to as 
logics of historical necessity: there are no alternative past histories before any point of 
time. We present here a standard approach called Ockhamist logic with local assignment 
to atoms. 

Recall that a branch (or history) of (T,<) is a maximal linearly <-ordered subset of 
(T,<). Let B(T, <) be the set of all branches of (T, <). 

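Fix a countable set L of atoms. Structures $\mathcal{T} = (T, <, h)$ will have a tree frame (T, <)
and a valuation h for the atoms i.e. for each atom $p \in L$, $h(p) \subseteq T$.

The language HN is generated by the connectives G, H and $\Box$ along with classical $\neg$
and $\wedge$. That is, we define the set of formulas recursively to contain the atoms and for
formulas $\alpha$ and $\beta$ we include $\neg\alpha$, $\alpha \wedge \beta$, $G\alpha$, $H\alpha$ and $\Box\alpha$.

Formulas are evaluated at points on branches in structures. We write $\mathcal{T}, \sigma, x \models \alpha$ when
$\alpha$ is true at the point x of the branch $\sigma$ of the structure $\mathcal{T}$. This is defined recursively
as follows. Suppose that we have defined the truth of formulas $\alpha$ and $\beta$ at all points of
all branches of $\mathcal{T}$. Then for all branches $\sigma$, for all points x of $\sigma$:

$\mathcal{T},\sigma,x \models p$ iff $x \in h(p)$, for p atomic;

$\mathcal{T},\sigma,x \models \neg\alpha$ iff $\mathcal{T},\sigma,x \not\models \alpha$;

$\mathcal{T},\sigma,x \models \alpha \wedge \beta$ iff both $\mathcal{T},\sigma,x \models \alpha$ and $\mathcal{T},\sigma,x \models \beta$;

$\mathcal{T},\sigma,x \models G\alpha$ iff for all $y > x$ in $\sigma$ we have $\mathcal{T},\sigma,y \models \alpha$;

$\mathcal{T},\sigma,x \models H\alpha$ iff for all $y < x$ in $\sigma$ we have $\mathcal{T},\sigma,y \models \alpha$;

$\mathcal{T},\sigma,x \models \Box\alpha$ iff for every branch $\tau$ containing x we have $\mathcal{T},\tau,x \models \alpha$.

As well as the linear time abbreviations we also have $\Diamond\alpha = \neg\Box\neg\alpha$.

We say that $\alpha$ is valid in HN iff for all structures $\mathcal{T}$, for all branches $\sigma$ in $\mathcal{T}$, for all
points $x \in \sigma$, we have $\mathcal{T},\sigma,x \models \alpha$. Let us write $\models \alpha$ in that case.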
Variations and extensions on this traditional set-up abound. They include the addition
of (strict) until and since operators [217], allowing the truth of propositions to be
dependent on branch as well as time point (discussed by Prior in [150] and referred to 
as non-local assignment in [218] and [165]) and the bundled logics of [28] in which the 
modal quantification over branches is restricted to a given set. 

An important class of branching time temporal logics are those termed Peircean 
branching time logics by Prior. These logics are defined so that truth of all formulas 
depends only on a time point of evaluation and not on a branch of evaluation. An exam- 
ple includes the sublanguage of the Ockhamist historical necessity logic above in which 
the branch and temporal modalities are only allowed in the combinations $\Box G$, $\Box F$, $\Box H$,
$\Box P$, $\Diamond G$, $\Diamond F$, $\Diamond H$ and $\Diamond P$. See [150, 151, 216] for details.


PCTL*, CTL*, CTL and QCTL


A simple branching time temporal logic for computing applications called CTL for com- 
putational tree language was described in [35]. The branching is used to capture inde- 
terminacy, choice or openness to the environment. A much more expressive language, 
CTL*, also called the full computational tree logic, was provided in [46] and [43] to 
extend, in expressiveness, both CTL and the linear PTL. We will work with a further 
extension here. The branching time logic PCTL* [123], [162] extends both CTL* and 
linear time temporal logic augmented with past-time operators. 

The formulas of PCTL* are built from the atomic propositions in L recursively using
classical connectives $\neg$ and $\wedge$ as well as the temporal connectives X, S, Y and U and
the path quantifier A: if $\alpha$ and $\beta$ are formulas then so are $X\alpha$, $\alpha S \beta$, $Y\alpha$, $\alpha U \beta$ and $A\alpha$.

Formulas are evaluated in transition systems (see definition 11 above). Since $\omega$-height
trees are transition systems this is a generalization of working with a tree shaped model 
of time. 

Truth of formulas is evaluated at indexes in fullpaths in transition systems. We write
$M,b,i \models \alpha$ iff the formula $\alpha$ is true at the index (time) i of the fullpath b in the transition
system $M = (S, R, g)$. This is defined recursively by:

$M,b,i \models p$ iff $p \in g(b_i)$, any $p \in L$

$M,b,i \models \neg\alpha$ iff $M,b,i \not\models \alpha$

$M,b,i \models \alpha \wedge \beta$ iff $M,b,i \models \alpha$ and $M,b,i \models \beta$

$M,b,i \models X\alpha$ iff $M,b,i+1 \models \alpha$

$M,b,i \models \alpha U \beta$ iff there is some $j \geq i$ such that $M,b,j \models \beta$
and for each k, if $i \leq k < j$ then $M,b,k \models \alpha$

$M,b,i \models Y\alpha$ iff $i > 0$ and $M,b,i-1 \models \alpha$

$M,b,i \models \alpha S \beta$ iff there is some $j \leq i$ such that $M,b,j \models \beta$
and for each k, if $j < k \leq i$ then $M,b,k \models \alpha$

$M,b,i \models A\alpha$ iff $M,b',i \models \alpha$ for every fullpath $b'$ such that $b'_{\leq i} = b_{\leq i}$


We say that $\alpha$ is valid in PCTL*, and write $\models \alpha$, iff for all transition systems M, for
all fullpaths b in M, for all indexes i, we have $M, b, i \models \alpha$.

We use the usual past-time linear temporal logic abbreviations plus $E\alpha = \neg A\neg\alpha$.

The formulas of CTL* are just those of PCTL* which do not contain the past operators 
S or Y. The past before the index $i$ of evaluation is irrelevant for CTL* formulas and so
the semantics of CTL* on fullpaths through Kripke structures is usually presented with
no mention of such an index: truth is evaluated from the point of view of the beginning
of the fullpath. The semantics of CTL* is defined so that $M,b \models A\alpha$ iff $M,b' \models \alpha$ for
any fullpath $b'$ through M starting at the same state as b does.

Note that formulas of CTL* which are boolean combinations of atoms and formulas 
of the form $A\gamma$ are often called state formulas. Their truth depends only on the point of
evaluation independent of any fullpath. This is not true in the PCTL* semantics but it
is easy to see that for such an $\alpha$ we do have $\models \alpha \leftrightarrow A\alpha$.

The original CTL language actually only consisted of some of the state formulas of 
CTL*. In fact it contains just boolean combinations of the atoms, and for formulas $\alpha$
and $\beta$ of CTL, the formulas $EX\alpha$, $E(\alpha U \beta)$, $AX\alpha$ and $A(\alpha U \beta)$. CTL is a Peircean
branching time logic. 

There also exist branching time temporal logics which extend CTL* via propositional 
quantification (see for example [57]). The reader should also see Chapter 12 for a full 
coverage of the $\mu$-calculus which is a popular extension of CTL*.


4 EXPRESSIVE POWER OF INTERNAL AND EXTERNAL PARADIGMS 


In the preceding section, we introduced both ‘internal’ (modal style) and ‘external’ (first- 
order style) logics for handling time. Now we wish to compare the two approaches. We 
will consider their relative expressive power, over various kinds of flow of time, and the 
complexity of deciding validity for them. Such comparisons probably began with Kamp 
[112], and they have given rise to a rather rich and interesting field of work. Mainly we 
will restrict our attention to linear flows of time, but we will mention some results for 
trees and for arbitrary flows. 

The most basic observation is that there is a ‘standard’ translation of propositional 
temporal formulas into first-order logic, and we will start with this in Section 4.1. The 
question then arises of how much of first-order logic is captured by this translation. 
Section 4.2 introduces the crucial notion of expressive completeness, whereby all first- 
order properties are expressible by temporal formulas. Expressive completeness is studied 
in Section 4.3 over all flows of time, and in Section 4.4 over linear flows, where we mention 
Kamp’s famous theorem that Until and Since are expressively complete over Dedekind- 
complete linear time. Section 4.5 briefly discusses algorithmic issues. In Section 4.6 we 
discuss separation, an important notion due to Gabbay. 

All this is for one-dimensional propositional temporal logic. In the last two sections, 
we broaden our view. In Section 4.7, we briefly consider expressive completeness for 
many-dimensional connectives. In recent times, expressive completeness for first-order 
temporal logic has also received attention, and we end in Section 4.8 by discussing some 
of this work. 


Notation. We will reserve the phrase ‘temporal logic’ for a modal-style logic. We will 
use ‘first-order style logic’ or ‘first-order logic’ for the other kind. We will generally write 
temporal formulas as $\alpha, \beta, \ldots$, and classical first-order ones as $\varphi, \psi$, etc.

Until the end of Section 4.6, we will restrict our attention to the (one-dimensional) 
propositional case. Recall that L is our set of atoms, and that L* denotes the first-order
signature $\{<\} \cup \{Q : q \in L\}$, where the $Q$ are unary relation symbols. For a temporal
structure $M = (T, <, h)$, M* is the L*-structure obtained from M in the natural way:
see Section 3.1. We will write $\mathcal{L}$ for the class of all linear flows of time, and D for the
class of all Dedekind-complete linear flows (see definition 4).


4.1 Translating temporal logic into first-order logic 


To begin, let us observe that the first-order approach subsumes any temporal logic whose 
temporal connectives have first-order definitions (‘tables’). 

Suppose we have a set $\mathcal{T}$ of connectives, each $\sharp \in \mathcal{T}$ being defined by a first-order table
$\tau_\sharp(t, P_1, \ldots, P_n)$ written with variables in a fixed set $V$, say. For each $v \in V$, let
$\tau_\sharp(v, P_1, \ldots, P_n)$ denote the result of applying to the variables of $\tau_\sharp(t, P_1, \ldots, P_n)$ a permutation
$\pi_\sharp$ of $V$ that takes $t$ to $v$. Then we may recursively translate each $\mathcal{T}$-formula
$\alpha(q_1, \ldots, q_n)$ into a first-order L*-formula $\alpha^v(v, Q_1, \ldots, Q_n)$, with free variable $v$ and written with
variables in $V$. The translation is defined by induction, as follows:


1. For an atom $q$, and $v \in V$, we set $q^v = Q(v)$.
2. We let $\top^v = \top$ and $\bot^v = \bot$.
3. We define $(\neg\alpha)^v = \neg(\alpha^v)$, and $(\alpha \wedge \beta)^v = \alpha^v \wedge \beta^v$.
4. For each $\sharp \in \mathcal{T}$, we define $(\sharp(\alpha_1, \ldots, \alpha_n))^v$ to be the formula obtained from
$\tau_\sharp(v, P_1, \ldots, P_n)$ by simultaneously replacing each atomic subformula $P_i(u)$ of it (where
$i \le n$ and $u \in V$) by $\alpha_i^u$.


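As an example, consider the set $\mathcal{T}$ of connectives F, U, with tables as defined before,
written with variables in $V = \{t, u, v\}$. Then we could let

$$(Fq)^t = \exists u(u > t \wedge Q(u)),$$
$$U(p,q)^u = \exists v(v > u \wedge Q(v) \wedge \forall t(u < t < v \to P(t))),$$
$$F\neg U(p,q)^t = \exists u(u > t \wedge (\neg U(p,q))^u) = \exists u(u > t \wedge \neg\exists v(v > u \wedge Q(v) \wedge \forall t(u < t < v \to P(t)))).$$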


The particular $V$ used is generally unimportant, so long as it is large enough; so we
will generally abuse notation slightly by writing $\alpha^*(t, P_1, \ldots, P_n)$ or just $\alpha^*(t)$ for the
L*-formula $\alpha^t$ above, for any variable $t$. $\alpha^*$ will be called the standard translation of $\alpha$.

It should be clear that the standard translation is meaning-preserving. Formally, for
any temporal structure $M = (T, <, h)$, any $\mathcal{T}$-formula $\alpha$, and any $a \in T$, we have

$$M, a \models \alpha \iff M^* \models \alpha^*(a, h(q_1), \ldots, h(q_n)).$$

This shows that first-order logic is at least as expressive as $\mathcal{T}$. Observe that we only need
a $V$ large enough to write the tables of the connectives of $\mathcal{T}$. So for example, the two-variable
fragment of first-order logic is enough to express every formula of the temporal
logic with F and P, and three variables suffice for U and S.
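
The translation just defined can be carried out mechanically. The following Python is an added example, not code from the handbook: it implements the standard translation for F, P, U and S using the cyclic variable permutation of the example above, counts the variables used, and checks meaning preservation by brute force on a four-point linear flow. The tuple encoding of formulas and the names `st`, `fo`, `holds` and `preserved` are assumptions made for the illustration.

```python
from itertools import combinations, product

V3 = ("t", "u", "v")  # the page's variable set V = {t, u, v}

# Temporal formulas are nested tuples: ("atom", "q"), ("top",), ("not", a), ("and", a, b),
# ("F", a), ("P", a), ("U", a, b), ("S", a, b).  U(a, b): b later, a strictly in between.

def perm(x, V):
    """Images of V[0], V[1], ... under a permutation of V taking V[0] to x (cyclic shift)."""
    k = V.index(x)
    return [V[(k + i) % len(V)] for i in range(len(V))]

def st(f, x="t", V=V3):
    """Standard translation f^x as a first-order AST; its only free variable is x."""
    op = f[0]
    if op == "atom": return ("pred", f[1], x)            # q^x = Q(x)
    if op == "top":  return ("top",)
    if op == "not":  return ("not", st(f[1], x, V))
    if op == "and":  return ("and", st(f[1], x, V), st(f[2], x, V))
    names = perm(x, V)
    t, u = names[0], names[1]
    # lt(a, b) says "b is later than a" for F/U and "b is earlier than a" for P/S
    lt = (lambda a, b: ("lt", a, b)) if op in ("F", "U") else (lambda a, b: ("lt", b, a))
    if op in ("F", "P"):                                 # table of F: Eu(t < u & P(u))
        return ("ex", u, ("and", lt(t, u), st(f[1], u, V)))
    if len(V) < 3:
        raise ValueError("the tables of U and S need three variables")
    v = names[2]  # table of U(P1, P2): Eu(t < u & P2(u) & Av((t < v & v < u) -> P1(v)))
    body = ("all", v, ("imp", ("and", lt(t, v), lt(v, u)), st(f[1], v, V)))
    return ("ex", u, ("and", lt(t, u), ("and", st(f[2], u, V), body)))

def show(phi):
    """Render a first-order AST as text (E = exists, A = for all, T = top)."""
    op = phi[0]
    if op == "top":  return "T"
    if op == "pred": return f"{phi[1].upper()}({phi[2]})"
    if op == "lt":   return f"{phi[1]} < {phi[2]}"
    if op == "not":  return f"~{show(phi[1])}"
    if op in ("and", "imp"):
        return f"({show(phi[1])} {'&' if op == 'and' else '->'} {show(phi[2])})"
    return f"{'E' if op == 'ex' else 'A'}{phi[1]}.{show(phi[2])}"

def variables(phi):
    """All variables occurring in phi, free or bound."""
    if phi[0] == "pred": return {phi[2]}
    if phi[0] == "lt":   return {phi[1], phi[2]}
    if phi[0] in ("ex", "all"): return {phi[1]} | variables(phi[2])
    return set().union(*(variables(s) for s in phi[1:]))

def fo(phi, T, h, env):
    """Truth of the first-order AST phi in M* = (T, <, h) under the assignment env."""
    op = phi[0]
    if op == "top":  return True
    if op == "pred": return env[phi[2]] in h[phi[1]]
    if op == "lt":   return env[phi[1]] < env[phi[2]]
    if op == "not":  return not fo(phi[1], T, h, env)
    if op == "and":  return fo(phi[1], T, h, env) and fo(phi[2], T, h, env)
    if op == "imp":  return (not fo(phi[1], T, h, env)) or fo(phi[2], T, h, env)
    vals = (fo(phi[2], T, h, {**env, phi[1]: a}) for a in T)  # rebinding shadows outer uses
    return any(vals) if op == "ex" else all(vals)

def holds(f, T, h, a):
    """Temporal semantics: M, a |= f in M = (T, <, h)."""
    op = f[0]
    if op == "atom": return a in h[f[1]]
    if op == "top":  return True
    if op == "not":  return not holds(f[1], T, h, a)
    if op == "and":  return holds(f[1], T, h, a) and holds(f[2], T, h, a)
    later = (lambda x, y: x < y) if op in ("F", "U") else (lambda x, y: y < x)
    if op in ("F", "P"):
        return any(later(a, b) and holds(f[1], T, h, b) for b in T)
    return any(later(a, b) and holds(f[2], T, h, b) and
               all(holds(f[1], T, h, c) for c in T if later(a, c) and later(c, b))
               for b in T)

def preserved(f, atoms, n=4):
    """Check M, a |= f iff M* |= f^t[a] on ({0..n-1}, <) for every valuation of atoms."""
    T, phi = range(n), st(f, "t")
    subsets = [set(c) for r in range(n + 1) for c in combinations(T, r)]
    for vals in product(subsets, repeat=len(atoms)):
        h = dict(zip(atoms, vals))
        if any(holds(f, T, h, a) != fo(phi, T, h, {"t": a}) for a in T):
            return False
    return True

p, q = ("atom", "p"), ("atom", "q")
EXAMPLE = ("F", ("not", ("U", p, q)))  # the page's F¬U(p,q)

if __name__ == "__main__":
    print(show(st(EXAMPLE)))
    print(sorted(variables(st(("F", ("P", ("F", q))), "t", ("t", "u")))))
    print(preserved(EXAMPLE, ["p", "q"]))
```

Passing a two-element variable set to `st` shows that nested F and P never need a third variable, while any formula containing U or S is rejected there because its table mentions three.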


4.2 Expressive completeness 


Clearly, the formulas $\{\alpha^x : \alpha \text{ a } \mathcal{T}\text{-formula},\ x \in V\}$ form, in general, a proper fragment
of even the $V$-variable fragment of first-order logic. For example, the formula $\exists y(y \neq x)$
is not of the form $\alpha^x$ for any $\alpha$ of the temporal logic with connectives F and P. This
suggests that temporal logic is weaker than first-order logic; but to see if this is really
true, we have to consider not just equality but equivalence of first-order formulas to
the translations of temporal ones. Of course, ‘equivalence’ is relative to the underlying
flow(s) of time.


DEFINITION 12. Let C be a class of flows of time. 


1. We say that first-order L*-formulas $\varphi, \psi$ are equivalent over C if for every temporal
structure $M = (T, <, h)$ with $(T, <) \in C$, and every assignment $v$ of the free
variables of $\varphi$ and $\psi$ to elements of T, we have $M^*, v \models \varphi \leftrightarrow \psi$. Note that $\varphi, \psi$
need not have the same free variables. For example, $v = v$ is equivalent to $\top$ over
any class C.


2. We say that an L*-formula $\varphi(t)$ is equivalent over C to a temporal formula $\alpha$, if
$\varphi(t)$ and $\alpha^*(t)$ are equivalent over C.


3. We will use obvious contractions: two formulas are said to be equivalent over linear 
time if they are equivalent over the class of all linear flows of time, equivalent over 
a flow of time (T, <) if they are equivalent over the class {(T,<)}, and so on. 


Since we are especially curious about whether temporal logic can ever match the power 
of first-order logic, we make the following definition. 


DEFINITION 13. Let C be a class of flows of time, and $\mathcal{T}$ a temporal logic. We say that
$\mathcal{T}$ is (propositionally) expressively complete over C if for every first-order L*-formula $\varphi$
with one free variable, there is a $\mathcal{T}$-formula $\alpha$ that is equivalent to $\varphi$ over C.


This is somewhat analogous to the boolean connectives $\wedge, \neg$ being able to express
any boolean function with any finite number of arguments. Since all temporal logics 
with connectives defined by first-order tables can be expressed in first-order logic, an 
expressively complete temporal logic would be an attractive proposition: it would be able 
to express all first-order-definable connectives. (Of course, it may not be able to express 
connectives defined by second-order tables; but here, we are focusing on the comparison 
of temporal logic with first-order logic. Aspects of second-order expressive completeness 
were discussed in Section 3.6.) Note that any temporal logic that is expressively complete 
over C remains expressively complete over any subclass of C. Also note that if we are 
willing to allow infinitely many temporal connectives, we can add one for each L*-formula, 
yielding a temporal logic that is trivially expressively complete over any class of flows of 
time. So we will concentrate on temporal logics with finitely many connectives. (Another 
possibility would be to impose a bound on the number of variables in the defining tables 
of connectives.) Some natural questions now arise (brief answers are in italics): 


1. Is there a temporal logic that is expressively complete over the class of all flows of 
time? No: see theorem 14. 


2. If not, then for which classes C of flows of time does there exist an expressively 
complete temporal logic? Examples include the linear and Dedekind-complete linear 
flows: see, e.g., theorem 15. That C has finite ‘Henkin dimension’ is a necessary 
but not sufficient condition; see Section 4.7. 


3. How can we tell whether a given temporal logic is expressively complete (over a 
given class C of flows of time)? Separation is useful: see theorem 17. 


4. If $\mathcal{T}$ is expressively complete over C, is there an effective procedure to convert an
arbitrary first-order formula $\varphi(x, P_1, \ldots, P_n)$ into a $\mathcal{T}$-formula $\alpha$ whose standard
translation is equivalent to $\varphi$ over C? How efficient can such a procedure be?
Sometimes; usually non-elementary. See Section 4.5.


5. If $\mathcal{T}$ is expressively complete over C, what can we say about the minimal length of
a $\mathcal{T}$-formula equivalent over C to a given first-order formula? This is asking how
succinct $\mathcal{T}$ is, compared with first-order logic. Sometimes there is a non-elementary
blow-up. See Section 4.5.


6. If $\mathcal{T}$ is not expressively complete over C, is it decidable whether a given first-order
formula is equivalent over C to the standard translation of some $\mathcal{T}$-formula? With
what complexity? Not known. See Section 4.5(4).


Quite a lot of work has been done on questions like these. We now proceed to give some 
more detailed answers than above. 


4.3 The class of all flows of time 


We have seen that given a set $\mathcal{T}$ of temporal connectives whose tables are written using
variables in a set $V$, any $\mathcal{T}$-formula can be translated to a first-order formula written
with variables in $V$. For finite $\mathcal{T}$, a finite set $V$ will always suffice. This means that there
is a finite bound on the number of variables required to write the standard translation
$\alpha^*$ of any $\mathcal{T}$-formula $\alpha$. As Gabbay showed in [59], it follows that over any class C
of flows of time on which the expressive power of L*-formulas with one free variable
increases infinitely often as the total number of available variables increases, there can
be no expressively complete temporal logic with finitely many temporal connectives. This
is so for the class of all flows of time: for example, for flows of the form $(T, \emptyset)$, it takes
$n$ variables to express that $|T| \ge n$. The answer to our first question is therefore ‘no’:


THEOREM 14 (Gabbay, [59]). There is no temporal logic with finitely many connectives 
(with first-order tables) that is expressively complete over the class of all flows of time. 


In Section 4.7, we will say a little more about the connection of expressive completeness 
to numbers of variables. 


4.4 Linear flows — Kamp’s theorem 


Quite remarkably, over linear time the picture is more positive. Recall that we let $\mathcal{L}$
denote the class of all linear flows of time. The negative argument sketched above for the
class of all flows does not apply to $\mathcal{L}$: [148, 106] showed that every first-order L*-formula
$\varphi(t, P_1, \ldots, P_n)$ can be equivalently rewritten over $\mathcal{L}$ using only three variables. This is
not in itself sufficient to ensure the existence of an expressively complete temporal logic
over it [93]. Nonetheless, Kamp showed that:


THEOREM 15 (Kamp, [112]). The temporal logic with Until and Since is expressively 
complete over the class D of all Dedekind-complete linear flows of time. 


This seminal theorem initiated the whole study of expressive completeness, and it 
remains one of the most interesting and distinctive results in temporal logic; very few, 
if any, similar ‘modal’ results exist. Several alternative proofs of it and stronger results 
have appeared; none of them are trivial (at least to most people). Kamp’s proof is in
[112]. A second proof uses separation, to be discussed in Section 4.6 below. A third 
line of proof, reminiscent of classical quantifier elimination, began in [66]. Expressive 
completeness of Until and Since over (N,<) was outlined, together with a statement 
that two further connectives can be added to Until and Since to create a temporal logic 
that is expressively complete over $\mathcal{L}$. This second statement was proved by Stavi in an
unpublished manuscript; the extra connectives are now called the Stavi connectives (see 
Section 3.4). A game-based account of the method appeared in [63, 64]. The proof for 
Dedekind complete time is simpler and appeared in [94]; it was later streamlined further 
by Wilke (unpublished). 


4.5 Computational issues 


Even when we have an expressively complete temporal logic $\mathcal{T}$ over a class C of flows of
time, still there are the issues of whether there is an effective procedure (algorithm) to
obtain a $\mathcal{T}$-formula $\alpha_\varphi(p_1, \ldots, p_n)$ that is C-equivalent to any given first-order formula
$\varphi(x, P_1, \ldots, P_n)$, what the algorithm’s complexity might be, and what might be the
length of $\alpha_\varphi$ in terms of the length of $\varphi$ (succinctness). We now make some observations
on these questions.


1. If the universal monadic second-order theory of C is decidable (as, for example, it
is for $\mathcal{L}$ and D [33]) by an algorithm A, say, then there is an algorithm to obtain
$\alpha_\varphi$. For, given $\varphi(x, P_1, \ldots, P_n)$, we may enumerate all $\mathcal{T}$-formulas $\alpha(p_1, \ldots, p_n)$,
check using A whether

$$C \models \forall P_1 \ldots P_n \forall x(\alpha^*(x, P_1, \ldots, P_n) \leftrightarrow \varphi(x, P_1, \ldots, P_n)),$$

and print out $\alpha$ if yes. By expressive completeness, this process will terminate.


2. However, even over C = {(N,<)}, and with $\mathcal{T}$ the temporal connectives Until and
Since, there is no elementary algorithm to obtain an equivalent $\mathcal{T}$-formula to every
first-order formula. (An algorithm is elementary if it runs in time bounded by
$2^{2^{\cdot^{\cdot^{\cdot^{2^{n}}}}}}$ on all inputs of length $n$, for some stack of 2s of arbitrary but fixed height.)
To see this, we note that the validity problem for $\mathcal{T}$ over C is PSPACE-complete
[184]; in particular, there is a PSPACE algorithm B to decide it. If there were an
elementary algorithm to translate first-order formulas into equivalent $\mathcal{T}$-formulas,
we could combine it with B, yielding an elementary decision procedure for the
universal monadic second-order theory of (N,<). This contradicts the result of
[134, p. 479], [186] that there is no elementary decision procedure for that logic.


3. This does not rule out the possibility that for every first-order $\varphi$ there is a relatively
short equivalent $\mathcal{T}$-formula $\alpha_\varphi$, even if there is no elementary algorithm to
construct one. But Etessami and Wilke showed in [47] that there is in general
a non-elementary gap between the length of a first-order formula and the length
of any equivalent temporal formula, over (N,<) and with respect to the temporal
logic with Until and Since. Succinctness is currently a rather active area; see,
e.g., [5, 82].


4. Until and Since are not expressively complete over all linear time. Rabinovich has 
asked if it is decidable whether an arbitrary first-order L*-formula $\varphi(t, P_1, \ldots, P_n)$
is equivalent over linear time to a temporal formula written with Until and Since.
We are not aware of any answer to this question or any of its obvious variants. 


4.6 Separation 


Roughly, a temporal logic has the separation property if each of its formulas can be equiv- 
alently rewritten as a boolean combination of parts depending only on the past, present, 
and future. Surprisingly, separation is often equivalent to expressive completeness, and 
is an important method for proving expressive completeness. 

We have seen temporal logics such as the logic with F and P, and that with U
and S, suitable for linear time. It is natural to observe that formulas such as $Pq$ and
$S(q, \neg S(\neg q, r))$ depend only on the past; $q \to r$ depends only on the present and is not
temporal at all; $FGq$ and $U(q \wedge \neg U(\top, q), \neg q)$ depend only on the future; and $F(q \wedge Pr)$
has a mixed dependence on past, present, and future. Let us be more precise.


DEFINITION 16. (Gabbay, [61]) Let C be a class of flows of time. A formula $\alpha$ of a
temporal logic $\mathcal{T}$ is said to be


• pure past over C, if for any $(T, <) \in C$, any $t \in T$, and any assignments $g, h : L \to \wp(T)$,
if $u \in g(q) \iff u \in h(q)$ for all $u \in T$ with $u < t$ and all $q \in L$, then
$(T, <, g), t \models \alpha$ iff $(T, <, h), t \models \alpha$;


• pure present over C, if for any $(T, <) \in C$, any $t \in T$, and any assignments $g, h : L \to \wp(T)$,
if $t \in g(q) \iff t \in h(q)$ for all $q \in L$, then $(T, <, g), t \models \alpha$ iff
$(T, <, h), t \models \alpha$;


• pure future over C, if for any $(T, <) \in C$, any $t \in T$, and any assignments $g, h : L \to \wp(T)$,
if $u \in g(q) \iff u \in h(q)$ for all $u \in T$ with $u > t$ and all $q \in L$, then
$(T, <, g), t \models \alpha$ iff $(T, <, h), t \models \alpha$;


• pure over C, if it is pure past, pure present, or pure future over C,
• separated over C, if it is a boolean combination of formulas that are pure over C.


$\mathcal{T}$ is said to have the separation property over C if every $\mathcal{T}$-formula is equivalent over C
to a formula that is separated over C.


So a formula is pure past if its truth value at any time depends only on the values of 
its atoms in the past. This definition is semantic, and couched in terms of atoms. This 
leads to some oddities that should perhaps be borne in mind. For example, over linear 
time, $F\top$ is pure present and pure past, as well as pure future; the formula $P\neg U(\top, \neg q)$
is actually pure past, even though it involves Until, and over dense flows like (Q, <) and
(R, <), it cannot be equivalently rewritten using only Since. The dependence on the
underlying flow of time can also lead to surprises. For instance, the formula $S(q, \bot)$ is
pure future over (Q, <), since it is equivalent to $\bot$ over this flow; but it is not pure future
over (N, <). 

Now we can connect separation to expressive completeness. This is surprising because 
the two conditions seem unrelated. 


THEOREM 17 (Gabbay; see [61] and [64, §9.3]). Let C be a class of linear flows of time,
and $\mathcal{T}$ a temporal logic able to express F and P over C. Then $\mathcal{T}$ is expressively complete
over C iff it has the separation property over C.


Proof. ‘$\Rightarrow$’ is proved by showing that any first-order formula can be separated. The
details are in [64].

For ‘$\Leftarrow$’, assume that $\mathcal{T}$ has the separation property. We show that any first-order
formula $\varphi(x, P_1, \ldots, P_n)$, with one free variable, $x$, and unary predicates $P_1, \ldots, P_n$, is
equivalent over C to some $\mathcal{T}$-formula, by induction on the quantifier depth $k$ of $\varphi$.

If $k$ is 0, then $\varphi$ is a boolean combination of formulas of the form $P_i(x)$, $x = x$, and
$x < x$, which can be replaced by $p_i$, $\top$, and $\bot$, respectively, to obtain the result. Assume
the result for $k$. It suffices to find a $\mathcal{T}$-formula equivalent over C to $\exists y \varphi(x, y, P_1, \ldots, P_n)$,
where $\varphi$ has quantifier depth $k$. We can suppose that $x$ and $y$ do not occur bound in $\varphi$.

Our strategy is first to remove the particular variable $x$ from $\exists y \varphi$. The atomic subformulas
of $\exists y \varphi$ involving $x$ are of the form $P_i(x)$, $x = x$, $x < x$, $z = x$, $z < x$, and $z > x$,
where $z$ is some variable other than $x$. We can replace $x = x$ by $\top$ and $x < x$ by $\bot$. Next,
we try to remove the occurrences of $x$ in subformulas $P_i(x)$. For each $S \subseteq \{1, 2, \ldots, n\}$,
let $\varphi^S$ be the result of replacing each atomic subformula $P_i(x)$ of $\varphi$ by $\top$ if $i \in S$, and by
$\bot$ if $i \notin S$. $\varphi^S$ still has the same quantifier depth, $k$, but has no occurrences of any $P_i(x)$.
(It may of course involve $P_i(z)$ for variables $z$ other than $x$.) Then $\exists y \varphi$ is equivalent to

$$\bigwedge_{S \subseteq \{1, \ldots, n\}} \Bigl( \bigwedge_{i \in S} P_i(x) \wedge \bigwedge_{j \notin S} \neg P_j(x) \to \exists y\, \varphi^S(x, y, P_1, \ldots, P_n) \Bigr).$$

The formulas $P_i(x)$ are equivalent to $p_i$, of course. So it is enough if we can express the
formulas $\exists y \varphi^S(x, y, P_1, \ldots, P_n)$ as $\mathcal{T}$-formulas.

Let $\psi$ be one of the formulas $\varphi^S$. All occurrences of $x$ in atomic subformulas of $\psi$ are
of the form $x = z$, $x > z$, and $x < z$. To remove even these, temporarily introduce new
atoms $r_=$, $r_<$, $r_>$, with corresponding unary predicates $R_=$, etc. Replace each atomic
subformula $x = z$ in $\psi$ by $R_=(z)$. Similarly, replace $z > x$ by $R_>(z)$, and $z < x$ by $R_<(z)$.
We obtain a new formula $\psi'(y, P_1, \ldots, P_n, R_<, R_=, R_>)$, of quantifier depth $k$, in which
$x$ does not occur at all. If we agree to interpret $R_=$ as $\{x\}$, $R_<$ as $\{t : t < x\}$, and $R_>$ as
$\{t : t > x\}$, then $\exists y \psi(x, y, P_1, \ldots, P_n)$ is equivalent to $\exists y \psi'(y, P_1, \ldots, P_n, R_<, R_=, R_>)$.

Now we know by the inductive hypothesis that $\psi'(y, P_1, \ldots, P_n, R_<, R_=, R_>)$ is equivalent
over C to some $\mathcal{T}$-formula $\alpha(p_1, \ldots, p_n, r_<, r_=, r_>)$. So, as the flows in C are linear,
$\exists y \psi'$ is equivalent over C to $\beta = \alpha \vee F\alpha \vee P\alpha$. Thus, under our agreement, the formula
$\exists y \psi(x, y, P_1, \ldots, P_n)$ is equivalent over C to $\beta(p_1, \ldots, p_n, r_<, r_=, r_>)$.

Finally, we remove the $r$. Separate $\beta$. We obtain a boolean combination
$\gamma(p_1, \ldots, p_n, r_<, r_=, r_>)$ of pure $\mathcal{T}$-formulas that is equivalent over C to $\beta$. Consider a pure past
formula $\delta(p_1, \ldots, p_n, r_<, r_=, r_>)$ from this boolean combination. As $\delta$ is pure past, it only
‘needs to know’ the values of the atoms at points $t < x$ when we evaluate it at a point
$x$. Its truth value is independent of their values at points $t \ge x$. So let us replace $r_=$
and $r_>$ in $\delta$ by $\bot$, as under our agreement, these atoms are equivalent to $\bot$ at all $t < x$.
Replace $r_<$ by $\top$; these are also equivalent before $x$. We obtain
$\delta^*(p_1, \ldots, p_n) = \delta(p_1, \ldots, p_n, \top, \bot, \bot)$. Then subject to our agreement, the truth values of $\delta^*$ and $\delta$ at $x$ are the
same. We conduct a similar replacement campaign for each pure formula $\delta$ in $\gamma$. If $\delta$ is
pure present, $r_=$ is replaced by $\top$, and the others by $\bot$. For pure future $\delta$, $r_>$ is replaced
by $\top$ instead. The result is a boolean combination $\gamma^*(p_1, \ldots, p_n)$, which, subject to our
agreement, is equivalent to $\exists y \psi(x, y, P_1, \ldots, P_n)$.
But the agreement concerned atoms that do not appear in $\gamma^*$ or $\psi$. So it is irrelevant.
Thus, without any restriction on assignments to atoms, $\gamma^*$ is equivalent over C to
$\exists y \psi(x, y, P_1, \ldots, P_n)$. This completes the proof. $\Box$


THEOREM 18 (Gabbay; see [61] and [64, 10.2.9]). The temporal logic with Until and
Since has the separation property over (N,<) (i.e., over the class {(N, <)}). 


THEOREM 19 (Gabbay, Reynolds; see [64, §10.3-11]). The temporal logic with Until 
and Since has the separation property over (R, <). The temporal logic with Until, Since, 
and the Stavi connectives has the separation property over the class $\mathcal{L}$ of all linear flows
of time. 


Hence, Until and Since are expressively complete over (N, <) and (R, <), and Until, 
Since, and the Stavi connectives are expressively complete over all linear flows. The 
proofs of theorems 18 and 19 are direct, showing that each formula can be separated. 
They are tough and tougher, respectively. Nonetheless, they are effective, and so, whilst 
not quite providing an algorithm to determine if a set of connectives is expressively 
complete, they do suggest a potential way of telling in practice whether a given set of 
connectives is expressively complete — in Gabbay’s words, try to separate and see where 
you get stuck! The process may suggest additional connectives that are more nearly 
expressively complete. For example, in the temporal logic with F and P, an attempt
to find a separated formula equivalent over linear time to $F(q \wedge Hr)$ shows the need for
Until. This formula cannot be separated using only F and P, but it is equivalent to
$Hr \wedge r \wedge U(r, q)$, which is separated over linear time.
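
Definition 16 and the separation of F(q ∧ Hr) just described can be checked by brute force on a small flow. The following Python is an added example, not part of the handbook; it tests purity and equivalence over the single finite linear flow ({0,1,2,3}, <) only, which illustrates the definitions but proves nothing about the class of all linear flows. The function names are assumptions, and U follows the table of Section 4.1 (second argument at a later point, first argument in between).

```python
from itertools import combinations, product

N = 4
T = range(N)  # constructed test flow ({0, 1, 2, 3}, <)
ALL = frozenset(T)
SUBSETS = [frozenset(c) for r in range(N + 1) for c in combinations(T, r)]

# Truth-set semantics: each connective maps the sets of points where its arguments
# hold to the set of points where the compound formula holds.
def Not(A):
    return ALL - A

def F(A):
    return frozenset(t for t in T if any(u in A for u in T if u > t))

def P(A):
    return frozenset(t for t in T if any(u in A for u in T if u < t))

def H(A):
    return Not(P(Not(A)))

def U(A, B):
    # U(a, b): b at some later point u, and a at every point strictly between
    return frozenset(t for t in T
                     if any(u in B and all(w in A for w in T if t < w < u)
                            for u in T if u > t))

def valuations(atoms):
    """Every assignment g : atoms -> subsets of T."""
    for sets in product(SUBSETS, repeat=len(atoms)):
        yield dict(zip(atoms, sets))

# Which points u an assignment must agree on, relative to the evaluation point t
REGION = {"past": lambda u, t: u < t,
          "present": lambda u, t: u == t,
          "future": lambda u, t: u > t}

def is_pure(formula, atoms, kind):
    """Definition 16 on this flow: assignments that agree on the region of t
    (past, present or future) must give the formula the same truth value at t."""
    seen = {}
    for g in valuations(atoms):
        truth = formula(g)
        for t in T:
            restricted = tuple(frozenset(u for u in g[a] if REGION[kind](u, t))
                               for a in atoms)
            if seen.setdefault((t, restricted), t in truth) != (t in truth):
                return False
    return True

def equivalent(f1, f2, atoms):
    """Same truth set under every assignment on this flow."""
    return all(f1(g) == f2(g) for g in valuations(atoms))

def mixed(g):        # F(q & Hr)
    return F(g["q"] & H(g["r"]))

def separated(g):    # Hr & r & U(r, q)
    return H(g["r"]) & g["r"] & U(g["r"], g["q"])

if __name__ == "__main__":
    atoms = ["q", "r"]
    print({k: is_pure(mixed, atoms, k) for k in REGION})
    print(equivalent(mixed, separated, atoms))
```

On this flow `mixed` is not pure in any of the three senses, while each conjunct of `separated` is pure and the two formulas have the same truth set under all 256 assignments.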

Suppose we have a $\mathcal{T}$ able to express F and P and with the separation property
over a class $C \subseteq \mathcal{L}$. The proofs of the above theorems can provide an effective way
of constructing, for any temporal formula $\alpha$, a separated (over C) $\mathcal{T}$-formula that is
equivalent to $\alpha$ over C. However, there are some outstanding open questions:


1. What is the optimal complexity of algorithms that, given a $\mathcal{T}$-formula $\alpha$, output a
separated formula equivalent to $\alpha$ over C?


The chief concrete instances of this problem are for U,S over (N,<) and over 
Dedekind complete time, and for U, S, and the Stavi connectives over linear time. 
It is known that all such algorithms require at least exponential time; it is likely 
that there is no elementary algorithm even for (N, <). 


2. What can one say about the length of a shortest separated $\mathcal{T}$-formula equivalent
(over C) to a given $\mathcal{T}$-formula?


Results in [122] imply that over (N, <), separation causes at least an exponential 
blow-up in length for some formulas. 


We end this section by mentioning some separation and expressive completeness results 
for non-linear time. For $\omega$-trees with a bounded number of immediate successors of each
node, or similar such restrictions, see [10, 11, 12, 13, 106, 175]. For the language XPath 
over trees with a left-right ordering, see [128]. [136] shows that the expressive power of 
the branching time logic CTL* coincides with that of the class of bisimulation invariant 
properties expressible in so-called monadic path logic: monadic second order logic in 
which set quantification is restricted to paths. In order to prove this result, the authors 
first prove a composition theorem for trees. This approach is adapted from the proof 
in [86] that CTL* coincides with the whole of monadic path logic over the class of full 
binary trees. 


4.7 Many-dimensional temporal logic


We can generalise the notion of standard translation (Section 4.1) in the obvious way
to the many-dimensional temporal logics discussed in Section 3.5(3). For a set $\mathcal{T}$ of
$k$-dimensional temporal connectives, the standard translation $\alpha^*$ of a $\mathcal{T}$-formula $\alpha$ is an
L*-formula with (in general) $k$ free variables. For a class C of flows of time, $\mathcal{T}$ is said to
be (propositionally) expressively complete over C if every L*-formula with $k$ free variables
is equivalent over C to (the standard translation of) a $\mathcal{T}$-formula. We briefly consider
now what can be said about this notion. We will say more in the first-order case, in
Section 4.8. 

How does many-dimensional expressive completeness relate to the one-dimensional 
expressive completeness discussed above? Suppose we have a class C of flows of time. 
If $\mathcal{T}$ is a set of $k$-dimensional temporal connectives that is propositionally expressively
complete over C, we can very easily construct a finite set of (k+1)-dimensional connectives 
that are also expressively complete over C. [64, theorem 13.3.4] has details of this ‘dimen- 
sion-boosting’ technique. 

On the other hand, there are classes of flows of time for which there is a finite ex- 
pressively complete set of 2-dimensional temporal connectives but no finite expressively 
complete one-dimensional set. An example based on circular time is given in [64, theorem 
13.7.12]. 

There are some partial characterisations of when many-dimensional expressive com- 
pleteness can be expected. A class C of flows of time is said to have the k-variable 
property if every L*-formula $\varphi$ with at most $k$ free variables is equivalent over C to a
formula written with $k$ variables altogether. For example, the class $\mathcal{L}$ of linear flows has
the 3-variable property [106, 148]. It was shown in [64, theorem 13.6.7] that if C has 
the k-variable property then there is a finite expressively complete set of k-dimensional 
temporal connectives for C, and if k > 3, there is even a finite expressively complete set 
of (k — 1)-dimensional connectives. (The k-variable property does not imply one-dimen- 
sional expressive completeness, because the circular-time example just mentioned has the 
3-variable property.) 

The related notion of ‘Henkin dimension’ was considered in [59, 93, 99]. A class C of 
flows of time has Henkin dimension at most k if every L*-formula can be equivalently 
rewritten over C to use at most k bound variables. In [64, theorem 13.2.4], it is shown 
that C having finite Henkin dimension is a necessary condition for there to exist a finite 
expressively complete set of finite-dimensional temporal connectives for C. For a rather 
weaker notion of expressive completeness, it is necessary and sufficient. 

Obtaining expressively complete connectives over a class of flows of time with the 
k-variable property or finite Henkin dimension is relatively straightforward. The con- 
nectives are many-dimensional and the dimensions can mimic the variables in first-order 
formulas, of which a bounded number are needed. So their expressive completeness may 
not be so surprising. Obtaining expressively complete one-dimensional connectives is a 
very different matter. Many-dimensional expressive completeness can be useful as a step 
on the road to proving expressive completeness for one-dimensional connectives (e.g., 
[175]), but one-dimensional results such as Kamp’s theorem 15 are generally far more 
profound and difficult than many-dimensional ones, and have very different proofs. 

So far, we have taken our temporal structures to have the form $(T, <, h)$, where
$h : L \to \wp(T)$. In particular, the values of atoms depend on only a single time point. For
$k$-dimensional temporal connectives, we can generalise our semantics and allow atoms to
depend on $k$ time points: so $h : L \to \wp(T^k)$. This is what we called ‘true’ many-dimensional
temporal logic in Section 3.5(3). If we do this, expressive completeness is no longer
available. Venema showed in [198] that there is no finite set of 2-dimensional temporal
connectives that is expressively complete over linear flows of time. His example uses a
single atom, say $q$; for each $n > 1$, he defines a temporal structure $M_n = (Q, <, h_n)$ in
which $h_n(q)$ is an equivalence relation with $n$ classes, each of which is dense in (Q, <).
We know that given any finite set $\mathcal{T}$ of 2-dimensional temporal connectives, there is
finite $n$ such that the standard translation of every $\mathcal{T}$-formula can be written with $n$
variables. But an Ehrenfeucht-Fraïssé game argument shows that no $n$-variable first-order
sentence can distinguish between $M_n$ and $M_{n+1}$. The argument generalises easily
to higher dimensions.


4.8 First-order temporal logic 


The study of expressive completeness in the setting of first-order temporal logic probably 
began with Kamp’s [113], and the field is currently quite active. The picture is not as 
nice as in the propositional case: there are a few positive results, but also strong negative 
ones. 

Fix a first-order relational signature L. (We assume for simplicity that L is relational, 
with no function symbols or constants; but our methods are quite general.) Recall from 
Section 2.7 that first-order temporal structures are of the form $M = (T, <, D, (M_t : t \in T))$,
where $(T, <)$ is a flow of time, and for some first-order signature L, each $M_t$ is an
L-structure with domain D.

We have seen two ways to describe these structures in logic. The first is to use a
temporal logic. When we mention a set $\mathcal{T}$ of temporal connectives here, it will be implicit
that the connectives in $\mathcal{T}$ all have the same finite dimension (perhaps greater than 1) and
have first-order tables, but there is no implicit assumption that $\mathcal{T}$ is finite. Given a set
$\mathcal{T}$ of connectives, we know how to form a first-order temporal logic $\mathcal{T}(L)$. For example,
if $\mathcal{T}$ contains the unary one-dimensional connective F (‘sometime in the future’), and L
contains unary relation symbols dog and day, then


$$\alpha = \forall x(\mathrm{dog}(x) \to F\,\mathrm{day}(x))$$


(‘every dog will have his day’) is a $\mathcal{T}(L)$-formula.

The second way is to use a two-sorted first-order logic over the L*-structure M*
obtained from M as in Section 3.3. Recall that the two sorts are t (for time) and d (for
the first-order domain). The domain of M* is the disjoint union of T (sort t) and D (sort
d). L* is obtained from L by adding an extra, t-sorted coordinate to each relation symbol
in L: so, for example, if $R \in L$ is an $n$-ary relation symbol, then we include in L* a
relation symbol $R^*$ of sort $t \times d^n$. For $a \in T$ and $d_1, \ldots, d_n \in D$, we let
$M^* \models R^*(a, d_1, \ldots, d_n)$ iff $M_a \models R(d_1, \ldots, d_n)$. For $\mathcal{T}$, L as above, an example of an L*-formula is


$$\varphi = \forall x(\mathrm{dog}^*(t, x) \to \exists u(u > t \wedge \mathrm{day}^*(u, x))).$$


We wish to compare the expressive power of these two approaches. To help distinguish
them, we will write $\mathcal{T}(L)$-formulas as $\alpha, \beta, \ldots$, and L*-formulas as $\varphi, \psi, \ldots$. We write
d-variables as $x, y, z, x_1, \ldots, x_n$, etc, and t-variables as $t, u, v, t_1, \ldots, t_m$, etc. We will use
$a, b$, etc., for time elements, and $d, e$, etc., for domain elements.
Standard translation


Let us first observe that, analogously to the propositional case, each $\mathcal{T}(L)$-formula has
a standard translation into two-sorted first-order logic. It can be defined as follows.
Suppose that $\mathcal{T}$ consists of k-dimensional connectives $\sharp$ with first-order tables
$\tau_\sharp(t_1, \ldots, t_k, P_1, \ldots, P_n)$, where $\sharp$ is n-ary and $P_1, \ldots, P_n$ are k-ary relation symbols.
We regard all symbols in $\tau_\sharp$ as of sort t. We can suppose that in each atomic subformula
$P_i(u_1, \ldots, u_k)$ of $\tau_\sharp$, the variables $u_1, \ldots, u_k$ are distinct. As earlier, for any distinct
t-variables $u_1, \ldots, u_k$, $\tau_\sharp(u_1, \ldots, u_k, P_1, \ldots, P_n)$ denotes the result of permuting the
variables in $\tau_\sharp(t_1, \ldots, t_k, P_1, \ldots, P_n)$ by a permutation taking $t_1, \ldots, t_k$ to $u_1, \ldots, u_k$,
respectively. Then for any $\mathcal{T}(L)$-formula $\alpha$ and distinct t-variables $t_1, \ldots, t_k$, we define
the L*-formula $\alpha^{t_1 \ldots t_k}$ by induction on $\alpha$ as follows:


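$$\begin{aligned}
R(x_1, \ldots, x_m)^{t_1 \ldots t_k} &= R^*(t_1, x_1, \ldots, x_m), \text{ for each } m\text{-ary relation symbol } R \in L,\\
(x = y)^{t_1 \ldots t_k} &= (x = y),\\
\top^{t_1 \ldots t_k} &= \top, \text{ and similarly for } \bot,\\
(\alpha \wedge \beta)^{t_1 \ldots t_k} &= \alpha^{t_1 \ldots t_k} \wedge \beta^{t_1 \ldots t_k},\\
(\neg\alpha)^{t_1 \ldots t_k} &= \neg(\alpha^{t_1 \ldots t_k}),\\
(\exists x\,\alpha)^{t_1 \ldots t_k} &= \exists x(\alpha^{t_1 \ldots t_k}).
\end{aligned}$$

Finally, for each n-ary connective $\sharp$ of $\mathcal{T}$, $\sharp(\alpha_1, \ldots, \alpha_n)^{t_1 \ldots t_k}$ is defined to be the result of
replacing each atomic subformula $P_i(u_1, \ldots, u_k)$ in $\tau_\sharp(t_1, \ldots, t_k, P_1, \ldots, P_n)$ by $\alpha_i^{u_1 \ldots u_k}$.
As before, we generally write $\alpha^{t_1 \ldots t_k}$ simply as $\alpha^*(t_1, \ldots, t_k, x_1, \ldots, x_m)$, and refer to
$\alpha^*$ as the standard translation of $\alpha$. For example, the standard translation of $\alpha$ (above)
is $\varphi$.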
It should be clear that for any temporal structure $M = (T, <, D, (M_t : t \in T))$, any
$d_1, \ldots, d_m \in D$, any $a_1, \ldots, a_k \in T$, and any $\mathcal{T}$-formula $\alpha(x_1, \ldots, x_m)$, we have

$$M, a_1, \ldots, a_k \models \alpha(d_1, \ldots, d_m) \iff M^* \models \alpha^*(a_1, \ldots, a_k, d_1, \ldots, d_m).$$

So the standard translation faithfully represents the meaning of the original temporal
formula. It is therefore reasonable to generalise definition 12 to first-order temporal
logic, as follows.


DEFINITION 20. Let C be a class of flows of time, and let (T, <) be a flow of time.


1. We say that two-sorted first-order L*-formulas $\varphi, \psi$ are equivalent over C if for
every temporal structure $M = (T, <, D, (M_t : t \in T))$ with $(T, <) \in C$, and every
sort-respecting assignment v of the free variables of $\varphi$ and $\psi$ to elements of $T \cup D$,
we have $M^*, v \models \varphi \leftrightarrow \psi$. Note as before that $\varphi, \psi$ need not have the same free
variables.


2. Let $\mathcal{T}$ be a set of k-dimensional temporal connectives, and let $(t_1, \ldots, t_k)$ be a
sequence of distinct t-variables. We say that a two-sorted L*-formula
$\varphi(t_1, \ldots, t_k, x_1, \ldots, x_n)$ is equivalent over C to a first-order $\mathcal{T}(L)$-formula $\alpha(x_1, \ldots, x_n)$ if
$\varphi(t_1, \ldots, t_k, x_1, \ldots, x_n)$ and $\alpha^*(t_1, \ldots, t_k, x_1, \ldots, x_n)$, the standard translation of
$\alpha$, are equivalent over C. (This definition implicitly depends on the choice of $t_1, \ldots, t_k$.)


3. For short, two formulas are said to be equivalent over (T, <) if they are equivalent
over the class {(T, <)}, equivalent over linear time if they are equivalent over the
class of all linear flows of time, etc.


Standard translations have a restricted syntactic form. This will be important in the 
analysis to come. Formally: 


DEFINITION 21. For an integer $k \geq 1$, let $L^*_k$ be the fragment of L* consisting of all
formulas $\varphi$ such that any subformula of $\varphi$ of the form $\exists x\,\psi$, for any d-variable x, has at
most k free t-variables.


LEMMA 22. For any set $\mathcal{T}$ of k-dimensional temporal connectives, the standard translation
of any $\mathcal{T}(L)$-formula is in $L^*_k$.


Proof. This is proved easily from the definitions by induction on $\mathcal{T}(L)$-formulas, and
is essentially because $\mathcal{T}(L)$-formulas are evaluated at k time points. We leave the details
to the reader. □
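The standard translation, its faithfulness and the syntactic restriction of Definition 21 and Lemma 22 can be checked mechanically on small finite structures. The following is an added example, not code from the chapter: it is narrowed to one-dimensional connectives (k = 1) with the tables of F and P, omits ⊤ and ⊥, and its tuple encoding of formulas, the function names and the sample structure are all assumptions made for illustration.

```python
import itertools

# First-order tables of one-dimensional connectives (k = 1), over sort t.
# ('P', i, u) is the atom P_i(u); the free variable 't' is the evaluation point.
TABLES = {
    'F': ('texists', 'u', ('and', ('lt', 't', 'u'), ('P', 1, 'u'))),  # future
    'P': ('texists', 'u', ('and', ('lt', 'u', 't'), ('P', 1, 'u'))),  # past
}
_fresh = itertools.count()

def translate(a, t):
    """Standard translation of the temporal formula a at the t-variable t."""
    op = a[0]
    if op == 'rel':                          # R(x1..xm) becomes R*(t, x1..xm)
        return ('rel*', a[1], t, a[2])
    if op == 'eq':
        return a
    if op in ('not', 'and', 'exists'):       # the translation commutes with these
        return (op,) + tuple(translate(s, t) if isinstance(s, tuple) else s
                             for s in a[1:])
    return _inst(TABLES[a[1]], {'t': t}, a[2])      # op == 'conn'

def _inst(tau, ren, args):
    """Copy a table: rename variables, replace P_i(u) by args[i-1] translated at u."""
    op = tau[0]
    if op == 'P':
        return translate(args[tau[1] - 1], ren[tau[2]])
    if op == 'lt':
        return ('lt', ren[tau[1]], ren[tau[2]])
    if op in ('not', 'and'):
        return (op,) + tuple(_inst(s, ren, args) for s in tau[1:])
    new = f"{tau[1]}{next(_fresh)}"          # 'texists': fresh bound t-variable
    return ('texists', new, _inst(tau[2], {**ren, tau[1]: new}, args))

def holds(phi, M, env):
    """Truth of a two-sorted L*-formula in M* under a sort-respecting assignment."""
    T, lt, D, I = M
    op = phi[0]
    if op == 'eq':
        return env[phi[1]] == env[phi[2]]
    if op == 'lt':
        return (env[phi[1]], env[phi[2]]) in lt
    if op == 'rel*':
        return tuple(env[x] for x in phi[3]) in I[env[phi[2]]].get(phi[1], set())
    if op == 'not':
        return not holds(phi[1], M, env)
    if op == 'and':
        return holds(phi[1], M, env) and holds(phi[2], M, env)
    sort = D if op == 'exists' else T        # 'exists' ranges over D, 'texists' over T
    return any(holds(phi[2], M, {**env, phi[1]: e}) for e in sort)

def sat(a, M, now, env):
    """Truth of a temporal formula at time `now`, reading F and P directly."""
    T, lt, D, I = M
    op = a[0]
    if op == 'eq':
        return env[a[1]] == env[a[2]]
    if op == 'rel':
        return tuple(env[x] for x in a[2]) in I[now].get(a[1], set())
    if op == 'not':
        return not sat(a[1], M, now, env)
    if op == 'and':
        return sat(a[1], M, now, env) and sat(a[2], M, now, env)
    if op == 'exists':
        return any(sat(a[2], M, now, {**env, a[1]: d}) for d in D)
    return any(sat(a[2][0], M, s, env) for s in T        # op == 'conn'
               if ((now, s) if a[1] == 'F' else (s, now)) in lt)

def free_t(phi):
    """Free t-variables of an L*-formula."""
    if phi[0] == 'lt':
        return {phi[1], phi[2]}
    if phi[0] == 'rel*':
        return {phi[2]}
    sub = set().union(*(free_t(s) for s in phi[1:] if isinstance(s, tuple)))
    return sub - {phi[1]} if phi[0] == 'texists' else sub

def in_fragment(phi, k):
    """Definition 21: every subformula 'exists x psi' has at most k free t-variables."""
    if phi[0] == 'exists' and len(free_t(phi)) > k:
        return False
    return all(in_fragment(s, k) for s in phi[1:] if isinstance(s, tuple))

# Constructed sample: 'every dog will have his day' as not exists x (dog and not F day).
ALPHA = ('not', ('exists', 'x', ('and', ('rel', 'dog', ['x']),
         ('not', ('conn', 'F', [('rel', 'day', ['x'])])))))
# Constructed temporal structure: three time points, two domain elements.
M = ([0, 1, 2], {(0, 1), (0, 2), (1, 2)}, ['rex', 'fido'], {
    0: {'dog': {('rex',), ('fido',)}},
    1: {'dog': {('rex',)}, 'day': {('rex',)}},
    2: {'dog': {('rex',)}, 'day': {('fido',)}},
})

def agree(a, M):
    """Check M, s |= a iff M* |= a*(s) at every time point s (a a sentence)."""
    phi = translate(a, 't')
    return all(sat(a, M, s, {}) == holds(phi, M, {'t': s}) for s in M[0])
```

A formula that compares two time points under a d-quantifier fails `in_fragment(..., 1)`, so by Lemma 22 it cannot be the standard translation of any formula built from one-dimensional connectives.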


Summary of results 


There is a positive result in the first-order setting: $L^*_1$ is exactly as expressive as
one-dimensional first-order temporal logic. See theorem 23.

But in the main, the results are negative. Obviously, $L^*_1 \subseteq L^*_2 \subseteq \cdots$, and
$\bigcup_{k \geq 1} L^*_k = L^*$. It turns out that L* is more expressive than any of the fragments
$L^*_k$ (k = 1, 2, ...). It follows from this and lemma 22 that even using many-dimensional
temporal connectives, we cannot hope for full expressive completeness, even though we have
it for one-dimensional connectives (Kamp’s theorem 15) in the propositional case. Below we
will go into this in more detail.


Expressive completeness for $L^*_1$


[100, 18] showed that in situations where we have propositional expressive completeness,
we can derive expressive completeness with respect to $L^*_1$-formulas. This is one of the
few first-order expressive completeness results.


THEOREM 23. Let $\mathcal{T}$ consist of Until and Since only, and let L be any relational
first-order signature.


1. Every $\mathcal{T}(L)$-formula is equivalent to some $L^*_1$-formula over the class of all flows of
time.


2. For every $L^*_1$-formula $\varphi(t, x_1, \ldots, x_n)$ with one free t-variable, there is a formula
$\alpha(x_1, \ldots, x_n)$ of $\mathcal{T}(L)$ that is equivalent to $\varphi$ over the class of all Dedekind-complete
linear flows of time.


Proof. Part (1) is immediate from lemma 22. The proof of part (2) is by induction on
the number of quantifiers $\exists x$ (for any d-variable x) in $\varphi$. Let $\Psi$ be the (possibly empty)
set of all $L^*_1$-formulas with at most one free t-variable and with fewer d-quantifiers than
$\varphi$, and inductively assume the result for all formulas in $\Psi$. Then $\varphi$ is built from


1. atomic formulas of the form u < v, u = v, where u, v have sort t as usual,


2. atomic L*-formulas of the form y = z and $P^*(u, y_1, \ldots, y_k)$,


3. formulas of the form $\exists x\,\psi(u, x, y_1, \ldots, y_m)$ for $\psi \in \Psi$,


using only the boolean operations and quantifiers over t-variables. Each formula in (2)
has at most one free t-variable, so is of the form $\alpha(u, y_1, \ldots, y_k)$ for some t-variable u
(where $y_1, \ldots, y_k$ are d-variables). Our strategy is to treat the formulas in (2) and (3)
as unary relation symbols over the flow of time. Then $\varphi$ turns into a first-order formula
to which we can apply Kamp’s theorem. What remains can be dealt with by hand/by
the induction hypothesis.

Replace each type (2) subformula $\alpha(u, y_1, \ldots, y_k)$ of $\varphi$ by $Q_\alpha(u)$, where $Q_\alpha$ is a new
unary relation symbol. Similarly, for each $\psi$ as in (3), introduce a unary relation symbol
$Q_\psi$, and replace the subformula $\exists x\,\psi(u, x, y_1, \ldots, y_m)$ of $\varphi$ by $Q_\psi(u)$. In this way, we
obtain a first-order formula $\varphi'(t)$ involving only time variables, unary relation symbols,
equality, and <. By Kamp’s theorem (theorem 15 above), there is a propositional US-formula
$\beta$, whose atoms are $q_\alpha, q_\psi$ for $\alpha, \psi$ as above, and whose standard translation $\beta^*$
is equivalent to $\varphi'(t)$ over Dedekind complete time.

By the inductive hypothesis, for each formula $\psi(u, x, y_1, \ldots, y_m) \in \Psi$, there is a
$\mathcal{T}(L)$-formula $\gamma_\psi(x, y_1, \ldots, y_m)$ whose standard translation $\gamma_\psi^*(u, x, y_1, \ldots, y_m)$ is
equivalent to $\psi$ over Dedekind complete time. Hence, $(\exists x\,\gamma_\psi)^*(u, y_1, \ldots, y_m)$ is equivalent to
$(\exists x\,\psi)(u, y_1, \ldots, y_m)$. Replace the atoms $q_\psi$ in $\beta$ by $\exists x\,\gamma_\psi(x, y_1, \ldots, y_m)$, for each such
$\psi$, and similarly replace the atoms $q_\alpha$ in $\beta$ by $\alpha(y_1, \ldots, y_k)$, for each $\alpha(y_1, \ldots, y_k)$ as in
(2). We obtain a $\mathcal{T}(L)$-formula $\delta(x_1, \ldots, x_n)$ which is easily seen to be equivalent to $\varphi$
over Dedekind complete time. □


We proved this result for the connectives Until and Since, but the approach is more 
general. For example, in part (2) we could capture all linear time by adding the Stavi 
connectives. We do not know whether there are generalisations to $L^*_k$ for k > 1. The
issues of separation and complexity and succinctness of translations in first-order tem- 
poral logic remain largely unexplored, though one may expect that the lower bounds for 
propositional temporal logic will be inherited by the first-order case. 


Expressive incompleteness 


Without the restriction to $L^*_1$, the picture is not so rosy. Let us first lay down what we
would like. 


DEFINITION 24. Let C be a class of flows of time, L a signature, and $\mathcal{T}$ a set of
k-dimensional temporal connectives. We say that $\mathcal{T}(L)$ is first-order expressively complete
over C if for every two-sorted first-order L*-formula $\varphi(t_1, \ldots, t_k, x_1, \ldots, x_n)$, there is a
$\mathcal{T}(L)$-formula $\alpha(x_1, \ldots, x_n)$ that is equivalent to $\varphi$ over C.


It has long been known that connectives that are expressively complete in the propositional
case can fail to be so in first-order temporal logic. For example, let L consist of
a unary relation symbol Q, and let $\mathcal{T}$ consist of the one-dimensional connectives Until
and Since. We know by theorem 15 that $\mathcal{T}$ is propositionally expressively complete over
(N, <) and over the class of finite linear flows. But consider the L*-sentence


$$\chi = \exists u \exists v(u \neq v \wedge \forall x(Q^*(u, x) \leftrightarrow Q^*(v, x))).$$

This says that the temporal structure contains two identical first-order structures. A
somewhat analogous English statement is that all those who get married on some day
get divorced on some (other) day too. Now $\chi$ is not in $L^*_1$; and since the standard
translation of any $\mathcal{T}(L)$-formula is in $L^*_1$, we might suspect that $\chi$ is not expressible in
$\mathcal{T}(L)$. Indeed, it turns out that $\chi$ is not equivalent to any $\mathcal{T}(L)$-formula over the flow
of time (Q, <) (proved by Kamp in [113]), nor over (N, <) or the class of all finite linear
flows [4, 3]. So:


THEOREM 25 ([113, 4, 3]). The connectives Until and Since are not first-order expres- 
sively complete over any of (Q,<), (N,<), or the class of all finite linear flows of time. 


The context of [4, 3] is temporal databases, and other workers in this area have recently 
been active in temporal expressiveness. We now describe three of their results. 

First, [191] showed that there is no finite set of one-dimensional temporal connectives 
that is expressively complete over temporal structures with dense linear flow of time. 
The proof was again model-theoretic. 

Second, [18] showed that (slightly non-standard versions of) Until and Since cannot
express $\chi$ (above) in temporal structures with linear flow of time. Whilst this result is
implied by that of [113], the proof is novel. It can be summarised as follows. Suppose for
contradiction that we had an $L^*_1$-formula $\chi_1$ equivalent to $\chi$ over linear time. Although
$\chi$ does not involve <, $\chi_1$ might: it might use the linear order in some devious way to
express $\chi$. But because $\chi$ does not involve <, the truth value of $\chi$ and hence $\chi_1$ in any
temporal structure M with linear flow of time is invariant under replacing the order on
the t-sort of M by any other linear order. So $\chi_1$ may use a linear order, but it doesn’t
care which order it’s given. We can say that $\chi_1$ is ‘order-independent over linear time’.

Now it can be checked that $L^*_1$ has the Craig interpolation property. Using this and
order-independence and the fact that being a linear order is first-order definable, we can
replace $\chi_1$ by another $L^*_1$-formula $\chi_2$ in which < does not occur. $\chi_2$ is still equivalent to
$\chi$ over linear time. But the absence of < makes it relatively easy to exhibit two temporal
structures with linear flows of time that differ on $\chi$, but agree on all $L^*_1$-formulas without
< and at most as complex as $\chi_2$. Hence they agree on $\chi_2$, which is impossible since $\chi_2$
is equivalent to $\chi$ over linear time. So over temporal structures with linear flow of time,
$\chi$ is not expressible in $L^*_1$, and by theorem 23(1), not expressible by Until and Since.

To use Craig interpolation to remove < from $\chi_1$, it was assumed that $\chi_1$ is equivalent
to $\chi$ over the class of all linear flows of time. The argument does not appear to work for
non-first-order definable classes, such as {(N, <)}. It does not exclude that there is some
$L^*_1$-sentence that is not order-independent over a wide range of temporal structures but
still is equivalent to $\chi$ over (N, <). ([4, 3] and theorem 23 show that there isn’t!)

Third, Toman in [190] again used Craig interpolation to show — roughly — that over
linear time, there is no finite expressively complete set of k-dimensional connectives for
any finite k. He did this by showing that the $L^*_k$ (k = 1, 2, ...) are not eventually constant
in terms of expressive power. Since the standard translations of temporal formulas always
lie in some $L^*_k$, no first-order temporal logic with first-order-definable connectives of any
fixed finite dimension can be first-order expressively complete over such a class. As far
as we know, it is an open question whether there is a set of temporal connectives of some
finite dimension that is first-order expressively complete over non-first-order definable
classes such as (N, <) and the class of all finite linear flows of time.
5 TEMPORAL REASONING


There are several reasoning tasks needed for the applications of temporal logic. The 
most fundamental of these tasks is deciding which formulas of a logic are valid, or at 
least enumerating the valid ones, i.e. the formulas which hold at every time point in 
every structure. Being able to decide validity also allows us (in the obvious way) to 
decide whether one formula is a logical consequence of any given finite set of formulas. 
Other important reasoning tasks, which we will not examine in this chapter, include 
model checking (but see Chapter 17), execution of temporal formulas and synthesis of 
models from formulas. 

Many of the techniques for deciding or enumerating validity in temporal logics are
extensions of methods developed for classical logics, or perhaps other modal logics, but
there are also novel techniques. We shall examine some ten or so different techniques.
An algorithm which decides the validity of each formula of a given logic is known as
a decision procedure for the logic: (an encoded version of) a formula is fed as input to
the algorithm and it eventually halts with a (correct) “yes” or “no” answer, indicating
whether the formula is valid or not. An algorithm which produces in succession each
valid formula of a given logic (as output), and outputs no other formulas, is known as a
semi-decision procedure for the logic.

Some techniques are quite general and can be modified to work (as decision or semi- 
decision procedures) for a wide range of temporal logics but others are quite specific. 
For a particular logic it is very useful to know of a decision procedure which has the 
best complexity. But this is not necessarily the end of the story. We might, for example, 
choose a different algorithm because we want more information such as a counter-model 
in the case that a formula is not valid. Also, an algorithm with optimal space complexity 
might not be optimal timewise, and vice versa. 


5.1 Hilbert style axiom systems 


Axiom systems have been presented for logics since the work of Frege [56]. Indeed, they 
predate semantic formalizations. The Hilbert style approach is the most common sort of 
axiom system. We assume the reader is familiar with the notions of axioms, rules and 
proofs in this approach. 

In [149], basic axioms and rules are given for the simple propositional temporal logic
$K_t$ of F and P over the class of all flows of time. It turns out to be slightly neater to
axiomatize the logic with G and H as operators (and F and P as abbreviations), so we
will do that. The early work in the area of axiomatizations for the most basic temporal
logics was undertaken by Prior, Kripke, Bull, Cocchiarella and Burgess and was to a
large extent not published. What follows is a distilled mixture that is hard to attribute
correctly.

The rules of our system for $K_t$ are modus ponens and temporal generalization,


$$\frac{\alpha,\ \alpha \to \beta}{\beta} \qquad \frac{\alpha}{G\alpha} \qquad \frac{\alpha}{H\alpha}$$


The axioms (with some redundancy) are all substitution instances of the following:

L0   any propositional tautology
LF1  $G(\alpha \to \beta) \to (G\alpha \to G\beta)$        LP1  $H(\alpha \to \beta) \to (H\alpha \to H\beta)$
LF2  $G\alpha \to GG\alpha$        LP2  $H\alpha \to HH\alpha$
LF3  $\alpha \to GP\alpha$
LP3  $\alpha \to HF\alpha$

A straightforward induction on the lengths of proofs gives us the soundness of the
axiom system, i.e. that


LEMMA 26. If there is a proof of $\alpha$ in the above system then $\alpha$ is valid in $K_t$: i.e. $\alpha$ is
true at every time point in every temporal structure.


The converse is called the completeness of the logic.

LEMMA 27. If $\alpha$ is valid in $K_t$ then there is a proof of $\alpha$ in the above system.


Proof. By considering negations it is enough to show that if $\alpha$ is consistent (in the
system) then it is satisfiable. So suppose that $\alpha$ is consistent. We will build a model
of $\alpha$. There are two well known techniques for doing so: the step by step building of a
perfect chronicle set out very clearly in [32] and via the canonical model as seen in [178]
and [27]. We will sketch the latter method here.

By the method of the lemma of Lindenbaum allowing any consistent set of formulas
(in such a system) to be extended to a maximal consistent set (MCS), it suffices to show
that we can find a model of any MCS $\Gamma$.

The model we find is in fact the canonical model consisting of exactly all the MCS of
our system. That is, let the set of time points be just the set $T_0$ of all maximal consistent
sets.

We put $\Gamma <_0 \Delta$ iff for all $G\alpha \in \Gamma$ we have $\alpha \in \Delta$. It is straightforward to use LF2
and LP2 to show that this is a transitive relation. Thus $(T_0, <_0)$ is almost a flow of
time. Unfortunately, $(T_0, <_0)$ may not be irreflexive. To make an irreflexive frame out
of $(T_0, <_0)$ is slightly complicated and the technique of bull-dozing mentioned below is
often used. We will skip the details here.

A valuation $h_0$ can be simply put on this frame via $h_0(p) = \{\Gamma \in T_0 \mid p \in \Gamma\}$.

Now an induction on the construction of formulas gives us a truth lemma that for all
$\Gamma \in T_0$, for all formulas $\beta$, $\beta \in \Gamma$ iff $(T_0, <_0, h_0), \Gamma \models \beta$.

Thus we have our model and we are done. □


Note that the proof of the completeness lemma actually establishes that every consis- 
tent set of formulas, even an infinite one, is satisfiable. This property is known as the 
strong completeness of the axiom system for the logic. If we can only show that every 
consistent formula (or equivalently consistent finite set of formulas) is satisfiable then we 
only have the weak completeness of a system. 

It should also be noted that the axioms for transitivity and the duality of F and P 
above are in the special form known as Sahlqvist axioms which we discuss shortly below. 


1. (a) canonical models, for $K_t$:


To axiomatize Prior’s propositional language with G and H over some of the 
other important classes of frames often only involves a sensible choice of an 
additional few axioms and minor (but sometimes tricky) adjustments to the 
canonical model method (or equally the chronicle method). We can axiomatize 




Ian Hodkinson and Mark Reynolds 


linearity, density and the lack of end points in this way. See for example, [72]
or [64] for details.
For example, to axiomatize the irreflexive, linear frames we can add

L4   $F\alpha \to G(F\alpha \vee \alpha \vee P\alpha)$
or equivalently   L4′   $(H\alpha \wedge \alpha \wedge G\alpha) \to GH\alpha$

and the past-time mirror image to $K_t$. The canonical model for this system
will not do as it stands for showing satisfiability of consistent formulas as
it is not necessarily anti-symmetric or irreflexive. In fact it may well contain
clusters, which are sets of MCSs such that for every $\Gamma$ and $\Delta$ in the set, $\Gamma <_0 \Delta$
and $\Delta <_0 \Gamma$. In order to make a linear irreflexive structure from the canonical
model we can use a technique of [178] called bull-dozing. This means that we
replace each cluster by a linear order which is a kind of product of the integers
with the cluster.
Note that the case of axiomatizing G and H over rational numbers time can
be obtained easily (using some basic model theory and Cantor’s characterization
of the rationals) with a completeness proof using axioms for linearity,
denseness, and lack of end points.

N:
For G and H over the natural numbers N, we can show completeness for
the system obtained by adding the following axioms to the system for linear
temporal logic [72]:

$D_F$   $F\top$
$Z_F$   $G(G\alpha \to \alpha) \to (FG\alpha \to G\alpha)$
$W_P$   $H(H\alpha \to \alpha) \to H\alpha$

$Z_F$ is a version of Dummett’s axiom and allows us to show that between any
two time points lie only a finite number of other points.
In attempting to axiomatise this logic one must face its lack of compactness:
meaning there is an unsatisfiable set $\Gamma$ of formulas such that every finite subset
of $\Gamma$ is satisfiable. For example, $\Gamma = \{Fp, FFp, FFFp, \ldots, FG\neg p\}$ is such a
set. We are obviously not going to be able to find a point of time in a N-flowed
structure at which all the formulas in $\Gamma$ hold. To show completeness
of an axiom system for such a non-compact logic we need slightly different
finitary techniques.
See [72] for details of the proof which uses the canonical model and a filtration
followed by intricate “surgery”. We will meet some of the same ideas and some
alternative approaches shortly below when dealing with more expressive logics
over natural numbers time.

R:
We will not go into details for the logic with G and H over the reals here, but
essentially one uses the system for the rationals plus an axiom for Dedekind
completeness

Cont:   $HG(H\alpha \to FH\alpha) \to (H\alpha \to G\alpha)$

i.e. that formulas don’t highlight gaps in the flow of time. The completeness
proof proceeds via the addition of irrational numbers to a rational flowed
model with the specification of a maximal consistent set of formulas to hold
at each irrational. See [72] for details.
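$\neg Y\alpha \leftrightarrow W\neg\alpha$        $\neg X\alpha \leftrightarrow N\neg\alpha$
$Y\alpha \to W\alpha$        $X\alpha \to N\alpha$
$\alpha \to WX\alpha$        $\alpha \to NY\alpha$
$W(\alpha \to \beta) \to (W\alpha \to W\beta)$        $N(\alpha \to \beta) \to (N\alpha \to N\beta)$
$\neg P\alpha \leftrightarrow H\neg\alpha$        $\neg F\alpha \leftrightarrow G\neg\alpha$
$H(\alpha \to \beta) \to (H\alpha \to H\beta)$        $G(\alpha \to \beta) \to (G\alpha \to G\beta)$
$H\alpha \to W\alpha$        $G\alpha \to N\alpha$
$H(\alpha \to W\alpha) \to (\alpha \to H\alpha)$        $G(\alpha \to N\alpha) \to (\alpha \to G\alpha)$
$\alpha S\beta \leftrightarrow \beta \vee (\alpha \wedge Y(\alpha S\beta))$        $\alpha U\beta \leftrightarrow \beta \vee (\alpha \wedge X(\alpha U\beta))$
$P\,\mathit{start}$        $\alpha U\beta \to F\beta$


Figure 3. The axiom schemas for TL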


2. U and S: 


If we now consider the more expressive language with U and S then we see two 
traditions in the work on their axiom systems. For the class of all linear flows 
we have the Burgess—Xu axioms of [30, 215]. Extra axioms have been added to 
them to axiomatize U and S over the reals in [157] (interestingly using expressive 
completeness and techniques with lexicographic sums of orders from [62] and [33]) 
and the integers and natural numbers in [159] and [199]. 


Separately, there has been the development of axiom systems for the discrete (i.e. 
natural numbers) time logics of PLTL [66] and the past-time version TL [124] which 
we now describe. 


The rules are modus ponens and temporal generalizations, past and future:


$$\frac{\alpha,\ \alpha \to \beta}{\beta} \qquad \frac{\alpha}{H\alpha} \qquad \frac{\alpha}{G\alpha}$$


We also allow any substitution instance of any propositional tautology. This can 
be presented as a rule of inference (called R1 in [124]). Instead we could add all the 
standard axiom schemas for a complete system for classical propositional logic (see 
for example, that in [92]) and allow any TL substitution instance of any of them. 


The axioms are all substitution instances of the schemas given in figure 3 and in
order to present them at their simplest we have made use of further abbreviations,
$W\alpha = \neg Y\neg\alpha$ for “weak yesterday”, and $N\alpha = \neg X\neg\alpha$ for “weak tomorrow”. So,
for example, the first axiom is just $\neg Y\alpha \leftrightarrow \neg Y\neg\neg\alpha$.


From [124] we have:

THEOREM 28. $\vdash_{TL}$ is sound and complete for TL validity.


Proof. We give a rough sketch of the completeness proof. This style of proof
is appropriate for weak completeness results where we just need to show that a
formula which is consistent in the axiom system has a model.


Suppose we are to find a model of the $\vdash_{TL}$-consistent TL formula $\varphi$. We will build
the model from consistent sets of formulas as in the canonical model construction.



However, the sets will be finite. We specify a particular closure set of formulas
dependent on $\varphi$ and we make the model from subsets of the closure set. The closure
set is usually just the set of subformulas of $\varphi$ and their negations and possibly a
few more formulas. In the TL case we also include, for example, $X(\alpha U\beta)$ in the
closure set for $\varphi$ iff $\alpha U\beta$ is in the set.


Next we define some of the subsets of the closure set to be atoms. The intention is
for a set A to be an atom iff there “could” be some model M and some point t in
it such that A contains exactly those formulas from the closure set which are true
at t in M. The actual definition of an atom is just a set of simple syntactic criteria
that rule out sets that could not possibly be satisfied in this sense. For example,
we require an atom to include exactly one of $\alpha$ and $\neg\alpha$ for every $\neg\alpha$ in the closure
set.


Let $W_0$ be the set of atoms. To turn $W_0$ into a graph, we now place a binary relation
$R_0$ on $W_0$. The intention is for this to represent a successor relation between a time
point and the next time. If $(A, B) \in R_0$ then we want it to be possible in some
model for a point satisfying A to be followed by a point satisfying B. Again, we
actually only use an approximate syntactic test with this aim. For example, if
$X\alpha \in A$ then we want $\alpha \in B$.


The construction then proceeds by a series of modifications of $(W_0, R_0)$ to $(W_1, R_1)$,
$(W_2, R_2)$, ... until we reach a final graph. The modifications are essentially just
the removal of parts of $W_i$ to get $W_{i+1}$. We remove a set of atoms under certain
circumstances reflecting the global behaviour of possible models. For example, we
look for certain parts of the graph which can not satisfy the eventualities which
they contain: for example, an atom contains $\alpha U\beta$ and no $R_i$-path from here ever
reaches an atom containing $\beta$.


When this process stabilizes it can be shown that we have ended up with a graph
out of which can be read a model for $\varphi$: we find an infinite path of atoms (some
repeated) through the graph. The steps of the process which justify this are themselves
justified in terms of the atoms. For the details see [124]. □
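The graph construction sketched in this proof can be run as a satisfiability test. The following is an added example, not the construction of [124] itself: it is narrowed to the future fragment with X and U over the natural numbers, uses the fixpoint schema for U from figure 3 to define atoms, and represents an atom as a truth assignment to the variables and X-formulas of the closure set; the encoding and all function names are assumptions made for illustration.

```python
from itertools import product

TOP = ('top',)
def Var(p): return ('var', p)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
def F(f): return U(TOP, f)            # abbreviation: eventually
def G(f): return Not(F(Not(f)))       # abbreviation: always

def subformulas(f):
    yield f
    for s in f[1:]:
        if isinstance(s, tuple):
            yield from subformulas(s)

def val(f, atom):
    """Truth of a closure formula in an atom (an assignment to variables and X-formulas)."""
    op = f[0]
    if op == 'top':
        return True
    if op in ('var', 'X'):
        return atom[f]
    if op == 'not':
        return not val(f[1], atom)
    if op == 'and':
        return val(f[1], atom) and val(f[2], atom)
    # 'U': the schema  aUb <-> b or (a and X(aUb))  from figure 3
    return val(f[2], atom) or (val(f[1], atom) and atom[X(f)])

def satisfiable(phi):
    """Build the atom graph, prune it until it stabilizes, look for an atom containing phi."""
    subs = set(subformulas(phi))
    untils = [f for f in subs if f[0] == 'U']
    subs |= {X(u) for u in untils}            # closure also contains X(aUb)
    basis = [f for f in subs if f[0] in ('var', 'X')]
    atoms = [dict(zip(basis, bits))
             for bits in product([False, True], repeat=len(basis))]
    nexts = [f for f in basis if f[0] == 'X']
    # Successor relation: (A, B) is an edge iff each X-formula is true in A
    # exactly when its argument is true in B.
    succ = [{j for j, b in enumerate(atoms)
             if all(a[x] == val(x[1], b) for x in nexts)}
            for a in atoms]
    live = set(range(len(atoms)))
    while True:
        # Atoms with no remaining successor cannot lie on an infinite path.
        dead = {i for i in live if not succ[i] & live}
        for u in untils:
            # Atoms from which some path in the live graph reaches the goal of u.
            reach = {i for i in live if val(u[2], atoms[i])}
            while True:
                more = {i for i in live - reach if succ[i] & reach}
                if not more:
                    break
                reach |= more
            # An atom containing aUb that never reaches b holds an unfulfillable eventuality.
            dead |= {i for i in live - reach if val(u, atoms[i])}
        if not dead:
            return any(val(phi, atoms[i]) for i in live)
        live -= dead
```

The formula `And(G(F(p)), F(G(Not(p))))` is rejected only by the eventuality pruning, which is the finite counterpart of the non-compact set of formulas discussed for G and H over N.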


3. Branching Time


The branching time logic CTL was axiomatized in [42] using a few rather intricate 
rules to capture inductive reasoning step by step along branches in a tree. The 
completeness proof is in some ways similar to that for TL above but also follows 
closely a tableau style decision procedure for CTL. 


Axiomatizing CTL* was a much more difficult problem with difficulties raised by 
its limit closure property whereby any increasing sequence of prefixes of paths is 
part of one path. There is an axiomatization presented in [163] which uses a special 
rule motivated by automata-theoretic considerations. 


A neater, more traditional axiomatization was shown to be possible in [162, 167] 
for PCTL*, the expansion of CTL* via past-time temporal operators. Our result 
is to find a Hilbert system capable of deriving exactly the valid formulas of $\models_P$.
We describe that briefly. 
There are five rules of inference. These include modus ponens (MP), future temporal
generalization (FTG), past temporal generalization (PTG), and branch generalization (BG):

$$\text{MP: } \frac{\alpha,\ \alpha \to \beta}{\beta}; \qquad \text{FTG: } \frac{\alpha}{G\alpha}; \qquad \text{PTG: } \frac{\alpha}{H\alpha}; \qquad \text{BG: } \frac{\alpha}{A\alpha}.$$

Finally, there is a special rule, or axiom schema, atomic non-futurity, which says
that propositional atoms only depend on states and not on fullpaths:

ANF: $p \to Ap$, for each atomic proposition p.


The axioms include all substitution instances of the following.
TL: the axioms of $\vdash_{TL}$ (including propositional tautologies),
plus a few which say that A acts as an S5 modality:
AK   $A(\alpha \to \beta) \to (A\alpha \to A\beta)$
AT   $A\alpha \to \alpha$
AE   $E\alpha \to AE\alpha$
plus two which allow some interaction between modalities:
AX   $AX\alpha \to XA\alpha$
AY¹  $YA\alpha \to AY\alpha$
and the limit closure axiom from [163]:
LC   $AG(E\alpha \to EX((E\beta)U(E\alpha))) \to (E\alpha \to EG((E\beta)U(E\alpha)))$


The completeness proof in [167] is beyond the scope of this chapter but it involves a 
normal form for TL formulas in which the future time operators are much restricted. 
That in turn allows us to control the construction of an infinite model by finite sets 
of formulas from a closure set. 


Axiomatic completeness results for many of the variations on logics of historical 
necessity can be found in [29, 216, 217, 78]. 


4. Predicate temporal logics are generally so highly undecidable (i.e. not recursively
enumerable) that it is impossible to provide for them complete axiom systems [64]. 
Some rare exceptions include the predicate temporal logic of U and S over linear 
time [160] and monodic first-order temporal logic [214] which we consider further 
below. 


For some of the temporal logics mentioned above and for many others, there exist
alternative axiomatizations using the Irreflexivity Rule (IRR) of [60, 29] and variations
on this. The IRR allows

$$\frac{(q \wedge H(\neg q)) \to \alpha}{\alpha}$$

provided that the atom q does not appear in the formula $\alpha$.


A short proof shows that this is a valid rule over irreflexive linear frames. It is very useful
to have this rule in an axiom system as it allows the construction of something like a
canonical model which is irreflexive and in which every point has a unique “name” as the
first time at which a particular atom is true. For some of the classes of frames we have
seen (including the linear flows) complete axiomatizations can be obtained by using the
IRR rule along with the intricate and powerful Sahlqvist persistence theorem [173], [174]
which gives us first-order conditions corresponding to validity of temporal formulas in a
frame. See [64, chapter 6] for details of this, and of an IRR based axiom system for U
and S over the reals.


¹ A different axiom was mistakenly used in [167].


5.2 Gentzen systems 


Hilbert systems are not at all useful for actually carrying out reasoning. The alternative 
formal reasoning systems proposed by Gentzen in [69] are much better. Gentzen’s sequent 
calculus allows more natural, modular reasoning. A sequent is just a pair consisting of 
a set of formulas, the premises, and a formula, which is the conclusion. The calculus
allows us to make deductions about the validity of some sequent in terms of the validity 
of others. The general idea for propositional classical logic is well presented in [92] and 
[187]. These chapters also describe two popular variants on the sequent calculus, natural 
deduction and semantic tableaux which we describe below. 

Traditional Gentzen style sequent calculi for temporal logics can be found in [145], 
[183], [114], [203], [108] and [146]. 

We will not consider sequent calculi in any detail here as the similar tableau systems 
below are of more interest. Note that for efficient automation, the cut rule is problematic. 


5.3 Natural Deduction


Gentzen also introduced the natural deduction calculus for classical logic in [69]. The 
general idea is that we start at the top with some assumptions, and gradually work down, 
discharging assumptions as we go until we reach the desired conclusions. The calculus 
consists of rules of proof and they usually come in pairs governing the introduction or 
elimination respectively of any given connective. There are close connections to the cut- 
free sequent calculus and to tableau methods. Proofs can be arranged in a tree shape 
(Gentzen style) or they can be shaped in a linear way (Jaśkowski style) via the use of
certain “book-keeping” devices such as boxes and labels. Natural deduction calculi were 
developed for modal logics by Fitch in [53] with the inclusion of “strict subderivations” 
representing a jump to another world in a Kripke structure [54]. 

Indrzejczak [107] contains natural deduction systems for tense logics but a more
interesting recent natural deduction calculus for Prior’s linear tense logic appears in [109].
This system only uses analytic cut. By having only elimination rules for the temporal 
operators, by using the structure of labels in the proof to build a model and by generating 
non-branching proofs, it is able to be used as a decision procedure. There is a natural 
deduction system for an interval temporal logic in [197]. 


5.4 Tableaux 


Tableaux, which are also closely related to cut-free Gentzen sequent systems [54], are 
one of the most popular methods for reasoning in modal logics and there has been a 
substantial amount of work on applying them to temporal logics. They can be presented 
in an intuitive way, they are often suitable for automated reasoning and it is often not 
hard to prove complexity results for their use. Tableaux were invented for classical 
propositional logic in [16] and [89] and they were used for modal logics in [103] and [54]. 
Standard tableau rules for propositional calculus with connectives just ¬ and ∧ are: 


$$
\frac{X;\ \alpha;\ \neg\alpha}{\text{(branch ends)}}
\qquad
\frac{X;\ \neg\neg\alpha}{X;\ \alpha}
\qquad
\frac{X;\ \alpha \wedge \beta}{X;\ \alpha;\ \beta}
\qquad
\frac{X;\ \neg(\alpha \wedge \beta)}{X;\ \neg\alpha \ \mid\ X;\ \neg\beta}
$$


The ‘;’ such as in X; α ∧ β represents set union and we omit the braces around singleton 
sets of formulas. To see whether a formula φ is satisfiable, i.e. if ¬φ is not valid, we use 
instances of these rules to construct a tree with nodes labelled by sets of formulas (in 
the language of φ). Start with a node labelled by {φ}. At any stage there may be a 
choice of rules to apply. The first rule tells us that we can end a branch and make a leaf 
node if the label contains a formula and its negation. The second rule says that we can 
extend a branch by one node if it currently ends with a label X ∪ {¬¬α} containing a 
formula ¬¬α and add a node labelled by X ∪ {α}. Note that X itself may contain ¬¬α 
or it may not. The third rule is similar. The fourth rule allows a branch to be formed, 
a node containing ¬(α ∧ β) may have two successor nodes, with the indicated labels. 

Certain restrictions on the way we use the rules will guarantee termination of this 
tableau building process and so we have a decision procedure. 

In tableaux for modal logics there are several differences. The labels of nodes can be 
thought of as representing a set of formulae which we know hold simultaneously in one 
“possible” world. Some rules can still be used to add propositional consequences and 
thus tell us more about a particular world. This is called a static rule. However, in 
the modal setting there are other, transitional rules, which represent movement along 
the accessibility relation and tell us what is true at a different world. For example, the 
following rule is appropriate for Prior’s F and G over transitive frames: 


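$$
\frac{G\alpha_1,\ G\alpha_2,\ \ldots,\ G\alpha_n,\ F\beta}
     {\alpha_1,\ \alpha_2,\ \ldots,\ \alpha_n,\ G\alpha_1,\ G\alpha_2,\ \ldots,\ G\alpha_n,\ \beta}
$$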


Tableau systems are unfortunately not completely straightforward for most temporal 
logics. The mirror-image past-time modalities and linearity seem to need messy rules. 
Furthermore, transitivity necessitates rules which can allow indefinite lengths of branches 
and temporal tableau systems thus often incorporate rules for checking “looping” and 
specifying that such branches are not closed. There are tableau systems for common 
propositional temporal logics in [39], [114], [176], [80], [177], [110] as well as the future 
only case in [79]. The tableau systems for temporal logics in [109] and [129] both have 
labels on sets of formulas as part of the reasoning process. 
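
The following Python example is added here and is not code from the Handbook. It applies the static rules for ¬ and ∧ and the transitional rule for F and G over transitive frames given above, and uses an ancestor loop check so that a repeating branch is left open instead of being extended forever. The tuple encoding, the function names, and the static rewriting of ¬F as G¬ and ¬G as F¬ are assumptions of the example.

```python
# Formulas are nested tuples; these constructor names are chosen for this example.
def Atom(p): return ("atom", p)
def Not(a): return ("not", a)
def And(a, b): return ("and", a, b)
def F(a): return ("F", a)
def G(a): return ("G", a)
def Imp(a, b): return Not(And(a, Not(b)))   # a -> b, using only the two connectives


def open_branch(label, ancestors=()):
    """True iff the set of formulas `label` has a tableau with an open branch."""
    label = frozenset(label)
    # Rule 1: a formula together with its negation ends (closes) the branch.
    if any(("not", f) in label for f in label):
        return False
    # Static rules: rewrite one compound formula while staying at the same world.
    for f in label:
        rest = label - {f}
        if f[0] == "and":                      # X; a & b   gives  X; a; b
            return open_branch(rest | {f[1], f[2]}, ancestors)
        if f[0] == "not":
            g = f[1]
            if g[0] == "not":                  # X; ~~a     gives  X; a
                return open_branch(rest | {g[1]}, ancestors)
            if g[0] == "and":                  # X; ~(a & b) gives X; ~a | X; ~b
                return (open_branch(rest | {Not(g[1])}, ancestors)
                        or open_branch(rest | {Not(g[2])}, ancestors))
            if g[0] == "F":                    # ~Fa is rewritten as G~a
                return open_branch(rest | {G(Not(g[1]))}, ancestors)
            if g[0] == "G":                    # ~Ga is rewritten as F~a
                return open_branch(rest | {F(Not(g[1]))}, ancestors)
    # The label is now saturated: only literals, G-formulas and F-formulas remain.
    if label in ancestors:
        # Loop check: this world repeats an earlier one on the branch, so the
        # branch is left open (the model loops back) instead of growing forever.
        return True
    boxes = {f for f in label if f[0] == "G"}
    carried = boxes | {f[1] for f in boxes}    # a_1..a_n and Ga_1..Ga_n
    # Transitional rule: every F b in the label needs its own successor world.
    return all(open_branch(carried | {f[1]}, ancestors + (label,))
               for f in label if f[0] == "F")


def satisfiable(formula):
    """Satisfiability over transitive frames (future operators only)."""
    return open_branch({formula})


def valid(formula):
    """A formula is valid iff its negation has no open tableau."""
    return not satisfiable(Not(formula))
```

On Fp ∧ G(p → Fp) the second successor world repeats the first, and it is the loop check that lets the procedure stop and report the formula satisfiable.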

An alternative way of managing tableau generation has become popular for the discrete 
time logics of interest in computing. Instead of arranging the labelled nodes in a tree, a 
more general graph structure allows repetition of labels to be avoided. This can be more 
efficient. To use this technique to decide the satisfiability of a formula φ say, one must 
determine from φ a finite closure set of formulas of importance to the tableau reasoning. 
The closure set appropriate for many temporal languages is just the set of subformulas 
of φ and their negations but it may also include a few extra formulas—it depends on 
the nature of the tableau rules. The tableau initially consists of a graph with one node 
labelled with each of the maximally propositionally consistent subsets of the closure set. 
Directed edges (i.e. tableau transitions) are placed between nodes according to syntactic 
rules which attempt to capture a possible discrete step in time. For example, if Xα and 
Gβ are in the label at one node then a successor node will have to contain both α and 
β. Depending on exactly the expressiveness of the temporal language, the initial graph 
is then subjected to a series of checks to remove unsatisfiable arrangements of nodes. A 
trivial example is the removal of a node with Xα in its label if it has no successor at all. 
A more complex example is the removal of a node with Fα in its label if from it can be 
found no path of nodes leading to a node labelled with α. For many useful logics, such 
a process can be defined which eventually terminates with a situation which correctly 
indicates whether φ is satisfiable or not. See [207] and [36] for PLTL, [15] for a fragment 
of PLTL, [115] for future and past-time operators over natural numbers time, [81] for 
past-time operators over integers, [42] and [41] for CTL. 

For tableaux for first-order temporal logics see [117] and [132]. For intervals see [75]. 
There are overviews of the use of tableaux for temporal logic in [80] and [40]. See also 
Chapter 2 in this Handbook. 


5.5 Resolution 


Resolution for classical logic, predicate and propositional, was first described by Robinson 
in [170]. The general idea is a complete calculus based on a single rule of inference, the 
resolution rule, able to be used repeatedly. Formulas need to be in a clausal form, which 
involves rewriting them into conjunctive normal form. We start with a formula, φ say, 
the validity of which is in question, and rewrite ¬φ as an equivalent formula in the clausal 
form. Thus ¬φ is equivalent to the conjunction of a set of clauses, each of which is a 
disjunction of atomic formulas or their negations. Each application of the resolution rule 
should add another clause to the set, it being a consequence of two clauses already in 
the set. If we ever see that the set is inconsistent then we can conclude that ¬φ is too 
and so φ is valid. The resolution rule allows us to deduce α ∨ β from α ∨ p and β ∨ ¬p 
for an atomic formula p. 

Resolution for modal logic is discussed in Chapter 4 of this Handbook. Existing 
methods of temporal resolution are mostly for temporal logics of discrete natural numbers 
time. The early approach in [34] is for a restricted sublanguage of PLTL without the 
until operator. There are a whole raft of resolution and transformation rules to be used. 

In [1] a complete system for PLTL is presented. It also involves quite a variety of 
rules, including a “cut” style rule. The system in [202] is a little neater but still involves 
some initial rewriting followed by a choice of rules and operations to apply. 

Perhaps most work has been done on the system first described in [50] and more 
recently in [52]. The PLTL formula is first translated to an essentially equivalent formula 
in what is called Separated Normal Form (SNF), which is a clausal form with only a much 
restricted use of the temporal operators. There are only two resolution rules, the classical 
one as above and one temporal that at its simplest allows something roughly like α → Fγ 
to be resolved with G(δ → ¬γ) and G(δ → Xδ) to give α → ¬δ. 

Extensions of these methods to CTL appear in [22], to first order temporal logic in [2] 
and monodic first-order temporal logic in [37]. Implementations of resolution theorem- 
provers perform well, even compared to the latest tableau provers [105]. 


5.6 Automata 


Finite state automata are a popular way of carrying out reasoning about temporal logics. 
We will not give a detailed account here, though, as Chapter 17 in this Handbook is 
devoted to their use. 
Automata have been used to formalize basic notions in computing since the time of 
Turing but Büchi in [25] was a pioneer of their use with infinite linear structures. Several 
important temporal reasoning tasks can be translated into tasks requiring manipulation 
of such automata. For example, a typical test of validity of a temporal formula, may 
be able to be accomplished by finding an equivalent automaton (to the negation of the 
formula) and checking to see if that automaton is empty. Here we say that an automaton 
is equivalent to a formula if the automaton accepts exactly the models of the formula. 
We say that the automaton is empty if it accepts no structures at all. 

The task of finding automata equivalents to temporal formulas (over natural numbers 
time) is described in [182, 208, 195]. The states of the automaton are basically just nodes 
of the tableau graph for the formula, its transition relation follows the tableau successor 
relation and its acceptance criteria capture the need for eventuality formulas (from the 
closure set) to be fulfilled. Alternative routes for translation proceed via the second 
order logic S1S (and McNaughton’s determinization result [133]) or via the alternating 
automata of [139] and then on to a Büchi automaton. 

The task of determining emptiness of an automaton is described in [45] and [195]. 

By putting together these results in the right way, a PSPACE decision procedure for 
PLTL validity can be obtained [195]. 

Automata are much used to reason about temporal logics on discrete trees—see for 
example, the Rabin tree automata used in [46, 194, 44] with CTL* but, of course, they 
are not suited to use with dense time structures unless special discreteness restrictions 
are imposed on the behaviour of atoms [8], [154]. 


5.7 Translation into first-order logic 


We have seen, in Section 4.1 above, that we can easily translate formulas from many 
temporal logics into equivalent first-order formulas, via the so-called standard translation. 
If a propositional temporal logic has only connectives with first-order tables then we can 
do this. Say that temporal formula α using atoms $p_1, \ldots, p_n$ translates to first-order 
formula φ(t) with free variables t and predicate symbols $P_1, \ldots, P_n$. The validity of the 
temporal formula over a class of flows of time is thus equivalent to the validity of φ(t) over 
all structures with a frame (T, <) from that class of flows of time and any interpretation 
for the $P_i$. That is, we want to assess the validity of $\forall P_1 \ldots \forall P_n \forall x\, \varphi$, a formula from the 
universal monadic second-order logic over that class of frames. 

One straightforward way to decide such a validity question is to use a first-order 
theorem-prover such as, amongst several other widely-used systems, Otter [111]. Using 
such a theorem-prover will of course require some syntactic formalization of the class of 
frames in question and this may or may not be possible. For example, we can axiomatize 
linearity in order to capture the class of all linear orders. The general validity question 
here, for first-order formulas, is undecidable but modern theorem-provers are impressively 
fast in obtaining results for many interesting theorems and non-theorems. 

More conclusive decidability results have been obtained for many of the common tem- 
poral logics because the universal monadic second-order logic, or even the full monadic 
second-order logic, over the class of frames in question is itself decidable. There are 
many such results and we just list a few. Some more details can be found in [58] and 
[64, chapter 15]. 

Monadic second-order logic over (N,<) is known to be decidable [25]: there is an 
algorithm to tell whether any given monadic second-order sentence is true on (N, <) or 
not. Gurevich [83, 33] showed the same for the universal monadic second-order theory 
of the class of all linear flows of time and of (R,<). From these results decidability of 
any usual temporal logic over those classes follows, where by a usual temporal logic we 
mean one in which the temporal operators all have first-order tables. The complexity of 
this decision problem is non-elementary (see, e.g., [153]), but since monadic second-order 
logic is so expressive, it is useful for proving bare decidability of other logics, by coding 
them into it. 

Over the tree $({}^{<\omega}2, <)$, we sometimes beef up the expressive power by adding two 
unary function symbols l, r to define the left and right successors of each time point. 
Regarding ${}^{<\omega}2$ as the set of finite sequences of 0s and 1s, we let l(s) = s0 and r(s) = s1 
for each $s \in {}^{<\omega}2$. The ordering < is definable from l, r alone in monadic second-order 
logic, since 


$$
({}^{<\omega}2, <, l, r) \models \forall x y \big( x < y \leftrightarrow \forall X [\, \forall z [ X(l(z)) \vee X(r(z)) \to X(z) ] \wedge X(y) \to X(x) \,] \big).
$$


So it suffices to work in $({}^{<\omega}2, l, r)$. Monadic second-order logic over this structure is 
known to be decidable by a theorem of Rabin [152]. It is extremely expressive, and a 
wide range of other logics can be shown decidable by coding them into it. For example, 
monadic second-order logic over (Q, <) can be shown decidable in this way, as can the 
monadic second-order theory of the class of all countable ω-trees. Decidability of 
temporal logics over trees was also shown [85] by a translation to a full monadic second-order 
logic of trees, but one in which the set quantifiers range only over branches of the tree. 
Sometimes monadic second-order logic is too strong (for some purposes). For example, 
it was proved by Shelah in [181] that monadic second-order logic over (R, <) is undecid- 
able. Shelah’s use of the continuum hypothesis in this proof was later eliminated with 
Gurevich [84]. It follows quite easily that any class of flows of time containing one in 
which (R,<) is embeddable has undecidable full monadic second-order theory. So, for 
example, the monadic second-order theory of the class of all linear flows is undecidable. 


5.8 Filtration and the finite model property 


Filtration and variants of the finite model property are ideas which can be used together 
to give theoretical decidability or complexity results but they are not commonly used for 
practical reasoning. 

Filtration is a technique used for, amongst other things, finding a second model of a 
formula given one model. The second model can often be made to be much smaller and, 
in particular, of finite size. Filtration is a traditional technique to use with modal logics 
tracing its origins to the work of Kripke, Lemmon and Segerberg [179]. Its importance 
for us here is that it can be used to show that if a formula in a temporal language has 
a model then it has a finite model. If all the formulas of a language have this property 
then we say that the language has the finite model property or fmp. As we will see below, 
the fact of the fmp, or closely related properties, can often be used to give a decision 
procedure for the logic. 

Establishing the fmp is most natural with some non-temporal modal logics. With 
temporal logics, because of the requirement of irreflexivity, it is often the case that 
structures have to be infinite in size. Even if some formulas of a particular temporal 
logic can have finite models, such as with Prior’s temporal language over the class of 
all linear flows of time, it is often very easy to find a satisfiable formula which only has 
infinite models, such as say Fp ∧ G(p → Fp). 

Luckily, we can step back from a direct use of the fmp here. Temporal languages can 
be given alternative semantics on other classes of Kripke structures. For example, Prior’s 
propositional temporal language with F and P over linear flows of time, which we call 
CL for now, was, in Section 3.4 above, given semantics over any transitive irreflexive 
structure (T,<,h) and the same clauses even give the formulas semantics on any Kripke 
structure (T, <, h). 

Ono and Nakamura [143] use filtrations and the fmp to assess the complexity of 
(deciding validity in) CL. Call a Kripke structure (T,<,h) a CL-model of a formula α iff 
the structure is transitive and totally ordered (i.e. that for every x and y in T, either 
x < y, y < x or x = y) and it contains some t ∈ T such that (T,<,h), t ⊨ α. Such a 
structure generally contains clusters of points, each pair of which are related by <, i.e. 
(T,<) is not generally anti-symmetric and so not a linear order. The main theorem is 
that a formula α with n temporal operators is satisfiable in an (anti-symmetric) linear 
model iff it is satisfiable in a finite CL-model containing at most n + 1 points. 

It had been long established that formulas of Prior’s language have linear models iff 
they have CL-models so the two main new steps in [143] are that if a formula with n 
operators has a CL-model then it has a finite CL-model and, furthermore, it has a model 
of size n + 1. The first step is via a filtration argument, the second, a clever pruning of a 
finite model down to a bare minimum of size which still preserves truth of the formula. 

As an illustration of filtration let us assume that formula α has a CL-model (T, <, h) 
and we will sketch how to find a finite model. Suppose (T, <, h), $t_0$ ⊨ α. Now define a 
binary relation ~ on T by s ~ t iff for all subformulas β of α, we have (T, <, h), s ⊨ β iff 
(T, <, h), t ⊨ β. This is clearly an equivalence relation so we can define M = T/~ which 
will be a finite set. Now define an accessibility relation R on M by: 

[s]R[t] iff for all subformulas Fβ of α, if (T, <, h), s ⊨ ¬Fβ 
            then (T, <, h), t ⊨ ¬Fβ 
            and (T, <, h), t ⊨ ¬β; and 
            for all subformulas Pβ of α, if (T, <, h), t ⊨ ¬Pβ 
            then (T, <, h), s ⊨ ¬Pβ 
            and (T, <, h), s ⊨ ¬β. 

It is not hard to show that R is well-defined, transitive and total. Finally we define 
a valuation g on (M, R) by [s] ∈ g(p) iff p is a subformula of α and s ∈ h(p). This 
is clearly well-defined. The CL-structure (M, R, g) is called a filtration of (T, <, h). 
Now, a straightforward induction on the construction of β allows us to conclude that 
(T, <, h), s ⊨ β iff (M, R, g), [s] ⊨ β. Thus we have a finite model of α as required. 
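
The construction just described, carried out on a small structure in Python. This is an added example, not code from the Handbook or from [143]: the 12-point CL-model, the formula and all function names are constructed for illustration, G is written as ¬F¬, and each class [s] is represented by the set of subformulas of α true at s, which makes R and g well-defined by construction.

```python
def Atom(p): return ("atom", p)
def Not(a): return ("not", a)
def And(a, b): return ("and", a, b)
def F(a): return ("F", a)
def P(a): return ("P", a)
def G(a): return Not(F(Not(a)))
def Imp(a, b): return Not(And(a, Not(b)))


def subformulas(f):
    subs = {f}
    for part in f[1:]:
        if isinstance(part, tuple):
            subs |= subformulas(part)
    return subs


def holds(model, t, f):
    """Truth of f at point t of the Kripke structure (points, relation, valuation)."""
    points, rel, val = model
    op = f[0]
    if op == "atom":
        return t in val.get(f[1], set())
    if op == "not":
        return not holds(model, t, f[1])
    if op == "and":
        return holds(model, t, f[1]) and holds(model, t, f[2])
    if op == "F":
        return any((t, u) in rel and holds(model, u, f[1]) for u in points)
    if op == "P":
        return any((u, t) in rel and holds(model, u, f[1]) for u in points)
    raise ValueError(op)


def filtrate(model, alpha):
    """Return the filtration (M, R, g) of `model` through alpha, plus the map s -> [s]."""
    points, rel, val = model
    subs = subformulas(alpha)
    # s ~ t iff s and t agree on every subformula of alpha.
    cls = {t: frozenset(b for b in subs if holds(model, t, b)) for t in points}
    M = list(set(cls.values()))

    def related(a, b):
        for f in subs:
            # not-F(beta) at [s] forces not-F(beta) and not-beta at [t]
            if f[0] == "F" and f not in a and (f in b or f[1] in b):
                return False
            # not-P(beta) at [t] forces not-P(beta) and not-beta at [s]
            if f[0] == "P" and f not in b and (f in a or f[1] in a):
                return False
        return True

    R = {(a, b) for a in M for b in M if related(a, b)}
    g = {f[1]: {a for a in M if f in a} for f in subs if f[0] == "atom"}
    return (M, R, g), cls


# Constructed CL-model: points 0..7 in strict order, followed by the cluster
# {8, 9, 10, 11} in which every pair is related; p holds at the even points.
POINTS = list(range(12))
LT = {(x, y) for x in POINTS for y in POINTS if x < y or (x >= 8 and y >= 8)}
MODEL = (POINTS, LT, {"p": {x for x in POINTS if x % 2 == 0}})
p = Atom("p")
ALPHA = And(F(p), And(G(Imp(p, F(p))), Not(P(p))))   # true at point 0 only
```

Here the filtration has three points: the class of point 0, which is irreflexive, followed by a two-point cluster formed by the remaining even and odd points.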

We have just established the finite model property for the CL logic. As mentioned, 
[143] goes further and establishes a bounded model property by giving an upper bound (in 
terms of the construction of the formula) on the minimum size of a finite model of the 
formula. 

The finite model property can give us decidability of the logic. If we have an effective 
proof system, such as a Hilbert-style axiomatization for the logic then there is a way 
of listing systematically the valid formulas in the logic. If we also have the fmp and 
an effective way of determining whether finite structures are models of the logic, then 
we can also systematically consider all the finite structures and eventually list all the 
satisfiable formulas. Running the two algorithms in parallel thus allows us to eventually 
find whether a given formula is valid or whether its negation is satisfiable. 

The bounded model property gives a decision procedure itself, with no need of an 
axiom system, provided there is an effective way of recognizing finite models of the logic. 
Further, it gives us a complexity measure on a decision procedure. For example, suppose 
that we want to decide whether α of Prior’s language is satisfiable over a linear flow of 
time. The results of [143] allow us to propose a non-deterministic algorithm in which a 
CL-model of a is guessed and checked in polynomial time. We can thus conclude that 
the complexity of satisfiability for CL is NP-complete. 

Sistla and Clarke in [184] use another variation of filtrations and finite model properties 
to prove a PSPACE complexity result for PLTL. The presence of the “Until” operator 
makes the use of the techniques more intricate but we still identify points in a structure 
which agree on all the subformulas of the formula to decide. The main result establishes 
that every satisfiable formula will be satisfied in an ultimately periodic structure with 
bounds on its period and on the length of the non-periodic prefix. See Chapter 17 for 
details. 


5.9 Other modal methods 


We have only a little space to mention a powerful series of results by Wolter [209, 212, 
211, 210, 213], extending to temporal logic deep work of Chagrov, Fine, Zakharyaschev, 
and others about modal logics above K4. The results offer the potential to extend modal 
reasoning (and other) methods to temporal logics with the Priorean F and P in a uniform 
and systematic way. 

In [213], Wolter remarks that unlike in modal logic, the focus of work in temporal 
logic has been on specific systems such as the theory of (N, <), (Z, <), or (R, <). This is 
inappropriate for building a mathematical theory of the entirety of temporal logics, where 
“we are usually not interested in the properties of a specific system but in results which 
show why a specific system has a property by extracting concepts which allow to map out 
the boundaries of that property.” Wolter investigates the preservation of properties (such 
as Kripke completeness, finite model property, decidability, finite axiomatizability, and 
canonicity) when we ‘temporalize’ a modal logic by adding a converse diamond (in the 
same sense that P is the converse of F). The frequent failure of the finite model property 
in temporal logics is the chief obstacle to such transfers, even when the corresponding 
modal logic does have the fmp. In fact, [209] proves that the temporalization of a modal 
logic Λ ⊇ K4 whose frames are closed under taking cofinal subframes has the fmp precisely 
when the class of frames for Λ is elementary. [213] shows that the temporalization 
is decidable if Λ is finitely axiomatizable, and gives further results on transfer of fmp, 
Kripke completeness, and decidability, though a full characterization of when decidability 
transfers is left open. One of the main methods used is a replacement for the fmp. It 
involves replacing points of a finite frame by ‘blocks’, which in simple cases can be 
irreflexive points, copies of (N, >), and so on, but can also be general frames. Related 
lattice and algebraic results (for example, on canonicity) are presented in [212, 211]. 


5.10 Mosaics 


Mosaics were used to prove decidability of certain theories of cylindric relativized set 
algebras in [140, 141] and have been used since quite generally in algebraic logic and 
modal logic. Mosaics are small potential pieces of a model: in the temporal logic case, 
a small piece of a temporal structure. The main idea is to show that the existence of a 
model of a given formula is equivalent to the existence of a finite set of these small pieces, 
satisfying certain coherency conditions. The set of mosaics should also satisfy certain 
saturation conditions. This gives us a decision procedure, and, intuitively, a systematic 
procedure to check the theoremhood of a certain formula. It is possible to view some older 
approaches such as in [66] and [30] as specialisations of mosaics. However, recently the 
mosaic method has been applied to prove new decidability, Hilbert-style axiomatizability 
and complexity results for various modal and temporal logics: see, e.g., [90], [135], [161], 
[201], [129] and [166]. 

In [129], temporal mosaics are described which are appropriate for reasoning with 
Prior’s logic with F and P over linear flows of time. To give a flavour of the mosaic 
method we present some of the details here. 

Mosaics, for a particular purpose, are defined with respect to a fixed closure set of 
formulas, say X, which is closed under taking subformulas and such that if α ∈ X then 
either so is ¬α or α = ¬β and β ∈ X. Let X be such a closure set in the propositional 
temporal language with F and P (and ¬ and ∧) and some countable set of atoms. 

First the definition of a mosaic, via the coherency conditions: 


DEFINITION 29. A mosaic is a pair (A, B) of subsets of X such that: 
1 A and B are maximally propositionally consistent; 
2 Gα ∈ A implies α and Gα in B; 
3 similarly for Hα ∈ B. 


Next, the so called saturation conditions on the whole set of mosaics: 


DEFINITION 30. A set M of mosaics is a saturated set of mosaics (SSM) iff: 

1 if (A, B) ∈ M and Fα ∈ B then 
  there is a mosaic (A’, B’) ∈ M such that B = A’ and α ∈ B’; 
2 if (A, B) ∈ M and Fα ∈ A then 
  either α ∈ B or Fα ∈ B or there are mosaics (A’, B’) and (A”, B”) in M 
  such that A = A’, α ∈ B’ = A” and B” = B; 
3 and 4 similarly for Pα. 


The main lemma shows that satisfiability of a set Γ of formulas is equivalent to (either 
there being a one point model of Γ or) there being a saturated set of mosaics M containing 
one mosaic (A, B) with Γ ⊆ A or Γ ⊆ B. The mosaics from an SSM can be re-used and 
glued together in a very intuitive manner to build a model. 

From this main lemma follows a completeness proof for a Hilbert-style axiomatization 
(using the set of all formulas as X), a completeness result for a tableau system, and (using 
a finite set X) decidability and complexity results. The decision procedure is simply a 
systematic cropping of the set of all mosaics (for that X) down to a saturated set. 

In [166], which contains the first detailed suggestions on how mosaics might be used 
for reasoning with dense time temporal logics, this general approach is used to determine 
the complexity of deciding validity of formulas of the temporal logic with “Until” (but 
not “Since”) over the class of all linear flows of time. The mosaics and their coherency 
and saturation conditions are a little different but they still correspond to pieces of a 
model defined by two points in time. Here, finding an SSM is shown to be equivalent 
to the existence of a winning strategy for one player in a two-player game played with 
mosaics. The search for a winning strategy can be arranged into a search through a tree 
of mosaics which we can proceed through in a depth-first manner. By establishing limits 
on the depth of the tree (a polynomial in terms of the length of the formula) and on 
the branching factor (exponential) we can ensure that we have a PSPACE algorithm as 
we only need to remember a small fixed amount of information about all the previous 
siblings of a given node. 

The idea is again used in [168] to give a PSPACE complexity result for deciding valid 
formulas in the propositional temporal language with strict U and S over real-numbers 
flows. 


5.11 Monodic fragments of first-order temporal logic 


To end our survey, we look again very briefly at first-order temporal logic. The develop- 
ment of this subject has been slower than for propositional temporal logic, possibly in 
part because of the poor computational behaviour of first-order temporal logic. Unpub- 
lished results of Lindström and Scott in the 1960s showed that even very weak fragments 
of it can be (sometimes highly) undecidable. More results like this have been proved 
over the years. In [100, theorems 2, 73], for example, the two-variable monadic fragment 
and the two-variable guarded fragment of first-order temporal logic were shown to be 
non-recursively enumerable over (N, <) and (Z, <), by encoding a recurrent tiling prob- 
lem. The first-order temporal logic with U and S can be axiomatised over linear time 
[160], but this is one of few positive results. The ‘reason’ for the high complexity is the 
product-like structure of models of first-order temporal logic. They combine a flow of 
time with a first-order structure, and the interaction between the two leads to very high 
expressive power. 

Recently, however, some interesting decidable fragments of first-order temporal logic 
have come to light. One way to obtain such fragments is by limiting the interaction in 
the logic between time and the first-order structure. Lemma 22 gives us a clue how to do 
it. There, we saw that the standard translations of (one-dimensional) temporal formulas 
satisfied the restriction that any subformula ∃xφ, for a domain variable x, had at most 
one free time variable. This reflected the fact that temporal formulas are evaluated at 
a single time point. If we aim for a similar restriction on quantified temporal variables 
as well, we are on the way to obtaining decidable fragments — the so-called monodic 
fragments of [100]. 


DEFINITION 31. A formula α of first-order temporal logic is said to be monodic if every 
subformula of α beginning with a temporal connective has at most one free variable. 


The Barcan formula, ∀xGφ(x) ↔ G∀xφ(x), gives an example of a monodic formula. 
Here, G applies to φ(x) (one free variable) and to ∀xφ(x) (no free variables). If φ is 
monodic then the above Barcan formula will be too. Another example, of Chomicki and 
Toman from databases, is to ‘list all persons who have been unemployed between jobs’: 


P∃y WorksFor(x, y) ∧ ¬∃y WorksFor(x, y) ∧ F∃y WorksFor(x, y). 


A non-example is the sentence ∀xy((R(x, y) → GR(x, y)) ∧ (¬R(x, y) → G¬R(x, y))) 
expressing rigidity of a binary relation. Here, the G applies to formulas with two free 
variables. So the sentence is not monodic. 
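
Definition 31 is a purely syntactic condition, so it can be checked by a free-variable computation. The Python example below is added here and is not from the Handbook; it encodes the three formulas discussed above as nested tuples. The encoding, the function names, the atomic predicate name Phi standing for φ(x), and the assumption that every argument of a relation symbol is a variable (no constants) are choices made for the example.

```python
TEMPORAL = {"G", "F", "P", "H", "U", "S"}
QUANTIFIERS = {"forall", "exists"}


def Rel(name, *args):
    """Atomic formula name(args); every argument is assumed to be a variable."""
    return ("rel", name, args)


def free_vars(f):
    op = f[0]
    if op == "rel":
        return set(f[2])
    if op in QUANTIFIERS:                  # ("forall", "x", body)
        return free_vars(f[2]) - {f[1]}
    return set().union(*(free_vars(g) for g in f[1:]))


def violations(f):
    """Subformulas that begin with a temporal connective and have more than
    one free variable; the formula is monodic iff this list is empty."""
    op = f[0]
    if op == "rel":
        return []
    found = [f] if op in TEMPORAL and len(free_vars(f)) > 1 else []
    parts = f[2:] if op in QUANTIFIERS else f[1:]
    for g in parts:
        found += violations(g)
    return found


def is_monodic(f):
    return not violations(f)


# The Barcan formula: forall x G Phi(x) <-> G forall x Phi(x).
BARCAN = ("iff",
          ("forall", "x", ("G", Rel("Phi", "x"))),
          ("G", ("forall", "x", Rel("Phi", "x"))))

# 'All persons who have been unemployed between jobs' (x is the only free variable).
HAS_JOB = ("exists", "y", Rel("WorksFor", "x", "y"))
UNEMPLOYED_BETWEEN_JOBS = ("and", ("P", HAS_JOB),
                           ("and", ("not", HAS_JOB), ("F", HAS_JOB)))

# Rigidity of a binary relation: G is applied to formulas with free x and y.
R_XY = Rel("R", "x", "y")
RIGID = ("forall", "x", ("forall", "y",
         ("and", ("imp", R_XY, ("G", R_XY)),
                 ("imp", ("not", R_XY), ("G", ("not", R_XY))))))
```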

The full monodic fragment is in general undecidable, since it contains first-order logic. 
So we need to make further restrictions to obtain decidable fragments. Some restrictions 
that have been found to work for many linear flows of time are: 
1. The signature must have at most only relation symbols and constants (no function 
symbols). 


2. The ‘first-order part’ of the formulas must come from a decidable fragment of first- 
order logic. Examples include the monadic fragment (i.e., the signature can have 
only unary relation symbols), the two-variable fragment, and the various guarded 
fragments. 


3. Equality (=) must not occur [38], although this restriction is not necessary if we 
choose guarded fragments in (2) [96]. 


We can now obtain several decidable fragments of first-order temporal logic, depending 
on what fragment of first-order logic we pick in (2). For example, we could select the 
monodic monadic fragment, the monodic guarded fragment, etc. Which we choose may 
depend on what application we have in mind for our logic. A formula of one of these 
fragments can describe the evolution over time of only one domain object. But at any 
one time, the full power of the chosen fragment of first-order logic is available. 

Under the above restrictions, it was shown in [100] that satisfiability of monodic for- 
mulas may be determined by combining an algorithm to decide the fragment chosen in 
(2) with a second algorithm to decide monadic second-order logic over the ambient flow 
of time. This procedure can be made to work whenever the flow of time is linear and its 
monadic second-order theory is decidable. This is true for many common flows of time, 
such as (N, <), (Z, <), and (Q, <): see Section 3.2. 

The key idea in the proofs is the quasimodel. A quasimodel is essentially the result 
of filtrating a temporal structure over its first-order domain; the flow of time is left 
untouched. (See Section 5.8 and Chapter 1 for filtration.) Roughly, a quasimodel for 
a given monodic sentence φ written with the connectives U and S, say, contains the 
following ingredients: 


1. A type is a description of a single domain point, in terms of which subformulas 
ψ of φ with one free variable are true at it. So a type is a subset of the set of 
subformulas of φ with one free variable together with their negations. 


The quasimodel contains, for each time t, a set $X_t$ of types. It is required that $X_t$ 
be the set of types of the elements of some first-order structure. For this purpose, 
maximal subformulas of ψ of the form U(α, β) and S(α, β) are regarded as atomic. 
In this way, only the first-order part of the description is kept. 


2. The types in $X_t$ are there to describe the domain elements at time t. To recover some 
information about the types of a single domain element over time, the quasimodel 
also contains a set of what are called runs. A run p is simply a choice of type 
p(t) ∈ $X_t$ at each time t, subject to the coherence conditions 


• for any subformula of φ of the form U(α, β), which by monodicity has at most 
one free variable, and for any time t, we have U(α, β) ∈ p(t) iff there is a time 
u > t with α ∈ p(u) and β ∈ p(v) for all times v strictly between t and u, 


• a mirror-image condition for S. 


The quasimodel must have enough runs. Formally for each t, each type in $X_t$ must 
be the value at t of some run in the quasimodel. 
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It turns out that a monodic sentence has a genuine model iff it has a quasimodel, and 
that the existence of a quasimodel can be expressed in monadic second-order logic and 
hence is frequently decidable. 


THEOREM 32 ([100, 96]). Let (T,<) be a flow of time with decidable monadic second- 
order theory (examples include (N, <), (Z, <), and (Q, <)). Then for any of the following 
sets of sentences, the problem of whether a sentence from the set has a model with flow 
of time (T, <) is decidable: 


1. the monodic sentences with only unary relation symbols and no equality, 
2. the monodic sentences involving at most two variables and no equality, 


3. the monodic sentences with ‘first-order part’ in the guarded, loosely guarded, packed, 
or clique-guarded fragment of first-order logic (see Chapter 5 and [100] for precise 
definitions). 


We can easily generalise this to any first-order-definable class C of linear flows of time. 
This covers the class of all linear flows, the class of discrete linear flows, the class of dense 
linear flows, etc. 

The case of (R,<) is special and interesting. The monadic second-order theory of 
(R, <) is undecidable, so the method described above does not work directly. As yet, it 
is not known whether monodic fragments are decidable over this flow. However, monodic 
fragments can be shown decidable over (R, <) if we restrict to temporal structures with 
finite first-order domains [100]. This is an interesting case in its own right (in databases, 
for example), and it yields, by reduction, decidability for finite domains over (N,<), 
(Z, <), (Q, <), linear flows, finite linear flows, and so on. 

The complexity of these decision procedures is non-elementary, but in fact the sat- 
isfiability problem for monodic fragments can be shown to be typically the maximum 
of EXPSPACE and the complexity of the underlying first-order fragment — see [98] and 
[97], the second of which extends the mosaic methods in [168] to first-order temporal 
logic. Over (N,<), the full unrestricted monodic fragment has been axiomatised [214], 
and tableau and resolution decision procedures have been developed [117, 37, 116]. 

For branching time, we may want to use the logic CTL*, with temporal connectives 
Until and the path quantifier A (see Section 3.7). However, there are serious problems 
with this. Over ω-trees (trees with all branches isomorphic to (N, <): see Section 2.1), 
and even replacing Until by the weaker F< of Section 3.4, the one-variable fragment of 
CTL* is undecidable [102]; this is certainly monodic and its first-order part is decidable. 
Decidable fragments of CTL* can be found by requiring monodicity and that the first- 
order part of sentences comes from a decidable fragment of first-order logic, as above, 
but additionally, either that any subformula beginning with a temporal connective other 
than ‘tomorrow’ must be a sentence [102], or alternatively that first-order quantification is 
only applied to state formulas [14]. Some applications of monodic fragments are discussed 
in [101]. 


6 CONCLUSION 


We have tasted a wide range of topics from half a century of development of temporal 
logic. The reader will now hopefully appreciate that temporal logics come in many forms 
and that motivations from computing or linguistic applications and philosophical, 
theoretical or mathematical interests have driven temporal logic research in many disparate 
directions. 

We must admit that owing to space limitations, we have not done justice to some 
topics (consider interval based temporal logics for example), and other topics have not 
even been mentioned; the reader may like to follow up on temporal bisimulations in 
[118] for example. 

Other general references and surveys of the whole field, some of historical interest, 
include [21, 39, 51, 64, 67, 72, 126, 127, 142, 156, 185, 193, 192, 200]. 

The reader may also begin to appreciate that this is an active area of research and that 
there is still much to do. Particular directions of current interest include combinations 
of temporal and other modal logics, and the search for practical logics (or fragments of 
logics) which are amenable to affordable and usable reasoning techniques. 


1 INTRODUCTION 


Modal mu-calculus is a logic used extensively in certain areas of computer science, but 
also of considerable intrinsic mathematical and logical interest. Its defining feature is the 
addition of inductive definitions to modal logic; thereby it achieves a great increase in 
expressive power, and an equally great increase in difficulty of understanding. It includes 
many of the logics used in systems verification, and is quite straightforward to evaluate. 
It also provides one of the strongest examples of the connections between modal and 
temporal logics, automata theory and the theory of games. 

In this chapter, we survey a range of the questions and results about the modal mu- 
calculus and related logics. For the most part, we remain at survey level, giving only 
outlines of proofs; but in places, determined partly by our own interests and partly by 
our sense of which problems have been — or had been — the longest-standing thorns in 
the side of the mu-calculus community, we go into more detail. 

We start with an account of the historical context leading to the introduction of the 
modal mu-calculus. Then we define the logic formally, describe some approaches to 
gaining an intuitive understanding of formulae, and establish the main theorem about 
the semantics. Following that, we discuss how the modal mu-calculus has the tree model 
property and relates to some other temporal logics, to automata and to games. Next, 
an account of decidability is given — this is one of the thorns, at least for those who 
find automata prickly. We then consider briefly completeness, bisimulation invariance 
and then the concept of fixpoint alternation, which plays a part in several interesting 
questions about the logic. Finally, we look at some generalizations of the logic. 

Before proceeding to the content of the chapter, we take this opportunity to thank 
Yde Venema and Johan van Benthem for extensive and helpful comments on drafts of 
this chapter. 


Notation: Lμ means the modal mu-calculus, considered as a logical language (not as a 
theory). In general, the notation follows as much as possible the standards for this book, 
but because Lμ is mostly studied in a setting with rather different traditions, and because 
we also need to notate several other concepts, we have made some compromises. Few of 
these should cause any difficulty, but let us note the following. Since → is often used 
to represent the transition relation in models (alias the accessibility relation from modal 
logic), we use ⇒ rather than → for boolean implication. Structures, frames and models 
for Lμ are usually viewed as transition systems, and so are usually called 𝒯 with state 
space 𝒮. States within systems (i.e. worlds in the language of modal logic) are typically 
s, t, whereas p, q, r are states in an automaton. Hence we write atomic propositions with 
capital P, Q, ... rather than p, q, ..., and similarly variables ranging over sets of states 
are written X, Y. 


2 CONTEXTUAL BACKGROUND 


The modal mu-calculus comes not from the philosophical tradition of modal logic, but 
from the application of modal and temporal logics to program verification. In this section, 
we outline the historical context for Lμ. 


2.1 Modal logics in program verification 


The application of modal and temporal logics to programs is part of a line of program 
verification going back to the 1960s and program schemes and Floyd–Hoare logic. Originally 
the emphasis was on proof: Floyd–Hoare logic allows one to make assertions about 
programs, and there is a proof system to verify these assertions. This line of work has, 
of course, continued and flourished, and today there are highly sophisticated theories for 
proving properties of programs, with equally sophisticated machine support for these the- 
ories. However, the use of proof systems has some disadvantages, and one hankers after 
a more purely algorithmic approach to simple problems. One technique was pioneered 
by Manna and Pnueli [48], who turned program properties into questions of satisfiability 
or validity in first order logic, which can then be attacked by means that are not just 
proof-theoretic; this idea was later applied by them to linear temporal logics. 

During the 1970s, the theory of program correctness was extended by investigating 
more powerful logics, and studying them in a manner more similar to the traditions of 
mathematical logic. A family of logics which received much attention was that of dynamic 
logics, which can be seen as extending the ideas of Hoare logic [57]. Dynamic logics 
are modal logics, where the different modalities correspond to the execution of different 
programs: the formula ⟨α⟩φ is read as ‘it is possible for α to execute and result in a state 
satisfying φ’. The programs may be of any type of interest; the variety of dynamic logic 
most often referred to is a propositional language in which the programs are built from 
atomic programs by regular expression constructors; henceforth, Propositional Dynamic 
Logic, PDL, refers to this logic. PDL is interpreted with respect to a model on a Kripke 
structure, formalizing the notion of the global state in which programs execute and which 
they change — each point in the structure corresponds to a possible state, and programs 
determine a relation between states giving the changes effected by the programs. 

Once one has the idea of a modal logic defined on a Kripke structure, it becomes 
quite natural to think of the finite case and write programs which just check whether 
a formula is satisfied. This idea was developed in the early 80s by Clarke, Emerson, 
Sistla and others. They worked with a logic that has much simpler modalities than PDL 
— in fact, it has just a single ‘next state’ modality — but which has built-in temporal 
connectives such as ‘until’. This logic is CTL, and it and its extensions remain some of 
the most popular logics for expressing properties of systems. 

Meanwhile, the theory of process calculi was being developed in the late 70s, most 
notably by Milner [50]. An essential component was the use of labelled Kripke structures 
(‘labelled transition systems’) as a raw model of concurrent behaviour. An important 
difference between the use of Kripke structures here and their use in program correctness 
was that the states are the behaviour expressions themselves, which model concurrent 
systems, and the labels on the accessibility relation (the transitions) are simple actions 
(and not programs). The criterion for behavioural equivalence of process expressions 
was defined in terms of observational equivalence (and later in terms of bisimulation 
relations). Hennessy and Milner introduced a primitive modal logic in which the modalities 
refer to actions: ⟨a⟩φ ‘it is possible to do an a action and then have φ be true’, and its 
dual [a]φ ‘φ holds after every a action’. Together with the usual boolean connectives, 
this gives Hennessy–Milner logic [31], HML, which was introduced as an alternative 
exposition of observational equivalence. However, as a logic HML is obviously inadequate 
to express many properties, as it has no means of saying ‘always in the future’ or other 
temporal connectives, except by allowing infinitary conjunction. Using an infinitary 
logic is undesirable both for the obvious reason that infinite formulae are not amenable 
to automatic processing, and because infinitary logic gives much more expressive power 
than is needed to express temporal properties. 

In 1983, Dexter Kozen published a study of a logic that combined simple modalities, as 
in HML, with fixpoint operators to provide a form of recursion. This logic, the modal mu- 
calculus, has become probably the most studied of all temporal logics of programs. It has 
a simple syntax, an easily given semantics, and yet the fixpoint operators provide immense 
power. Most other temporal logics, such as the CTL family, can be seen as fragments of 
Lμ. Moreover, this logic lends itself to transparent model-checking algorithms. 

Another ‘root’ to understanding modal logics is the work in the 60s on automata over 
infinite words and trees by Büchi [13] and Rabin [60]. The motivation was decision 
questions of monadic second-order logics. Büchi introduced automata as a normal form for 
such formulae. This work founded new connections to logic and automata theory. Later it 
was realised that modal logics are merely sublogics of appropriate monadic second-order 
logic, and that the automata normal forms provide a very powerful framework within 
which to study properties of modal logic. Moreover, automata theoretic algorithms often 
provide very efficient ways to solve problems (such as model-checking) in modal logic 
— see Chapter 17 of this Handbook. A further development was the use of games by 
Gurevich and Harrington [30] as an alternative to automata. 

There is also an older game-theoretic tradition due to Ehrenfeucht and Fraissé, for un- 
derstanding the expressive power of logics. These techniques are also applicable within 
process calculi. For instance bisimulation equivalence can be naturally rendered as such 
a game, and expressivity of modal logics can be understood using game-theoretic tech- 
niques. 


2.2 Precursors to modal mu-calculus 


HML, Hennessy–Milner Logic [31], is a primitive modal logic of action. The syntax of 
HML has, in addition to the boolean operators, a modality ⟨a⟩φ, where a is a process 
action. A structure for the logic is just a labelled transition system. Atomic formulas of 
the logic are the constants ⊤ and ⊥. The meaning of ⟨a⟩φ is ‘it is possible to do an a-action 
to a state where φ holds’. The formal semantics is given in the obvious way by inductively 
defining when a state of a transition system, or a state of a process, has a property; for 
example, s ⊨ ⟨a⟩φ iff ∃t. s –a→ t ∧ t ⊨ φ. We may also add some notion of variable 
or atomic proposition to the logic, in which case we provide a valuation which maps a 
variable to the set of states at which it holds. The expressive power of HML in this form 
is quite weak: obviously a given HML formula can only make statements about a given 
finite number of steps into the future. HML was introduced not so much as a language 
to express properties, but rather as an aid to understanding process equivalence: two 
(image-finite) processes are equivalent iff they satisfy exactly the same HML formulae. 
To obtain the expressivity desired in practice, we need stronger logics. 

The logic PDL, Propositional Dynamic Logic [57, 25], as mentioned above, is both a 
development of Floyd–Hoare style logics, and a development of modal logics. Recently, 
it has been used as a basis for description logics and logics of information. PDL is an 
extension of HML in the circumstance that the action set has some structure. There 
is room for variation in the meaning of action, but in the standard logic, a program is 
considered to have a number of atomic actions, which in process algebraic terms are just 
process actions, and α is allowed to be a regular expression over the atomic actions: a, 
α; β, α ∪ β, or α*. We may consider atomic actions to be uninterpreted atoms; but in the 
development from Floyd–Hoare logics, one would see the atomic actions as, for example, 
assignment statements in a while program. 

PDL enriches the labels in the modalities of HML. An alternative extension of HML 
is to include further modalities. The branching time logic CTL, Computation Tree Logic 
[14], can be described in this way as an extension of HML, with some extra ‘temporal’ 
operators which permit expression of liveness and safety properties. For the semantics 
we need to consider ‘runs’ of a system. A run from an initial state or process s_0 is a 
sequence s_0 –a_1→ s_1 –a_2→ ... which may have finite or infinite length; if it has finite length 
then its final process is a ‘sink’ process which has no transitions. A run s_0 –a_1→ s_1 –a_2→ ... 
has the property φ U ψ, ‘φ until ψ’, if there is an i ≥ 0 such that s_i ⊨ ψ and for all 
j : 0 ≤ j < i, s_j ⊨ φ. 




The formula Fφ = (⊤ U φ) means ‘φ eventually holds’ and Gφ = ¬(⊤ U ¬φ): ‘φ 
always holds’. For each ‘temporal’ operator such as U there are two modal variants, a 
strong variant ranging over all runs of a process and a weak variant ranging over some 
run of a process. We preface a strong version with ∀ and a weak version with ∃. If 
HML is extended with the two kinds of until operator the resulting logic is a slight but 
inessential variant of CTL (CTL does not in its standard form mention action labels in 
modalities). The formal semantics is given by inductively defining when a state (process) 
has a property. For instance s ⊨ ∀[φ U ψ] iff every run of s has the property φ U ψ. 

CTL has variants and enrichments such as CTL* [24] and ECTL* [70]. These allow 
free mixing of path operators and quantifiers: for example, the CTL* formula ∀[P U ∃FQ] 
is also a CTL formula, but ∀[P U FQ] is not, because the F is not immediately governed 
by a quantifier. Hence extensions also cover the traditional temporal logics described in 
Chapter 11 of this Handbook, that is, literally logics of time, as advocated by Manna 
and Pnueli and others. In this view, time is a linear sequence of instants, corresponding 
to the states of just one execution path through the program. One can define a logic on 
paths which has operators ○φ ‘in the next instant (on this path) φ is true’, and φ U ψ ‘φ 
holds until ψ holds (on this path)’; and then a system satisfies a formula if all execution 
paths satisfy the formula; in CTL* terms, the specification is a path formula with a 
single outermost universal quantifier. One can also extend PDL with temporal operators, 
as in process logic. 

There are extensions of all these logics to cover issues such as time and probability. 
The introduction of such real-valued quantities poses a number of problems, and such 
logics are still under active development. 




2.3 The small model property 


A general result about many modal logics is that they have the small model property; 
that is, if a formula is satisfiable, then it is satisfiable by a model of some bounded size. 
Provided that model-checking is decidable, which is the case for almost all temporal 
logics, this immediately gives decidability of satisfiability for the logic, as one need simply 
check every transition system up to the size bound. 

The technique used to establish the small model property for PDL (and therefore 
HML) is a classical technique in modal logic, that of filtration. Let s be a state, satisfying 
property φ, in a possibly infinite transition system 𝒯. Let Γ be the set of all subformulas 
of φ and their negations: in the case of PDL one also counts ⟨α⟩ψ and ⟨β⟩ψ as subformulas 
of ⟨α ∪ β⟩ψ, ⟨β⟩ψ as a subformula of ⟨α; β⟩ψ and ⟨α; α*⟩ψ, and ⟨α⟩ψ as subformulas of 
⟨α*⟩ψ. The size of Γ is proportional to |φ| (the length of φ). One then filters 𝒯 through 
Γ by defining an equivalence relation on the states of 𝒯: s ≡ t if ∀ψ ∈ Γ. s ⊨ ψ ⇔ t ⊨ ψ. 
We define the filtered model to have states 𝒮/≡ and with atomic action relations given 
by [s] –a→ [t] iff ∃s′ ∈ [s], t′ ∈ [t]. s′ –a→ t′. The number of equivalence classes is at most 
2^{|Γ|} and so is O(2^{|φ|}). The rest of the proof shows that the filtered model is indeed a 
model, in that [s] ⊨ ψ iff s ⊨ ψ for ψ ∈ Γ. For PDL the only case requiring comment is 
the case ⟨α*⟩ψ, which proceeds by an induction on the length of the witnessing sequence 
of α’s. Consequently if φ is a satisfiable PDL formula, then it has a model with size 
O(2^{|φ|}), and in fact 2^{|φ|} suffices (see [25] for full details). 

In order to obtain an upper bound for satisfiability from the small model property, we 
also need to know the complexity of model-checking, that is, determining whether s ⊨ φ. 
It is straightforward to define an inductive procedure for this, which is polynomial in 
the size of the formula and of the system. For example, to determine the truth of 
⟨α*⟩φ, one computes the *-closure of the α relation, and then checks for an α*-successor 
satisfying φ. These results give an NTIME(c^n) (where c is a constant and n the formula 
size) upper bound for the satisfiability problem. By a reduction to alternating Turing 
machines, [25] also gave a lower bound of DTIME(c^{n/log n}). A closer to optimal technique 
for satisfiability due to Pratt uses tableaux [58]. 

Although CTL, CTL* and Lμ all have the finite model property, the filtration 
technique does not apply. If one filters 𝒯 through a finite set Γ containing ∀FQ, unintended 
loops may be added. For instance if 𝒯 is s_i → s_{i+1} for 1 ≤ i < n and Q is only true 
at state s_n then s_i ⊨ ∀FQ for each i. But when n is large enough the filtered model 
will have at least one transition [s_j] → [s_i] when i ≤ j < n, with the consequence that 
[s_i] ⊭ ∀FQ. The initial approach to showing the finite model property utilized semantic 
tableaux where one explicitly builds a model for a satisfiable formula which has small 
size. But such a technique is very particular, and more sophisticated methods based on 
automata are used for optimal results, as we shall mention later. 
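
The chain counterexample above can be run directly. The following Python sketch is an added example, not part of the Handbook: it builds s_1 → ... → s_n with Q true only at s_n, filters through Γ = {Q, ∀FQ} (agreement on a formula is also agreement on its negation), and re-evaluates ∀FQ in the quotient. All function names are chosen here for illustration.

```python
def chain_system(n):
    """The system from the text: s1 -> s2 -> ... -> sn, Q true only at sn."""
    states = [f"s{i}" for i in range(1, n + 1)]
    edges = frozenset(zip(states, states[1:]))
    return frozenset(states), edges, frozenset({states[-1]})


def all_eventually(states, edges, q):
    """States where every run reaches Q (AF Q).

    Least fixed point of Y = Q or (<->true and [-]Y); the <->true conjunct
    makes a sink without Q fail, since its only run is the one-state run.
    """
    succ = {s: {t for (u, t) in edges if u == s} for s in states}
    y = frozenset()
    while True:
        nxt = frozenset(s for s in states
                        if s in q or (succ[s] and succ[s] <= y))
        if nxt == y:
            return y
        y = nxt


def filtrate(states, edges, gamma):
    """Quotient the system by agreement on every formula of Gamma.

    gamma is a list of state sets, each the extension of one formula.
    [s] -> [t] holds iff some s' in [s] and t' in [t] have s' -> t'.
    """
    signature = {s: tuple(s in ext for ext in gamma) for s in states}
    cls = {s: frozenset(t for t in states if signature[t] == signature[s])
           for s in states}
    q_edges = frozenset((cls[s], cls[t]) for (s, t) in edges)
    return cls, frozenset(cls.values()), q_edges


def filtration_check(n):
    """For each s_i return (s_i |= AF Q, [s_i] |= AF Q in the filtered model)."""
    states, edges, q = chain_system(n)
    af = all_eventually(states, edges, q)
    cls, q_states, q_edges = filtrate(states, edges, [q, af])
    af_quotient = all_eventually(q_states, q_edges,
                                 frozenset(cls[s] for s in q))
    return {s: (s in af, cls[s] in af_quotient) for s in states}


def added_loops(n):
    """Equivalence classes that acquire a self-loop through filtration."""
    states, edges, q = chain_system(n)
    af = all_eventually(states, edges, q)
    _, _, q_edges = filtrate(states, edges, [q, af])
    return sorted(sorted(c) for (c, d) in q_edges if c == d)


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, added_loops(n), sorted(filtration_check(n).items()))
```

With n = 2 the two classes are singletons and the quotient is the original chain; from n = 3 on, all states without Q collapse into one class with a self-loop, which admits an infinite run that never reaches Q.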


3 SYNTAX AND SEMANTICS OF MODAL MU-CALCULUS 


The defining feature of mu-calculi is the use of fixpoint operators. The use of fixpoint op- 
erators in program logics goes back at least to De Bakker, Park and Scott [56]. However, 
their use in modal logics of programs dates from work of Pratt, Emerson and Clarke and 
Kozen. Pratt’s version [59] used a fixpoint operator like the minimization operator of 
recursion theory; although this is only superficially different, it seems to have dissuaded 
people from using the logic in that form. Emerson and Clarke added fixed points to 
a temporal logic to capture fairness and other correctness properties [21]. Kozen’s [35] 
paper introduced Lμ as we use it today, and established a number of basic results. 

Fixpoint logics are traditionally considered hard to understand. Furthermore, their 
semantics requires a familiarity with material that, although not difficult, is often omitted 
from undergraduate mathematics or logic programmes. Whether for practical purposes, 
or to guide oneself through the formal proofs, it is therefore worthwhile to spend a little 
time on discussing an intuitive understanding of Lμ before going on to the definitions. 


3.1 Fixpoints as recursion 


Suppose that 𝒮 is the state space of some system. For example 𝒮 could be the set 
of all processes reachable by arbitrary length sequences of transitions from some initial 
process. One way to provide semantics of a state-based modal logic is to map formulae 
φ to sets of states, that is to elements of ℘𝒮. For any formula φ this mapping is given 
by ‖φ‖.¹ The idea is that this mapping tells us at which states each formula holds. If we 
allow our logic to contain variables with interpretations ranging over ℘𝒮, then we can 
view the semantics of a formula with a free variable, φ(Z), as a function f: ℘𝒮 → ℘𝒮. 
If f(S) ⊆ f(S′) whenever S ⊆ S′ ⊆ 𝒮 then f is monotonic. If f(S) = S then S is 
a fixed point of f (as repeated application of f leaves S unchanged). If we take the 
usual lattice structure on ℘𝒮, given by set inclusion, and if f is a monotonic function, 
then by the Knaster–Tarski theorem we know that f has fixed points, and indeed has 
a unique maximal and a unique minimal fixed point. The maximal fixed-point is the 
union of post-fixed points, ⋃{S ⊆ 𝒮 | S ⊆ f(S)}, and the minimal fixed-point is the 
intersection of pre-fixed points, ⋂{S ⊆ 𝒮 | f(S) ⊆ S}. So we could extend our basic 
logic with a minimal fixpoint operator μ, so that μZ.φ(Z) is a formula whose semantics 
is the least fixed point of f; and similarly a maximal fixpoint operator ν, so that νZ.φ(Z) 
is a formula whose semantics is the greatest fixed point of f (when the semantics of φ(Z) 
is monotonic). 

A good reason to do this is that it provides a semantics for recursion, and adding 
recursion to the usual modal logics provides a neat way of expressing all the usual operators 
of temporal logics. For example, consider the CTL formula ∀Gφ, ‘always φ’. Another 
way of expressing this is to say that it is a property X such that if X is true, then φ is 
true, and wherever we go next, X remains true; so X satisfies the modal implicational 
equation 

X ⇒ φ ∧ [−]X 


where [−]X means that X is true at every immediate successor (see subsection 3.3). A 
solution to this equation is precisely a post-fixed point of the formula φ ∧ [−]X. But 
which solution of the possibly many is appropriate? The only canonical post-fixed point 
is the largest, and this also makes sense, since if a state satisfies some solution, then it 
surely satisfies ∀Gφ. Hence the meaning of the formula is the largest post-fixed point, 
which by standard theory is exactly the largest fixed point, νX.φ ∧ [−]X. 

On the other hand, consider the CTL property ∃Fφ, ‘there exists a path on which φ 
eventually holds’. We could write this recursively as ‘Y holds if either φ holds now, or 
there’s some successor on which Y is true’: 


Y ⇐ φ ∨ ⟨−⟩Y. 


Here we have a pre-fixed point of φ ∨ ⟨−⟩Y; the only canonical such is the least, and if 
a state satisfies ∃Fφ, then it surely satisfies any solution Y′ of the equation. Hence we 
want the least pre-fixed point, which is also the least fixed point, μY.φ ∨ ⟨−⟩Y. 


¹ The mapping can be either given directly (inductively) or indirectly as the set {s ∈ 𝒮 : s ⊨ φ}. 

Finally, we observe that since we want the fixed points, we may replace the implications 
by equalities in the modal equations above, and get the same answers. It is therefore 
usual to cast modal fixpoint logics in terms of equations, rather than of implications. 


3.2 Approximating fixpoints and μ as ‘finitely’ 


The other key idea is that of approximants and unfolding. The standard theory tells us 
that if f is a monotonic function on a lattice, we can construct the least fixed point of f 
by applying f repeatedly on the bottom element ⊥ of the lattice to form an increasing 
chain, whose limit is the fixed point. The length of the iteration is in general transfinite, 
but is bounded at worst by the cardinal after the cardinality of the lattice, and in the special 
case of a powerset lattice ℘𝒮, by the cardinal after the cardinality of 𝒮. So if f is 
monotonic on ℘𝒮, we have the increasing chain ∅ ⊆ f(∅) ⊆ f^2(∅) ⊆ ... ⊆ f^α(∅) ... and 
the least fixed point is the limit of this chain 


μf = ⋃_{α<κ} f^α(∅) 


and similarly as there is the anti-chain, 𝒮 ⊇ f(𝒮) ⊇ f^2(𝒮) ⊇ ... ⊇ f^α(𝒮) 


νf = ⋂_{α<κ} f^α(𝒮) 


or, in terms of an infinitary logic, μZ.φ(Z) = ⋁_{α<κ} φ^α(⊥), where κ is at worst |𝒮| + 1 
for finite 𝒮, or ℵ_1 for countable 𝒮 (and νZ.φ(Z) = ⋀_{α<κ} φ^α(⊤)). So for a minimal 
fixpoint μZ.φ(Z), if a state s satisfies the fixpoint, it satisfies some approximant, say 
for convenience the (β+1)th so that s ⊨ φ^{β+1}(⊥). Now if we unfold this formula once, 
we get s ⊨ φ(φ^β(⊥)). That is, the fact that s satisfies the fixpoint depends, via φ, on 
the fact that other states satisfy the fixpoint at smaller approximants than s does. So 
if one follows a chain of dependencies, the chain terminates. This is the strict meaning 
behind the slogan “μ means ‘finite looping’”, which, with a little refinement, is sufficient 
to understand Lμ. 

On the other hand, for a maximal fixpoint νZ.φ(Z), there is no such decreasing chain: 
s ⊨ νZ.φ(Z) iff s ⊨ φ(νZ.φ(Z)), and we may loop for ever, as in the process P = a.P, 
which repeatedly does an a action, and so satisfies νZ.⟨a⟩Z. (However, if a state fails 
a maximal fixpoint, then there is a descending chain of failures.) Instead, we have the 
principle of fixpoint induction: if by assuming that a set S ⊨ Z, we can show that 
S ⊨ φ(Z), then we have shown that S ⊨ νZ.φ (compare the recursive formulation of 
∀Gφ in the previous section). 

So in summary, one may understand fixpoints by the slogan ‘ν means looping, and 
μ means finite looping’. This slogan provides an alternative means of explaining why a 
minimal fixpoint is required in the translation of ∃Fφ. This formula means that there 
is a path on which φ eventually holds: that is, on the chosen path, φ holds within finite 
time. Hence the ‘equation’ Y = φ ∨ ⟨−⟩Y must only be applied a finite number of times, 
and so by the slogan we should use a minimal fixpoint. 
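
The approximant chains of Sections 3.1 and 3.2 can be computed on a finite system. The Python sketch below is an added example, not code from the Handbook; the five-state transition system, the valuation of Q and all function names are constructed for illustration. It records the stage at which each state enters a least fixed point, and evaluates νZ.⟨a⟩Z and μZ.⟨a⟩Z on the process P = a.P.

```python
# Constructed transitions (source, label, target); not taken from the text.
TRANSITIONS = frozenset({
    ("s0", "a", "s1"), ("s1", "a", "s2"),   # s2 is a sink
    ("p", "a", "p"),                        # the process P = a.P
    ("r", "a", "p"), ("r", "b", "s0"),
})
STATES = frozenset({"s0", "s1", "s2", "p", "r"})
Q = frozenset({"s2"})                       # states where proposition Q holds


def diamond(target, labels=None):
    """<K>target: states with SOME K-successor in target (None means <->)."""
    return frozenset(s for (s, a, t) in TRANSITIONS
                     if (labels is None or a in labels) and t in target)


def box(target, labels=None):
    """[K]target: states ALL of whose K-successors lie in target."""
    bad = frozenset(s for (s, a, t) in TRANSITIONS
                    if (labels is None or a in labels) and t not in target)
    return STATES - bad


def approximants(f, start):
    """Iterate the monotone function f from start until it stabilises.

    From the empty set this is the increasing chain whose limit is the least
    fixed point; from STATES it is the decreasing chain for the greatest one.
    On a finite state space at most |STATES| + 1 stages are needed.
    """
    chain = [frozenset(start)]
    while True:
        nxt = frozenset(f(chain[-1]))
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def lfp(f):
    return approximants(f, frozenset())[-1]


def gfp(f):
    return approximants(f, STATES)[-1]


def first_stage(f):
    """Map each state of the least fixed point of f to the index of the
    first approximant that contains it."""
    rank = {}
    for index, stage in enumerate(approximants(f, frozenset())):
        for s in stage:
            rank.setdefault(s, index)
    return rank


def exists_eventually(phi):
    """EF phi as the least fixed point of Y = phi or <->Y."""
    return lfp(lambda y: phi | diamond(y))


def always_globally(phi):
    """AG phi as the greatest fixed point of X = phi and [-]X."""
    return gfp(lambda x: phi & box(x))


def ranks_decrease(phi):
    """'mu means finite looping' for EF phi: every state in the fixed point
    satisfies phi itself or has a successor that entered at an earlier stage."""
    rank = first_stage(lambda y: phi | diamond(y))
    return all(
        s in phi or any(rank.get(t, len(STATES) + 1) < rank[s]
                        for (u, _, t) in TRANSITIONS if u == s)
        for s in rank)


if __name__ == "__main__":
    print("EF Q      :", sorted(exists_eventually(Q)))
    print("stages    :", first_stage(lambda y: Q | diamond(y)))
    print("nu Z.<a>Z :", sorted(gfp(lambda z: diamond(z, {"a"}))))
    print("mu Z.<a>Z :", sorted(lfp(lambda z: diamond(z, {"a"}))))
    print("AG not Q  :", sorted(always_globally(STATES - Q)))
```

The state p loops for ever on a, so it lies in the greatest fixed point of Z = ⟨a⟩Z, while the least fixed point of the same equation is empty because no finite chain of dependencies justifies any state.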

In the case of formulae with alternating fixpoints (which we shall examine a little later), 
the slogan remains valid, but requires a little more care in application. It is essential to 
almost all proofs about Lμ: the notion of ‘well-founded premodel’ with which Streett 
and Emerson [64] proved the finite model property, is an example of the slogan; so are 
the tableau model-checking approaches of Stirling and Walker [62], and Bradfield and 
Stirling [12]. 


3.3 Syntax of Lμ 


Let Var be an (infinite) set of variable names, typically indicated by Z, Y, ...; let Prop be 
a set of atomic propositions, typically indicated by P, Q, ...; and let ℒ be a set of labels, 
typically indicated by a, b, .... The set of Lμ formulae (with respect to Var, Prop, ℒ) is 
defined in parsimonious form as follows: 


• P is a formula. 

• Z is a formula. 

• If φ_1 and φ_2 are formulae, so is φ_1 ∧ φ_2. 

• If φ is a formula, so is [a]φ. 

• If φ is a formula, so is ¬φ. 

• If φ is a formula, then νZ.φ is a formula, provided that every free occurrence of 
Z in φ occurs positively, i.e. within the scope of an even number of negations. 
(The notions of free and bound variables are as usual, where ν is the only binding 
operator.) 


If a formula is written as φ(Z), it is to be understood that the subsequent writing of 
φ(ψ) means φ with ψ substituted for all free occurrences of Z. There is no suggestion 
that Z is the only free variable of φ. 

The positivity requirement on the fixpoint operator is a syntactic means of ensuring 
that ¢(Z) denotes a functional monotonic in Z, and so has unique minimal and maximal 
fixpoint. It is usually more convenient to introduce derived operators defined by de 
Morgan duality, and work in positive form: 


• φ_1 ∨ φ_2 means ¬(¬φ_1 ∧ ¬φ_2). 
• ⟨a⟩φ means ¬[a]¬φ. 
• μZ.φ(Z) means ¬νZ.¬φ(¬Z). 


Note the triple use of negation in μ, which is required to maintain the positivity. A 
formula is said to be in positive form if it is written with the derived operators so that 
¬ only occurs applied to atomic propositions. It is in positive normal form if in addition 
all bound variables are distinct (and different from free variables). Any formula can be 
put into positive normal form by use of de Morgan laws and α-conversion. So we shall 
often assume positive normal form, and when doing structural induction on formulae will 
often take the derived operators as primitives. 

For the concrete syntax, we shall assume that modal operators have higher precedence 
than boolean, and that fixpoint operators have lowest precedence, so that the scope of a 
fixpoint extends as far to the right as possible. 

There are a few extensions to the syntax which are convenient in presenting examples,
and in practice. The most useful is to allow modalities to refer not just to single actions,
but to sets of actions. The most useful set is ‘all actions except a’. So:

• $s \models [K]\phi$ iff $\forall a \in K.\ s \models [a]\phi$, and $[a, b, \ldots]\phi$ is short for $[\{a, b, \ldots\}]\phi$.
• $[-K]\phi$ means $[\mathcal{L} - K]\phi$, and set braces may be omitted.
Thus $[-]\phi$ means just $[\mathcal{L}]\phi$.²


3.4 Semantics of $L_\mu$


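An $L_\mu$ structure $\mathcal{T}$ (over Prop, $\mathcal{L}$) is a labelled transition system, namely a set $\mathcal{S}$ of states
and a transition relation $\rightarrow\ \subseteq \mathcal{S} \times \mathcal{L} \times \mathcal{S}$ (as usual we write $s \xrightarrow{a} t$), together with an
interpretation $\mathcal{V}_{\mathrm{Prop}} : \mathrm{Prop} \rightarrow \wp\mathcal{S}$ for the atomic propositions.

Given a structure $\mathcal{T}$ and an interpretation $\mathcal{V} : \mathrm{Var} \rightarrow \wp\mathcal{S}$ of the variables, the set $\|\phi\|^{\mathcal{T}}_{\mathcal{V}}$
of states satisfying a formula $\phi$ is defined as follows:


$\|P\|^{\mathcal{T}}_{\mathcal{V}} = \mathcal{V}_{\mathrm{Prop}}(P)$

$\|Z\|^{\mathcal{T}}_{\mathcal{V}} = \mathcal{V}(Z)$

$\|\neg\phi\|^{\mathcal{T}}_{\mathcal{V}} = \mathcal{S} - \|\phi\|^{\mathcal{T}}_{\mathcal{V}}$

$\|\phi_1 \wedge \phi_2\|^{\mathcal{T}}_{\mathcal{V}} = \|\phi_1\|^{\mathcal{T}}_{\mathcal{V}} \cap \|\phi_2\|^{\mathcal{T}}_{\mathcal{V}}$

$\|[a]\phi\|^{\mathcal{T}}_{\mathcal{V}} = \{ s \mid \forall t.\ s \xrightarrow{a} t \Rightarrow t \in \|\phi\|^{\mathcal{T}}_{\mathcal{V}} \}$

$\|\nu Z.\phi\|^{\mathcal{T}}_{\mathcal{V}} = \bigcup \{ S \subseteq \mathcal{S} \mid S \subseteq \|\phi\|^{\mathcal{T}}_{\mathcal{V}[Z := S]} \}$


where $\mathcal{V}[Z := S]$ is the valuation which maps $Z$ to $S$ and otherwise agrees with $\mathcal{V}$. If we
are working in positive normal form, we may add definitions for the derived operators
by duality:


$\|\phi_1 \vee \phi_2\|^{\mathcal{T}}_{\mathcal{V}} = \|\phi_1\|^{\mathcal{T}}_{\mathcal{V}} \cup \|\phi_2\|^{\mathcal{T}}_{\mathcal{V}}$

$\|\langle a \rangle\phi\|^{\mathcal{T}}_{\mathcal{V}} = \{ s \mid \exists t.\ s \xrightarrow{a} t \wedge t \in \|\phi\|^{\mathcal{T}}_{\mathcal{V}} \}$

$\|\mu Z.\phi\|^{\mathcal{T}}_{\mathcal{V}} = \bigcap \{ S \subseteq \mathcal{S} \mid S \supseteq \|\phi\|^{\mathcal{T}}_{\mathcal{V}[Z := S]} \}$


We drop $\mathcal{T}$ and $\mathcal{V}$ whenever possible; and write $s \models \phi$ for $s \in \|\phi\|$.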

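We have discussed informally the importance of approximants; let us now define them.
If $\mu Z.\phi(Z)$ is a formula, then for an ordinal $\alpha$, let $\mu Z^{\alpha}.\phi$ and $\mu Z^{<\alpha}.\phi$ be formulae, with
semantics given, with simultaneous induction on $\alpha$, by:


$\|\mu Z^{<\alpha}.\phi\|_{\mathcal{V}} = \bigcup_{\beta<\alpha} \|\mu Z^{\beta}.\phi\|_{\mathcal{V}}$

$\|\mu Z^{\alpha}.\phi\|_{\mathcal{V}} = \|\phi\|_{\mathcal{V}[Z := \|\mu Z^{<\alpha}.\phi\|_{\mathcal{V}}]}$

The approximants of a maximal fixpoint are defined dually:

$\|\nu Z^{<\alpha}.\phi\|_{\mathcal{V}} = \bigcap_{\beta<\alpha} \|\nu Z^{\beta}.\phi\|_{\mathcal{V}}$

$\|\nu Z^{\alpha}.\phi\|_{\mathcal{V}} = \|\phi\|_{\mathcal{V}[Z := \|\nu Z^{<\alpha}.\phi\|_{\mathcal{V}}]}$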


²Beware that many authors use ‘$[\,]\phi$’ to mean ‘$[\mathcal{L}]\phi$’, rather than the (vacuous) ‘$[\emptyset]\phi$’ that it means
in our notation.

Note that $\mu Z^{<0}.\phi \equiv \bot$ and $\nu Z^{<0}.\phi \equiv \top$. By abuse of notation, we write $Z^{\alpha}$ or $\phi^{\alpha}$
to mean $\mu/\nu\, Z^{\alpha}.\phi$; of course this only makes sense when one knows which fixpoint and
variable is meant.

We should remark here that most literature on $L_\mu$ uses a slightly different definition,
putting $\mu Z^{0}.\phi = \bot$, $\mu Z^{\alpha+1}.\phi = \phi(\mu Z^{\alpha}.\phi)$, and $\mu Z^{\lambda}.\phi = \bigcup_{\alpha<\lambda} \mu Z^{\alpha}.\phi$ for limit $\lambda$, which
in effect is writing $\alpha$ for our ${<}\alpha$. That notation is taken from set theory; its advantage is
that a limit approximant is the limit of approximants. Our notation is taken from more
recent set theoretic practice; its advantage is that it sometimes reduces the number of
trivial case distinctions in inductive proofs. However, the difference is not significant.

Sometimes, we are interested in rooted structures $(\mathcal{T}, s_0, \mathcal{V}_{\mathrm{Prop}})$ for $L_\mu$ formulae that
have a designated initial state $s_0$: $\phi$ is true of such a structure if $s_0 \models \phi$. We can,
therefore, examine the set of all rooted structures where $\phi$ is true, which allows comparison
between $L_\mu$ and other notations for classifying structures.


3.5 Examples 


We have seen, both informally and in the formal semantics, the meaning of the fixpoint
operators, and we have seen some simple examples of $L_\mu$ translating CTL. We now
consider some examples of $L_\mu$ formulae in their own right, which express properties one
might meet in practice.

There is a well-known ‘classification’ [42] of basic properties into safety and liveness.
In terms of $L_\mu$, it is not unreasonable to say that $\mu$ is liveness and $\nu$ is safety. Consider
first simple $\nu$ formulae. For example:


$\nu Z.P \wedge [a]Z$


is a relativized ‘always’ formula: ‘$P$ is true along every $a$-path’. Slightly more complex
is the relativized ‘while’ formula


$\nu Z.Q \vee (P \wedge [a]Z)$


‘on every $a$-path, $P$ holds while $Q$ fails’. Both formulae can be understood directly via the
fixpoint construction, or via the idea of ‘$\nu$ as looping’: for example the second formula is
true if either $Q$ holds, or if $P$ holds and wherever we go next (via $a$), the formula is true,
and ..., and because the fixpoint is maximal, we can repeat forever. So in particular, if
$P$ is always true, and $Q$ never holds, the formula is true.

$\mu$ formulae, in contrast, require something to happen, and thus are liveness properties.
For example

$\mu Z.P \vee [a]Z$


is ‘on all infinite length $a$-paths, $P$ eventually holds’; and

$\mu Z.Q \vee (P \wedge \langle a \rangle Z)$


is ‘on some $a$-path, $P$ holds until $Q$ holds (and $Q$ does eventually hold)’. Again, these
can be understood by ‘$\mu$ as finite looping’: in the second case, we are no longer allowed
to repeat the unfolding forever, so we must eventually ‘bottom out’ in the $Q$ disjunct.
This level of complexity suffices to translate CTL, since we have $\mu Z.Q \vee (P \wedge \langle - \rangle Z)$
as a translation of $\exists[P\ U\ Q]$, and $\mu Z.Q \vee (P \wedge [-]Z \wedge \langle - \rangle\top)$ as a translation of $\forall[P\ U\ Q]$
(the conjunct $\langle - \rangle\top$ ensures that $Q$ is actually reached, since $[-]Z$ is true at deadlock
states); and obviously we can nest formulae inside one another, such as


$\nu Z.(\mu Y.P \vee \langle - \rangle Y) \wedge [-]Z$


‘it is always possible that $P$ will hold’, or $\forall G(\exists F P)$. Equally obviously, we can write
formulae with no CTL translation, such as


$\mu Z.[a]\bot \vee \langle a \rangle\langle a \rangle Z$


which asserts the existence of a maximal a-path of even length; a formula which is, 
incidentally, expressible in PDL. This is, however, a fairly simple extension; much more 
interesting is the power one gets from mixing fixpoints that depend on one another. 
Consider the formula 

$\mu Y.\nu Z.(P \wedge [a]Y) \vee (\neg P \wedge [a]Z).$


This formula usually gives pause for thought, but it has a simple meaning, which can be
seen by using the slogans. $\mu Y.\ldots$ is true if $\nu Z.\ldots$ is true if $(P \wedge [a]Y) \vee (\neg P \wedge [a]Z)$,
which is true if either $P$ holds and at the next ($a$)-states we loop back to $\mu Y.\ldots$, or $P$
fails, and at the next states we loop back to $\nu Z.\ldots$. By the slogan ‘$\mu$ means finitely’, we
can only loop through $\mu Y.\ldots$ finitely many times on any path, and hence $P$ is true only
finitely often on any path.

We shall see in a later section that this so-called alternation of fixpoint operators does
indeed give ever more expressive power as the number of alternations increases. It also
appears to increase the complexity of model-checking: all known algorithms are
exponential in the alternation, but whether this is necessarily the case is the main remaining
open problem about $L_\mu$.
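
The semantic clauses of section 3.4 and the example formulae of this section can be run on a finite structure. The following Python code is an added example, not part of the chapter: it computes the set of states satisfying a formula in positive form by iterating approximants until they stabilise. The tuple encoding of formulae, the function names and the six-state transition system are assumptions made for the illustration.

```python
"""Global model checking of L_mu (positive form) on a finite LTS by fixpoint iteration."""

# Formula encoding (an assumption of this example): nested tuples
#   ("prop", "P")   ("nprop", "P")   ("var", "Z")
#   ("and", f, g)   ("or", f, g)
#   ("box", a, f)   ("dia", a, f)    a = label, or None for the modality "-" (any label)
#   ("mu", "Z", f)  ("nu", "Z", f)

def successors(trans, s, a):
    """States t with s -a-> t (a is None: any label)."""
    return {t for (s1, b, t) in trans if s1 == s and (a is None or a == b)}

def sat(f, states, trans, vprop, val=None):
    """Return ||f||, the set of states satisfying f under the valuation val."""
    val = val or {}
    op = f[0]
    if op == "prop":
        return states & vprop.get(f[1], set())
    if op == "nprop":
        return states - vprop.get(f[1], set())
    if op == "var":
        return set(val[f[1]])
    if op in ("and", "or"):
        left = sat(f[1], states, trans, vprop, val)
        right = sat(f[2], states, trans, vprop, val)
        return left & right if op == "and" else left | right
    if op == "box":      # every a-successor satisfies the body (true at deadlock)
        body = sat(f[2], states, trans, vprop, val)
        return {s for s in states if successors(trans, s, f[1]) <= body}
    if op == "dia":      # some a-successor satisfies the body
        body = sat(f[2], states, trans, vprop, val)
        return {s for s in states if successors(trans, s, f[1]) & body}
    if op in ("mu", "nu"):
        # Approximants: start from the empty set (mu) or all states (nu) and
        # re-evaluate the body until nothing changes.
        current = set() if op == "mu" else set(states)
        while True:
            nxt = sat(f[2], states, trans, vprop, {**val, f[1]: current})
            if nxt == current:
                return current
            current = nxt
    raise ValueError(f"unknown operator {op!r}")

# Constructed LTS with the single label "a"; P holds at states 0, 1 and 2.
STATES = {0, 1, 2, 3, 4, 5}
TRANS = {(0, "a", 1), (1, "a", 0),      # 0 <-> 1: P holds forever
         (2, "a", 3), (3, "a", 3),      # P once at 2, then never again
         (5, "a", 0), (5, "a", 2)}      # 5 can go either way; 4 is deadlocked
VPROP = {"P": {0, 1, 2}}

P, NOT_P = ("prop", "P"), ("nprop", "P")
ALWAYS_P = ("nu", "Z", ("and", P, ("box", "a", ("var", "Z"))))
EVENTUALLY_P = ("mu", "Z", ("or", P, ("box", "a", ("var", "Z"))))
ALWAYS_POSSIBLY_P = ("nu", "Z", ("and", ("mu", "Y", ("or", P, ("dia", None, ("var", "Y")))),
                                 ("box", None, ("var", "Z"))))
FINITELY_OFTEN_P = ("mu", "Y", ("nu", "Z", ("or",
                    ("and", P, ("box", "a", ("var", "Y"))),
                    ("and", NOT_P, ("box", "a", ("var", "Z"))))))

def check(f):
    """States of the constructed LTS that satisfy f."""
    return sat(f, STATES, TRANS, VPROP)

if __name__ == "__main__":
    for name in ("ALWAYS_P", "EVENTUALLY_P", "ALWAYS_POSSIBLY_P", "FINITELY_OFTEN_P"):
        print(name, sorted(check(globals()[name])))
```

The deadlocked state 4 satisfies the least-fixpoint formula with a box because the box holds vacuously there, which is the reason the CTL translation above adds a diamond conjunct.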


3.6 Fixpoint regeneration and the ‘fundamental semantic theorem’ 


In the informal description of the meaning of fixpoints, we used the idea of the dependency
of $s$ at $\phi$ on $t$ at $\psi$. We now make this precise. Assume a structure $\mathcal{T}$, and a formula
$\phi$. Suppose that we annotate the states with sets of subformulae, such that the sets are
locally consistent: that is, $s$ is annotated with a conjunction iff it is annotated with both
conjuncts; $s$ is annotated with a disjunction iff it is annotated with at least one disjunct;
if $s$ is annotated with $[a]\psi$ (resp. $\langle a \rangle\psi$), then each (resp. at least one) $a$-successor is
annotated with $\psi$; if $s$ is annotated with a fixpoint or fixpoint variable, it is annotated
with the body of the fixpoint. We call such an annotated structure a quasi-model.

A choice function $f$ is a function which for every disjunctive subformula $\psi_1 \vee \psi_2$
and every state annotated with $\psi_1 \vee \psi_2$ chooses one disjunct $f(s, \psi_1 \vee \psi_2)$; and for
every subformula $\langle a \rangle\psi$ and every state $s$ annotated with $\langle a \rangle\psi$ chooses one $a$-successor
$t = f(s, \langle a \rangle\psi)$ annotated with $\psi$.

A pre-model is a quasi-model equipped with a choice function.

Given a pre-model with choice function $f$, the dependencies of a state $s$ that satisfies a
subformula $\psi$ are defined thus: $s@\psi_1 \wedge \psi_2 \succ s@\psi_i$ for $i = 1, 2$; $s@[a]\psi \succ t@\psi$ for every $t$
such that $s \xrightarrow{a} t$; $s@\psi_1 \vee \psi_2 \succ s@f(s, \psi_1 \vee \psi_2)$; $s@\langle a \rangle\psi \succ f(s, \langle a \rangle\psi)@\psi$; $s@\mu/\nu\, Z.\psi \succ s@\psi$;
$s@Z \succ s@\psi$ where $Z$ is bound by $\mu/\nu\, Z.\psi$. A trail is a maximal chain of dependencies.

If every trail has the property that the highest (i.e. with the outermost binding
fixpoint) variable occurring infinitely often is a $\nu$-variable, the pre-model is well-founded.
(Equivalently: in any trail, a $\mu$-variable can only occur finitely often unless a higher
variable is encountered.)
The fundamental theorem on the semantics of $L_\mu$ can now be stated:


THEOREM 1. A well-founded pre-model is a model: in a well-founded pre-model, if $s$
is annotated with $\psi$, then indeed $s \models \psi$.


The theorem in this form is due to Streett and Emerson in [64], from which the term 
‘well-founded pre-model’ is taken. Stirling and Walker [63] presented a tableau system 
for model-checking on finite structures, and the soundness theorem for that system is 
essentially a finite version of the fundamental theorem using a more relaxed notion of 
choice; the later infinite-state version of [12, 7] is the fundamental theorem, again with 
a slight relaxation on choice. 

A converse is also true: 


THEOREM 2. If in some structure $s \models \phi$, then there is a locally consistent annotation of
the structure and a choice function which make the structure a well-founded pre-model.


The fundamental theorem, in its various guises, is the precise statement of the slogan
‘$\mu$ means finite looping’. To explain why it is true, and to define the term ‘locally
consistent’, we need to make a finer analysis of approximants.

Assume a structure $\mathcal{T}$, valuation $\mathcal{V}$, and formula $\phi$ in positive normal form. Let
$Y_1, \ldots, Y_n$ be the $\mu$-variables of $\phi$, in an order compatible with formula inclusion: that
is, if $\mu Y_j.\psi_j$ is a subformula of $\mu Y_i.\psi_i$, then $i < j$. If $Y_j$ is some inner fixpoint, then
its denotation depends on the meaning of the fixpoints enclosing it: for example, in
the formula $\mu Y_1.\langle a \rangle\mu Y_2.(P \vee Y_1) \vee \langle b \rangle Y_2$, to calculate the inner fixpoint $Y_2$ we need
to know the denotation of $Y_1$. We may ask: what is the least approximant of $Y_1$ that
could be plugged in to make the formula true? Having fixed that, we can then ask what
approximant of $Y_2$ is required. This idea is the notion of signature. A signature is a
sequence $\sigma = \alpha_1, \ldots, \alpha_n$ of ordinals, such that the $i$th least fixpoint will be interpreted by
its $\alpha_i$th approximant (calculated relative to the outer approximants).

The definition and use of signatures inevitably involves some slightly irritating
book-keeping, and they appear in several forms in the literature. In [64], the Fischer-Ladner
closure of $\phi$ was used, rather than the set of subformulae. The closure is defined by
starting with $\phi$ and closing under the operations of taking the immediate components
of formulae with boolean or modal top-level connectives, together with the rule that if
$\mu/\nu\, Z.\psi(Z) \in \mathrm{cl}(\phi)$, then $\psi(\mu/\nu\, Z.\psi) \in \mathrm{cl}(\phi)$. The signatures were defined by syntactically
unfolding fixpoints, rather than by semantic approximants. In [63] and following work, a
notion of constant was used, which allows some of the book-keeping to be moved into the
logic. Although all the notions and proofs using them are interconvertible, the ‘constant’
variant is perhaps easier to follow, and has the advantage that it adapts easily to the
modal equation system presentation of $L_\mu$, which we shall see below. Indeed, it arises
more naturally from that system.

Add to the language a countable set of constants $U, V, \ldots$. Constants will be defined
to stand for maximal fixpoints or approximants of minimal fixpoints. Specifically, given
a formula $\phi$, let $Y_1, \ldots, Y_n$ be the $\mu$-variables as above, let $Z_1, \ldots, Z_m$ be the $\nu$-variables,
let $\sigma = \alpha_1, \ldots, \alpha_n$ be a signature, and let $U_1, \ldots, U_n, V_1, \ldots, V_m$ be constants, which will
be associated with the corresponding variables. They are given semantics thus: if $Y_i$ is
bound by $\mu Y_i.\psi_i$, then $\|U_i\|_{\sigma}$ is $\|\mu Y_i^{\alpha_i}.\psi_i'\|_{\sigma}$, where $\psi_i'$ is obtained from $\psi_i$ by substituting
the corresponding constants for the free fixpoint variables of $\mu Y_i.\psi_i$. If $Z_i$ is bound by
$\nu Z_i.\psi_i$, its semantics is $\|\nu Z_i.\psi_i'\|_{\sigma}$. Given an arbitrary subformula $\psi$ of $\phi$, we say a state
$s$ satisfies $\psi$ with signature $\sigma$, written $s \models_{\sigma} \psi$, if $s \in \|\psi'\|_{\sigma}$, where $\psi'$ is $\psi$ with its free
fixpoint variables substituted by the corresponding constants.


Order signatures lexicographically. Now, given a pre-model for $\phi$, extend the
annotations so that each subformula at $s$ is accompanied by a signature: write $s@\psi[\sigma]$. Such
an extended annotation is said to be locally consistent if the signature is unchanged
or decreases by passing through boolean, modal, or $\nu$-variable dependencies, and when
passing through $s@Y_i$ it strictly decreases in the $i$th component and is unchanged in the
$1, \ldots, i-1$'th components.

It can now be shown, by a slightly delicate but not too difficult induction on $\psi$ and
$\sigma$, that if $s@\psi[\sigma]$, then $s \models_{\sigma} \psi$. The proof proceeds by contradiction: suppose that
$s@\psi[\sigma]$ and $s \not\models_{\sigma} \psi$. If $\psi$ is $\psi_1 \vee \psi_2$ ($\psi_1 \wedge \psi_2$) then for some $i \in \{1, 2\}$, $s@\psi_i[\sigma]$ and
$s \not\models_{\sigma} \psi_i$. If $\psi$ is $[a]\psi'$ ($\langle a \rangle\psi'$) then for some $s'$, $s \xrightarrow{a} s'$, $s'@\psi'[\sigma]$ and $s' \not\models_{\sigma} \psi'$. If $\psi$ is
a least fixpoint variable $Y_i$, then we pass through the unfolding rule to $s@\psi_i[\sigma']$ where
$\sigma' < \sigma$ and $s \not\models_{\sigma'} \psi_i$. (Hence we can only pass through least fixpoints finitely often.)
The key case is when $\psi$ is a greatest fixpoint variable $Z_i$. In this case, the hypothesis
is that $s@Z_i[\sigma]$ and $s \not\models_{\sigma} Z_i$. Then $s$ fails some approximant $Z_i^{\beta}$ (and $s@Z_i^{\beta}[\sigma]$); and
then passing through the unfolding rule gives $s$ fails $\psi_i^{\beta'}$ for $\beta' < \beta$ (and $s@\psi_i^{\beta'}[\sigma]$).
Continuing to chase the falsehood down the pre-model, we eventually arrive at a state
failing the zero’th approximant of a greatest fixpoint formula, which is impossible.


Furthermore, given a well-founded pre-model, one can construct a locally consistent
signature annotation: essentially, the $Y_i$ component of $\sigma$ in $s@\psi[\sigma]$ is the maximum
‘number’ (in the transfinite sense) of $Y_i$ occurrences without meeting a higher variable in
trails from $s@\psi$, and so on; the well-foundedness of the pre-model guarantees that this
is well-defined. This gives the fundamental theorem.

The converse is quite easy: given a model, annotate the states by the subformulae
they satisfy; for $s@\psi$ assign the least $\sigma$ such that $s \models_{\sigma} \psi$; and choose a choice function
that always chooses the successor with least signature. It is easy to show that this is a
well-founded pre-model and signature assignment.


3.7 Modal equation systems 


The presentation of $L_\mu$ so far is a traditional logical formulation. However, in several
circumstances it can be useful to think in terms of systems of recursive equations for the
fixpoint variables, as follows.

A modal equation system comprises a sequence $B_0; \ldots; B_n$ of blocks; each $B_i$ may be
a $\mu$-block (we write $B_i^{\mu}$) or a $\nu$-block (we write $B_i^{\nu}$). Each block $B_i^{\mu/\nu}$ is a sequence of
equations $X_{i0} \stackrel{\mu/\nu}{=} \phi_{i0}, \ldots, X_{ik_i} \stackrel{\mu/\nu}{=} \phi_{ik_i}$, where each $\phi_{ij}$ is a modal formula which may
contain any of the variables $X_{i'j'}$ positively.

Thus each block $B_i$ defines a functional on vectors $(S_{i0}, \ldots, S_{ik_i}) \in (\wp\mathcal{S})^{k_i+1}$. This
functional is relative to valuations of the variables in earlier blocks, and refers to the
solutions of later blocks. If $B_i^{\mu}$, then take the least fixpoint (in the componentwise
ordering) of this functional, and if $B_i^{\nu}$, take the greatest. Conventionally, the solution of
the entire equation system is taken to be the solution for the first variable $X_{00}$.

There is an obvious transformation from $L_\mu$ to modal equation systems: for example,
$\mu X.P \vee \nu Y.[a]Y \wedge [b]X$ translates to
$X_{00} \stackrel{\mu}{=} P \vee X_{10}$ ; $X_{10} \stackrel{\nu}{=} [a]X_{10} \wedge [b]X_{00}$.


Similarly, there is a reasonably obvious reverse transformation: for example, the equation
system


$X_{00} \stackrel{\mu}{=} \langle a \rangle X_{10} \vee [b]X_{10}$ ; $X_{10} \stackrel{\nu}{=} P \wedge [a](X_{00} \vee X_{10})$


translates to $\mu X.\langle a \rangle(\nu Y.P \wedge [a](X \vee Y)) \vee [b](\nu Y.P \wedge [a](X \vee Y))$. These translations,
known from finite model theory, show that modal equation systems and $L_\mu$ are
equi-expressive. Note that in the second example, the formula duplicates the second equation:
by extending such examples, one can see that the translation from equation systems
to formulae may introduce an exponential blow-up. However, this blow-up results in
formulae with many identical sub-formulae, which can in any case be optimized away
during model-checking, and in general problems in modal equation systems are of the
same complexity as in $L_\mu$.

A block in a modal equation system is to be understood as a simultaneous fixpoint.
$L_\mu$ could be directly presented with simultaneous fixed points: for instance,
$s \models \mu Z_1 \ldots Z_n.(\phi_1, \ldots, \phi_n)$ iff $s \in S_1$ where
$(S_1, \ldots, S_n) = \bigcap \{ (S_1', \ldots, S_n') \mid S_i' = \|\phi_i\|_{\mathcal{V}[Z_1 := S_1', \ldots, Z_n := S_n']} \}$.

One of the main applications of modal equation systems is in the development of fast 
model-checking algorithms: modal equation systems can be easily translated to boolean 
equation systems (defined as above, but with boolean variables and just propositional 
equations) by having one boolean variable for each (modal variable, state) pair. Then 
graph-theoretic or matrix-theoretic techniques can be employed to solve the boolean 
equation systems. For more on this topic, see [46]. 


4 EXPRESSIVE POWER 


As we noted earlier in this article, there are many temporal logics used in practice, some
of which are also historical precursors to $L_\mu$. We said that most of them could be seen as
fragments of $L_\mu$. In this section we consider questions of expressivity and related topics,
and start by showing how a number of other logics can be translated into $L_\mu$.


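4.1 CTL and friends as fragments of $L_\mu$


PDL can be easily translated into $L_\mu$ by unpacking the modal operators $\langle\alpha\rangle$:
$\langle\alpha \cup \beta\rangle\psi = \langle\alpha\rangle\psi \vee \langle\beta\rangle\psi$, $\langle\alpha;\beta\rangle\psi = \langle\alpha\rangle\langle\beta\rangle\psi$ and $\langle\alpha^{*}\rangle\psi = \mu Z.\psi \vee \langle\alpha\rangle Z$. The logic CTL is one of
the simplest temporal logics, and its translation is also simple. Recall the syntax and
semantics of CTL from 2.2. The two basic operators are $\forall[\phi\ U\ \psi]$ and $\exists[\phi\ U\ \psi]$. Assuming
that there are no deadlocked states, these can be simply translated as:


$\mu Z.\psi \vee (\phi \wedge [-]Z)$ and $\mu Z.\psi \vee (\phi \wedge \langle - \rangle Z)$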


with the proof of the equivalence being a straightforward application of the semantics.
For both PDL and CTL, only a fragment of $L_\mu$ is necessary where there is no essential
alternation of fixpoints (as described in 7).

A much less trivial case is the logic CTL*. CTL* is the logic obtained by removing the
syntactic constraint of CTL that requires every $U$ to be immediately quantified by $\forall$ or $\exists$,
so that in CTL* one can write formulae such as $\forall[(\phi\ U\ \psi) \vee \neg(\phi'\ U\ \psi')]$. Consequently, not
all CTL* formulae have meanings purely in terms of states, and the question of translation
into a purely state-based logic like $L_\mu$ becomes problematic. However, one can ask the
question, is every state formula of CTL* (that is, boolean combinations of atoms and
quantified formulae) equivalent to an $L_\mu$ formula? The answer is ‘yes’, but it is a harder
problem. Wolper, in an unpublished note from the early 1980s, noted that state formulas
of CTL* can be translated via automata theory into PDL over a single label with looping
(which, in turn, is directly translatable into $L_\mu$). The first explicit translation was given
by Dam [17], but the translation is very difficult, and gives a doubly exponential blowup
in the formula size. The latter means that the translation is of no use for model-checking,
as existing CTL* algorithms are much faster than a double exponential blowup of $L_\mu$
model-checking. A few years later, Bhat and Cleaveland [6] gave a single exponential
translation into the equational variant of $L_\mu$. Although still quite complex, utilising a
so-called Büchi tableau automaton as an intermediary, this translation is efficient enough
to give competitive model-checking of CTL* via translation.


4.2 Bisimulation and tree model property 


Bisimulation or back-and-forth equivalence or zig-zag equivalence is the equivalence
associated with modal logic. In our setting, a bisimulation between two $L_\mu$ structures $\mathcal{T}_1$
and $\mathcal{T}_2$ over the same proposition set Prop and label set $\mathcal{L}$ is a relation $R$ such that for
all propositions $P$, if $P(s_1)$ and $s_1 R s_2$, then $P(s_2)$, and conversely; and if $s_1 R s_2$, and
$s_1 \xrightarrow{a} s_1'$, then for some $s_2'$, $s_2 \xrightarrow{a} s_2'$ and $s_1' R s_2'$, and conversely. Two states $s_1$ and $s_2$
are bisimilar if there is some bisimulation $R$ such that $s_1 R s_2$.

Recall that HML is the fixpoint-free part of $L_\mu$. The following is easily shown by
structural induction on formulae:


THEOREM 3. If two states (in the same or different systems) are bisimilar, they satisfy
the same HML formulae.

By an induction on approximants, it is also straightforward to extend this to

THEOREM 4. If two states (in the same or different systems) are bisimilar, they satisfy
the same $L_\mu$ formulae.

A system is image-finite if for all states $s$ and labels $a$, the set $\{ s' \mid s \xrightarrow{a} s' \}$ is finite.
The following theorem holds:

THEOREM 5. If two states in image-finite systems satisfy the same HML (or $L_\mu$)
formulae, then they are bisimilar.


To prove this, one observes that bisimulation itself is a maximal fixpoint, namely the
maximal fixpoint of the map
$R \mapsto \{ (s_1, s_2) \mid (s_1 \xrightarrow{a} s_1' \Rightarrow \exists s_2'.\ s_2 \xrightarrow{a} s_2' \wedge (s_1', s_2') \in R) \wedge (s_2 \xrightarrow{a} s_2' \Rightarrow \exists s_1'.\ s_1 \xrightarrow{a} s_1' \wedge (s_1', s_2') \in R) \}$
(ignoring the propositions, which
can be dealt with by an additional clause); shows that in an image-finite system the
approximants to this fixpoint close at $\omega$; and then deduces that if two states are not
bisimilar, there is a finite modal formula distinguishing them. The latter theorem does
not hold for general systems: there are systems which satisfy the same $L_\mu$ formulae,
but are not bisimilar. The following example is based on one by Roope Kaivola. Let
$\phi_1, \phi_2, \ldots$ be an enumeration of all $L_\mu$ formulae over some finite label set $\mathcal{L}$. Let $\mathcal{T}_i$,
with initial state $s_i$, be a finite model for $\phi_i$, with all $\mathcal{T}_i$ disjoint. Let $\mathcal{T}_0$ be constructed
by taking an initial state $s_0$ and making $s_0 \xrightarrow{a} s_i$ for all $i > 0$. Let $\mathcal{T}_0'$ be $\mathcal{T}_0$ with the
addition of a transition $s_0 \xrightarrow{a} s_0$. $\mathcal{T}_0$ and $\mathcal{T}_0'$ are clearly not bisimilar, because in $\mathcal{T}_0'$
it is possible to defer indefinitely the choice of which $\mathcal{T}_i$ to enter. On the other hand,
suppose that $\psi$ is a formula, and w.l.o.g. assume the topmost operator is a modality. If
the modality is $[b]$, $\psi$ is true of both $\mathcal{T}_0$ and $\mathcal{T}_0'$; if it is $\langle b \rangle$, $\psi$ is false of both; if $\psi$ is $\langle a \rangle\psi'$,
then $\psi$ is false at both $\mathcal{T}_0$ and $\mathcal{T}_0'$ iff $\psi'$ is unsatisfiable, and true at both otherwise; if $\psi$
is $[a]\psi'$, then $\psi$ is true at both $\mathcal{T}_0$ and $\mathcal{T}_0'$ iff $\psi'$ is valid, and false at both otherwise.
A simple corollary of theorem 4 is that $L_\mu$ has the tree model property.


Proposition 6. If a formula has a model, it has a model that is a tree. 


Just unravel the original model, thereby preserving bisimulation. This can be
strengthened to the bounded branching degree tree model property (just cut off all the branches
that are not actually required by some diamond subformula; this leaves at most (number
of diamond subformulae) branches at each node).

For a more detailed look at bisimulation, see Chapter 5 of this Handbook. 
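
The characterisation of bisimilarity as a maximal fixpoint used in the proof of Theorem 5 can be computed directly on a finite system by iterating the map from the full relation downwards. The following Python code is an added example, not part of the chapter; the function names and the small transition system are assumptions, and the clause for propositions that the text leaves out is included.

```python
"""Bisimilarity on a finite LTS as the greatest fixpoint of the map R |-> F(R)."""
from collections import defaultdict

def refine(R, states, succ, vprop):
    """One application of the map: keep (s, t) if every move of either state
    can be matched by the other with an equally labelled move into R."""
    def same_props(s, t):
        return all((s in holds) == (t in holds) for holds in vprop.values())
    def forth(s, t):
        return all(any(b == a and (s2, t2) in R for (b, t2) in succ[t])
                   for (a, s2) in succ[s])
    def back(s, t):
        return all(any(a == b and (s2, t2) in R for (a, s2) in succ[s])
                   for (b, t2) in succ[t])
    return {(s, t) for s in states for t in states
            if same_props(s, t) and forth(s, t) and back(s, t)}

def bisimilarity(states, trans, vprop):
    """Iterate from the full relation down to the greatest fixpoint.

    Returns (R, removed_at): R is the largest bisimulation and removed_at[(s, t)]
    is the number of applications of the map after which (s, t) dropped out."""
    succ = defaultdict(list)
    for (s, a, t) in trans:
        succ[s].append((a, t))
    R = {(s, t) for s in states for t in states}
    removed_at, stage = {}, 0
    while True:
        stage += 1
        nxt = refine(R, states, succ, vprop)
        for pair in R - nxt:
            removed_at[pair] = stage
        if nxt == R:
            return R, removed_at
        R = nxt

# Constructed example: p0 = a.(b + c) and q0 = a.b + a.c have the same traces but are
# not bisimilar; r0 (an a-loop) and u0 (an a-cycle of length two) are bisimilar.
TRANS = {("p0", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3"),
         ("q0", "a", "q1"), ("q0", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4"),
         ("r0", "a", "r0"), ("u0", "a", "u1"), ("u1", "a", "u0")}
STATES = {x for (s, _, t) in TRANS for x in (s, t)}
BISIM, REMOVED_AT = bisimilarity(STATES, TRANS, vprop={})

if __name__ == "__main__":
    print("p0 ~ q0:", ("p0", "q0") in BISIM, "dropped at stage", REMOVED_AT[("p0", "q0")])
    print("r0 ~ u0:", ("r0", "u0") in BISIM)
```

The pair (p0, q0) drops out after two applications of the map, matching the modal formula of depth two that separates the states: p0 satisfies $\langle a \rangle(\langle b \rangle\top \wedge \langle c \rangle\top)$ and q0 does not.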


4.3 $L_\mu$ and automata


$L_\mu$ is intimately related to automata theory, and the equivalence between various
automata, particularly alternating parity automata, as described in section 5, and $L_\mu$ is a
key technique in many results. The first connexion between $L_\mu$ and automata was tree
automata, which we now briefly review.

Let us start with the notion of an automaton familiar from introductory computer
science courses. A finite automaton $A = (Q, \Sigma, \delta, q_0, F)$ consists of a finite set of states
$Q$, a finite alphabet $\Sigma$, a transition function $\delta$, an initial state $q_0 \in Q$ and an acceptance
condition $F$. Classical nondeterministic automata recognise languages, subsets of $\Sigma^{*}$,
where the transition function $\delta : Q \times \Sigma \rightarrow \wp Q$. Given a word $w = a_0 \ldots a_n \in \Sigma^{*}$ a run
of $A$ on $w$ is a sequence of states $q_0 \ldots q_n$ that traverses $w$, so $q_{i+1} \in \delta(q_i, a_{i+1})$. The run
is accepting if the sequence $q_0 \ldots q_n$ obeys $F$: classically, $F \subseteq Q$ and $q_0 \ldots q_n$ is accepting
if the last state $q_n \in F$. There may be many different runs of $A$ on $w$, some accepting
the others rejecting, or no runs at all. The language recognised by $A$ is the set of words
for which there is at least one accepting run. A simple extension is to allow recognition
of infinite length words. A run of $A$ on $w = a_0 \ldots a_i \ldots$ is an infinite sequence of states
$\pi = q_0 \ldots q_i \ldots$ that travels over $w$, so $q_{i+1} \in \delta(q_i, a_{i+1})$ and it is accepting if it obeys
the condition $F$. Let $\mathrm{inf}(\pi) \subseteq Q$ contain exactly the states that occur infinitely often in
$\pi$. Classically, $F \subseteq Q$ and $\pi$ is accepting if $\mathrm{inf}(\pi) \cap F \neq \emptyset$ which is the Büchi acceptance
condition.

Büchi automata are an alternative notation for characterizing infinite runs of systems.
Assume Prop is a finite set. The alphabet $\Sigma = \mathrm{Prop}$. If $\pi = s_0 \rightarrow s_1 \rightarrow \ldots$ is an
infinite run, then $\pi \models A$ if the automaton accepts the word $\mathrm{Prop}(s_0)\,\mathrm{Prop}(s_1) \ldots$ where
$\mathrm{Prop}(s_i)$ is the subset of Prop that is true at $s_i$. For example, if $\mathrm{Prop} = \{P\}$, $Q = \{p, q\}$,
$\delta(p, \{P\}) = \{q\}$, $\delta(p, \emptyset) = \{p\}$, $\delta(q, \{P\}) = \{q\}$ and $\delta(q, \emptyset) = \{q\}$, $q_0 = p$ and $F = \{q\}$,
then this automaton is equivalent to the temporal formula $FP$. (In fact, Büchi automata
coincide with the linear-time $\mu$-calculus where fixpoints are added to simple next time
temporal logic that has the sole modality $\bigcirc$.)

When formulae are equivalent to automata, satisfiability checking reduces to the
non-emptiness problem for the automata: that is, whether the automaton accepts something.
If $A$ is a Büchi automaton, then it is non-empty if there is a transition path $q_0 \rightarrow^{*} q \in F$
and a cycle $q \rightarrow^{*} q$ (equivalent to an eventually cyclic model).
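
The automaton for $FP$ given above and the non-emptiness criterion can be checked mechanically. The following Python code is an added example, not part of the chapter: it decides acceptance of an ultimately periodic word (a finite prefix followed by a loop repeated forever) and non-emptiness, in both cases by looking for an accepting state that is reachable and lies on a cycle of at least one step. The function names and the encoding of letters as frozensets are assumptions, and the run reads the first letter of the word from the initial state.

```python
"""Buchi automata: acceptance of an ultimately periodic word and non-emptiness."""

def reachable(start, step):
    """All nodes reachable from the set start (inclusive) under the successor function step."""
    seen, todo = set(start), list(start)
    while todo:
        for y in step(todo.pop()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen

def on_cycle(x, step):
    """True iff x can return to itself in one or more steps."""
    return x in reachable(step(x), step)

def nonempty(delta, q0, accepting):
    """Some accepting state is reachable from q0 and lies on a cycle."""
    def step(q):
        return {r for (q1, _letter), targets in delta.items() if q1 == q for r in targets}
    return any(on_cycle(q, step) for q in reachable({q0}, step) & accepting)

def accepts_lasso(delta, q0, accepting, prefix, loop):
    """Does the automaton accept the infinite word prefix . loop^omega (loop non-empty)?"""
    word = list(prefix) + list(loop)
    def step(node):                       # node = (state, index of the next letter)
        q, i = node
        j = i + 1 if i + 1 < len(word) else len(prefix)
        return {(r, j) for r in delta.get((q, word[i]), ())}
    nodes = reachable({(q0, 0)}, step)
    return any(q in accepting and on_cycle((q, i), step) for (q, i) in nodes)

# The automaton from the text: Prop = {P}, states p and q, initial state p, F = {q}.
P, NONE = frozenset({"P"}), frozenset()
DELTA = {("p", P): {"q"}, ("p", NONE): {"p"},
         ("q", P): {"q"}, ("q", NONE): {"q"}}

if __name__ == "__main__":
    print(accepts_lasso(DELTA, "p", {"q"}, [NONE, NONE, P], [NONE]))  # P holds once
    print(accepts_lasso(DELTA, "p", {"q"}, [], [NONE]))               # P never holds
    print(nonempty(DELTA, "p", {"q"}))
```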

The notion of bounded branching tree automaton extends the definition of automaton
to accept $n$-branching infinite trees whose nodes are labelled with elements of $\Sigma$.
Previously, states $q'$ belonged to $\delta(q, a)$; now it is tuples $(q_1', \ldots, q_n')$ that belong to $\delta(q, a)$.
A tree automaton traverses the tree, descending from a node to all $n$-child nodes, so the
automaton splits itself into $n$ copies, and proceeds independently. A run of the
automaton is then an $n$-branching infinite tree labelled with states of the automaton. A run is
accepting if every path through this tree satisfies the acceptance condition $F$. In the case
of Rabin acceptance $F = \{(G_1, R_1), \ldots, (G_k, R_k)\}$ where each $G_i, R_i \subseteq Q$ and $\pi$ obeys $F$
if there is a $j$ such that $\mathrm{inf}(\pi) \cap G_j \neq \emptyset$ and $\mathrm{inf}(\pi) \cap R_j = \emptyset$. A variant definition is parity
acceptance first introduced (not under that name) by Mostowski [52] where $F$ maps each
state $q$ of the automaton to a priority $F(q) \in \mathbb{N}$. We say that a path satisfies $F$ if the
least priority seen infinitely often is even. It is not hard to see that a parity condition
is a special case of a Rabin condition; it is also true, though somewhat trickier, that a
Rabin automaton can be translated to an equivalent parity automaton.

Assuming Prop is finite, tree automata characterize rooted $n$-branching infinite tree
models $(\mathcal{T}, s_0, \mathcal{V}_{\mathrm{Prop}})$ for $L_\mu$ formulae where $s_0$ is the root of the tree: $(\mathcal{T}, s_0, \mathcal{V}_{\mathrm{Prop}}) \models A$
if $A$ accepts the behaviour tree $\mathcal{T}'$ that replaces each state $s \in \mathcal{T}$ with $\mathrm{Prop}(s)$. For
example, let $\mathrm{Prop} = \{P\}$, $Q = \{p, q\}$, $\delta(p, \{P\}) = \{(p, p)\}$, $\delta(p, \emptyset) = \{(q, q)\}$, $\delta(q, \{P\}) =
\{(p, p)\}$ and $\delta(q, \emptyset) = \{(q, q)\}$ and $q_0 = p$. This automaton $A$ with parity acceptance
$F(p) = 1$ and $F(q) = 2$ is equivalent to $\mu Y.\nu Z.(P \wedge [a]Y) \vee (\neg P \wedge [a]Z)$ over infinite
binary-tree models: the fixed point $\mu Y$ is ‘coded’ by $p$ and $\nu Z$ is coded by $q$.


The use of priorities looks very much like the definition of well-founded pre-model from
section 3.6, if we assign priorities to the subformulae of an $L_\mu$ formula in such a way that
the priority of a fixpoint formula is lower than any of its subformulae (and the priority
of a least fixpoint is odd). Indeed, it is essentially the same thing. Tree automata and
$L_\mu$ are equivalent [64]:


THEOREM 7. A family of $n$-branching infinite tree models is defined by some tree
automaton iff it is the set of $n$-branching infinite tree models of some corresponding
$L_\mu$ formula. Consequently, determining whether a system satisfies an $L_\mu$ formula is
equivalent to determining whether its behaviour trees are accepted by the corresponding
automaton.


Decidability of satisfiability of $L_\mu$ formulae reduces to the non-emptiness problem for
tree automata. This problem is more difficult than for Büchi automata. However, there
is an exponential decision procedure that is inductive in the index of the automaton
(which is the number of parities or pairs in $F$, in the case of a Rabin automaton).

This illustrates the potency of the automata-theoretic approach to temporal logic
that has become popular in recent years. Satisfiability of formulae is reduced to the
non-emptiness problem for a class of automata. There is also the virtue that automata
sustain combinatorial transformations, such as determinization, and closure operations,
such as intersection, that are not in the logical repertoire. Occasionally, logics are easier:
one of the hardest automata-theoretic proofs is that tree automata are closed under
complementation. We shall see more of automata in later sections.

4.4 $L_\mu$ and games


$L_\mu$ is also intimately related to games, as are automata. We can view the relationship
at different levels.

The fundamental semantic theorem can be presented as a simple two player
model-checking game. Assume a rooted model $(\mathcal{T}, s_0, \mathcal{V})$ and formula $\phi_0$ in positive normal
form. The game $G(s_0, \phi_0)$ is defined on an arena that is a set of pairs $(s, \psi)$ where $s$
is a state of $\mathcal{T}$ and $\psi$ is a subformula of $\phi_0$. The initial position is $(s_0, \phi_0)$. There are
two players, whom we will call simply $\forall$ and $\exists$. (Other popular names include Player
II/Player I, Abelard/Eloise, Opponent/Proponent, Refuter/Verifier.) $\forall$ is responsible for
making a move from a position $(s, \phi \wedge \psi)$, the available choices are $\{(s, \phi), (s, \psi)\}$, and
from a position $(s, [a]\phi)$ whose available choices are $\{(t, \phi) \mid s \xrightarrow{a} t \in \mathcal{T}\}$. Similarly, $\exists$
is responsible for $(s, \phi \vee \psi)$ and $(s, \langle a \rangle\phi)$. There are final positions $(s, \psi)$ where $\psi \in
\{P, \neg P, [a]\phi, \langle a \rangle\phi\}$: $(s, [a]\phi)$ and $(s, \langle a \rangle\phi)$ are only final if there is no state $t$ such that
$s \xrightarrow{a} t$. A final position $(s, \psi)$ is winning for $\exists$ if $s \models \psi$; otherwise it is winning for $\forall$.

A play of $G(s_0, \phi_0)$ is a finite or infinite sequence of positions starting with $(s_0, \phi_0)$.
$\exists$ wins a finite play if the final position is winning for $\exists$. She wins an infinite play if the
outermost fixed point variable $Y$ that occurs infinitely often in the play is a $\nu$-variable.
Otherwise, $\forall$ wins. There may be many different plays; $\exists$ may win some and lose others.
A strategy for a player is a function which, given a play so far and a position where there
is a choice, returns a specific choice and so tells the player how to move. A history-free
(positional or memoryless) strategy only depends on the current position and not on the
previous history of the play: for $\exists$ it is just a choice function. A winning strategy is one
which, if followed, guarantees that the player will win all plays of the game. Now the
fundamental semantic theorems, theorems 1 and 2, are equivalent to the following.


THEOREM 8. $s \models \phi$ iff $\exists$ has a history-free winning strategy for the game $G(s, \phi)$.


The model checking game on finite structures can be abstracted into a simple two
player graph game, called the parity game. The state set $Q$ of the graph consists of the positions
and is partitioned into $Q_\forall$ and $Q_\exists$. There is an initial state $q_0 \in Q$. Edges decide
possible next positions; for instance, $\exists$ chooses a successor from a vertex $q \in Q_\exists$ and to
ensure play is always infinite winning positions have self-loops. The acceptance condition
$F$ is just given as a parity condition: $F$ maps each state $q$ of the automaton to a priority
$F(q) \in \mathbb{N}$ and $\exists$ wins an infinite play if the least priority that occurs infinitely often
is even. The model-checking problem for $L_\mu$ over finite structures, whether $s_0 \models \phi_0$, is
equivalent to solving the parity game (does $\exists$ win $q_0$?). Parity games are determined (i.e.
either $\exists$ or $\forall$ has a winning strategy), and a winning strategy is history-free. However,
the exact complexity of solving a parity game is a significant open problem.
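
The parity condition above (the least priority seen infinitely often is even) can be decided on a finite game graph with Zielonka's recursive algorithm, which computes the winning regions of both players. The following Python is an added example, not code from the handbook; the function names, the vertex numbering and the five-vertex game are constructed for illustration.

```python
"""Zielonka's recursive algorithm for min-parity games (added example)."""

EXISTS, FORALL = 0, 1  # the two players, written as the existential and universal player in the text


def check_total(nodes, edges):
    """Every vertex needs a successor so that all plays are infinite."""
    for v in nodes:
        if not any(w in nodes for w in edges[v]):
            raise ValueError(f"vertex {v!r} has no successor; add a self-loop")


def attractor(nodes, edges, owner, player, target):
    """Vertices of the subgame `nodes` from which `player` can force a visit to `target`."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in nodes - attr:
            succs = [w for w in edges[v] if w in nodes]
            if owner[v] == player:
                # player moves here: one successor inside the attractor is enough
                pulled = any(w in attr for w in succs)
            else:
                # opponent moves here: every move must lead into the attractor
                pulled = bool(succs) and all(w in attr for w in succs)
            if pulled:
                attr.add(v)
                changed = True
    return attr


def solve(nodes, edges, owner, priority):
    """Return {EXISTS: region, FORALL: region} for the subgame on `nodes`.

    EXISTS wins an infinite play iff the least priority occurring
    infinitely often is even, as in the text.
    """
    nodes = set(nodes)
    if not nodes:
        return {EXISTS: set(), FORALL: set()}
    p = min(priority[v] for v in nodes)
    player = EXISTS if p % 2 == 0 else FORALL  # who benefits from seeing p forever
    opponent = 1 - player
    lowest = {v for v in nodes if priority[v] == p}
    a = attractor(nodes, edges, owner, player, lowest)
    sub = solve(nodes - a, edges, owner, priority)
    if not sub[opponent]:
        # the opponent wins nowhere outside the attractor, so player wins everywhere
        return {player: nodes, opponent: set()}
    # the opponent's region, and everything the opponent can drag into it, is lost
    b = attractor(nodes, edges, owner, opponent, sub[opponent])
    rest = solve(nodes - b, edges, owner, priority)
    rest[opponent] |= b
    return rest


# Constructed sample game (not from the text). Vertices 2 and 3 are
# "final positions" modelled as self-loops, as the text suggests.
OWNER = {0: EXISTS, 1: FORALL, 2: EXISTS, 3: EXISTS, 4: FORALL}
PRIORITY = {0: 2, 1: 3, 2: 3, 3: 0, 4: 1}
EDGES = {0: [1, 2], 1: [0, 3], 2: [2], 3: [3], 4: [4, 3]}


def winning_regions():
    """Solve the constructed game above."""
    check_total(set(EDGES), EDGES)
    return solve(set(EDGES), EDGES, OWNER, PRIORITY)


if __name__ == "__main__":
    regions = winning_regions()
    print("EXISTS wins from", sorted(regions[EXISTS]))
    print("FORALL wins from", sorted(regions[FORALL]))
```

In the sample game the universal player cannot escape from vertex 1: moving to 0 keeps the play on a cycle whose least priority is 2, and moving to 3 reaches a self-loop of priority 0. Every vertex lands in exactly one region, which is the determinacy property stated above.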

There is a more intimate connection between $L_\mu$ and parity games. An $L_\mu$ formula,
itself, is a parity game as we shall see in section 5; alternating automata are games. Tree
automata are games following Gurevich and Harrington [30]. Consider a run of a tree
automaton on an n-branching infinite tree whose nodes are labelled with elements of $\Sigma$.
It starts at the root of the tree with the initial automaton state. If the automaton is
in state $q$ examining a node $v$ of the tree labelled with $a \in \Sigma$ then $\exists$ chooses a tuple
$(q_1,\ldots,q_n)$ that belong to $\delta(q,a)$. Now $\forall$ chooses a direction $i$: $1 \leq i \leq n$ so the next
position is the $i$th child of $v$ in state $q_i$. The play continues forever. The play is won by $\exists$
if it obeys the acceptance condition. Clearly, $\exists$ has a winning strategy, iff the automaton
accepts the tree. (If the acceptance condition is a Rabin condition, this strategy is not
history-free; however, it only depends on the ‘latest appearance record’, an ordering
of the automaton states capturing the last time each automaton state occurred in the
current play.)


5 DECIDABILITY OF SATISFIABILITY 


As with any logic, a key question is decidability of satisfiability, that is, deciding whether 
a closed formula has a model. A connected property is the finite model property (fmp), 
that is, if a formula has a model, then it has a finite model. If a logic has the fmp (and 
the size of the finite model for a formula is effectively bounded), then decidability follows, 
since one can just check all models up to the size bound. $L_\mu$, as we have seen, has the
tree model property. 

A direct approach to proving decidability of satisfiability is to employ semantic tableaux,
to begin with an initial closed formula $\phi$ in positive normal form and then to build a tree
model for it whose states are labelled with locally consistent subsets of the Fisher-Ladner
closure of $\phi$, $cl(\phi)$: for instance, if $\psi \wedge \gamma \in s$ then $\psi \in s$ and $\gamma \in s$. Children of a node
$s$ are generated using modal successor principles. For each $\langle a\rangle\psi \in s$ create a child node
$t$ such that $s \xrightarrow{a} t$ and $\psi \in t$: in turn, $s \xrightarrow{a} t$ when $[a]\gamma \in s$ implies $\gamma \in t$ and $\psi \in t$
and $\langle a\rangle\psi \in cl(\phi)$ implies $\langle a\rangle\psi \in s$. This guarantees that the tree has bounded branching
degree because $cl(\phi)$ is finite. Fixed point formulae are “unfolded”: $\sigma X.\psi \in s$ implies
$\psi(\sigma X.\psi) \in s$. The valuation $\mathcal{V}_{\mathrm{Prop}}$ is then defined: $s \in \mathcal{V}_{\mathrm{Prop}}(P)$ if and only if $P \in s$.

If ¢ is satisfiable then the construction will generate a finite tree model or an infinite 
tree that is a pre-model. In the latter case, the problem is how to ensure that it is 
well-founded. So far, there is no distinction between least and greatest fixed points. 
As mentioned, an important semantic principle is Park’s fixed point induction rule, if
$\models \phi(\psi) \to \psi$ then $\models \mu X.\phi(X) \to \psi$: it follows directly from the semantics because $\mu$
is indeed the least pre-fixed point. A question is how to use this semantic principle to
guide the tableau construction in such a way that if the starting formula is satisfiable 
then a model is generable. The following proposition is useful. 


Proposition 9. If $\gamma \wedge \mu X.\psi(X)$ is satisfiable and $X$ is not free in $\gamma$, then $\gamma \wedge \psi(\mu X.\neg\gamma \wedge \psi)$
is satisfiable.


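Proof. Assume that $\gamma \wedge \mu X.\psi(X)$ is satisfiable but $\models \psi(\mu X.\neg\gamma \wedge \psi) \to \neg\gamma$. Therefore,
$\models \psi(\mu X.\neg\gamma \wedge \psi) \to \neg\gamma \wedge \psi(\mu X.\neg\gamma \wedge \psi)$. Using the fact that $\models \phi'(\mu X.\phi'(X)) \to \mu X.\phi'(X)$
and propositional reasoning, $\models \psi(\mu X.\neg\gamma \wedge \psi) \to \mu X.\neg\gamma \wedge \psi$. By fixed point induction,
$\models \mu X.\psi \to \mu X.\neg\gamma \wedge \psi$ and consequently $\models \mu X.\psi \to \neg\gamma$ which is a contradiction. $\Box$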


5.1 The aconjunctive fragment 


The tableau approach was employed by Kozen [35] to decide satisfiability. Unfortunately,
he could only prove the result for a sublogic of $L_\mu$, when the starting formula $\phi$ is
aconjunctive: that is, if $\mu X.\psi$ is a subformula of $\phi$ and $\psi_1 \wedge \psi_2 \in cl(\mu X.\psi)$ then for at
most one $\psi_i$ is it the case that $\mu X.\psi \in cl(\psi_i)$. For instance, $\nu Z.\mu X.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$
is aconjunctive: the subformula $\gamma = \mu X.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$ has one conjunction in
its closure $([a]\gamma \vee \langle b\rangle Z) \wedge \langle a\rangle Z$ and $\gamma$ is only in the closure of the first conjunct. In
contrast, $\gamma = \mu X.\nu Z.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$ fails to be aconjunctive: $\gamma$ is in the closure of
both conjuncts $([a]\gamma \vee \langle b\rangle(\nu Z.[a]\gamma \wedge \langle a\rangle Z)) \wedge \langle a\rangle(\nu Z.[a]\gamma \wedge \langle a\rangle Z)$. Aconjunctivity restricts
how a formula $\mu X.\psi \in cl(\phi)$ can regenerate itself in the tableau construction: there
can only be a linear pattern of regeneration (as opposed to the more general branching
pattern for full $L_\mu$). In the case of $\gamma = \nu Z.\mu X.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$, the relevant formula
$\gamma' = \mu X.([a]X \vee \langle b\rangle\gamma) \wedge \langle a\rangle\gamma$ can only regenerate itself through the subformula $[a]X$:
so, multiple regenerations of $\gamma'$ happen only as part of a linear sequence. On the other
hand, $\gamma = \mu X.\nu Z.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$ can regenerate itself through both subformulae
$([a]X \vee \langle b\rangle Z)$ and $\langle a\rangle Z$: so, multiple regenerations of $\gamma$ form a tree.

Given the aconjunctive restriction, one can guide the construction of the tree model by
applying proposition 9 to $\mu X.\psi \in s$: as it is unfolded its interpretation is strengthened to
$\psi(\mu X.\neg s \wedge \psi)$ where $s$ abbreviates the conjunction of all formulas in $s$. The strengthening
interpretation is extended as $\mu X.\psi$ regenerates itself in descendent states $t$ of $s$, so that
an unfolding in $t$ is re-interpreted as $\psi(\mu X.\neg s \wedge \ldots \wedge \neg t \wedge \psi)$ thereby ensuring that a
descendent state within which $\mu X.\psi$ is regenerated cannot have the same labelling as
the ascendent state (and because the starting formula is aconjunctive this will guarantee
a well-founded pre-model). To do this, one needs a careful ordering on fixed point
subformulae (in terms of which are more outermost) to ensure that the set of labellings
remains finite. Kozen showed that the decision procedure for this fragment (that contains
PDL and CTL) works in exponential time and at the same time the proof delivers the
finite model property. In fact, the construction works for a more generous fragment of
the logic, called the weak aconjunctive fragment in [71]. One only needs to guarantee
that there is a linear pattern of regeneration of least fixed point subformulae relative to
each individual branch in the tree model. The formula $\gamma = \mu X.\nu Z.\langle a\rangle X \wedge \langle a\rangle Z$ belongs
to this more generous fragment because the regenerations of $\gamma$ through the subformulae
$\langle a\rangle X$ and $\langle a\rangle Z$ happen in different branches: the formula $\mu X.\nu Z.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$
does not belong to it. In fact, every closed formula of $L_\mu$ is semantically equivalent to
a weak aconjunctive formula (which follows from results below). However, it is an open
question whether the tableau technique can be made to work directly for all formulae.


5.2 Towards automata 


The first decision procedure for full $L_\mu$ reduced the problem to SnS, the second-order
theory of n-successors, [38]. The structure for SnS is the transition system (tree) with
state space $\{0,\ldots,n-1\}^*$ and transition relations $w \xrightarrow{i} wi$ for each $i < n$. Büchi
showed that the monadic second-order (MSO) theory of S1S is decidable [13]: besides
first-order constructs, MSO has quantifiers over sets of states. S1S is a weak form of
arithmetic where, in this presentation, the number $n$ is $0^n$ and $\xrightarrow{0}$ is the +1 function.
Rabin extended Büchi’s result by showing that the MSO theory of SnS is decidable for
any $n > 0$ [60]. Kozen and Parikh’s proof of decidability of satisfiability for full $L_\mu$
uses the tree model property with bounded branching degree. Given a formula $\phi$ the
maximum required branching degree $n$ can be calculated from $cl(\phi)$. The formula $\phi$ can
then be translated almost directly into SnS by examining its semantics: for instance,
$\|\nu X.\phi\|_{\mathcal{V}} = \exists S.\, S \subseteq \|\phi\|_{\mathcal{V}[X:=S]}$ and $\|X\|_{\mathcal{V}} = \mathcal{V}(X)$. Elements of Prop are treated
as variables (and are existentially quantified over). Labels in diamond modalities are
judiciously mapped to “directions” $i < n$ and labels in box modalities to sets of directions.
For example, $\nu X.\langle a\rangle(X \wedge \neg P) \wedge \langle a\rangle(X \wedge P)$ is translatable into the S2S formula


$\exists P.\exists S.\forall x.\exists y.\exists z.(x \in S \to x \xrightarrow{1} y \wedge y \in S \wedge y \in P) \wedge (x \in S \to x \xrightarrow{2} z \wedge z \in S \wedge z \notin P)$

The formula $\phi$ is satisfiable if and only if its translation is true in SnS: for instance, the
S2S formula above is true. The key feature in the MSO decidability proofs is that in a
formula $\exists X.\phi$, quantification can be restricted to “regular” sets of states which leads to
quantifier elimination when the normal form is a nondeterministic finite state automaton.
In the case of S1S it is a Büchi word automaton and in the more general setting of SnS
it is a Rabin tree automaton: these automata are defined in section 4.3. The automaton
normal form for $\forall X.\phi$, that is $\neg\exists X.\neg\phi$, involves an exponential increase in size because
of complementation. Consequently, the decision procedure for SnS, $n > 0$, is (and must
be) non-elementary. Because $\mu X_1.\nu X_2.\ldots\mu X_m.\nu X_{m+1}.\psi$ is translated into the MSO
formula $\forall S_1.\exists S_2 \ldots \forall S_m.\exists S_{m+1}.\psi'$, Kozen and Parikh’s decision procedure for $L_\mu$ is also
non-elementary.

MSO formulae with second-order quantification, unlike fixed point formulae, are
expressively succinct. A direct translation of $L_\mu$ formulae into finite state automata,
without intervening MSO formulae, could lead to a more efficient decision procedure. With
this technique Streett provided an elementary time decision procedure for PDL with
looping and converse [65]. With Emerson he employed the same technique for $L_\mu$ and
obtained a decision procedure for satisfiability and a proof of the finite model
property at once [64]. The procedure is in elementary time. The central ingredient (besides
the tree model property) is the relationship between $L_\mu$ and Rabin automata, which
is established using the fundamental semantic theorem. For, the constraint on fixpoint
regeneration and infinite repetition is expressible as a Rabin acceptance condition. Now
we can construct an automaton that accepts such bounded-branching tree models, by 
combining a finite-state automaton to check the local consistency (that is, to check that 
the putative model is a pre-model), and a Rabin automaton to check that the pre-model 
is well-founded. Thus the formula is satisfiable if this product automaton accepts some 
tree. Now automata theory, see for instance [66], tells us that (a) this question is decid- 
able (b) if such an automaton accepts some tree, it accepts a regular tree, that is, one 
that is the unravelling of a finite system; this gives the results. Later, Emerson and Jutla 
provided an exponential time decision procedure (which is optimal) using an improved 
determinization construction and an improved tree automata emptiness test [22]: there 
is an exponential (in the size of the formula) bound on the size of the model. 


5.3 Alternating parity automata


There is a slight mismatch between $L_\mu$ models and SnS models because of the fixed
branching degree and the explicit indexed successors. However, it is possible to define
automata that can directly recognise $L_\mu$ models by navigating through their transition
graphs. We define alternating parity automata for this purpose following, for example,
[40]. The only restriction is that we assume that Prop is a finite set (those propositions
that appear in a starting formula $\phi$). A rooted model for a closed formula $\phi$ is a triple
$(T, s_0, \mathcal{V})$.

Recall the notion of automaton $A = (Q, \Sigma, \delta, q_0, F)$ as defined in section 4.3. Now think
of the transition function of an automaton as a logical formula. For a word automaton,
if $\delta(q,a) = \{q_1,\ldots,q_m\}$ then it is the formula $q_1 \vee \ldots \vee q_m$. For a tree automaton if
$\delta(q,a) = \{(q_1^1,\ldots,q_n^1),\ldots,(q_1^m,\ldots,q_n^m)\}$ then it is $((1,q_1^1) \wedge \ldots \wedge (n,q_n^1)) \vee \ldots \vee ((1,q_1^m) \wedge \ldots \wedge (n,q_n^m))$:
here the element $(i,q')$ means create an $i$th-child with label $q'$. A word or
tree is accepted if there exists an accepting run for that word or tree; hence, the disjuncts.
However, for a tree, every path through it must be accepting; hence the conjuncts.
In alternating word automata, the transition function is given as an arbitrary boolean
expression over states: for instance, $\delta(q,a) = q_1 \wedge (q_2 \vee q_3)$. In alternating tree automata it
is a boolean expression over directions and states: for instance, $((1,q_1) \wedge (1,q_2)) \vee (2,q_3)$.
Now the definition of a run becomes a tree in which successor transitions obey the
boolean formula. In particular, even for an alternating automaton on words, a run is
a tree, and not just a word. The acceptance criterion is as before, that every path of
the run must be accepting. An alternating automaton is just a game too where $\forall$ is
responsible for $\wedge$ choices and $\exists$ for $\vee$ choices (as in section 4.4).

The idea now is to replace pairs $(i, q')$ with simple modal formulae. We define modal
automata whose transition functions appeal to a modal language (similar to modal
equation systems). Formally, a modal automaton $A = (Q, \Sigma, \delta, q_0, F)$ where $Q$ is a finite set
of states, $\Sigma$ is the set $\wp\mathrm{Prop}$ and $F$ is the parity acceptance condition. The transition
function $\delta : Q \times \Sigma \to B$ where $B$ is the following set of positive modal formulae (with
modal depth at most 1).


• $\top$, $\bot$ are in $B$

• If $q \in Q$ and $a \in \mathcal{L}$ then $\langle a\rangle q$ and $[a]q$ are in $B$

• If $B_1$ and $B_2$ are in $B$ then $B_1 \vee B_2$ and $B_1 \wedge B_2$ are in $B$


The automaton traverses the modal model, starting at $s_0$ and moving from a state
$s$ to successor states $t$ such that $s \xrightarrow{a} t$ for some $a \in \mathcal{L}$, according to the transition
function. However, not every successor may be included and some successors may be
included multiple times: for instance, if $q$ is the current automaton state for $s$ and
$\delta(q,\mathrm{Prop}(s)) = \langle a\rangle p_1 \wedge [c]p_2$³ and $s \xrightarrow{a} s_1$, $s \xrightarrow{a} s_2$, $s \xrightarrow{c} s_1$ and $s \xrightarrow{c} s$ then the
automaton changes state to $p_1$ and moves to $s_1$ in the model, changes to $p_2$ and also
moves to $s_1$ in the model and changes to $p_2$ and remains at $s$. As with tree automata, a
run of $A$ on a model is a labelled tree $(N, \to, L')$ where $N \subseteq \omega^*$ that obeys the tree
property that if $wi \in N$ then $w \in N$ and $w \to wi$: a node $x \in N$ may have infinitely
many successors $xi \in N$, as models have no bound on their branching degree. Unlike tree
automata, there is no requirement that complete branches should have infinite length.
In more detail, a run of $A$ on a modal model is a projection of an intermediate
structure, a tree with composite labels $(N, \to, L)$. The labelling $L : N \to S \times Q$ where
$S$ is the state space of the model: for the root of the tree, $L(\epsilon) = (s_0, q_0)$. The labels
of a node and its successors have to obey the transition function. First, given a state $s$
of the model let $M_s$ range over mixture subsets $\{(t,q') \mid s \xrightarrow{a} t \text{ for some } a \text{ and } q' \in Q\}$.
Next, we define when a subset $M_s$ satisfies a modal formula $B$, which we write $M_s \models B$.


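$M_s \models \top$        $M_s \not\models \bot$
$M_s \models \langle a\rangle p$ iff $\exists t.\ s \xrightarrow{a} t$ and $(t,p) \in M_s$
$M_s \models [a]p$ iff $\forall t.$ if $s \xrightarrow{a} t$ then $(t,p) \in M_s$
$M_s \models B_1 \vee B_2$ iff $M_s \models B_1$ or $M_s \models B_2$
$M_s \models B_1 \wedge B_2$ iff $M_s \models B_1$ and $M_s \models B_2$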


Given $A$ and a rooted model, one grows a labelled tree from the root $\epsilon$ with $L(\epsilon) = (s_0, q_0)$.
If $L(x) = (s,q)$ and $\delta(q, \mathrm{Prop}(s)) = B$ then there is a (possibly empty) set $M_s$ such that
$M_s \models B$. A child of $x$ is produced for each element of $M_s$: that is, $M_s = \{L(xi) \mid xi \in N\}$.
For example, if $L(x) = (s,q)$ and $\delta(q, \mathrm{Prop}(s)) = \langle a\rangle q_1 \wedge [a]q_2 \wedge \langle a\rangle q_3$ and in the model
$s \xrightarrow{a} s_i$ for all $i \geq 0$ then a candidate $M_s$ is $\{(s_0,q_1), (s_1,q_3), (s_0,q_2), \ldots, (s_i,q_2), \ldots\}$:
here there are infinitely many such candidates. The required run is the projection of the
tree to states in $Q$, the tree $(N, \to, L')$ whose labelling $L'(x) = q$ if $L(x) = (s,q)$ for
some $s$. A run is accepting if all (labellings of) infinite branches starting from the root
obey the parity acceptance condition $F$.

³ $\mathrm{Prop}(s)$ is the subset of Prop true at $s$.

744 Julian Bradfield and Colin Stirling

Given a rooted model $(T, s_0, \mathcal{V})$, $s_0 \models A$ if there is an accepting run of $A$ on that
model. The following is relatively straightforward (and is reminiscent of translating to
and from boolean equation systems).


THEOREM 10. For each modal automaton there is an equivalent closed formula of $L_\mu$,
and for each closed formula of $L_\mu$ there is an equivalent modal automaton.


5.4 Automaton normal form 


We can now extract a semantic normal form for $L_\mu$ due to Walukiewicz [71, 32]. If
$\Gamma$ is a finite set of formulae, $(a)\Gamma$ abbreviates $\bigwedge_{\phi \in \Gamma}\langle a\rangle\phi \wedge [a]\bigvee_{\phi \in \Gamma}\phi$. Every modal
automaton is equivalent to a restricted modal automaton. Let $\mathcal{L} = \{a_1,\ldots,a_n\}$. The
transition function is restricted: formulae of $B$ are disjunctions of conjuncts of the form
$(a_1)B_1 \wedge \ldots \wedge (a_n)B_n$ where each $B_i \subseteq Q \cup \{\top\}$. The proof of the following is far from
trivial and depends on the combinatorial features of automata, especially determinization.


THEOREM 11. For each modal automaton there is an equivalent restricted modal au- 
tomaton. 


A formula is in automaton normal form (anf)⁴, if it belongs to the following sublogic,
where


• $P$, $\neg P$ and $Z$ are anfs

• If $\phi_1$ and $\phi_2$ are anfs, so is $\phi_1 \vee \phi_2$

• If $\phi$ is an anf, then so are $\nu Z.\phi$, $\mu Z.\phi$

• If each $\Gamma_i$ is a finite set of anfs and $a_i \neq a_j$ when $i \neq j$ and $\alpha$ is a finite set of
atomic propositions and their negations, then $(a_1)\Gamma_1 \wedge \ldots \wedge (a_n)\Gamma_n \wedge \alpha$ is an anf


Anf formulae are the characteristic formulae for restricted automata. For instance, a
clause $\{\langle a\rangle p, \langle a\rangle q\}$ with respect to labels $a, b$ becomes the formula $\langle a\rangle p \wedge \langle a\rangle q \wedge [a](p \vee q) \wedge [b]\bot$.

Proposition 12. For each restricted automaton there is an equivalent anf formula. 


Therefore, anfs are semantic normal forms for $L_\mu$. We can effectively construct the
anf normal form for a formula $\phi$ in positive normal form. First, use Theorem 10 to build
an equivalent modal automaton $A_\phi$ for $\phi$. Next, use Theorem 11 to transform $A_\phi$ into
an equivalent restricted automaton $A'_\phi$. Finally, use Proposition 12 to convert $A'_\phi$ into
an equivalent anf formula $\phi'$.

An anf formula is weakly aconjunctive (although not necessarily aconjunctive). After
simplification, the anf normal form of the earlier formula $\mu X.\nu Z.([a]X \vee \langle b\rangle Z) \wedge \langle a\rangle Z$
that is not aconjunctive is $\mu X.\nu Z.(a)\{X\} \vee ((a)\{Z, \top\} \wedge (b)\{Z, \top\})$. In fact, conjunction
is even more constraining in anf formulae. Consider the semantic tableau construction
for an anf formula $\phi$. The only time we need to apply $\wedge$ decomposition is just before the
application of modal successors: assume a state $s$ is labelled with the formula
$(a_1)\Gamma_1 \wedge \ldots \wedge (a_n)\Gamma_n \wedge \alpha \in cl(\phi)$. At $s$ it reduces to its components $(a_1)\Gamma_1,\ldots,(a_n)\Gamma_n, \alpha$. If $\alpha$
is consistent then modal children $s \xrightarrow{a_i} t$ are created: however, by the definition of $(a)\Gamma$
each modal successor $t$ is labelled with a single anf formula in $cl(\phi)$. Therefore, as shown
by Walukiewicz, $\phi$ is satisfiable iff the formula obtained by replacing all its fixed point
subformulae $\mu X.\psi(X)$ with $\psi(\bot)$ and all subformulae $\nu X.\psi(X)$ with $\psi(\top)$ is satisfiable. To illustrate this,
assume $\phi = \mu X.\psi$ is satisfiable. Consider a rooted model and a least ordinal $o$ such that
$s_0 \models \mu X^{o}.\psi$. Consider its semantic tableau with initial state $s_0$ labelled with $\phi$. If there
is a descendent state $t$ that is also labelled with $\phi$ then $t \models \mu X^{o'}.\psi$ with $o' < o$ which
contradicts that $o$ is least. Therefore, there is a model for $\phi$ such that no descendent state
is labelled with $\phi$, which is, therefore, also a model for $\psi(\bot)$. Consequently, satisfiability
checking for an anf formula can be done in linear time [32]. To obtain the fmp for anf
$\phi$, replace each subformula $\mu X.\psi(X)$ with $\psi(\bot)$ and build a semantic tableau for it.
For modal successors, if at state $s$, $\nu X.\psi \in \Gamma$ and $(a)\Gamma \in s$ and some state $t$ is on the
path from the root to $s$ and $t$ is labelled with $\nu X.\psi$ then let $s \xrightarrow{a} t$: in this way, a finite
model for $\phi$ is constructed.

⁴ Walukiewicz terms them “disjunctive formulae”.
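
The satisfiability check just described (replace least fixed point variables by falsity and greatest fixed point variables by truth, then decide the fixpoint-free formula) as an added Python example, not code from the handbook. The tuple encoding and function names are constructed here; the example assumes a closed formula and treats labels that a conjunct does not mention as unconstrained.

```python
"""Satisfiability of automaton-normal-form (anf) formulae by fixpoint elimination (added example)."""

TOP, BOT = ("top",), ("bot",)


def var(x):
    return ("var", x)


def lit(p, positive=True):
    """Atomic proposition P (positive=True) or its negation."""
    return ("lit", p, positive)


def disj(f, g):
    return ("or", f, g)


def mu(x, body):
    return ("mu", x, body)


def nu(x, body):
    return ("nu", x, body)


def cover(covers, literals=()):
    """(a1)G1 and ... and (an)Gn and alpha; dict keys keep the labels distinct.

    (a)G stands for: every formula in G holds at some a-successor, and
    every a-successor satisfies some formula in G. (a){} is therefore [a]false.
    """
    return ("cover", {a: tuple(g) for a, g in covers.items()}, tuple(literals))


def consistent(literals):
    """A set of literals is consistent iff no proposition occurs with both signs."""
    seen = {}
    for _, p, positive in literals:
        if seen.setdefault(p, positive) != positive:
            return False
    return True


def satisfiable(f, env=None):
    """Decide satisfiability of a closed anf formula in one pass over its syntax tree.

    `env` records the replacement for each bound variable: False (falsity)
    under a mu binder, True (truth) under a nu binder.
    """
    env = env or {}
    tag = f[0]
    if tag == "top":
        return True
    if tag == "bot":
        return False
    if tag == "lit":
        return True
    if tag == "var":
        if f[1] not in env:
            raise ValueError(f"free variable {f[1]!r}: the formula must be closed")
        return env[f[1]]
    if tag == "or":
        return satisfiable(f[1], env) or satisfiable(f[2], env)
    if tag in ("mu", "nu"):
        return satisfiable(f[2], {**env, f[1]: tag == "nu"})
    if tag == "cover":
        _, covers, literals = f
        # Distinct labels are independent, and (a)G is satisfiable exactly when
        # each member of G is: give every member its own a-successor.
        return consistent(literals) and all(
            satisfiable(g, env) for gamma in covers.values() for g in gamma
        )
    raise ValueError(f"unknown node {tag!r}")


# The anf formula quoted in the text for the non-aconjunctive example.
PAGE_EXAMPLE = mu("X", nu("Z", disj(
    cover({"a": [var("X")]}),
    cover({"a": [var("Z"), TOP], "b": [var("Z"), TOP]}),
)))

# Constructed contrast: a least fixed point that demands an a-successor forever.
NO_BASE_CASE = mu("X", cover({"a": [var("X")]}))

if __name__ == "__main__":
    print(satisfiable(PAGE_EXAMPLE), satisfiable(NO_BASE_CASE))
```

The second formula fails because its only disjunct needs an a-successor satisfying X, and X has become falsity; swapping the binder for a greatest fixed point makes it satisfiable on an infinite a-path.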


6 COMPLETE AXIOMATIZATION 


A related problem to decidability is the question of providing an axiomatization of the 
theory of the modal mu-calculus. In his original paper, Kozen presented the axiomatiza- 
tion as an equational theory which is equivalent to the following. 


1. axioms and rules for minimal multi-modal logic K
2. $\phi(\mu X.\phi(X)) \to \mu X.\phi(X)$
3. $\dfrac{\phi(\psi) \to \psi}{\mu X.\phi(X) \to \psi}$


Axiom 2 is the axiom for a least fixed point that its “unfolding” implies it and rule 3
is Park’s fixed point induction rule. The duals of this axiom and rule for greatest fixed
points are: $\nu X.\phi(X) \to \phi(\nu X.\phi(X))$ and if $\psi \to \phi(\psi)$ then $\psi \to \nu X.\phi(X)$.

However, despite the naturalness of this axiomatization, Kozen was unable to show 
that it was complete. He was, however, able to show completeness for the aconjunctive 
fragment. In fact, a proof works for weak aconjunctive formulae using the consistency 
version of proposition 9: if $\gamma \wedge \mu X.\psi(X)$ is consistent⁵ and $X$ is not free in $\gamma$, then
$\gamma \wedge \psi(\mu X.\neg\gamma \wedge \psi)$ is consistent. The proof is similar to the tableau construction described
in section 5.1. Given an initial consistent formula in positive normal form one builds a 
tree model: the construction is guided by the proposition above as in the satisfiability 
proof. 


⁵ A formula $\phi$ is consistent with respect to an axiom system if $\phi \to \bot$ is not derivable within the
axiom system. Completeness of an axiom system is equivalent to the statement that every consistent
formula has a model (is satisfiable).

Completeness for the full language remained open for more than a decade, until it
was finally solved by Walukiewicz in [71], who established that Kozen’s axiomatization
is indeed complete. The proof is very involved and, in effect, internalises the automata
theoretic satisfiability proof described earlier. It utilises automata normal form and weak
aconjunctivity. It is more straightforward (as with satisfiability) to show using tableaux
that if an anf formula is consistent then it has a model. Much harder to prove is that
every (closed) formula is provably equivalent within the axiom system to an anf formula.
Walukiewicz utilises games on infinite tableaux to show this.

The following are valid fixpoint principles (which, by duality also are true for $\nu$).


$\mu X.\mu Y.\phi(X,Y) \Leftrightarrow \mu X.\phi(X,X) \Leftrightarrow \mu Y.\mu X.\phi(X,Y)$


Arnold and Niwiński call these “the golden lemma” of $\mu$-calculus [5]. Other interesting
valid fixpoint principles include $\mu X.\phi(X) \Rightarrow \nu X.\phi(X)$, by monotonicity, and the
following, due to Niwiński, that generalises that ‘almost always’ implies ‘infinitely often’.


$\mu X.\nu Y.\phi(X,Y) \Rightarrow \nu Y.\mu X.\phi(X,Y)$


Deriving these principles deductively from Kozen’s complete axiom system is by no means
easy (as opposed to their derivations using the semantics).


7 ALTERNATION 


As we said earlier, the alternation of fixpoints is what gives $L_\mu$ its expressive power,
and also what appears to generate the computation complexity of model-checking. In 
this section, we study alternation in more detail. As we have said, the idea is to count 
alternations of minimal and maximal fixpoint operators, but to do so in a way that only 
counts real dependency. The paradigm is ‘always eventually’ versus ‘infinitely often’: the 
‘always eventually’ formula 


$\nu Y.(\mu Z.P \vee \langle a\rangle Z) \wedge \langle a\rangle Y$


is, using a straightforward model-checking algorithm, really no worse to compute than 
two disjoint fixpoints, since the inner fixpoint can be computed once and for all, rather 
than separately on each outer approximant; on the other hand, the ‘infinitely often’ 
formula 

$\nu Y.\mu Z.(P \vee \langle a\rangle Z) \wedge \langle a\rangle Y$


really does need the full double induction on approximants. 

The definition of Emerson and Lei takes care of this by observing that the ‘eventually’
subformula is a closed subformula, and giving a definition that ignores closed
subformulae when counting alternations. The stronger notion of Niwiński, which also has the
advantage of being robust under translation to modal equation systems, also observes
that, for example, $\mu X.\nu Y.[-]Y \wedge \mu Z.[-](X \vee Z)$ although it looks like a $\mu/\nu/\mu$ formula,
is morally a $\mu/\nu$ formula, since the inner fixpoint does not refer to the middle fixpoint.

The alternation depth referred to in the complexity of model-checking is a measure of
alternation that is symmetric in $\mu$ and $\nu$. It is possible to give algorithms that compute
the alternation depth of a formula [24, 1, 34], and this is how the notion was presented by
Emerson and Lei. However, for our purposes it is easier to start from a definition of classes
of formulae, formalizing the idea of ‘a $\mu/\nu/\mu$ formula’ etc.; such a definition is analogous
to the usual definition of quantifier alternation for predicate logic, an analogy which will
be exploited later. This was how Niwiński [53] presented the notion of alternation, and
we follow his presentation.

Assuming positive form, a formula $\phi$ is said to be in the classes $\Sigma^{N\mu}_0$ and $\Pi^{N\mu}_0$ iff it
contains no fixpoint operators. To form the class $\Sigma^{N\mu}_{n+1}$ (resp. $\Pi^{N\mu}_{n+1}$), take $\Sigma^{N\mu}_n \cup \Pi^{N\mu}_n$,
and close under the following rules:


1. if $\phi_1, \phi_2 \in \Sigma^{N\mu}_{n+1}$ (resp. $\Pi^{N\mu}_{n+1}$), then $\phi_1 \vee \phi_2$, $\phi_1 \wedge \phi_2$, $\langle a\rangle\phi_1$, $[a]\phi_1 \in \Sigma^{N\mu}_{n+1}$ (resp.
$\Pi^{N\mu}_{n+1}$);
2. if $\phi \in \Sigma^{N\mu}_{n+1}$ (resp. $\Pi^{N\mu}_{n+1}$), then $\mu Z.\phi \in \Sigma^{N\mu}_{n+1}$ (resp. $\nu Z.\phi \in \Pi^{N\mu}_{n+1}$);
3. if $\phi(Z), \psi \in \Sigma^{N\mu}_{n+1}$ (resp. $\Pi^{N\mu}_{n+1}$), then $\phi(\psi) \in \Sigma^{N\mu}_{n+1}$ (resp. $\Pi^{N\mu}_{n+1}$), provided that no
free variable of $\psi$ is captured by a fixpoint operator in $\phi$.


If we omit the last clause, we get the definition of ‘simple-minded’ alternation $\Sigma^{S\mu}_n$,
that just counts syntactic alternation; if we modify the last clause to read ‘... provided
that $\psi$ is a closed formula’, we obtain the Emerson–Lei notion $\Sigma^{EL\mu}_n$. (We write just
$\Sigma^{\mu}_n$ when the distinctions are not important, or when we are making a statement that
applies to all versions.)

To get the symmetrical notion of alternation depth of $\phi$, we can define it to be the least
$n$ such that $\phi \in \Sigma^{\mu}_{n+1} \cap \Pi^{\mu}_{n+1}$. To make these definitions clear, consider the following
examples:


• The ‘always eventually’ formula is $\Pi^{S\mu}_2$, but not $\Sigma^{S\mu}_2$, and so its simple alternation
depth is 2. However, in the Emerson–Lei notion, it is also $\Sigma^{EL\mu}_2$, since $\nu Y.W \wedge \langle a\rangle Y$
is $\Pi^{EL\mu}_1$ and so $\Sigma^{EL\mu}_2$, and by substituting the closed $\Sigma^{EL\mu}_1$ (and in fact $\Sigma^{S\mu}_1$)
formula $\mu Z.P \vee \langle a\rangle Z$ for $W$ we get ‘always eventually’ in $\Sigma^{EL\mu}_2$. Hence its Emerson–Lei
(and Niwiński) alternation depth is 1.


• The ‘infinitely often’ formula is $\Pi^{\mu}_2$ but not $\Sigma^{\mu}_2$, in all three definitions, and so has
alternation depth 2.


• The formula $\mu X.\nu Y.[-]Y \wedge \mu Z.[-](X \vee Z)$ is $\Sigma^{S\mu}_3$, but not $\Pi^{S\mu}_3$; it is also $\Sigma^{EL\mu}_3$ but
not $\Pi^{EL\mu}_3$, since there are no closed subformulae to bring the substitution clause
into play. However, in the Niwiński definition, it is actually $\Sigma^{N\mu}_2$: $\nu Y.[-]Y \wedge W$ is
$\Pi^{N\mu}_1$ and so $\Sigma^{N\mu}_2$; we can substitute the $\Sigma^{N\mu}_1$ formula $\mu Z.[-](X \vee Z)$ for $W$ without
variable capture, and so $\nu Y.[-]Y \wedge \mu Z.[-](X \vee Z)$ is $\Sigma^{N\mu}_2$; and now we can add the
outer fixpoint, still remaining in $\Sigma^{N\mu}_2$.


A natural question is whether the hierarchy of properties definable by $\Sigma^{\mu}_n$ formulae
is actually a strict hierarchy, or whether the hierarchy collapses at some point so that
no further alternation is needed. This problem remained open for a while; by 1990, it
was known that $\Sigma^{\mu}_2 \neq \Pi^{\mu}_2$ [4]. No further advance was made until 1996, when the
strictness of the hierarchy was established by Bradfield [8, 9, 11].


THEOREM 13. For every $n$, there is a formula $\phi \in \Sigma^{\mu}_n$ which is not equivalent to any
$\Pi^{\mu}_n$ formula.

Bradfield established this for $\Sigma^{N\mu}_n$, which implies the result for the other two notions.
At the same time, Lenzi [43] independently established a slightly weaker hierarchy
theorem for $\Sigma^{EL\mu}_n$.

Lenzi’s proof is technically complex, and the underlying stratagem is not easy. Brad- 
field’s proof appears technically complex, but most of the complexity is really just routine 
recursion-theoretic coding; the underlying stratagem is quite simple, and in some ways 
surprising. If one takes first-order arithmetic, one can add fixpoint operators to it, and 
one can then define a fixpoint alternation hierarchy in arithmetic. A standard coding 
and diagonalization argument shows that this hierarchy is strict [9]. The trick now is to 
transfer this hierarchy to $L_\mu$. Simply by writing down the semantics, it is clear (give or
take some work to deal with the more complex notions of alternation) that if one takes a
recursively presented transition system and codes it into the integers, then for a modal
formula $\phi \in \Sigma^{\mu}_n$, its denotation $\|\phi\|$ is describable by an arithmetic $\Sigma^{\mu}_n$ formula. However,
it is also possible, given any arithmetic fixpoint formula $\chi$, to build a transition system
and a modal formula $\phi$, of the same alternation depth as $\chi$, such that $\|\phi\|$ is
characterized by $\chi$. If we take $\chi$ to be a strict $\Sigma^{\mu}_n$ arithmetic formula, then no $\Pi^{\mu}_n$ arithmetic
formula is equivalent to it, and therefore no $\Pi^{\mu}_n$ modal formula can be equivalent to $\phi$.
The transition system that is constructed is infinite, but by the finite model property, 
the hierarchy transfers down to the class of finite models. 

Both proof techniques construct explicit examples of hard formulae. Bradfield’s ex- 
amples have the form 


$\mu X_n.\nu X_{n-1}.\ldots\mu X_1.[c]X_1 \vee \langle a_1\rangle X_1 \vee \ldots \vee \langle a_n\rangle X_n$.


There are further questions one can ask about the alternation hierarchy. For example, 
is it still strict even on the binary tree? The answer is yes, given independently by 
Bradfield [10, 11] and Arnold [3] — the latter also gives a nice alternative proof of the 
main theorem, using topological methods rather than computability methods. 

A more interesting question, and one that is still open, is: given a formula, what is 
its ‘semantic’ alternation depth? That is, what is the least alternation depth of any 
equivalent formula? Otto [55] showed that it is decidable whether a formula is equivalent 
to an alternation-free formula, and then Küsters and Wilke showed [41] it for alternation
depth 1. Decidability is not known for higher levels. 


8 BISIMULATION INVARIANCE 


A hallmark of modal logic is bisimulation invariance: if $s \models \phi$ and $s$ and $s'$ are
bisimulation equivalent then $s' \models \phi$. As we have seen, this remains true for $L_\mu$ formulae. In
logic, in general, structures are viewed as equivalent when they are isomorphic. However, 
in computation when structures represent behaviour of systems weaker forms of equiv- 
alence, such as automata acceptance equivalence or bisimulation equivalence, are more 
appropriate; see, for example, Milner [51]. 


8.1 $L_\mu$ and MSOL


A modal formula can be translated into an equivalent bisimulation invariant first-order
logic formula (over transition graphs) with one free variable. The translation is merely
the semantics. Let $\phi[x]$ be the translation of $\phi$ with free variable $x$: for instance, $P[x] = P(x)$
and $\langle a\rangle\phi[x] = \exists y.\ x \xrightarrow{a} y \wedge \phi[y]$. Clearly, $s \models \phi$ iff $\phi[s]$ holds. Van Benthem proved
the converse: a bisimulation invariant first-order logic formula with one free variable is
equivalent to a modal formula. Modal logic is the bisimulation invariant fragment of
first-order logic.

The question is whether there is a similar result for closed formulae of $L_\mu$. As we
have seen, there is an intimate relationship between $L_\mu$ and automata, games or SnS.
None of these notations provide an obvious semantics for $L_\mu$ formulae. Monadic
second-order logic (MSOL) of transition graphs extends first-order logic with quantification over
monadic predicates. With this addition we can translate $L_\mu$.


$\nu Z.\phi[x] = \exists Z.(\forall y.\ Z(y) \to \phi[y]) \wedge Z(x)$


So, an $L_\mu$ formula is translated into an equivalent bisimulation invariant MSOL formula
with one free variable. Remarkably, the converse is also true, as proved by Janin and
Walukiewicz [33].


THEOREM 14. A bisimulation invariant MSOL formula with one free variable is
equivalent to an $L_\mu$ formula.


In other words, $L_\mu$ is the bisimulation invariant fragment of MSOL.

The proof of this theorem is intricate and again illustrates the potency of automata.
The authors define an $\omega$-expansion of a rooted model which is like the usual unravelling
of the system into a tree, with the addition that the tree contains $\omega$-many copies of every
successor node. If $\phi(x)$ is a bisimulation invariant MSOL formula and $\phi(s)$ holds where
$s$ is the root of a model then $\phi(s)$ remains true for the $\omega$-expanded model.

The proof uses modal automata from section 5.3. The transition function is defined
using a simple modal language. If the automaton is in state $q$ and at state $s$
in the modal model and $\delta(q, \mathrm{Prop}(s)) = B$ then there is a mixture set $M_s \models B$ where
$M_s \subseteq \{(t, q') \mid s \xrightarrow{a} t \text{ for some } a \text{ and } q' \in Q\}$. Instead of simple modal formulae $B$,
the automaton could employ first-order formulae with one free variable $B[x]$. Now, for
instance, $M_s \models \exists y.\, x \rightarrow y \wedge p[y]$ iff $(t, p) \in M_s$ for some $t$ such that $s \rightarrow t$. Critically,
there is also a similar automata characterisation of MSOL formulae on trees. The transition
function $\delta : Q \times \Sigma \rightarrow B'$ where $B'$ is very similar to $B[x]$ except that it involves
inequalities. When in CNF, formulae $B'[x]$ have the form


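$\exists y_1 \ldots y_n \Big( \bigwedge_{i \neq j} y_i \neq y_j \wedge x \rightarrow y_1 \wedge p_1[y_1] \wedge \ldots \wedge x \rightarrow y_n \wedge p_n[y_n] \wedge \forall z.\, \bigwedge_i z \neq y_i \rightarrow \psi(z, x) \Big)$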


where $\psi(z, x)$ captures the “box” formulae. The inequalities are effectively redundant in
an $\omega$-expanded model. The formulae $B'[x]$ collapse to $B[x]$ with respect to these models.

Van Benthem’s theorem also holds for finite models: modal logic is the bisimulation
invariant fragment of first-order logic with respect to finite models. It is an open question
if this is true for $L_\mu$ and MSOL.


8.2 Multi-dimensional $L_\mu$ and Ptime


A major interest is classifying logics according to their expressive power. Computation- 
ally, we can ask whether there are logics that characterize complexity classes. A classic 
result is that existential second-order logic exactly captures NP properties of finite structures.
A key open problem is whether there is such a logic for PTIME properties. (For
finite structures with a linear ordering the PTIME properties are exactly captured by
least fixed point logic of section 9.2.) However, Otto shows that bisimulation invariant
monadic PTIME properties (of modal structures) are logically characterizable by a
multi-dimensional $L_\mu$ [54].

For simplicity, assume finite $L_\mu$ rooted structures whose label set is a singleton and let
Prop be finite. Formulas of $L_\mu$ are interpreted with respect to a single state. Consider
instead $k$-tuples of states $(s_1, \ldots, s_k)$. Given such tuples we can define transition relations
$\xrightarrow{i}$, for each $i$, $1 \le i \le k$: $(s_1, \ldots, s_k) \xrightarrow{i} (t_1, \ldots, t_k)$ if $s_i \rightarrow t_i$ and $s_j = t_j$
for all $j \neq i$. Otto defines the logic $L_\mu^k$ (with $L_\mu = L_\mu^1$). Formulae may contain
variables $x_i$, $1 \le i \le k$. Atomic formulae have the form $Px_i$: $(s_1, \ldots, s_k) \models Px_i$ iff
$P \in \mathrm{Prop}(s_i)$. Modal formulae have the form $\langle i \rangle\phi$ and $[i]\phi$. Formulae are closed under
boolean connectives. There is a substitution operation $\sigma : \{1, \ldots, k\} \rightarrow \{1, \ldots, k\}$: $\phi\sigma$ is
the formula $\phi\{x_{\sigma(1)}/x_1, \ldots, x_{\sigma(k)}/x_k\}$. Finally, fixed points are $k$-ary: $\mu X(x_1, \ldots, x_k)$
(and are interpreted as in section 9.2). Formulae of $L_\mu^k$ are bisimulation invariant. The
logic that characterizes bisimulation invariant monadic PTIME are the monadic formulae
of $L_\mu^k$. Crucially, for $k > 1$, bisimulation equivalence is definable in $L_\mu^k$.


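$\nu X(x_1, \ldots, x_k).\ \bigwedge_{P \in \mathrm{Prop}} (Px_1 \leftrightarrow Px_2) \wedge [1]\langle 2 \rangle X(x_1, \ldots, x_k) \wedge [2]\langle 1 \rangle X(x_1, \ldots, x_k)$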


For canonical finite rooted models (rooted models quotiented with respect to bisimulation 
equivalence) one can define a linear ordering on states via bisimulation inequivalence. 
So, each PTIME property is definable in least fixed point logic and, in fact, in some $L_\mu^k$.
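
Added example (not part of the chapter): for $k = 2$ and a single label, the greatest fixpoint defining bisimulation equivalence can be evaluated on a finite structure by iterating downwards over pairs of states. The sketch also checks bisimulation invariance of the least fixpoint "a P-state is reachable" and builds the canonical quotient; the sample structure and all function names are constructed here.

```python
from itertools import product

# Constructed sample: a finite structure with a single (unnamed) action label.
STATES = ["a0", "a1", "b", "c", "d", "e", "f"]
SUCC = {"a0": {"a1"}, "a1": {"a0"}, "b": {"b"},      # a 2-cycle and a self-loop
        "c": {"d"}, "d": set(), "e": {"d", "f"}, "f": {"d"}}
PROP = {s: frozenset() for s in STATES}
PROP["d"] = frozenset({"P"})


def bisimulation_equivalence(states, succ, prop):
    """Greatest fixpoint, over pairs (x1, x2), of
         X = AND_P (P x1 <-> P x2)  AND  [1]<2>X  AND  [2]<1>X.
    Iterates downwards from all pairs that agree on Prop until nothing changes."""
    x = {(s, t) for s, t in product(states, repeat=2) if prop[s] == prop[t]}
    while True:
        refined = {
            (s, t) for (s, t) in x
            # [1]<2>X: each step of component 1 is matched by a step of component 2
            if all(any((s2, t2) in x for t2 in succ[t]) for s2 in succ[s])
            # [2]<1>X: each step of component 2 is matched by a step of component 1
            and all(any((s2, t2) in x for s2 in succ[s]) for t2 in succ[t])
        }
        if refined == x:
            return x
        x = refined


def eventually(states, succ, prop, p):
    """Least fixpoint  mu Y. p OR <>Y : a state carrying p is reachable."""
    y = set()
    while True:
        grown = {s for s in states
                 if p in prop[s] or any(t in y for t in succ[s])}
        if grown == y:
            return y
        y = grown


def quotient(states, succ, eq):
    """Canonical model: one state per bisimulation class, with induced transitions."""
    block = {s: frozenset(t for t in states if (s, t) in eq) for s in states}
    return {block[s]: {block[t] for t in succ[s]} for s in states}


def invariant(eq, extension):
    """Bisimulation invariance: related states agree on membership in the extension."""
    return all((s in extension) == (t in extension) for s, t in eq)


if __name__ == "__main__":
    eq = bisimulation_equivalence(STATES, SUCC, PROP)
    reach_p = eventually(STATES, SUCC, PROP, "P")
    print(sorted(map(sorted, quotient(STATES, SUCC, eq))))
    print(sorted(reach_p), invariant(eq, reach_p))
```

The state e is separated from c and f only in the refinement step, because e can move to a non-P state while c and f cannot.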


8.3 Bisimulation quantifiers and interpolation


In previous sections, a number of standard logical questions about $L_\mu$ have been
covered, such as satisfiability, completeness, etc. These were all addressed, if not solved, 
early in the history of the logic. There are other standard questions about logics which, 
perhaps surprisingly, were not addressed until quite recently. In this subsection, we 
describe briefly work on interpolation theorems and related issues. A key ingredient in 
these proofs is again alternating parity automata; another ingredient is an interesting 
notion of ‘bisimulation quantifier’. 

A logic enjoys the Craig interpolation property if whenever $\phi \Rightarrow \psi$, then there is a
third formula $\chi$, using only those atomic symbols occurring in both $\phi$ and $\psi$, such that
$\phi \Rightarrow \chi \Rightarrow \psi$. The uniform interpolation property requires further that to find $\chi$, it
suffices to know only one of $\phi$ or $\psi$ and what the common language is. (That is, one can
construct the strongest formula implied by $\phi$ in a given language, or the weakest formula
implying $\psi$ in a given language.) Maksimova showed [47] that most common temporal
logics do not have interpolation. In [16], d’Agostino and Hollenberg show that $L_\mu$ has
interpolation, and even uniform interpolation, as we now sketch.

Let $\phi$ be a sentence, and $P$ an atomic proposition occurring in $\phi$. The aim is to
construct a formula $\tilde\exists P.\phi$ which is the strongest implicate of $\phi$ in the language omitting
$P$. This can be done by using results of the Janin-Walukiewicz paper discussed earlier:
translate $\phi$ into an MSOL sentence $\hat\phi$, quantify it (in MSOL) to form $\exists P.\hat\phi$, and then apply
the construction mentioned to produce again an $L_\mu$ formula $(\exists P.\hat\phi)^{\vee}$, which is true in
any rooted structure whose $\omega$-expansion satisfies $\exists P.\hat\phi$; but if a structure satisfies $\phi$, then
its $\omega$-expansion satisfies $\exists P.\hat\phi$, since the original valuation of $P$ provides a witness. With
some more technical lemmas, it is shown that $(\exists P.\hat\phi)^{\vee}$ is indeed the uniform interpolant
of $\phi$ with respect to the vocabulary omitting $P$, and this is the definition of $\tilde\exists P.\phi$. A
similar definition and construction also works for action labels: $\tilde\exists a.\phi$ is the strongest
implicate of $\phi$ in the language omitting the label $a$.

The reason for the notation $\tilde\exists P.\phi$ is that from the construction, it can be seen that
a rooted structure satisfies $\tilde\exists P.\phi$ iff there is a bisimulation equivalent rooted structure in
the vocabulary excluding $P$ that satisfies $\phi$.

In the above, $\tilde\exists P.\phi$ was, by definition, an $L_\mu$ formula. It is natural to ask whether
bisimulation quantifiers can give the same expressive power as the fixpoint operators. It
turns out to be not sufficient to add $\tilde\exists$ to modal logic; but [16] does show that adding $\tilde\exists$
to PDL gives $L_\mu$.

The techniques used here also give further results. One of the most satisfying is a 
Lyndon theorem: if an $L_\mu$ sentence is monotone in a proposition P, then it is equivalent
to a sentence positive in P. The proof is intricate. 


9 GENERALIZED MU-CALCULI 


We have seen that $L_\mu$ has many nice properties. One interesting thread of research in
recent years has been the investigation of why it enjoys these properties — is it because 
it is a modal fixpoint logic, because it is a fixpoint logic, or what else? In this section, 
we will briefly survey some of these investigations, and some of the more interesting 
generalizations of $L_\mu$.


9.1 $L_\mu$ with past


A simple extension of $L_\mu$ is to include converse labels $\bar{a}$: $t \xrightarrow{\bar{a}} s$ iff $s \xrightarrow{a} t$. Modalities
can now include converses. $L_\mu$ with converse fails to have the finite model property:
$\nu X.\langle a \rangle(X \wedge \mu Y.[\bar{a}]Y)$ is only satisfiable in an infinite state model. However, it retains
both the tree model property and decidability of satisfiability (without an increase in 
complexity). The decidability proof uses two-way automata, alternating parity automata 
of section 5.3 whose modal language is extended with converse modalities [69]. 


9.2 Least fixpoint logic 


Modal logic is a monadic fragment of first-order logic. $L_\mu$ is such a fragment of least
fixpoint logic, or LFP, obtained by adding fixpoint constructors to first order logic. It is 
primarily studied in the field of finite model theory; in the realm of infinite models, it is 
relatively little used, though occasionally used by set theorists as part of the theory of 
inductive definability. Finite model theorists use various notations, but usually do not use 
$\mu$ and $\nu$, preferring to write LFP/GFP or lfp/gfp. We shall stick to a mu-calculus-like
notation. 

Assume the usual apparatus of first order logic over some structure $S$. LFP is obtained
by adding relation variables $X, Y, \ldots$ of given arities, and a least fixpoint operator $\mu$ which
forms relation terms $\mu X, \vec{x}.\phi$, where $\vec{x}$ is a tuple of arity($X$) individual variables, and the
relation variable $X$ occurs only positively in $\phi$. Assuming a valuation for the other free
variables of $\phi$, the semantics of $\mu X, \vec{x}.\phi$ is the least fixpoint of the map $S^n \rightarrow S^n$, where
$n$ is the arity of $X$, given by $T \mapsto \{\vec{x} : \phi[X := T]\}$.

LFP has the following properties (refer to a textbook such as [19] for proofs, and for 
details of results mentioned in this section without citations): 


• On finite models with a built-in linear order, LFP captures polynomial time, which
makes it useful for complexity theorists. (A logic L captures a complexity class C
if every set in C can be defined by a formula of L, and conversely every L-definable
set is in C.)


• On finite models, the fixpoint alternation hierarchy collapses, so that any LFP
property can be expressed with a single fixpoint; provided that the arity of relation
symbols is not bounded. If the arity is bounded, then the fixpoint hierarchy does
not collapse.


• LFP does not have the finite model property.
• Satisfiability is undecidable.


LFP retains a fundamental semantic theorem which can be presented as a model-checking
game as in section 4.4. The game is now played on an arena of formulae
$\phi[s_1, \ldots, s_n]$ with elements $s_i$ of the model for individual variables. The initial position
is the starting closed formula $\phi_0$ in positive normal form. $\forall$ is responsible for
making a move from a position $(\phi \wedge \psi)[s_1, \ldots, s_n]$, where the available choices are
$\{\phi[s_1, \ldots, s_n], \psi[s_1, \ldots, s_n]\}$, and from a position $\forall x_{n+1}.\phi[s_1, \ldots, s_n]$, where the available
choices are the set $\{\phi[s_1, \ldots, s_n, s] \mid s \in S\}$. $\exists$ is responsible for $\vee$ and existential
quantification. Final positions are of the form $P[s_1, \ldots, s_n]$ and $\neg P[s_1, \ldots, s_n]$. $\exists$ wins
such a position if it is true. Again, $\exists$ wins an infinite play if the outermost fixed point
variable $Y$ that occurs infinitely often in the play is a $\nu$-variable. $\exists$ has a history-free
winning strategy iff the initial formula is true of the structure.


9.3 Finite variable fixpoint logics


One of the topics studied in finite model theory is the finite variable fragments of FOL.
These are the fragments $\mathrm{FOL}^k$ where the number of distinct variable names in a formula
is restricted to a finite value $k$. Ordinary modal logic is obviously embeddable in $\mathrm{FOL}^2$;
there are several features of modal logic that are generalizable in some sense to $\mathrm{FOL}^2$; and
by adding certain operators to modal logic, one can regain $\mathrm{FOL}^2$, albeit less succinctly
[45]. Moreover, $\mathrm{FOL}^2$ is reasonably tractable, and the decidability of modal logic follows
from the decidability of $\mathrm{FOL}^2$, which in turn follows from the fact that, like modal logic
and $L_\mu$, it enjoys the finite model property.

It is therefore natural to wonder if the good properties of modal mu-calculus might be 
explained by considering the finite variable fragments of LFP. 

However, in a well-known paper ‘Why is modal logic so robustly decidable?’ [68], Vardi
analysed the relationship between modal logic and $\mathrm{FOL}^2$ more carefully, and argued that
it does not adequately explain the good properties of modal logic. Furthermore, when
one passes to the fixpoint version, it is even more inadequate: for example, although $L_\mu$
is decidable, $\mathrm{LFP}^2$ (and $L_\mu^2$) is not decidable.

It appears, then, that finite variable fixpoint logics have little to say about $L_\mu$. So
what are the more useful related logics?




9.4 Guarded fragments 


In [68], Vardi argued that the tree model property is responsible for the good behaviour
of $L_\mu$ and CTL. $\mathrm{FOL}^2$ does not have this property. However, it turns out that there are
fragments of FOL which do retain the tree model property or some suitable generalization
of it. The discovery of these fragments needed a new perception of the characteristic
features of modal logic seen as a fragment of FOL.

The fact that modal logic lies in $\mathrm{FOL}^2$ is obvious. Somewhat less obvious is another
property of the FO translations of modal logic formulae: guardedness. A FO quantification
is guarded if it has the form $\forall \vec{y}.\, \alpha(\vec{x}, \vec{y}) \rightarrow \phi(\vec{x}, \vec{y})$ or $\exists \vec{y}.\, \alpha(\vec{x}, \vec{y}) \wedge \phi(\vec{x}, \vec{y})$, where
$\alpha(\ldots)$ is an atomic formula (i.e. $\alpha$ is a relation symbol or the equality symbol), and $\alpha$
includes all the free variables of $\phi$. That is, when a quantified variable is introduced, its
values must be connected by some relation to the values of the other variables mentioned
in the formula. In the case of modal logic, the guards are the edge relations.

Guardedness was proposed by Andréka, van Benthem and Németi [2] as a better 
explanation of the robust decidability of modal logic. The guarded fragment GF of 
first-order logic has many of the nice properties of modal logic, for example 


• GF is decidable.
• GF has the finite model property.


• GF has the appropriate generalization of the tree model property, namely that if
a formula has a model, it has a model of ‘bounded tree-width’. (Tree width is a
graph-theoretic definition which measures how far a graph is from being a tree.)


• GF-equivalence can be characterized by a guarded bisimulation, as modal equivalence
is characterized by bisimulation.


Grädel and Walukiewicz [29] studied the guarded fragment GFP of LFP. The syntactic
formation rule for fixed points is: if $\phi(Y, \vec{x})$ is a guarded formula, $Y$ occurs positively and
not in the guards and all free variables of $\phi(Y, \vec{x})$ are contained in $\vec{x}$ then $\mu Y(\vec{x}).\phi(Y, \vec{x})$ is
a formula of the guarded fragment of LFP. This fragment retains the tree model property
but not the finite model property, making it a better meta-language for $L_\mu$ than $\mathrm{LFP}^2$.
An interesting first result concerned the complexity: satisfiability for GFP is 2EXPTIME-complete.
Grädel had earlier shown [27] that GF itself has 2EXPTIME satisfiability, so
this is a situation where adding fixpoints does not increase complexity - a surprising
result. However, it turns out that this depends on the unbounded width of formulae -
the number of free variables in subformulae. If the width is bounded, then satisfiability
drops to EXPTIME-complete, which agrees with that of $L_\mu$. The decidability proof uses
two-way alternating parity automata.


9.5 Inflationary mu-calculus 


In finite model theory, as well as to some extent in classical definability theory, extensions 
of LFP have been studied which relax the requirement for the body of a fixpoint operator 
to be monotone. One such is inflationary fixpoint logic (IFP). In IFP, the semantics of 
the fixpoint operator (usually written ifp in the finite model theory literature, but here 
written ur) is modified. Rather than being defined as a fixpoint, it is defined in terms of
approximants; and then at each approximant, the previous approximant is unioned in:


$Z^{\alpha} = Z^{<\alpha} \cup \|\phi\|_{V[Z := Z^{<\alpha}]}$


On finite structures, IFP and LFP have long been known to be equi-expressive, and re- 
cently Kreutzer showed [39] that indeed they are equi-expressive on arbitrary structures. 
In [18] Dawar, Grädel and Kreutzer define inflationary modal mu-calculus, by using the 
above definition for fixpoints, and show that it is more powerful than $L_\mu$, and complex
in many ways. It does not have the finite model property, and it can express non-regular 
properties. Satisfiability is undecidable and even non-arithmetic, since it is possible to 
interpret arithmetic, by using the height of nodes in a well-founded tree as numbers. On 
the class of finite models, the increased power results in a model-checking complexity of 
PSPACE. 


1 INTRODUCTION


Description logics (DLs) [12] are a family of knowledge representation languages which 
can be used to represent the terminological knowledge of an application domain in a 
structured and formally well-understood way. The name description logics is motivated 
by the fact that, on the one hand, the important notions of the domain are described 
by concept descriptions, i.e., expressions that are built from atomic concepts (unary
predicates) and atomic roles (binary predicates) using the concept and role constructors
provided by the particular DL. For example, the concept of “a man that is married to a
doctor, and has only happy children” can be expressed using the concept description


$\mathsf{Man} \sqcap \exists\mathsf{married}.\mathsf{Doctor} \sqcap \forall\mathsf{child}.\mathsf{Happy}$.


On the other hand, DLs differ from their predecessors in that they are equipped with a
formal, logic-based semantics, which can, e.g., be given by a translation into first-order
predicate logic. For example, the above concept description can be translated into the
following first-order formula (with one free variable $x$):


$\mathsf{Man}(x) \wedge \exists y(\mathsf{married}(x, y) \wedge \mathsf{Doctor}(y)) \wedge \forall y(\mathsf{child}(x, y) \rightarrow \mathsf{Happy}(y))$.


The motivation for introducing the early predecessors of DLs, such as semantic networks 
and frames [133, 125], actually was to develop means of representation that are closer 
to the way humans represent knowledge than a representation in formal logics, like first- 
order predicate logic. Minsky [125] even combined his introduction of the frame idea 
with a general rejection of logic as an appropriate formalism for representing knowledge. 
However, once people tried to equip these “formalisms” with a formal semantics, it turned 
out that they can be seen as syntactic variants of (subclasses of) first-order predicate 
logic [83, 144]. 

The immediate precursors of DLs, Brachman’s structured inheritance networks [42], 
were an attempt to define a formalism that allows for a structured representation of 
knowledge in the spirit of semantic networks and frames, but nevertheless is equipped
with a formal semantics. The original description logics used in systems that imple- 
mented these ideas in the 1980ies [45, 132, 124, 123] turned out to correspond to rather 
inexpressive and somewhat unusual subclasses of first-order predicate logic. On the one 
hand, none of them was propositionally closed since they did not allow for disjunction 
or negation. On the other hand, they were equipped with certain other complex con- 
structors (like number restrictions and role-value-maps), which, though expressible in 
first-order predicate logic, are not considered as atomic constructors there. For example, 
the number restriction $(\geq 5\ \mathsf{child})$ describes people having at least five children, and the
role-value-map $\mathsf{child} \circ \mathsf{friend} \sqsubseteq \mathsf{know}$ describes people that know all their children’s friends.

The main inference problem to be solved in description logics is the subsumption prob- 
lem, i.e., deciding whether one concept is a subconcept of another one. The early DL 
systems cited above employed so-called structural subsumption algorithms, which first 
normalise the concept descriptions, and then recursively compare the syntactic structure 
of the normalised descriptions. These algorithms are usually very efficient (polynomial), 
but they have the disadvantage that they are complete only for rather inexpressive DLs, 
i.e., for more expressive DLs they cannot detect all the existing subsumption relationships.
To overcome this problem, Schmidt-Schauß and Smolka [143] made DLs into “real”
logics by introducing negation. Their main motivation for this was that they wanted to 
reduce the subsumption problem to the satisfiability problem. They introduced a basic 
propositionally closed DL, which they called ALC, developed a tableau-like algorithm 
for satisfiability in ALC, and showed that the subsumption and satisfiability problem in 
ALC are PSPACE-complete. 

A reader of the Handbook of Modal Logic who followed us so far may rightfully ask: 
And what has all this to do with Modal Logic? The answer was given by Schild, who 
noticed that ALC is just a syntactic variant of multi-modal K, i.e., the basic modal logic 
of Kripke frames with several accessibility relations (and thus several pairs of box- and 
diamond operators). In fact, the translations of ALC and of K into first-order predicate 
logic yield exactly the same class of first-order formulae. This connection between DLs 
and modal logic was used by Schild and others (see, e.g., [139, 140, 54, 55]) to transfer 
decidability and complexity results from modal logic to DLs, but also to extend these 
results to logics with other DL constructors. At the same time, tableau-based algorithms
were developed for more and more expressive DLs (see [30] for an overview), and highly- 
optimized implementations of these algorithms [92] turned out to behave quite well on 
artificial benchmarks from modal logic [131] and also in practice [78]. 

Though there is a very close connection between DLs and modal logics (MLs), the 
underlying intuition as well as the intended applications differ significantly. As a conse- 
quence, the focus of research in DL and in modal logic also differs. While mentioning 
the similarities, this chapter will focus on topics that are specific for DLs. 

Section 2 formally introduces syntax and semantics of the basic DL ALC, and shows 
its relationship to multi-modal K. It then introduces additional DL constructors, and 
describes their ML counterparts. In addition to these constructors, DLs provide their 
users with a terminological formalism, which (in its simplest form) allows to introduce 
names for complex concepts, and an assertional formalism, which allows to state facts 
about specific individuals/objects. Though these components are usually not available in 
ML, there are some connections to things known in ML (such as nominals, the universal 
modality, fixpoint operators, etc.). 

In Section 3, we introduce the standard inference problems in description logics, show 
how they can be reduced to each other, and how they relate to inference problems in 
ML. The standard way of solving these problems in propositionally closed DLs is using 
tableau-based algorithms. Since these algorithms are treated in other chapters, we only 
give some references to the relevant chapters. 

Section 4 considers DLs that are not propositionally closed, and where consequently 
subsumption cannot be reduced to satisfiability. We review the known complexity results 
for such DLs, and then describe (complete) structural subsumption algorithms for some 
of them. In addition, we mention bi-simulation characterizations of the corresponding 
ML fragments. 

Section 5 is concerned with so-called non-standard inferences in DLs, like computing 
the least common subsumer and the most specific concept, and rewriting, unification, and 
matching of concepts. These inferences have been introduced with the goal of supporting 
the user when building and maintaining large DL knowledge bases. With the exception 
of unification, none of them have been investigated in ML. 

Finally, Section 6 introduces means of expressiveness that do not have immediate ML 
counterparts. 


2 BASIC DEFINITIONS AND CONNECTION TO MODAL LOGIC 


In this section, we introduce the basic components of description logics: concept lan- 
guages, terminological formalisms, and assertional formalisms. 


2.1 Concept Languages 


We first define the basic propositionally closed concept language ALC introduced by 
Schmidt-Schauß and Smolka [143], and then describe a number of natural extensions
that are important for many applications and offered by modern DL reasoners. Assume 
that a countably infinite supply of concept names, usually denoted A and B, and of role 
names, usually denoted r and s, are available. Concept descriptions in ALC are formed 
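Name                      Syntax              Semantics
------------------------------------------------------------------------------------------
top concept               $\top$              $\Delta^{\mathcal I}$
bottom concept            $\bot$              $\emptyset$
negation                  $\neg C$            $\Delta^{\mathcal I} \setminus C^{\mathcal I}$
conjunction               $C \sqcap D$        $C^{\mathcal I} \cap D^{\mathcal I}$
disjunction               $C \sqcup D$        $C^{\mathcal I} \cup D^{\mathcal I}$
value restriction         $\forall r.C$       $\{d \in \Delta^{\mathcal I} \mid \forall e.(d,e) \in r^{\mathcal I} \rightarrow e \in C^{\mathcal I}\}$
existential restriction   $\exists r.C$       $\{d \in \Delta^{\mathcal I} \mid \exists e.(d,e) \in r^{\mathcal I} \wedge e \in C^{\mathcal I}\}$
------------------------------------------------------------------------------------------
transitive role           $r$                 $r^{\mathcal I}$ transitive
inverse role              $r^-$               $\{(d,e) \mid (e,d) \in r^{\mathcal I}\}$
nominal                   $I$                 $I^{\mathcal I}$ singleton
qualifying number         $\leq n\, r\, C$    $\{d \in \Delta^{\mathcal I} \mid \#\{(d,e) \in r^{\mathcal I} \mid e \in C^{\mathcal I}\} \leq n\}$
restrictions              $\geq n\, r\, C$    $\{d \in \Delta^{\mathcal I} \mid \#\{(d,e) \in r^{\mathcal I} \mid e \in C^{\mathcal I}\} \geq n\}$
number                    $\leq n\, r$        $\{d \in \Delta^{\mathcal I} \mid \#\{(d,e) \in r^{\mathcal I}\} \leq n\}$
restrictions              $\geq n\, r$        $\{d \in \Delta^{\mathcal I} \mid \#\{(d,e) \in r^{\mathcal I}\} \geq n\}$


Figure 1. Semantics of concept and role constructors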


according to the following syntax rule: 


$C, D \longrightarrow A \mid \top \mid \bot \mid \neg C \mid C \sqcap D \mid C \sqcup D \mid \forall r.C \mid \exists r.C$


where A ranges over concept names and r ranges over role names. In examples, we will 
usually use uppercase names for concept names and lowercase names for role names, thus 
obtaining ALC concept descriptions such as the one given in the introduction: 


$\mathsf{Man} \sqcap \exists\mathsf{married}.\mathsf{Doctor} \sqcap \forall\mathsf{child}.\mathsf{Happy}$.


The semantics of ALC is based on interpretations, i.e., pairs $\mathcal{I} = (\Delta^{\mathcal I}, \cdot^{\mathcal I})$ where $\Delta^{\mathcal I}$ is a
non-empty set (the domain of $\mathcal I$), and $\cdot^{\mathcal I}$ is the interpretation function, assigning to each
concept name $A$ a set $A^{\mathcal I} \subseteq \Delta^{\mathcal I}$ and to each role name $r$ a binary relation $r^{\mathcal I} \subseteq \Delta^{\mathcal I} \times \Delta^{\mathcal I}$.
The interpretation function is inductively extended to concept descriptions as shown in
(the upper part of) Figure 1, which also lists the names that we use for ALC constructors.
An interpretation $\mathcal I$ is a model of a concept description $C$ if $C^{\mathcal I} \neq \emptyset$. In the following, we
will sometimes call concept languages “description logics”, ignoring further ingredients 
to DLs such as the terminological formalism. 

As first observed by Schild [138], ALC is a notational variant of the multi-modal 
logic K. Syntactically, concept names can simply be viewed as propositional variables 
and role names can be viewed as names for accessibility relations. Then, interpretations 
of ALC are obviously just Kripke structures with $\Delta^{\mathcal I}$ the set of worlds and $\cdot^{\mathcal I}$ providing
both the accessibility relations and the valuation of the propositional variables. With
this reading, the value restriction $\forall r.C$ becomes a box operator $\Box C$ referring to the
accessibility relation denoted by $r$, and $\exists r.C$ becomes a diamond operator $\Diamond C$. This
connection is also witnessed by the usual translation of ALC to first-order predicate 
logic [37, 38], which is identical to the standard translation for modal logic presented in 
Chapter 1. 
The concept language ALC is only one member of a large family of concept languages.
These languages can be obtained from ALC by disallowing certain constructors
(thus obtaining the sub-Boolean description logics discussed in Section 4) and/or adding 
various combinations of additional constructors. Such additional constructors can be 
concept constructors, or they can be role constructors allowing to construct compound 
role descriptions to be used in place of role names. We now discuss several additional 
constructors that are related to expressive means common in modal logic. Construc- 
tors that have been considered in the context of description logics, but lack a modal 
counterpart will be discussed in more depth in Section 6. 

When the connection between DLs and modal logic was discovered, one of its first uses
was to transfer results from propositional dynamic logic (PDL) to description logics [138,
139, 54]. The description logic counterpart of PDL is called ALCreg, which stands for
“ALC with regular expressions on roles” [3, 138]. ALCreg extends ALC by allowing
compound role descriptions inside value restrictions and existential restrictions. Such
role descriptions are built using the binary constructors for union (“$\cup$”) and composition
(“;”) and a unary constructor for reflexive-transitive closure (“$\cdot^*$”). The semantics is
given in the straightforward way by interpreting the constructors using the corresponding
relational operations. For example, the additional constructors could be used in the
concept description


$\mathsf{Man} \sqcap \exists\mathsf{child}.\mathsf{Human} \sqcap \forall(\mathsf{child}; \mathsf{child}^*).\mathsf{Happy}$


where $(\mathsf{child}; \mathsf{child}^*)$ describes the transitive closure of the role child, i.e., the descendant
relation. The work on ALCreg has led to several variants and extensions whose expressive
power goes beyond that of PDL [54, 56, 57]. However, many of today’s most used concept
languages do not include the role constructors of ALCreg. The main reason is that
applications demand an implementation of description logic reasoning, and the presence 
of the reflexive-transitive closure constructor makes obtaining efficient implementations 
much harder. 

Another important family of description logics is obtained by considering fragments of
the concept language SHOIQ [94, 98, 95], which extends ALC with several expressive
means that are discussed in detail below.¹ The importance of SHOIQ stems from the
fact that it and its fragments are used in two of the most influential application areas of
description logics: reasoning about conceptual database models [52] and reasoning in the
semantic web [19]. In the latter application, the fragment SHOIN roughly corresponds
to the ontology language OWL-DL [93], which was recommended by the W3C as the
standard web ontology language. The fragment SHIQ is the concept language supported
by modern description logic systems such as FaCT and RACER [91, 79]. A tableau
algorithm for full SHOIQ was introduced in [97], and optimized implementations of this
algorithm are under development.

Compared to ALC, the additional expressive means provided by SHOIQ are transitive
roles, role hierarchies, inverse roles, qualifying number restrictions, and nominals. With
the exception of role hierarchies, the formal semantics of these extensions can be found in
the lower part of Figure 1. Below, we discuss each means of expressiveness in more detail.
Before that, a remark on the naming scheme used to describe fragments of SHOIQ is
in order. To avoid long sequences of letters, the abbreviation S was introduced for ALC
with transitive roles. The additional presence of role hierarchies is indicated by the letter
H, of inverse roles by I, of (qualifying) number restrictions by N (Q), and of nominals
by O (see Figure 2).


¹ The naming of description logics is historically grown, and there are several naming schema in use;
see the Appendix of [12].


Symbol   Syntax                                    SHIQ   SHOIQ   SHIN   SHOIN
H        $r \sqsubseteq s$                          x      x       x      x
I        $r^-$                                      x      x       x      x
N        $(\leq n\, r)$, $(\geq n\, r)$             x      x       x      x
Q        $(\leq n\, r\, C)$, $(\geq n\, r\, C)$     x      x
O        $I$                                               x              x


Figure 2. Some members of the S family of DLs.

Transitive roles. ALC can be extended with transitive roles by adding a new sort of role 
names whose interpretation is required to be transitive [135]. The resulting description 
logic is a notational variant of the fusion of multi-modal K and multi-modal K4. One of 
the most important uses of transitive roles is for the representation of knowledge about 
parts and wholes by means of a transitive role part-of [136]. 


Inverse roles extend ALC with a unary role constructor $\cdot^-$. Roles of the form $r^-$
correspond to “backwards modalities” as known from temporal logic and converse PDL
[154]. They allow, for example, to define the converse parent of the relation child, and
the converse has-part of part-of.


Role hierarchies are not a part of the concept language, but rather “external” to it [91]. 
Formally, a role hierarchy is a finite set of inclusion statements $r \sqsubseteq s$ with $r$ and $s$ role
descriptions. Intuitively, the presence of a role hierarchy puts constraints on the class of
accepted interpretations: if $r \sqsubseteq s$ is in the hierarchy, then we only accept interpretations
in which $r^{\mathcal I} \subseteq s^{\mathcal I}$. Thus, role hierarchies are much closer in spirit to TBoxes (see below)
than to concept or role constructors. The connection between role hierarchies and modal 
logics will be discussed in a more general context in Section 6.2. 


Nominals are an additional sort of concept names that are required to be interpreted as 
singleton sets. The name has been adopted from modal logics, where nominals appear 
e.g. in the context of hybrid logic, c.f. Chapter 14 and [1, 74]. There are several natural 
concepts, such as Pope, that require nominals for an adequate modelling. In description 
logics, nominals sometimes occur in the form of two concept constructors called “one of” 
and “fills”, see [44] for more details. 


Qualifying number restrictions. Corresponding to graded modalities in modal logic [70, 
71, 153], qualifying number restrictions make it possible to put counting constraints on the number 
of domain elements that are related via a certain role and belong to a certain concept 
[88]. This constructor allows, e.g., the formulation of concepts such as 
Father $\sqcap$ ($\leq$ 1 child Female) describing fathers that have at most one daughter (but arbitrarily many 
sons). Number restrictions also appear in a non-qualifying variant $(\leq n\, r)$ and $(\geq n\, r)$, in 
which the third argument implicitly is the top concept. They are a very important means 
of expressivity that appeared already in early description logic systems such as KL-ONE 
[45]. In the case of SHOIQ and its fragments, number restrictions are usually restricted 
to simple roles, i.e. roles having no transitive subroles according to the role hierarchy. If 
this syntactic restriction is not adopted, reasoning in SHOIQ is undecidable [98]. 


For the sake of brevity, the list of concept and role constructors given above is not 

Woman = Person $\sqcap$ Female 
Man = Person $\sqcap$ $\neg$Woman 
Mother = Woman $\sqcap$ $\exists$child.Person 
Father = Man $\sqcap$ $\exists$child.Person 
Parent = Mother $\sqcup$ Father 


Figure 3. An example TBox formulated in ALC. 


exhaustive. For example, ALC has also been extended with Boolean role constructors, 
which corresponds to going from multi-modal K to Boolean modal logic [101, 122, 121]. 


2.2 Terminological Formalisms 


The concept language is only one part of description logics. To capture the terminologi- 
cal knowledge of application domains in a structured way, it is not sufficient to formulate 
single concept descriptions. Additionally, we must be able to organize and interrelate 
multiple concept descriptions in a suitable way. This is achieved through the termino- 
logical formalism. Just like concept languages, terminological formalisms come in several 
flavors. One of the most fundamental variants is the following: a TBox (terminological 
box) T is a finite set of concept definitions 


$A = C$ 


with A a concept name and C a concept description, such that no concept name appears 
on the left-hand side of two different concept definitions in $\mathcal{T}$. An example of a TBox 
formulated in ALC is displayed in Figure 3. A concept name is called a defined concept if 
it appears on the left-hand side of a concept definition, and a primitive concept otherwise. 

When defining the semantics, we face the difficulty of treating terminological cycles 
which may occur in the kind of TBoxes considered here. We say that a concept name A 
directly uses a concept name B w.r.t. a TBox $\mathcal{T}$ if there is a concept definition $A = C \in \mathcal{T}$ 
with B occurring in C. Let uses be the transitive closure of directly uses. Then a TBox 
$\mathcal{T}$ contains a terminological cycle if there is a concept name that uses itself w.r.t. $\mathcal{T}$; 
otherwise $\mathcal{T}$ is called acyclic. For example, the TBox displayed in Figure 3 is acyclic, 
whereas the following concept definition induces a terminological cycle (Adam and Eve 
are nominals): 


Human = Adam $\sqcup$ Eve $\sqcup$ $\exists$parent.Human. 


In the following, we sometimes call the general form of TBoxes introduced above cyclic 
TBoxes to distinguish them from acyclic ones. However, this does not imply that the 
TBoxes in question necessarily contain a terminological cycle. 

For acyclic TBoxes, the natural semantics is descriptive semantics: an interpretation 
$\mathcal{I}$ satisfies a concept definition $A = C$ if $A^{\mathcal{I}} = C^{\mathcal{I}}$, and $\mathcal{I}$ is a model of the TBox $\mathcal{T}$ if it 
satisfies all concept definitions in $\mathcal{T}$. Intuitively, acyclic TBoxes merely state that defined 
concepts are abbreviations for certain compound concept descriptions. These compound 
concepts can be made explicit by expanding the acyclic TBox $\mathcal{T}$: exhaustively replace 
all concept names A on the left-hand side of concept definitions $A = C$ by their defining 
concept descriptions C. After this expansion, the compound concept abbreviated by a 
defined concept can simply be read off from the corresponding concept definition. For 
example, the defined concept Father in Figure 3 abbreviates the compound concept 


Person $\sqcap$ $\neg$(Person $\sqcap$ Female) $\sqcap$ $\exists$child.Person. 


A primitive interpretation for a TBox $\mathcal{T}$ is an interpretation that interprets only the 
primitive concept names and role names, but not the defined concepts. A (full) interpretation 
$\mathcal{I}$ is called an extension of a primitive interpretation $\mathcal{J}$ if it agrees with $\mathcal{J}$ on the 
domain and the interpretation of the primitive concepts and role names. We say that $\mathcal{T}$ 
is definitorial if every primitive interpretation has exactly one extension that is a model 
of $\mathcal{T}$. Since we can expand them, acyclic TBoxes are clearly definitorial: if $\mathcal{T}$ is an acyclic 
TBox and $\mathcal{T}' = \{A_1 = C_1, \ldots, A_k = C_k\}$ has been obtained from $\mathcal{T}$ by expansion, then 
the unique extension of a primitive interpretation $\mathcal{J}$ that is a model of $\mathcal{T}$ is obtained by 
setting $A_i^{\mathcal{I}} = C_i^{\mathcal{J}}$ for $1 \leq i \leq k$. 

If we do not require TBoxes to be acyclic, then TBoxes are no longer definitorial under 
descriptive semantics. For example, the TBox 


$\mathcal{T}$ = {Human = $\forall$parent.Human} 


has no primitive concept, and the primitive interpretation $\mathcal{J}$ with $\Delta^{\mathcal{J}} = \{d\}$ and 
$\mathsf{parent}^{\mathcal{J}} = \{(d,d)\}$ can be extended to two different models of $\mathcal{T}$. Thus, the above TBox 
does not provide an unequivocal definition of Human. To obtain definitorial TBoxes in 
the presence of terminological cycles, two steps are necessary [129]: first, descriptive 
semantics is changed to a (least/greatest) fixpoint semantics; and second, the syntax of 
TBoxes is restricted to ensure that least and greatest fixpoints indeed exist. To illustrate 
why fixpoints are a natural choice for defining TBox semantics, we note that they can be 
used to characterize models of a TBox in a straightforward way. Let $\mathcal{T}$ be a TBox and $\mathcal{J}$ 
a primitive interpretation for $\mathcal{T}$. We write $\mathcal{T}(A)$ to denote the concept description C if 
$A = C \in \mathcal{T}$. With $\mathit{Ext}_{\mathcal{J}}$, we denote the set of all extensions of $\mathcal{J}$. Let $T_{\mathcal{J}} : \mathit{Ext}_{\mathcal{J}} \to \mathit{Ext}_{\mathcal{J}}$ 
be the mapping that maps the extension $\mathcal{I}$ of $\mathcal{J}$ to the extension $T_{\mathcal{J}}(\mathcal{I})$ of $\mathcal{J}$ defined 
by setting $A^{T_{\mathcal{J}}(\mathcal{I})} := (\mathcal{T}(A))^{\mathcal{I}}$ for each defined concept A. It is trivial to verify that an 
interpretation $\mathcal{I}$ is a model of $\mathcal{T}$ if and only if $\mathcal{I}$ is a fixpoint of $T_{\mathcal{J}}$ with $\mathcal{J}$ the restriction 
of $\mathcal{I}$ to a primitive interpretation. 

To make the TBox formalism definitorial in the presence of terminological cycles, we 
restrict the set of fixpoints of $T_{\mathcal{J}}$ that are intended as models. Let $\mathcal{I}$ be a model of 
$\mathcal{T}$ and $\mathcal{J}$ the restriction of $\mathcal{I}$ to a primitive interpretation. Then $\mathcal{I}$ is a least fixpoint 
model (greatest fixpoint model) of $\mathcal{T}$ if $A^{\mathcal{I}} \subseteq A^{\mathcal{I}'}$ ($A^{\mathcal{I}} \supseteq A^{\mathcal{I}'}$) for every defined concept 
A and every fixpoint $\mathcal{I}'$ of $T_{\mathcal{J}}$. We obtain the least fixpoint semantics (greatest fixpoint 
semantics) by admitting only the least fixpoint models (greatest fixpoint models) of $\mathcal{T}$ 
as intended models. However, the obtained semantics is still not definitorial, at least not 
for all TBoxes: let $\mathcal{T} = \{A = \forall r.\neg A\}$ and $\mathcal{J}$ the primitive interpretation with $\Delta^{\mathcal{J}} = \{d\}$ 
and $r^{\mathcal{J}} = \{(d,d)\}$. Then $\mathcal{J}$ has no extension that is a model of $\mathcal{T}$. The usual way 
to get around such a problem, as e.g. used in the modal $\mu$-calculus [104], is to adopt a 
syntactic monotonicity restriction. In the setting of cyclic TBoxes, this restriction can be 
formulated as follows: a TBox $\mathcal{T}$ is called monotone if, on the right-hand side of concept 
definitions in $\mathcal{T}$, defined concepts appear only under an even number of negations. It 
is easy to show that, according to least or greatest fixpoint semantics, every monotone 
TBox is definitorial: every primitive interpretation can be uniquely extended to a least 
or greatest fixpoint model of the TBox. 

Whether least fixpoint semantics or greatest fixpoint semantics is preferable depends 
on the concept definition at hand: for the concept definition 
Human = Adam $\sqcup$ Eve $\sqcup$ $\exists$parent.Human from above, we should use the least fixpoint semantics to avoid that 
individuals on cyclic or infinite parent-paths have to be Humans. In other cases, greatest 
fixpoint semantics can be more appropriate: say we want to define top researchers (in a 
somewhat incestuous way) as researchers who are renowned and collaborate only with 
top researchers: 


TopResearcher = Researcher $\sqcap$ Renowned $\sqcap$ $\forall$collaborates-with.TopResearcher. 


Then least fixpoint semantics is not convincing since two renowned researchers who 
collaborate mutually (but not with anybody else) will not be classified as top researchers. 
In contrast, greatest fixpoint semantics yields the intended models. These two examples 
illustrate that the most flexible solution is to use a mixed semantics: least fixpoints for 
some defined concepts, and greatest fixpoints for others [140]. Note that, in the case of 
an acyclic TBox, least fixpoint semantics, greatest fixpoint semantics, and descriptive 
semantics coincide in the sense that they admit exactly the same models. 
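
The following added example (not part of the chapter) evaluates the three cyclic definitions discussed above on small finite interpretations: it enumerates the descriptive models as fixpoints of $T_{\mathcal{J}}$ and computes least and greatest fixpoints by iteration. The tuple encoding of concepts, the function names, and the sample domains are assumptions made for this illustration.

```python
from itertools import chain, combinations, product

# Concepts are nested tuples (an encoding chosen for this example):
#   ("name", A)  ("not", C)  ("and", C, D, ...)  ("or", C, D, ...)
#   ("exists", r, C)  ("forall", r, C)

def evaluate(c, domain, conc, roles):
    """Extension of concept c; conc maps names to sets, roles to sets of pairs."""
    op = c[0]
    if op == "name":
        return set(conc[c[1]])
    if op == "not":
        return set(domain) - evaluate(c[1], domain, conc, roles)
    if op == "and":
        return set(domain).intersection(
            *(evaluate(x, domain, conc, roles) for x in c[1:]))
    if op == "or":
        return set().union(*(evaluate(x, domain, conc, roles) for x in c[1:]))
    if op in ("exists", "forall"):
        filler = evaluate(c[2], domain, conc, roles)
        succ = {d: {e for (x, e) in roles[c[1]] if x == d} for d in domain}
        if op == "exists":
            return {d for d in domain if succ[d] & filler}
        return {d for d in domain if succ[d] <= filler}
    raise ValueError(f"unknown constructor {op!r}")

def apply_T(tbox, domain, prim, roles, ext):
    """The mapping T_J: reinterpret every defined concept by its definition."""
    conc = {**prim, **ext}
    return {a: evaluate(c, domain, conc, roles) for a, c in tbox.items()}

def fixpoint_model(tbox, domain, prim, roles, greatest=False):
    """Iterate T_J from the smallest (or largest) extension until it is stable."""
    ext = {a: set(domain) if greatest else set() for a in tbox}
    # A monotone T_J needs at most |defined concepts| * |domain| strict steps.
    for _ in range(len(tbox) * len(domain) + 2):
        new = apply_T(tbox, domain, prim, roles, ext)
        if new == ext:
            return ext
        ext = new
    raise ValueError("iteration did not stabilise; is the TBox monotone?")

def descriptive_models(tbox, domain, prim, roles):
    """All extensions of the primitive interpretation that are fixpoints of T_J."""
    elems = sorted(domain)
    subsets = [set(s) for s in chain.from_iterable(
        combinations(elems, k) for k in range(len(elems) + 1))]
    names = list(tbox)
    found = []
    for choice in product(subsets, repeat=len(names)):
        ext = dict(zip(names, choice))
        if apply_T(tbox, domain, prim, roles, ext) == ext:
            found.append(ext)
    return found

if __name__ == "__main__":
    n = lambda a: ("name", a)
    # Human = forall parent.Human on a one-element loop: two descriptive models.
    loop = {"parent": {("d", "d")}}
    print(descriptive_models({"Human": ("forall", "parent", n("Human"))},
                             {"d"}, {}, loop))
    # TopResearcher on a constructed domain: a and b collaborate mutually.
    top = {"TopResearcher": ("and", n("Researcher"), n("Renowned"),
                             ("forall", "collaborates-with", n("TopResearcher")))}
    prim = {"Researcher": {"a", "b", "c"}, "Renowned": {"a", "b"}}
    roles = {"collaborates-with": {("a", "b"), ("b", "a"), ("c", "a")}}
    for greatest in (False, True):
        print(greatest, fixpoint_model(top, {"a", "b", "c"}, prim, roles, greatest))
```

The brute-force enumeration in `descriptive_models` is exponential in the domain size and is meant only for inspecting toy interpretations like the ones in the text.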

It is also possible to use descriptive semantics for cyclic TBoxes. As discussed above, 
this implies that TBoxes will no longer be definitorial. While this is inappropriate if the 
goal is to define concepts, it poses no problem if we view TBoxes simply as formulating 
constraints on the intended models. This view of TBoxes, which is rather natural in a 
number of applications, leads to the idea of general concept inclusion axioms (GCIs). A 
GCI is an expression of the form 


$C \sqsubseteq D$, 


where both C and D are (possibly compound) concept descriptions. An interpretation $\mathcal{I}$ 
satisfies the GCI $C \sqsubseteq D$ if $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$. When working with GCIs as constraints on models, 
no syntactic restrictions such as unique left-hand sides, acyclicity, or monotonicity need 
to be adopted. For example, we could use a GCI to state that all persons having an 
uncle who is a father also have a cousin:² 


Person $\sqcap$ $\exists$uncle.Father $\sqsubseteq$ $\exists$cousin.Person 


Since the concept definition $A = C$ can be rewritten as the pair of GCIs $A \sqsubseteq C$ and 
$C \sqsubseteq A$, GCIs strictly generalize acyclic TBoxes as well as cyclic TBoxes with descriptive 
semantics. It should be noted that GCIs are the terminological formalism that is usually 
supported by modern description logic systems. 

We now discuss the relation between terminological formalisms and modal logic. In 
the case of descriptive semantics, there is a close relationship to the universal modality: 
let $\mathcal{T}$ be a set of GCIs and U the universal role, i.e. $U^{\mathcal{I}} = \Delta^{\mathcal{I}} \times \Delta^{\mathcal{I}}$ for all interpretations 
$\mathcal{I}$. Then we can translate $\mathcal{T}$ into a concept $C_{\mathcal{T}}$ by setting 


$C_{\mathcal{T}} := \forall U. \bigsqcap_{D \sqsubseteq E \in \mathcal{T}} (\neg D \sqcup E).$ 


Then we have the following: if an interpretation $\mathcal{I}$ is a model of $\mathcal{T}$, then $C_{\mathcal{T}}^{\mathcal{I}} = \Delta^{\mathcal{I}}$; 
and if $C_{\mathcal{T}}^{\mathcal{I}} \neq \emptyset$, then $\mathcal{I}$ is a model of $\mathcal{T}$. We will see in Section 3.1 that this translation 
can sometimes be used to reduce reasoning with TBoxes to reasoning without TBoxes. 


² This could be modelled in an even better way using role value maps, c.f. Section 6. 

Logician(DAVID) 
supervisor(DONALD, VAUGHAN) 
supervisor(VAUGHAN, DAVID) 
(Man $\sqcap$ $\exists$child.Woman)(DONALD) 


Figure 4. An example ABox formulated in ALC. 


In a weaker sense, we can also do the converse translation, i.e. simulate the universal 
modality using GCIs—see Section 2.2.1 of [112] for more details. 

In the case of fixpoint semantics, Schild [140] observed that there is a direct 
correspondence between TBoxes and (an alternation-free fragment of) Vardi and Wolper’s 
version of the propositional $\mu$-calculus [155]. In contrast to the standard $\mu$-calculus as 
proposed by Kozen [104], this variant provides for multiple fixpoints that correspond to 
constructing fixpoints for all defined concepts of a TBox simultaneously. 

Finally, there is an intimate connection between our notion of definitorial TBoxes and 
the Beth definability property as known from modal logic [72]. Roughly, a description 
logic has the Beth definability property if and only if every TBox that is definitorial 
under descriptive semantics is equivalent to an acyclic TBox (see also [29]). 


2.3 Assertional Formalisms 


Apart from the concept language and the terminological formalism, there is one more 
important ingredient to description logics. This is the assertional formalism, which allows 
to describe (a snapshot of) the world by means of individuals populating the world, 
conceptual memberships of individuals, and roles relating individuals. The combination 
of a TBox and an ABox is commonly called a knowledge base. Assume that a countably 
infinite supply of individual names, usually denoted by a, b, c, is available. An ABox 
(assertional box) is a finite set of assertions of the form 


C(a) (concept assertion) 
r(a, b) (role assertion) 


where a and b are individual names, C is a concept description, and r is a role description. 
An example of an ABox is given in Figure 4. We use all-uppercase words to denote concrete 
individual names. 

To assign a semantics to ABoxes, we have to extend interpretations to individual 
names: interpretations $\mathcal{I}$ are now required to map, additionally, every individual name a 
to a domain element $a^{\mathcal{I}} \in \Delta^{\mathcal{I}}$. Usually, the unique name assumption (UNA) is adopted, 
which requires that different individual names are mapped to distinct domain elements, 
i.e., $a \neq b$ implies $a^{\mathcal{I}} \neq b^{\mathcal{I}}$. The interpretation $\mathcal{I}$ satisfies the concept assertion C(a) if 
$a^{\mathcal{I}} \in C^{\mathcal{I}}$, and it satisfies the role assertion r(a, b) if $(a^{\mathcal{I}}, b^{\mathcal{I}}) \in r^{\mathcal{I}}$. An interpretation is a 
model of an ABox $\mathcal{A}$ if it satisfies all assertions in $\mathcal{A}$. Often, we are interested in models 
of an ABox $\mathcal{A}$ w.r.t. a TBox $\mathcal{T}$, i.e. common models of $\mathcal{A}$ and $\mathcal{T}$. 

There is an obvious connection between ABoxes and nominals which provides a link 
between ABoxes and modal logic: if a concept language providing for nominals, 
conjunction, and existential restrictions is used, then we can simulate an ABox $\mathcal{A}$ using the 
concept description 


$C_{\mathcal{A}} := \bigsqcap_{D(a) \in \mathcal{A}} \exists u.(a \sqcap D) \;\sqcap\; \bigsqcap_{r(a,b) \in \mathcal{A}} \exists u.(a \sqcap \exists r.b)$ 


where u is a role name not used in $\mathcal{A}$, and we assume that, for each individual name, there 
exists a nominal of the same name.³ This is a simulation in the sense that every model 
for $C_{\mathcal{A}}$ is a model for $\mathcal{A}$, and every model $\mathcal{I}$ for $\mathcal{A}$ can be extended to a model for $C_{\mathcal{A}}$ 
by setting $u^{\mathcal{I}} = \Delta^{\mathcal{I}} \times \Delta^{\mathcal{I}}$. However, nominals are strictly more expressive than ABoxes. 
For example, this is reflected by the complexity of reasoning in ALCI, the extension of 
ALC with inverse roles: while reasoning in ALCI with ABoxes but without TBoxes is 
PSPACE-complete, reasoning in ALCI extended with nominals is EXPTIME-complete.⁴ 
The latter is due to the possibility of defining “spy-points” in ALCI with nominals (see 
Chapter 14), which is not possible using ABoxes. 


3 STANDARD DESCRIPTION LOGIC INFERENCES 


Reasoning has always been a major emphasis of description logic research. The main 
purpose of reasoning in DLs is to explicate knowledge that is contained only implicitly in 
a given concept description, TBox, or ABox. This inferencing capability can be used by 
applications to infer new knowledge when needed, and it helps knowledge engineers to 
construct and structure complex knowledge bases. In this section, we introduce the infer- 
ence problems for description logics that have direct counterparts in modal logic. Because 
these inference problems have played an important role since the very beginnings of de- 
scription logic, they are often referred to as “standard inference problems” —in contrast 
to the more recent “non-standard inference problems” that are discussed in Section 5. 
We also give a brief survey of the most important results and techniques concerning the 
decidability and computational complexity of the standard inference problems. In doing 
so, we concentrate on description logics that have close counterparts in modal logics and 
defer the treatment of logics that are less common from the modal logic perspective to 
Section 6. Our discussion of results and techniques will be brief as these or very similar 
issues are covered in more detail in other chapters of this handbook. 


3.1 Terminological Reasoning 


The inference problems introduced here operate on concept descriptions and TBoxes, 
without reference to ABoxes. The basic such inference problems are the following: 


Satisfiability. A concept description C is satisfiable with respect to a TBox T if there 
exists a common model of C and T. 


Subsumption. A concept description C is subsumed by a concept description D with 
respect to a TBox $\mathcal{T}$ if $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$ for every model $\mathcal{I}$ of $\mathcal{T}$ (written $C \sqsubseteq_{\mathcal{T}} D$). 


In both cases, we simply drop the reference “with respect to $\mathcal{T}$” (and the index $\mathcal{T}$ from 
$C \sqsubseteq_{\mathcal{T}} D$) if we are interested in reasoning w.r.t. the empty TBox. In this case, we also 
talk about reasoning with concept descriptions. Intuitively, satisfiability is important to 


³ The additional role can be omitted if the “@,” operator of hybrid logic is used, c.f. Chapter 14. 
⁴ With “reasoning” we refer to ABox consistency, c.f. Section 3.2. 

(automatically) verify whether a concept description makes sense from a logical 
perspective, i.e., whether it is contradictory in itself or to a given TBox. Satisfiability also plays 
an important rôle because many other inference problems can be reduced to it. 
Subsumption can be used to check whether a concept D is more general than a concept C, 
i.e., whether each instance of C also is an instance of D. For example, the concept name 
Parent is subsumed by the concept description Man $\sqcup$ Woman w.r.t. the TBox shown in 
Figure 3: by the semantics, every Parent is also a Man or a Woman. As we will discuss in 
more detail later, subsumption defines a hierarchy of the concept names occurring in a 
TBox w.r.t. their generality. There are some additional terminological inference problems 
such as the equivalence of concept descriptions: C and D are equivalent with respect to 
a TBox $\mathcal{T}$ (written $C \equiv_{\mathcal{T}} D$) iff $C^{\mathcal{I}} = D^{\mathcal{I}}$ for all models $\mathcal{I}$ of $\mathcal{T}$. We will not consider 
such additional inference problems in this chapter since they can clearly be reduced to 
subsumption and satisfiability in a trivial way. 

There is a straightforward connection between satisfiability and subsumption: if a 
concept language provides for negation and conjunction, we can polynomially reduce 
subsumption to unsatisfiability: $C \sqsubseteq_{\mathcal{T}} D$ if and only if $C \sqcap \neg D$ is unsatisfiable w.r.t. $\mathcal{T}$. We 
can also do the converse reduction if the concept language provides for (or can express) 
the bottom concept: C is satisfiable w.r.t. $\mathcal{T}$ if and only if $C \not\sqsubseteq_{\mathcal{T}} \bot$. Because of this 
close connection, many description logic systems concentrate on providing algorithms for 
solving satisfiability, and treat subsumption by means of the above reduction.⁵ Another 
important group of reductions is concerned with reducing satisfiability with respect to 
TBoxes to satisfiability w.r.t. the empty TBox. Whether such a reduction can be done 
depends on the concept language and the chosen TBox formalism. Here we discuss the 
two most important cases. 


Eliminating acyclic TBoxes. As already mentioned in Section 2.2, acyclic TBoxes merely 
define abbreviations for compound concept descriptions. This suggests the following 
reduction: to decide whether a concept description C is satisfiable w.r.t. the acyclic TBox 
$\mathcal{T}$, first expand $\mathcal{T}$ (c.f. Section 2.2), then replace all defined concepts in C according to 
their definition in the expansion of $\mathcal{T}$, and finally decide satisfiability of the resulting 
concept description without reference to a TBox. As observed by Nebel [128], this 
reduction may yield an exponential blowup even for the concept language $\mathcal{FL}_0$ that only 
provides for the concept constructors conjunction and value restriction. For example, 
expanding the following TBox of size O(n) yields a TBox of size $2^n$: 


$C_1 = \forall r_1.C_0 \sqcap \forall r_2.C_0$ 

$\vdots$ 

$C_n = \forall r_1.C_{n-1} \sqcap \forall r_2.C_{n-1}$ 


This exponential blowup can sometimes be avoided by devising satisfiability algorithms 
that explicitly take acyclic TBoxes into account. For example, satisfiability of ALC 
concept descriptions w.r.t. acyclic TBoxes is PSPACE-complete, and without TBoxes 
this problem is of exactly the same complexity [142, 110]. However this is not always the 
case: in Sections 4 and 6, we will discuss DLs for which reasoning w.r.t. acyclic TBoxes 
is considerably more difficult than reasoning without them. 
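
As an added illustration (not taken from the chapter), the sketch below implements the "uses" relation and the expansion of acyclic TBoxes from Section 2.2, applies it to the TBox of Figure 3, and measures the blowup for the family $C_1, \ldots, C_n$ above. The tuple encoding of concepts and all function names are assumptions of this example.

```python
# Concepts are nested tuples (an encoding chosen for this example):
#   ("name", A)  ("not", C)  ("and", C, D, ...)  ("or", C, D, ...)
#   ("exists", r, C)  ("forall", r, C)

def names_in(c):
    """Concept names occurring in a concept description."""
    if c[0] == "name":
        return {c[1]}
    parts = c[2:] if c[0] in ("exists", "forall") else c[1:]
    return set().union(*(names_in(x) for x in parts))

def uses(tbox):
    """For each defined concept, the names it uses (transitive closure)."""
    direct = {a: names_in(c) for a, c in tbox.items()}
    closure = {}
    for a in tbox:
        seen, todo = set(), list(direct[a])
        while todo:
            b = todo.pop()
            if b not in seen:
                seen.add(b)
                todo.extend(direct.get(b, ()))
        closure[a] = seen
    return closure

def cyclic_names(tbox):
    """Defined concepts that use themselves; empty iff the TBox is acyclic."""
    return {a for a, used in uses(tbox).items() if a in used}

def substitute(c, defs):
    """Replace every concept name that has an entry in defs by that entry."""
    if c[0] == "name":
        return defs.get(c[1], c)
    if c[0] in ("exists", "forall"):
        return (c[0], c[1], substitute(c[2], defs))
    return (c[0],) + tuple(substitute(x, defs) for x in c[1:])

def expand(tbox):
    """Expansion of an acyclic TBox: right-hand sides over primitive names only."""
    if cyclic_names(tbox):
        raise ValueError("TBox contains a terminological cycle")
    done = {}
    def unfold(a):
        if a not in done:
            for b in names_in(tbox[a]) & set(tbox):
                unfold(b)                      # expand what a directly uses first
            done[a] = substitute(tbox[a], done)
        return done[a]
    for a in tbox:
        unfold(a)
    return done

def occurrences(c, name):
    """Number of occurrences of a concept name in a concept description."""
    if c[0] == "name":
        return int(c[1] == name)
    parts = c[2:] if c[0] in ("exists", "forall") else c[1:]
    return sum(occurrences(x, name) for x in parts)

def blowup_tbox(n):
    """C_i = forall r1.C_{i-1} and forall r2.C_{i-1} for 1 <= i <= n."""
    prev = lambda i: ("name", f"C{i - 1}")
    return {f"C{i}": ("and", ("forall", "r1", prev(i)), ("forall", "r2", prev(i)))
            for i in range(1, n + 1)}

N = lambda a: ("name", a)
FIGURE_3 = {
    "Woman": ("and", N("Person"), N("Female")),
    "Man": ("and", N("Person"), ("not", N("Woman"))),
    "Mother": ("and", N("Woman"), ("exists", "child", N("Person"))),
    "Father": ("and", N("Man"), ("exists", "child", N("Person"))),
    "Parent": ("or", N("Mother"), N("Father")),
}

if __name__ == "__main__":
    print(expand(FIGURE_3)["Father"])
    for n in (1, 5, 10):
        print(n, occurrences(expand(blowup_tbox(n))[f"C{n}"], "C0"))
```

Python shares the repeated sub-tuples in memory, so the blowup shows up in the number of occurrences of C0 in the expanded definition, not in the time `expand` takes.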


Eliminating GCIs. In several expressive description logics, it is possible to reduce 
satisfiability w.r.t. GCIs to satisfiability without reference to GCIs. Two examples are the 


⁵ An important exception are sub-Boolean DLs that do not provide for general negation; c.f. Section 4. 

description logics ALCreg and SHOIQ. It is not difficult to prove that, in ALCreg, a 
concept description C is satisfiable w.r.t. $\mathcal{T}$ if, and only if, $C \sqcap \forall (r_1 \cup \cdots \cup r_k)^*.C_{\mathcal{T}}$ is 
satisfiable, where $r_1, \ldots, r_k$ are the role names used in C and $\mathcal{T}$, and $C_{\mathcal{T}}$ is defined at 
the end of Section 2.2. Similarly, it has been observed in [94] that, in SHOIQ, a 
concept description C is satisfiable w.r.t. a TBox $\mathcal{T}$ and a role hierarchy $\mathcal{H}$⁶ if and only if 
$C \sqcap \forall r.C_{\mathcal{T}}$ is satisfiable w.r.t. the role hierarchy $\mathcal{H} \cup \{r_1 \sqsubseteq r, \ldots, r_k \sqsubseteq r\}$, where $r_1, \ldots, r_k$ 
are the role names used in C and $\mathcal{T}$, and r is a transitive role not occurring in C and $\mathcal{T}$. 
Reductions like the ones sketched above are often called internalizations of TBoxes, and 
have first been proposed in [11]. However, implemented reasoning systems usually treat 
GCIs in an explicit way for efficiency reasons [90, 99]. 


We now give a brief survey of the results and techniques for terminological reasoning. 
The main driving force behind the research on DL reasoning is the following trade- 
off between expressivity and computational complexity: on the one hand, non-trivial 
applications require a high expressivity of the concept language and of the terminological 
and assertional formalism; on the other hand, applications need an implementation of 
DL inference algorithms in an actual knowledge representation system that exhibits an 
acceptable run-time behavior on “realistic” inputs, i.e. on inputs that stem from an 
application and have not been artificially crafted to make reasoning hard. 

It is generally agreed upon that an implemented DL system should be based on 
algorithms that are sound, complete, and terminating, i.e., decidability of the relevant 
inference problems is indispensable. Fortunately, satisfiability and subsumption are indeed 
decidable for almost all possible combinations of concept language and TBox formalism 
that we have introduced up to this point, including ALC with cyclic TBoxes and 
fixpoint semantics [140], ALCreg with GCIs [54], and SHOIQ with GCIs [150].⁷ However, 
decidability of reasoning is usually only a necessary, but not a sufficient condition for 
the usefulness of a description logic. Additionally, it is important that the computa- 
tional complexity of reasoning is within acceptable bounds, and that there exist practical 
reasoning algorithms, i.e. algorithms that have the potential of being implemented in a 
system that behaves well on realistic inputs as demanded above. 

The general opinion on the (worst-case) complexity that is acceptable has changed 
dramatically over time. Historically, the early times of DL research have been 
concentrating on identifying formalisms for which reasoning is tractable, i.e. can be performed 
in polynomial time.⁸ Obviously, demanding tractability means that we cannot include 
all Boolean operators in the concept language, and thus are in the realm of sub-Boolean 
DLs. The complexity of satisfiability and subsumption in this family of DLs is laid out 
in detail in Section 4, ranging from tractable to EXPTIME-complete depending on the 
choice of constructors and TBox formalism. Around 1990, the KRIS system showed 
that tableau algorithms for satisfiability and subsumption in ALC w.r.t. acyclic TBoxes, 
two PSPACE-complete inference problems, can be implemented in a system with accept- 
able run-time behavior on realistic inputs [17]. A step towards even more expressive 
DLs has been made around 1997 by Ian Horrocks and his FaCT system, which origi- 
nally implemented satisfiability and subsumption for an EXPTIME-complete fragment of 


⁶ C is satisfiable w.r.t. $\mathcal{T}$ and $\mathcal{H}$ if there is a model $\mathcal{I}$ of C and $\mathcal{T}$ with $r^{\mathcal{I}} \subseteq s^{\mathcal{I}}$ for all $r \sqsubseteq s \in \mathcal{H}$. 

⁷ An exception is satisfiability of SHOIQ-concepts w.r.t. TBoxes with least fixpoint semantics, which 
was shown to be undecidable by Bonatti [35]. 

⁸ Curiously, it was found later that reasoning in the description logic supported by the very first 
description logic system KL-ONE is undecidable [141]—c.f. Section 5. 

SHOIQ with GCIs. The complexity of most description logics extending ALC is 
between PSPACE-complete and NEXPTIME-complete. Some important landmarks are the 
following: 


• satisfiability of ALC concept descriptions without reference to TBoxes is 
PSPACE-complete [142]; this also holds in the presence of acyclic TBoxes [110]; 


• satisfiability of ALC concept descriptions w.r.t. cyclic TBoxes or GCIs is 
EXPTIME-complete; this holds for fixpoint semantics as well as for descriptive semantics 
[138, 140]; 


• satisfiability of SHOIQ concept descriptions w.r.t. GCIs is NEXPTIME-complete, 
with the lower bound applying to all extensions of ALC that provide for (qualifying 
or non-qualifying) number restrictions, inverse roles, and nominals [150]. 


All these bounds transfer to subsumption with the exception of the last one, where NEXP- 
TIME-completeness of satisfiability flips to co-NEXPTIME-completeness of subsumption. 
It should be mentioned that the exact meaning of an “acceptable run-time behavior” of 
course also depends on the concrete application at hand. As argued e.g. in [51], there are 
applications that require “real” tractability and therefore research in tractable DLs is an 
ongoing endeavour [51, 46, 10]. Since our survey of the complexity of reasoning in DLs 
is by no means exhaustive, we refer the interested reader to [61] for more information on 
the complexity of DLs. 

The issue of practicability is not only related to computational complexity, but also 
to the techniques that are used to obtain decision procedures for DL reasoning. A large 
number of such techniques have been proposed and investigated. For sub-Boolean DLs, 
so-called “structural algorithms” play the most important role, and we describe them 
in detail in Section 4. For ALC and its many extensions, the following approaches 
are most important: tableau algorithms [30], reduction techniques [54], automata-based 
approaches [122, 50], and resolution calculi [101, 100]. With respect to practicability, 
tableau algorithms are the most successful approach so far: they proved to be amenable 
to a number of powerful optimization techniques (see Chapter 4 and [92]), and highly- 
optimized implementations of tableau algorithms in DL systems have performed extraor- 
dinarily well in system comparisons. As a result, nowadays almost all state-of-the-art 
DL reasoners, such as FaCT and RACER [91, 79], are based on tableau algorithms. 

From the perspective of modal logic, satisfiability of concept descriptions clearly 
corresponds to standard formula satisfiability, whereas a subsumption $C \sqsubseteq D$ corresponds 
to the validity of the implication $C \to D$. For this reason, the discussion of tableau- 
and resolution-based algorithms for modal logics provided in Chapter 4 of this handbook 
applies to description logics as well, and we omit further details. 


3.2  Assertional Reasoning 


The inference problems discussed in this section operate on knowledge bases, i.e. on pairs 
$(\mathcal{A}, \mathcal{T})$ with $\mathcal{A}$ an ABox and $\mathcal{T}$ a TBox. The fundamental inference problems are the 
following: 


Consistency. An ABox $\mathcal{A}$ is consistent w.r.t. a TBox $\mathcal{T}$ if there exists a common model 
of $\mathcal{A}$ and $\mathcal{T}$. 

Instance Checking. An individual name a in an ABox $\mathcal{A}$ is an instance of a concept 
description C w.r.t. a TBox $\mathcal{T}$ if $a^{\mathcal{I}} \in C^{\mathcal{I}}$ for all models $\mathcal{I}$ of $\mathcal{A}$ and $\mathcal{T}$ (denoted with 
$\mathcal{A} \models_{\mathcal{T}} C(a)$). 

Consistency is the ABox-analogue of satisfiability, i.e., it can be used to check whether a 
given knowledge base is contradictory. The purpose of instance checking is also obvious: 
it is used to derive concept memberships of individuals that are not stated explicitly. For 
example, the individual DONALD in the ABox shown in Figure 4 is an instance of Father 
w.r.t. the TBox in Figure 3. 

As in the previous section, there is a close connection between the two fundamental 
inference problems if certain Boolean constructors are available. First, consistency can 
be polynomially reduced to (non-)instance checking if the bottom concept is available: 
an ABox $\mathcal{A}$ is consistent w.r.t. a TBox $\mathcal{T}$ if and only if $\mathcal{A} \not\models_{\mathcal{T}} \bot(a)$ with a an arbitrary 
individual name. And second, we can do the converse reduction if full negation is 
available: $\mathcal{A} \models_{\mathcal{T}} C(a)$ if and only if $\mathcal{A} \cup \{\neg C(a)\}$ is inconsistent w.r.t. $\mathcal{T}$. It is sometimes 
also possible to eliminate acyclic TBoxes and GCIs as discussed in the previous section. 
In the presence of nominals, it is possible to polynomially reduce consistency (and thus 
also instance checking) to the satisfiability of concept descriptions using the simulation 
sketched at the end of Section 2.3. 

The techniques used to devise decision procedures for consistency and instance check- 
ing are essentially the same as those employed for concept satisfiability and subsumption. 
In the case of tableau algorithms, there are two approaches for reasoning with ABoxes: 
first, ABox consistency can sometimes be reduced to concept satisfiability using the 
precompletion technique described in [87]; and second, tableau algorithms can be extended 
completion technique described in [87]; and second, tableau algorithms can be extended 
to treat ABoxes in a direct way (see e.g. [86, 15, 77]). Regarding practicability, it should 
be noted that some optimization techniques fail or become significantly more complex in 
the presence of ABoxes. 

Concerning the decidability and computational complexity of assertional reasoning, 
one should distinguish sub-Boolean DLs from ALC and its extensions. In the sub-Boolean 
case, there are some description logics for which instance checking is harder than concept 
subsumption (see Section 4.3). If all Boolean constructors are available, the complexity 
of instance checking coincides with the complexity of subsumption for all such descrip- 
tion logics investigated so far. For example, instance checking in ALC ABoxes without 
reference to TBoxes is known to be PSPACE-complete [18], and instance checking in 
ALC ABoxes w.r.t. GCIs is EXPTIME-complete [54]—just as the corresponding cases of 
subsumption. 


3.3 Compound Inference Problems 


Some of the most important inference problems in DLs are of a compound nature in the 
sense that, in principle, they can be reduced to multiple invocations of the more basic 
inference problems mentioned above. However, when the goal is to achieve an efficient 
implementation, it is vital to consider compound inferences as first-class citizens [13]. 
Here we discuss the three most important such problems. 


Classification. Given a TBox $\mathcal{T}$, compute the restriction of the subsumption relation 
"$\sqsubseteq_\mathcal{T}$" to the set of concept names used in $\mathcal{T}$. 


Realization. Given an ABox $\mathcal{A}$, a TBox $\mathcal{T}$, and an individual name $a$, compute the set 
$R_{\mathcal{A},\mathcal{T}}(a)$ of those concept names $A$ that are used in $\mathcal{T}$, satisfy $\mathcal{A} \models_\mathcal{T} A(a)$, and are 
minimal with this property w.r.t. the subsumption relation "$\sqsubseteq_\mathcal{T}$". 


Retrieval. Given an ABox $\mathcal{A}$, a TBox $\mathcal{T}$, and a concept $C$, compute the set $L_{\mathcal{A},\mathcal{T}}(C)$ of 
individual names $a$ used in $\mathcal{A}$ and satisfying $\mathcal{A} \models_\mathcal{T} C(a)$. 


Compound inferences are a very important interface to description logics reasoners and 
are offered by almost all systems. The purpose of classification is to construct a hi- 
erarchy of concept names w.r.t. their generality, with more general concepts higher up 
in the hierarchy: $B$ is above $A$ if and only if $A \sqsubseteq_\mathcal{T} B$. Such a hierarchy can then be 
presented to a knowledge engineer for browsing and structuring the TBox. Realization 
also facilitates browsing and understanding of the knowledge base, and is a precursor to 
certain operations on knowledge bases that presuppose knowledge of the concept mem- 
berships of individuals. The main use of retrieval is database-like querying of description 
logic knowledge bases: in some applications, it is natural to define ABoxes with a huge 
number of individual names, and to query such ABoxes like a database with deductive 
capabilities [78]. 

By definition, compound inferences can be reduced to more basic inference problems. 
For classification, we may simply check whether $A \sqsubseteq_\mathcal{T} B$ for all concept names $A$, $B$ 
used in $\mathcal{T}$. In the case of realization, we can obviously just use multiple invocations of 
instance checking and subsumption. Similarly, multiple instance checks suffice to get a 
naive implementation of retrieval. However, basic inferences such as subsumption and 
instance checking are potentially very costly, and thus it is vital for DL reasoners to 
replace these “brute force” methods of compound inferences by more subtle approaches. 

To illustrate how compound inferences can be implemented in a more efficient way, we 
consider classification as an example. Here, the aim is to minimize the number of subsumption 
tests, of which the naive approach performs $n^2$ many with $n$ the number of concept 
names in $\mathcal{T}$. The common strategies for achieving this minimization are described and 
evaluated by Baader et al. in [13]. Although Baader et al. restrict themselves to acyclic 
TBoxes, the proposed strategies can also be used for cyclic ones. In general, two kinds 
of optimizations can be distinguished. Firstly, classification can be conceived as an ab- 
stract combinatorial problem on partial orders: compute a complete representation of a 
partial ordering by making as few comparisons as possible. This quite general problem 
is also considered in non-DL contexts, see e.g. [69]. Secondly, we can take into account 
the structure of concept descriptions to reveal obvious subsumption relationships and 
to control the order in which concepts are added to the hierarchy. In the following, we 
assume that the restriction of "$\sqsubseteq_\mathcal{T}$" to the concept names of $\mathcal{T}$ is represented as a Hasse 
diagram, i.e. as a directed acyclic graph (DAG) such that 


• nodes are sets of concept names that are pair-wise equivalent w.r.t. $\mathcal{T}$; 


• two nodes $S_1$, $S_2$ are connected by an edge if every $A_2 \in S_2$ is a direct subsumer 
of every $A_1 \in S_1$, i.e., we have (i) $A_1 \sqsubseteq_\mathcal{T} A_2$ and (ii) $A_1 \sqsubseteq_\mathcal{T} B \sqsubseteq_\mathcal{T} A_2$ implies 
$B \equiv_\mathcal{T} A_1$ or $B \equiv_\mathcal{T} A_2$ for all concept names $B$ in $\mathcal{T}$. 


We henceforth refer to this diagram as the (concept) hierarchy. We assume that the 
hierarchy always contains a top node whose label includes $\top$, and a bottom node whose 
label includes $\bot$.⁹ In DL TBoxes originating from applications, the concept hierarchy is 
usually not too deep, i.e., the represented order has short chains and long antichains. 


⁹ In case of unsatisfiable TBoxes, the top node and bottom node coincide. 

One way to compute the concept hierarchy with only few subsumption tests is to 
use an incremental algorithm [13]: we start with a hierarchy containing only $\top$ and $\bot$, 
and then repeatedly place additional concept names at the appropriate position in the 
(growing) hierarchy. The placing of a new concept name A consists of two phases: a 
top search phase computing the direct subsumers of A that are already contained in 
the hierarchy, and a bottom search phase computing the set of all concept names that 
are already contained in the hierarchy, and of which A is a direct subsumer. Obviously, 
knowledge of these two sets allows us to place A appropriately. Due to the transitivity of 
the subsumption relation, the top search phase is best implemented as a top down search, 
whereas a bottom up approach is appropriate for the bottom search phase. Additionally, 
failed tests can be propagated down the hierarchy in the top search phase: if $A \not\sqsubseteq_\mathcal{T} B$ 
and $B'$ is below $B$ in the hierarchy (implying $B' \sqsubseteq_\mathcal{T} B$), then it follows immediately 
that $A \not\sqsubseteq_\mathcal{T} B'$. Analogously to propagation in the top search phase, successful tests can 
be propagated up the hierarchy in the bottom search phase. Finally, it is possible to use 
information gained in the top search phase to speed up the bottom search phase, and 
vice versa (see [13] for details). 
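The incremental placement described above, as an added example that is not taken from [13] or from any DL system. The toy TBox, the `Hierarchy` class and all function names are assumptions of this example; it assumes that no two concept names are equivalent and that every name is satisfiable, and it omits the exchange of information between the two phases.

```python
TOP, BOTTOM = "TOP", "BOTTOM"

# Constructed toy TBox: each name is a conjunction of primitive features, so
# a is subsumed by b iff the features of b are a subset of the features of a.
DEFS = {
    "Animal": {"animal"},
    "Mammal": {"animal", "mammal"},
    "Bird": {"animal", "bird"},
    "Dog": {"animal", "mammal", "dog"},
    "Cat": {"animal", "mammal", "cat"},
    "Penguin": {"animal", "bird", "penguin"},
    "Plant": {"plant"},
    "Tree": {"plant", "tree"},
    "Pet": {"pet"},
    "PetDog": {"animal", "mammal", "dog", "pet"},
}


def toy_subsumed_by(a, b):
    """Stand-in for an expensive subsumption test: is a subsumed by b?"""
    return DEFS[b] <= DEFS[a]


class Hierarchy:
    def __init__(self, subsumed_by):
        self.oracle = subsumed_by
        self.tests = 0  # number of oracle calls actually performed
        self.parents = {TOP: set(), BOTTOM: {TOP}}
        self.children = {TOP: {BOTTOM}, BOTTOM: set()}

    def _test(self, a, b):
        self.tests += 1
        return self.oracle(a, b)

    def _search(self, start, step, back, holds):
        """One search phase. For the top search: start=TOP, step=children,
        back=parents, holds(b) tests whether b subsumes the new name.
        Returns the qualifying nodes that have no qualifying step-neighbour."""
        known = {start: True}

        def ok(b):
            if b not in known:
                # Propagation: b is only tested if every node 'back' of it
                # already qualified; a failed test is never repeated below it.
                known[b] = all(ok(p) for p in back[b]) and holds(b)
            return known[b]

        result, seen, todo = set(), {start}, [start]
        while todo:
            b = todo.pop()
            nxt = [c for c in step[b] if ok(c)]
            if not nxt:
                result.add(b)
            for c in nxt:
                if c not in seen:
                    seen.add(c)
                    todo.append(c)
        return result

    def insert(self, a):
        # Top search (top-down): direct subsumers of a.
        ups = self._search(TOP, self.children, self.parents,
                           lambda b: b != BOTTOM and self._test(a, b))
        # Bottom search (bottom-up): names of which a is a direct subsumer.
        downs = self._search(BOTTOM, self.parents, self.children,
                             lambda b: b != TOP and self._test(b, a))
        self.parents[a], self.children[a] = set(ups), set(downs)
        for p in ups:          # a now sits between ups and downs
            self.children[p] -= downs
            self.children[p].add(a)
        for c in downs:
            self.parents[c] -= ups
            self.parents[c].add(a)


def classify(names, subsumed_by=toy_subsumed_by):
    """Place the names one by one and return the resulting hierarchy."""
    h = Hierarchy(subsumed_by)
    for name in names:
        h.insert(name)
    return h
```

The `tests` counter can be compared with the $n^2$ tests of the naive approach; the resulting diagram does not depend on the order in which the names are inserted.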

Using the structure of concepts, we can additionally avoid subsumption tests in a 
straightforward way: if we find a concept definition $A \equiv C$ with $C$ a conjunction having 
as one of its conjuncts a concept name $B$, then $A \sqsubseteq_\mathcal{T} B$ holds trivially. In this case, $B$ 
is a told subsumer of A. Of course, if B is a defined concept, it can have told subsumers 
as well, and these (and their told subsumers, etc.) can also be viewed as told subsumers 
of A. The information about the told subsumers can be propagated down the hierarchy 
before starting the top search phase. To take full advantage of this idea, it is advisable 
to classify concepts in definition order. This means that a concept is not classified until 
all of its told subsumers are classified. 

These optimizations typically reduce the number of necessary subsumption tests to 
a small fraction of $n^2$ (see [13] for details). Most techniques sketched here can be used 
in the same or a slightly modified form if sets of GCIs are used instead of TBoxes. Of 
course, it is (at least) equally important to optimize the subsumption test itself. More 
on this issue can be found in Chapter 4. 


4 SUB-BOOLEAN DESCRIPTION LOGICS 


As mentioned in the introduction, the DLs used in the first DL systems did not allow 
for all Boolean operators. Usually, these DLs provided for conjunction, value-restriction, 
and number restriction, and some other special constructors, but existential restriction, 
disjunction and full negation were not available. In some of these formalisms, disjointness 
statements between concept names or atomic negation (i.e., negation restricted to concept 
names) were allowed. 

This restriction to sub-Boolean logics was, on the one hand, due to the origins of 
DLs. These formalisms were not primarily seen as logics (where the inclusion of at least 
propositional logic is natural), but as knowledge representation formalisms in the spirit 
of semantic networks and frames, though equipped with a formal semantics. Graph- 
based formalisms like semantic networks usually favor a conjunctive point of view since 
conjunction corresponds to just drawing several things in the same picture, whereas 
expressing disjunction and negation would require special conventions (like drawing a 
box around the parts that are negated, as in conceptual graphs [147]), which easily 
destroy the readability of such graphical representations. 


On the other hand, the restriction to sub-Boolean DLs was motivated by the goal of 
designing representation formalisms with tractable (i.e., polynomial-time decidable) in- 
ference problems, which would be precluded by the presence of all Boolean operators. The 
first paper addressing the trade-off between expressiveness and tractability of reasoning 
in the context of DL was [109], where it was shown that a seemingly minor extension of 
the description language can make the subsumption problem intractable. This work trig- 
gered an extensive investigation of the borderline between tractability and intractability 
of reasoning in sub-Boolean DLs [127, 145, 63, 62, 40, 65].¹⁰ In Section 4.1, we give a 
brief review of these results. We also sketch in more detail polynomial-time subsumption 
algorithms for the DL $\mathcal{FL}_0$ (which allows for conjunction and value restriction only) and 
some of its extensions. The results mentioned until now were all restricted to extensions 
of $\mathcal{FL}_0$. The reason was that until the late 1990s, both conjunction and value restriction 
were assumed to be indispensable for a DL. For conjunction this indeed appears to be the 
case since one usually wants to require several properties simultaneously when defining 
a concept. In order to obtain more than just a fragment of propositional logic, one also 
needs at least one constructor involving roles. However, instead of value restrictions one 
could also use existential restrictions. In fact, there are large DL-based medical terminologies 
[134, 148] that employ existential restrictions rather than value restrictions. The 
complexity of reasoning in DLs extending EL, which allows for conjunction, existential 
restriction, and the top-concept, is less well-investigated than for extensions of $\mathcal{FL}_0$. We 
will briefly review the results in [84], where the complexity of the satisfiability problem 
in all fragments of ALC, including ones that do not extend $\mathcal{FL}_0$, is investigated. In 
addition, we sketch a polynomial-time subsumption algorithm for EL. 


All the complexity results mentioned until now are concerned with satisfiability and 
subsumption of concept descriptions. If one considers reasoning w.r.t. a TBox, then 
the complexity may increase drastically, even for acyclic TBoxes, which do not increase 
the expressive power. The first such result is due to Nebel [128], who showed that the 
subsumption problem w.r.t. acyclic TBoxes is coNP-complete for the DL $\mathcal{FL}_0$. Recall 
that subsumption of $\mathcal{FL}_0$ concept descriptions is polynomial. If one allows for cyclic 
TBoxes, then subsumption in $\mathcal{FL}_0$ becomes PSPACE-complete, and in the presence of 
GCIs it becomes even EXPTIME-complete. In contrast, the subsumption problem in 
EL remains polynomial in the presence of acyclic or cyclic TBoxes and GCIs. These 
results for reasoning w.r.t. TBoxes in sub-Boolean DLs will be described in more detail 
in Section 4.2. 


Not only TBox reasoning, but also ABox reasoning, may be harder than reasoning 
with concept descriptions. Section 4.3 gives an example, due to A. Schaerf [137], of a 
sub-Boolean DL where the instance problem is harder than the subsumption problem. 


Finally, Section 4.4 reviews bisimulation characterizations for various sub-Boolean DLs 
due to de Rijke and Kurtonina [105], which can be used to characterize the expressive 
power of these DLs. 


¹⁰ We have not included [64] in this list since the polynomiality results for subsumption claimed there 
turned out to be incorrect (see [66] for details). 

Symbol | Syntax                        | ALN | ALE | ALU | ALUN | ALEN | ALC | ALCN
E      | $\exists r.C$                 |     |  x  |     |      |  x   |  x  |  x
U      | $C \sqcup D$                  |     |     |  x  |  x   |      |  x  |  x
N      | $(\leq n\, r)$, $(\geq n\, r)$ |  x  |     |     |  x   |  x   |     |  x


Figure 5. The AL family of DLs. 


4.1 Reasoning with concept descriptions in sub-Boolean DLs 


Donini et al. [65] start their investigation of the complexity of sub-Boolean DLs with the 
DL $\mathcal{AL}$, whose concept descriptions are formed according to the following syntax rule: 


$$C, D \longrightarrow A \mid \top \mid \bot \mid \neg A \mid C \sqcap D \mid \forall r.C \mid \exists r.\top$$


The difference to ALC is that the application of negation is restricted to concept names 
(atomic negation) and that in existential restrictions only the top concept may occur 
(restricted existential quantification). 

In the following, we consider the extensions of AL by subsets of the following set of 
constructors: (full) existential restriction, number restrictions, and disjunction.¹¹ This 
yields the 7 different extensions of AL shown in Figure 5. Note that adding both ex- 
istential restriction and disjunction to AL yields ALC. This is due to the presence of 
atomic negation in AL. In fact, by using de Morgan’s law, the duality of the quantifiers, 
and the removal of double negation, any ALC concept description can be transformed 
into an equivalent one that employs only atomic negation. 

Figure 6 gives a complete classification of the DLs belonging to the AL family regarding 
the worst-case complexity of subsumption and (un)satisfiability of concept descriptions. 
Except for the case of ALEN, these results are shown in [65]. PSPACE-hardness of 
ALEN was shown by Hemaspaandra [84]. 

Before trying to explain some of these results, let us first point out that subsumption 
and unsatisfiability are in general not trivially interreducible in sub-Boolean DLs. We 
have seen that 


$C$ is unsatisfiable iff $C \sqsubseteq \bot$, 
$C \sqsubseteq D$ iff $C \sqcap \neg D$ is unsatisfiable. 


Since $\bot$ is available in the DLs of the AL family, unsatisfiability can be reduced in this 
way to subsumption, and thus subsumption is at least as hard as unsatisfiability, and 
unsatisfiability is at least as easy as subsumption. However, for a DL strictly below ALC, 
$C \sqcap \neg D$ usually does not belong to this DL even if $C$ and $D$ do. Nevertheless, the results 
summarized in Figure 6 show that, for the AL family, the complexities of unsatisfiability 
and of subsumption coincide. In general, this need not be the case. For example, 
the extension $\mathcal{ALNI}$ of ALN by inverse roles has a polynomial-time (un)satisfiability 
problem, but the subsumption problem is coNP-hard [66]. In very simple DLs such as 
$\mathcal{FL}_0$ and EL, satisfiability is even trivial (in contrast to subsumption) since there are no 
unsatisfiable concepts. We discuss, by way of example, at least one DL for each of the complexity 
classes appearing in Figure 6. Satisfiability in intractable DLs is treated in Section 4.1 
and subsumption in tractable DLs such as $\mathcal{FL}_0$ and ALN is discussed in Section 4.1. 


¹¹ Donini et al. [65] actually consider a somewhat larger family of DLs, where also intersection of roles 
is available as a constructor. 

Figure 6. The complexity of unsatisfiability and subsumption for the AL family of DLs. 


In Section 4.1 we review the results from [84] on satisfiability in other sub-Boolean DLs, 
and in Section 4.1 we sketch a polynomial-time subsumption algorithm for EL concept 
descriptions. 


(Un)satisfiability in ALC, ALU, and ALE 


One way of deciding satisfiability in ALC is to use a tableau algorithm, as described in 
more detail in Chapter 4 for the modal logic equivalent $K_n$ of ALC. This algorithm tries 
to generate a finite, tree-shaped model for a given input concept description C. This 
tree model is of depth linear in the size of C, but may still be exponentially large due to 
the branching in the tree model. There are two sources of complexity for this approach: 
first, the potentially exponential size of the model that must be generated, and second 
the non-deterministic treatment of disjunction when trying to generate the model. In 
order to stay within PSPACE, one generates one branch of the tree at a time, whereas 
non-determinism is harmless since it is well-known that NPSPACE = PSPACE. 

If we restrict this approach to ALU, then it is easy to see that the tree models generated 
by a tableau-based algorithm are of polynomial size. Thus, to decide satisfiability within 
NP (and thus unsatisfiability within coNP) one can simply guess an interpretation of 
polynomial size, and check whether it is a model. NP-hardness is trivial since ALU 
contains full propositional logic. 

In the case of ALE, the model generated by a tableau-based algorithm may still be 
exponentially large, but the process of generating it is deterministic. In order to check 
unsatisfiability within NP (and thus satisfiability within coNP), one can guess one path 
through the potential model, and then check whether it must satisfy contradictory con- 
straints. To be more precise, instead of trying to generate successors for all existential 
restrictions, one non-deterministically chooses the ones that actually lead to a contra- 
diction. Since the paths are linear in the size of the input description, this leads to an 
NP-algorithm for unsatisfiability. 
Showing the lower complexity bound for ALE is less trivial than for ALU. To show that 
unsatisfiability of concept descriptions in ALE is NP-complete, we sketch the reduction 
from set traversal given in [62]. An instance of the set traversal problem is given by a 
finite collection $\mathcal{M} = \{M_1, \ldots, M_m\}$ of finite sets of positive integers. A set traversal is 
a finite set of positive integers $N$ such that $N \cap M_i$ is a singleton set for all $i$, $1 \leq i \leq m$. 
NP-hardness of the existence of a set traversal is an immediate consequence of the fact 
that monotone ONE-IN-THREE 3SAT [73] is a special case of this problem. 

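Let $\mathcal{M} = \{M_1, \ldots, M_m\}$ be an instance of the set traversal problem, and assume 
without loss of generality that the numbers occurring in the sets are the ones from 1 to 
$n$ for some positive integer $n$. We define the corresponding ALE concept description as 


$$C_\mathcal{M} := C_1 \sqcap \ldots \sqcap C_n \sqcap D,$$


where 

$$C_j := Q_{1j} r. Q_{2j} r. \cdots Q_{mj} r.\; Q_{1j} r. Q_{2j} r. \cdots Q_{mj} r. \top$$


such that 


$$Q_{ij} := \begin{cases} \exists & \text{if } j \in M_i, \\ \forall & \text{if } j \notin M_i, \end{cases}$$

and $D$ is the nesting of $2m$ value restrictions followed by $\bot$, i.e., 

$$D := \underbrace{\forall r. \cdots \forall r.}_{2m \text{ times}} \bot.$$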


As an example, consider the two instances 
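$\mathcal{M} := \{\{1,3,5\}, \{2,4\}, \{4,5\}\}$ and $\mathcal{M}' := \{\{1,3\}, \{2,4\}, \{4,5\}\}$ 


of the set traversal problem. Then the corresponding ALE concept descriptions look as 
follows: 


$$\begin{array}{ll}
C_1 = \exists r.\forall r.\forall r.\ \exists r.\forall r.\forall r.\top, & C'_1 = \exists r.\forall r.\forall r.\ \exists r.\forall r.\forall r.\top, \\
C_2 = \forall r.\exists r.\forall r.\ \forall r.\exists r.\forall r.\top, & C'_2 = \forall r.\exists r.\forall r.\ \forall r.\exists r.\forall r.\top, \\
C_3 = \exists r.\forall r.\forall r.\ \exists r.\forall r.\forall r.\top, & C'_3 = \exists r.\forall r.\forall r.\ \exists r.\forall r.\forall r.\top, \\
C_4 = \forall r.\exists r.\exists r.\ \forall r.\exists r.\exists r.\top, & C'_4 = \forall r.\exists r.\exists r.\ \forall r.\exists r.\exists r.\top, \\
C_5 = \exists r.\forall r.\exists r.\ \exists r.\forall r.\exists r.\top, & C'_5 = \forall r.\forall r.\exists r.\ \forall r.\forall r.\exists r.\top, \\
D = \forall r.\forall r.\forall r.\ \forall r.\forall r.\forall r.\bot, & D' = \forall r.\forall r.\forall r.\ \forall r.\forall r.\forall r.\bot.
\end{array}$$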


One can view the quantifier prefixes as a matrix, where the rows correspond to the el- 
ements of the sets, whereas the columns correspond to the sets (written twice). The 
existential quantifier indicates that the element belongs to the respective set. For example, 
the first existential quantifier in $C_5$ expresses that 5 belongs to the first set of $\mathcal{M}$, 
whereas the universal quantifier at the same position in $C'_5$ says that 5 does not belong 
to the first set of $\mathcal{M}'$. 
In [62], it is shown that $C_\mathcal{M}$ is unsatisfiable iff $\mathcal{M}$ has a set traversal. We illustrate 
the connection between unsatisfiability of $C_\mathcal{M}$ and the existence of a set traversal for $\mathcal{M}$ 
on our example. For $C_\mathcal{M}$ to be unsatisfiable, the conjunction of the concept descriptions 
$C_j$ must enforce an $r$-path of length $2m$, which then clashes with the $\bot$ in $D$. The set 
$\{1,2,5\}$ is a set traversal for $\mathcal{M}'$. This implies that $C'_1 \sqcap C'_2 \sqcap C'_5$ enforces a path of length 
6. In fact, $C'_1$ starts with an existential restriction, and $C'_2$ and $C'_5$ with value restrictions. 
Thus, there is an $r$-successor of the initial element that must satisfy the conjunction of the 
three concept descriptions $C''_1, C''_2, C''_5$ that are respectively obtained from $C'_1, C'_2, C'_5$ by 
removing the first quantifier. Now $C''_2$ starts with an existential quantifier, and the other 
two with value restrictions. Thus, we can continue with the corresponding $r$-successor. 
In general, the properties of a set traversal ensure that each time we have one existential 
restriction, whereas all the others are value restrictions (and thus the remaining parts 
of the concept descriptions are propagated to the r-successor required by the existential 
restriction). 

It remains to explain why we have to encode the sets twice. Again, we illustrate 
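this on our example. It is easy to see that the collection $\mathcal{M} := \{\{1,3,5\}, \{2,4\}, \{4,5\}\}$ 
does not have a set traversal. Nevertheless, if we consider the simpler reduction concept 
$\widehat{C}_\mathcal{M} := \widehat{C}_1 \sqcap \widehat{C}_2 \sqcap \widehat{C}_3 \sqcap \widehat{C}_4 \sqcap \widehat{C}_5 \sqcap \widehat{D}$ where 


$$\begin{array}{l}
\widehat{C}_1 = \exists r.\forall r.\forall r.\top, \\
\widehat{C}_2 = \forall r.\exists r.\forall r.\top, \\
\widehat{C}_3 = \exists r.\forall r.\forall r.\top, \\
\widehat{C}_4 = \forall r.\exists r.\exists r.\top, \\
\widehat{C}_5 = \exists r.\forall r.\exists r.\top, \\
\widehat{D} = \forall r.\forall r.\forall r.\bot,
\end{array}$$


then $\widehat{C}_\mathcal{M}$ is unsatisfiable. In fact, $\widehat{C}_4 \sqcap \widehat{C}_5$ enforce a path of length 3. The corresponding 
set $\{4,5\}$ is not a set traversal since its intersection with $M_3 = \{4,5\}$ is not a singleton. 
For the shorter reduction concept $\widehat{C}_\mathcal{M}$, the fact that $\widehat{C}_4$ and $\widehat{C}_5$ have an existential 
restriction in the same row is irrelevant. However, for the correct longer reduction concept 
$C_\mathcal{M}$ this means that, for one of the two, the remaining part is missing in the second round. 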


Subsumption in $\mathcal{FL}_0$ and ALN 


Subsumption in ALN can be decided in polynomial time using a structural subsumption 
algorithm, i.e., an algorithm that normalizes the descriptions to be tested for subsump- 
tion, and then compares the syntactic structure of the normal forms. For simplicity, we 
first explain the ideas underlying this approach for the small DL $\mathcal{FL}_0$, which allows for 
conjunction ($C \sqcap D$) and value restriction ($\forall r.C$) only. Subsequently, we show how the 
bottom concept ($\bot$), atomic negation ($\neg A$), and number restrictions ($\leq n\, r$ and $\geq n\, r$) 
can be handled. 
An $\mathcal{FL}_0$ concept description is in normal form iff it is of the form 


$$A_1 \sqcap \ldots \sqcap A_m \sqcap \forall r_1.C_1 \sqcap \ldots \sqcap \forall r_n.C_n,$$


where $A_1, \ldots, A_m$ are distinct concept names, $r_1, \ldots, r_n$ are distinct role names, and 
$C_1, \ldots, C_n$ are $\mathcal{FL}_0$ concept descriptions in normal form. It is easy to see that any 
description can be transformed into an equivalent one in normal form, using associativity, 
commutativity and idempotence of $\sqcap$, and the fact that the descriptions $\forall r.(C \sqcap D)$ and 
$(\forall r.C) \sqcap (\forall r.D)$ are equivalent. Now, let 


$$C \equiv A_1 \sqcap \ldots \sqcap A_m \sqcap \forall r_1.C_1 \sqcap \ldots \sqcap \forall r_n.C_n \quad\text{and}\quad D \equiv B_1 \sqcap \ldots \sqcap B_k \sqcap \forall s_1.D_1 \sqcap \ldots \sqcap \forall s_\ell.D_\ell$$


respectively be the normal forms of the $\mathcal{FL}_0$ concept descriptions $C$ and $D$. Then $C \sqsubseteq D$ 
iff the following two conditions hold: 


1. For all $i$, $1 \leq i \leq k$, there exists $j$, $1 \leq j \leq m$ such that $B_i = A_j$. 


2. For all $i$, $1 \leq i \leq \ell$, there exists $j$, $1 \leq j \leq n$ such that $s_i = r_j$ and $C_j \sqsubseteq D_i$. 


It is easy to see that this characterization of subsumption is sound (i.e., the “if” direction 
of the equivalence holds) and complete (i.e., the “only-if” direction of the equivalence 
holds as well). This characterization yields an obvious recursive algorithm for computing 
subsumption. This algorithm can easily be shown to be of polynomial time complexity: 
in Condition 2, there is at most one subsumption test per role name occurring in C and 
$D$ since all role names in $r_1, \ldots, r_n$ and all role names in $s_1, \ldots, s_\ell$ are distinct. 

If we extend $\mathcal{FL}_0$ by language constructors that can express unsatisfiable concepts, 
then we must, on the one hand, change the definition of the normal form. On the other 
hand, the structural comparison of the normal forms must take into account that an 
unsatisfiable concept is subsumed by every concept. The simplest DL where this occurs 
is $\mathcal{FL}_\bot$, the extension of $\mathcal{FL}_0$ by the bottom concept $\bot$. An $\mathcal{FL}_\bot$ concept description is 
in normal form iff it is $\bot$ or of the form 


$$A_1 \sqcap \ldots \sqcap A_m \sqcap \forall R_1.C_1 \sqcap \ldots \sqcap \forall R_n.C_n,$$


where $A_1, \ldots, A_m$ are distinct concept names different from $\bot$, $R_1, \ldots, R_n$ are distinct 
role names, and $C_1, \ldots, C_n$ are $\mathcal{FL}_\bot$ concept descriptions in normal form. Again, such 
a normal form can easily be computed. In principle, one just computes the $\mathcal{FL}_0$-normal 
form of the description (where $\bot$ is treated as an ordinary concept name): 
$B_1 \sqcap \ldots \sqcap B_k \sqcap \forall R_1.D_1 \sqcap \ldots \sqcap \forall R_n.D_n$. If one of the $B_i$s is $\bot$, then replace the whole description 
by $\bot$. Otherwise, apply the same procedure recursively to the $D_j$s. For example, the 
$\mathcal{FL}_0$-normal form of $\forall R.\forall R.B \sqcap A \sqcap \forall R.(A \sqcap \forall R.\bot)$ is $A \sqcap \forall R.(A \sqcap \forall R.(B \sqcap \bot))$, which 
yields the $\mathcal{FL}_\bot$-normal form $A \sqcap \forall R.(A \sqcap \forall R.\bot)$. 

The structural subsumption algorithm for $\mathcal{FL}_\bot$ works just like the one for $\mathcal{FL}_0$, with 
the only difference that $\bot$ is subsumed by any description. For example, 
$\forall r.\forall r.B \sqcap A \sqcap \forall r.(A \sqcap \forall r.\bot) \sqsubseteq \forall r.\forall r.A \sqcap A \sqcap \forall r.A$ since the recursive comparison of their $\mathcal{FL}_\bot$-normal 
forms $A \sqcap \forall r.(A \sqcap \forall r.\bot)$ and $A \sqcap \forall r.(A \sqcap \forall r.A)$ finally leads to the comparison of $\bot$ and 
$A$. 

The extension of $\mathcal{FL}_\bot$ by atomic negation (i.e., negation applied to concept names 
only) can be treated similarly. During the computation of the normal form, negated 
concept names are just treated like concept names. If, however, a name and its negation 
occur on the same level of the normal form, then $\bot$ is added, which can then be treated 
as described above. For example, $\forall r.\neg A \sqcap A \sqcap \forall r.(A \sqcap \forall r.B)$ is first transformed into 
$A \sqcap \forall r.(A \sqcap \neg A \sqcap \forall r.B)$, then into $A \sqcap \forall r.(\bot \sqcap A \sqcap \neg A \sqcap \forall r.B)$, and finally into $A \sqcap \forall r.\bot$. 
The structural comparison of the normal forms treats negated concept names just like 
concept names. 
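The structural subsumption test described above for $\mathcal{FL}_0$, the bottom concept and atomic negation, as an added example that is not code from the handbook or from any DL system. The tuple encoding of concept descriptions and all function names are assumptions of this example; number restrictions are not covered.

```python
BOT = "BOT"  # normal form of every unsatisfiable description


# Constructed tuple encoding of concept descriptions (assumption of this example).
def name(a): return ("name", a)
def neg(a): return ("not", a)            # atomic negation: concept names only
def bot(): return ("bot",)
def conj(*cs): return ("and",) + cs
def forall(r, c): return ("all", r, c)


def normalize(c):
    """Return BOT, or a pair (literals, roles): literals is a frozenset of
    concept names and negated names ("~A"), roles maps each role name to the
    normal form of the conjunction of all its value restrictions."""
    literals, by_role = set(), {}
    stack = [c]
    while stack:                          # flatten nested conjunctions
        kind, *args = stack.pop()
        if kind == "and":
            stack.extend(args)
        elif kind == "bot":
            return BOT                    # a conjunct ⊥ collapses the level
        elif kind == "name":
            literals.add(args[0])
        elif kind == "not":
            literals.add("~" + args[0])
        elif kind == "all":               # group value restrictions by role
            by_role.setdefault(args[0], []).append(args[1])
        else:
            raise ValueError("unknown constructor: %r" % kind)
    if any("~" + a in literals for a in literals):
        return BOT                        # A and ¬A on the same level
    roles = {r: normalize(("and",) + tuple(cs)) for r, cs in by_role.items()}
    return (frozenset(literals), roles)


def subsumed_nf(c, d):
    """Decide C ⊑ D for normal forms c and d."""
    if c == BOT:
        return True                       # ⊥ is subsumed by every description
    if d == BOT:
        return False                      # c is satisfiable, so not below ⊥
    c_lits, c_roles = c
    d_lits, d_roles = d
    if not d_lits <= c_lits:              # condition 1: every B_i is some A_j
        return False
    # condition 2: one recursive test per role name occurring in D
    return all(r in c_roles and subsumed_nf(c_roles[r], d_roles[r])
               for r in d_roles)


def subsumed(c, d):
    return subsumed_nf(normalize(c), normalize(d))


# The two worked examples from the text above.
C1 = conj(forall("r", forall("r", name("B"))), name("A"),
          forall("r", conj(name("A"), forall("r", bot()))))
D1 = conj(forall("r", forall("r", name("A"))), name("A"),
          forall("r", name("A")))
C2 = conj(forall("r", neg("A")), name("A"),
          forall("r", conj(name("A"), forall("r", name("B")))))
```

Note that $\forall r.\bot$ is kept as a satisfiable value restriction (`{"r": BOT}`); only a $\bot$ or a clash on the same level collapses that level.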

Finally, if we consider the language ALN, the additional presence of number restric- 
tions leads to a new type of conflict. On the one hand, as in the case of atomic negation, 
number restrictions may be conflicting with each other (e.g., $\geq 2\, r$ and $\leq 1\, r$). On the 
other hand, at-least restrictions $\geq n\, r$ for $n \geq 1$ are in conflict with value restrictions 
$\forall r.\bot$ that prohibit role successors. When computing the normal form, one can again 
treat number restrictions like concept names, and then take care of the new types of 
conflicts by introducing $\bot$ and using it for normalization as described above. During the 
structural comparison of normal forms, one must also take into account inherent subsumption 
relationships between number restrictions (e.g., $\geq n\, r \sqsubseteq\ \geq m\, r$ if $n \geq m$). A 
more detailed description of a structural subsumption algorithm working on a graph-like 
data structure for a DL extending ALN can be found in [40]. 


Satisfiability in other sub-Boolean DLs 


Until now, we have only considered sub-Boolean DLs that extend AL. Hemaspaandra 
[84] looks at all possible combinations of the constructors 


$\top$, $\bot$, $C \sqcap D$, $C \sqcup D$, $\neg A$, $\neg C$, $\forall r.C$, $\exists r.C$, 


and shows that there are only four possibilities for the complexity of the satisfiability 
problem:¹² P, NP-complete, coNP-complete, and PSPACE-complete: 


• DLs that contain a complete basis for ALC have a PSPACE-complete satisfiability 
problem. 


• DLs that contain a complete basis for propositional logic, but not for ALC, have 
an NP-complete satisfiability problem. 


• The DL ALE and its sublanguages where $\bot$, $\top$, or both are disallowed, have a 
coNP-complete satisfiability problem. 


• The DL defined by the constructors $\bot$, $C \sqcap D$, $C \sqcup D$, $\forall r.C$, $\exists r.C$ has a PSPACE-complete 
satisfiability problem. 


• All other DLs obtained as a combination of the above constructors have a polynomial 
satisfiability problem. 


Subsumption in EL 


Recall that EL is defined by the constructors top concept ($\top$), conjunction ($C \sqcap D$), and 
existential restriction ($\exists r.C$). We show that subsumption of EL concept descriptions can 
be decided in polynomial time by reducing the subsumption problem to a combinatorial 
problem on trees. Any EL concept description $C$ can be represented as a tree $G_C$ whose 
edges are labeled with role names and whose nodes are labeled with sets of primitive 
concepts (where the empty set stands for $\top$). For example, the EL concept descriptions 


$$C := P \sqcap \exists r.(\exists r.(P \sqcap Q) \sqcap \exists s.Q) \sqcap \exists r.(P \sqcap \exists s.P)$$
$$D := \exists r.(\exists r.P \sqcap \exists s.Q) \sqcap \exists r.P$$


yield the EL description trees $G_C$ and $G_D$ depicted in Figure 7 (see [25] for a formal 
definition of the translation between EL concept descriptions and EL description trees). 

Let $C$, $D$ be EL concept descriptions. A simulation from $G_D$ to $G_C$ is a binary relation 
$Z$ between the nodes of $G_D$ and the nodes of $G_C$ such that 


¹² Unfortunately, the complexity of subsumption is not considered in [84]. 

[Figure 7, node labels only. $G_C$: $v_0:\{P\}$, $v_1$, $v_2:\{P,Q\}$, $v_3:\{Q\}$, $v_4:\{P\}$, $v_5:\{P\}$. $G_D$: $v'_0$, $v'_1$, $v'_2:\{P\}$, $v'_3:\{Q\}$, $v'_4:\{P\}$.] 


Figure 7. Two EL description trees. 


1. $(v', v) \in Z$ implies that the label of $v'$ is contained in the label of $v$; 


2. $(v', v) \in Z$ implies that, for every $r$-successor $u'$ of $v'$ there is an $r$-successor $u$ of $v$ 
such that $(u', u) \in Z$. 


Subsumption between EL concept descriptions corresponds to the existence of a simulation 
relation¹³ between the corresponding trees: if $v_0$ is the root of $G_C$ and $v'_0$ the root 
of $G_D$, then we have 


$$C \sqsubseteq D \quad\text{iff}\quad \text{there is a simulation } Z \text{ from } G_D \text{ to } G_C \text{ such that } (v'_0, v_0) \in Z.$$


In our example, we have $C \sqsubseteq D$ since the following relation $Z$ is a simulation from $G_D$ 
to $G_C$: 
$$Z := \{(v'_0, v_0), (v'_1, v_1), (v'_2, v_2), (v'_3, v_3), (v'_4, v_4)\}.$$


The definition of a simulation suggests the following top-down algorithm for constructing 
a simulation $Z$ containing the tuple consisting of the roots $(v'_0, v_0)$. First, put $(v'_0, v_0)$ into 
$Z$ and check whether the first property of a simulation (containment of labels) is satisfied 
for this tuple. If not, then stop with failure. Otherwise, try to extend $Z$ by guessing pairs 
of successors of $v'_0$ and $v_0$, respectively, such that the second property of a simulation 
is satisfied for the pair $(v'_0, v_0)$. Then continue the process with these new pairs. Since 
there are different ways of pairing off the successors, this algorithm is non-deterministic, 
and thus it does not yield a deterministic polynomial-time subsumption algorithm. 

Fortunately, one can do better. One can compute the largest simulation between 
two trees (and actually also between two graphs with distinguished “root” nodes) by 
starting with all pairs of nodes, and then successively removing pairs that violate the 
first condition in the definition of a simulation or the second one (w.r.t. the current 
relation). It is easy to see that this procedure terminates after polynomially many steps 
with the largest simulation $Z$ from $G_D$ to $G_C$ (see [85] for a more efficient algorithm). We 
have $C \sqsubseteq D$ iff the pair consisting of the root nodes has not been removed, i.e., belongs 
to $Z$ (see [9] for more details). 
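The deterministic procedure just described (start with all pairs, remove violating pairs until nothing changes), as an added example that is not code from [9], [25] or [85]. The tuple encoding of EL concepts, the node numbering and all function names are assumptions of this example; it uses the simple fixpoint iteration, not the more efficient algorithm of [85].

```python
# Constructed tuple encoding of EL concept descriptions (assumption of this example).
TOP = ("top",)
def name(p): return ("name", p)
def conj(*cs): return ("and",) + cs
def some(r, c): return ("some", r, c)


def tree(concept):
    """Translate an EL concept into its description tree (labels, succ):
    labels[v] is the set of concept names at node v, succ[v] a list of
    (role, child) pairs; node 0 is the root."""
    labels, succ = [], []

    def build(c):
        v = len(labels)
        labels.append(set())
        succ.append([])
        stack = [c]
        while stack:                       # flatten the conjunction at this node
            kind, *args = stack.pop()
            if kind == "and":
                stack.extend(args)
            elif kind == "name":
                labels[v].add(args[0])
            elif kind == "some":           # one edge per existential restriction
                succ[v].append((args[0], build(args[1])))
            elif kind != "top":            # ⊤ contributes nothing (empty label)
                raise ValueError("unknown constructor: %r" % kind)
        return v

    build(concept)
    return labels, succ


def largest_simulation(g_d, g_c):
    """Largest simulation from g_d to g_c, computed by pair removal."""
    d_labels, d_succ = g_d
    c_labels, c_succ = g_c
    # Start with all pairs that satisfy condition 1 (label containment).
    z = {(vd, vc)
         for vd in range(len(d_labels)) for vc in range(len(c_labels))
         if d_labels[vd] <= c_labels[vc]}
    changed = True
    while changed:                         # remove pairs violating condition 2
        changed = False
        for vd, vc in list(z):
            ok = all(any(r2 == r and (ud, uc) in z for r2, uc in c_succ[vc])
                     for r, ud in d_succ[vd])
            if not ok:
                z.discard((vd, vc))
                changed = True
    return z


def subsumed(c, d):
    """C ⊑ D iff the pair of roots belongs to the largest simulation."""
    return (0, 0) in largest_simulation(tree(d), tree(c))


# The concept descriptions C and D from the example above.
C_EXAMPLE = conj(
    name("P"),
    some("r", conj(some("r", conj(name("P"), name("Q"))), some("s", name("Q")))),
    some("r", conj(name("P"), some("s", name("P")))),
)
D_EXAMPLE = conj(
    some("r", conj(some("r", name("P")), some("s", name("Q")))),
    some("r", name("P")),
)
```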


¹³ In [25], subsumption was actually characterized by the existence of a homomorphism, i.e., a simulation 
that is a total function. However, it is easy to see that, in case of trees, the existence of a simulation 
implies the existence of a homomorphism. 

4.2 TBox reasoning in sub-Boolean DLs 


As mentioned in Section 3, reasoning w.r.t. acyclic TBoxes can be reduced to reasoning 
on concept descriptions by expanding the definitions. Unfortunately, expansion may lead 
to an exponential blow-up of the descriptions. Is this due to the inherent complexity of 
reasoning with TBoxes, or can this exponential increase in the complexity be avoided? 
It turns out that the answer to this question depends on which sub-Boolean DL we 
consider.¹⁴ 

For the DL $\mathcal{FL}_0$, subsumption of concept descriptions is polynomial, whereas subsumption 
w.r.t. acyclic TBoxes is coNP-complete, subsumption w.r.t. cyclic TBoxes is 
PSPACE-complete, and subsumption w.r.t. GCIs is EXPTIME-complete. In contrast, for 
the DL EL, subsumption remains polynomial even w.r.t. GCIs. 


TBox reasoning in $\mathcal{FL}_0$ 


We start by describing an alternative approach for showing that subsumption of $\mathcal{FL}_0$ 
concept descriptions can be decided in polynomial time. In Section 4.1, the equivalence 
$\forall r.C \sqcap \forall r.D \equiv \forall r.(C \sqcap D)$ was used as a rewrite rule from left to right in order to compute 
the structural subsumption normal form of $\mathcal{FL}_0$ concept descriptions. If we use this rule 
in the opposite direction, we obtain a different normal form, which is called concept-centered 
normal form in [24], since it groups the concept descriptions w.r.t. concept names 
(and not w.r.t. role names, as the structural subsumption normal form does). Using this 
rule, any $\mathcal{FL}_0$ concept description can be transformed into an equivalent description 
that is a conjunction of descriptions of the form $\forall r_1.\cdots\forall r_m.A$ for $m \geq 0$ (not necessarily 
distinct) role names $r_1, \ldots, r_m$ and a concept name $A$. We abbreviate $\forall r_1.\cdots\forall r_m.A$ by 
$\forall r_1 \ldots r_m.A$, where $r_1 \ldots r_m$ is viewed as a word over the alphabet $\Sigma$ of all role names. 
In addition, instead of $\forall w_1.A \sqcap \ldots \sqcap \forall w_\ell.A$ we write $\forall L.A$ where $L := \{w_1, \ldots, w_\ell\}$ is 
a finite set of words over $\Sigma$. The term $\forall \emptyset.A$ is considered to be equivalent to the top 
concept $\top$, which means that it can be added to a conjunction without changing the 
meaning of the concept. Using these abbreviations, any pair of $\mathcal{FL}_0$ concept descriptions 
$C$, $D$ containing the concept names $A_1, \ldots, A_k$ can be rewritten as 


$$C \equiv \forall U_1.A_1 \sqcap \ldots \sqcap \forall U_k.A_k \quad\text{and}\quad D \equiv \forall V_1.A_1 \sqcap \ldots \sqcap \forall V_k.A_k,$$


where $U_i$, $V_i$ are finite sets of words over the alphabet of all role names. This normal 
form provides us with the following characterization of subsumption of $\mathcal{FL}_0$ concept 
descriptions [28]: 

$$C \sqsubseteq D \quad\text{iff}\quad U_i \supseteq V_i \text{ for all } i, 1 \leq i \leq k.$$


Since the size of the concept-based normal forms is polynomial in the size of the original 
descriptions, and since the inclusion tests $U_i \supseteq V_i$ can also be realized in polynomial 
time, this yields a polynomial-time decision procedure for subsumption in $\mathcal{FL}_0$. In fact, 
as shown in [24], the structural subsumption algorithm for $\mathcal{FL}_0$ can be seen as a special 
implementation of these inclusion tests. 

This characterization of subsumption via inclusion of finite sets of words can be
extended to cyclic TBoxes with greatest fixpoint semantics as follows. A given TBox 𝒯 can 


¹⁴ The same is true for propositionally closed DLs (see Section 6). 
A ≡ ∀r.A ⊓ ∀s.C 
B ≡ ∀r.∀s.C 
C ≡ P ⊓ ∀s.C 


Figure 8. A cyclic FL₀ TBox and the corresponding automaton. 


be translated into a finite automaton¹⁵ 𝒜_𝒯 whose states are the concept names occurring
in 𝒯 and whose transitions are induced by the value restrictions occurring in 𝒯 (see 
Fig. 8 for an example and [5] for the formal definition). For a defined concept A and a 
primitive concept P in 𝒯, the language L_{𝒜_𝒯}(A, P) is the set of all words labeling paths 
in 𝒜_𝒯 from A to P. The languages L_{𝒜_𝒯}(A, P) represent all the value restrictions that 
must be satisfied by instances of the concept A. With this intuition in mind, it should 
not be surprising that subsumption w.r.t. cyclic FL₀ TBoxes can be characterized in 
terms of inclusion of regular languages represented by automata. Indeed, the following 
characterizes subsumption w.r.t. greatest fixpoint semantics: 


A ⊑_{gfp,𝒯} B iff L_{𝒜_𝒯}(A, P) ⊇ L_{𝒜_𝒯}(B, P) for all primitive concepts P. 


In the example of Fig. 8, we have L_{𝒜_𝒯}(A, P) = r*ss* ⊇ rss* = L_{𝒜_𝒯}(B, P), and thus 
A ⊑_𝒯 B, but not B ⊑_𝒯 A. 
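
The automaton-based test just described, as an added Python example (not code from the chapter): it encodes the TBox of Figure 8 as A ≡ ∀r.A ⊓ ∀s.C, B ≡ ∀r.∀s.C, C ≡ P ⊓ ∀s.C, splits word transitions into letter transitions, and decides language inclusion by an on-the-fly subset construction. The dictionary encoding and all function names are assumptions of this example; a finite set of words (the acyclic case) is handled by the same routine.

```python
from collections import deque

# Constructed encoding of the Figure 8 TBox. Each defined concept maps to a list of
# (word, target) pairs: "A = forall r.A and forall s.C" yields A -r-> A and A -s-> C;
# the primitive conjunct P in the definition of C is an empty-word move C -> P.
FIG8_TBOX = {
    "A": [(("r",), "A"), (("s",), "C")],
    "B": [(("r", "s"), "C")],
    "C": [((), "P"), (("s",), "C")],
}


def build_automaton(tbox):
    """Split word transitions into letter moves; None marks an epsilon move.
    Returns delta: state -> list of (letter or None, successor state)."""
    delta, fresh = {}, 0
    for source, edges in tbox.items():
        for word, target in edges:
            if not word:
                delta.setdefault(source, []).append((None, target))
            state = source
            for i, letter in enumerate(word):
                if i == len(word) - 1:
                    nxt = target
                else:  # intermediate state inside a word transition
                    nxt, fresh = ("aux", fresh), fresh + 1
                delta.setdefault(state, []).append((letter, nxt))
                state = nxt
    return delta


def eps_closure(delta, states):
    """All states reachable from `states` by epsilon moves only."""
    todo, seen = list(states), set(states)
    while todo:
        q = todo.pop()
        for letter, nxt in delta.get(q, []):
            if letter is None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return frozenset(seen)


def step(delta, states, letter):
    """Epsilon-closed set of states reached from `states` by reading `letter`."""
    moved = {nxt for q in states for l, nxt in delta.get(q, []) if l == letter}
    return eps_closure(delta, moved)


def language_included(delta, sub_start, sup_start, final):
    """Decide L(sub_start, final) <= L(sup_start, final).
    Returns (True, None) or (False, word), where word is accepted only on the left."""
    start = (sub_start, eps_closure(delta, {sup_start}))
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (q, sup), word = queue.popleft()
        if q == final and final not in sup:
            return False, word
        for letter, nxt in delta.get(q, []):
            pair = (nxt, sup if letter is None else step(delta, sup, letter))
            if pair not in seen:
                seen.add(pair)
                queue.append((pair, word if letter is None else word + (letter,)))
    return True, None


def subsumed_gfp(tbox, a, b):
    """a is subsumed by b (gfp-semantics) iff L(a, P) >= L(b, P) for every primitive P."""
    delta = build_automaton(tbox)
    primitives = {t for edges in tbox.values() for _, t in edges} - set(tbox)
    return all(language_included(delta, b, a, p)[0] for p in primitives)
```

The search visits pairs of a state and a set of states, so it can take exponential time in the worst case, in line with the PSPACE-completeness of the inclusion problem.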

Obviously, the languages L_{𝒜_𝒯}(A, P) are regular, and any regular language can be 
obtained as such a language. Since inclusion of regular languages is a PSPACE-complete 
problem [73], this shows that subsumption w.r.t. cyclic FL₀ TBoxes with greatest fixpoint 
semantics is PSPACE-complete [5]. The same complexity can be shown for subsumption 
in cyclic FL₀ TBoxes interpreted with least fixpoint semantics or with descriptive
semantics [5, 102]. In addition, the PSPACE-completeness result can be extended to the 
DL ALN [106]. 

For an acyclic FL₀ TBox 𝒯, the automaton 𝒜_𝒯 is acyclic as well. Since inclusion of 
languages accepted by acyclic finite automata is coNP-complete [73] and subsumption 
w.r.t. greatest fixpoint semantics coincides with subsumption w.r.t. descriptive semantics 
in the case of acyclic TBoxes, this proves Nebel’s result that subsumption w.r.t. acyclic 
FL₀ TBoxes is coNP-complete [128]. Thus, for FL₀, even the presence of acyclic TBoxes 
increases the complexity of the subsumption problem. 

Finally, EXPTIME-hardness of subsumption in FL₀ w.r.t. GCIs was shown in [10]. 
The EXPTIME upper bound follows from the fact that subsumption in ALC w.r.t. GCIs 
is in EXPTIME [138]. 


¹⁵ Strictly speaking, we obtain a finite automaton with word transitions, i.e., transitions that may be 
labeled by a word over Σ rather than a letter of Σ. 
Figure 9. A normalized EL TBox and the corresponding description graph. 


TBox reasoning in EL 


The approach for deciding subsumption between EL concept descriptions sketched in 
Section 4.1 can be extended to EL TBoxes [9]. In fact, one can show that any EL 
TBox can be transformed in polynomial time into an equivalent normalized TBox whose 
definitions are of the form 


A ≡ P₁ ⊓ ... ⊓ P_m ⊓ ∃r₁.B₁ ⊓ ... ⊓ ∃r_ℓ.B_ℓ, 


where P₁, ..., P_m are primitive concepts, r₁, ..., r_ℓ roles, and B₁, ..., B_ℓ defined concepts. 
Any normalized EL TBox 𝒯 can then be transformed into an EL description graph G_𝒯 
whose nodes are the defined concepts of 𝒯. If A is a defined concept whose definition 
in 𝒯 is of the normalized form shown above, then A has label {P₁, ..., P_m}, and is the 
source of the edges (A, r₁, B₁), ..., (A, r_ℓ, B_ℓ) (see Figure 9 for an example). 

Subsumption w.r.t. greatest fixpoint semantics corresponds to the existence of an 
appropriate simulation on G_𝒯 [9]: if A, B are defined concepts in 𝒯, then 


A ⊑_{gfp,𝒯} B iff there is a simulation Z from G_𝒯 to G_𝒯 such that (B, A) ∈ Z. 


Since the algorithm for computing the largest simulation sketched in Section 4.1 also 
works on graphs, this shows that subsumption w.r.t. EL TBoxes interpreted with greatest 
fixpoint semantics can be decided in polynomial time. In [9], the same result is also shown 
for descriptive and least fixpoint semantics. As a special case we have that subsumption 
w.r.t. acyclic EL TBoxes is polynomial. 

In [46], it is shown that subsumption in EL remains polynomial even in the presence 
of GCIs, and in [10] this result is extended to the DL EL⁺⁺, which extends EL by the 
bottom concept, nominals, a restricted form of concrete domains, and a restricted form 
of role-value maps.¹⁶ 

The polynomial-time subsumption algorithms for EL and EL⁺⁺ actually classify the 
given set of GCIs 𝒯, i.e., they simultaneously compute all subsumption relationships 
between the concept names occurring in 𝒯. In the following, we sketch an algorithm for 
EL. This algorithm proceeds in four steps: 


1. Normalize the set of GCIs. 


2. Translate the normalized set of GCIs into a graph. 


¹⁶ Concrete domains and role-value maps will be introduced in Section 6. Adding unrestricted concrete 
domains or role-value maps to EL with GCIs would cause undecidability of subsumption [10, 8]. 

3. Complete the graph using completion rules. 

4. Read off the subsumption relationships from the normalized graph. 

A set of EL GCIs is normalized iff it only contains GCIs of the following form: 

A₁ ⊓ A₂ ⊑ B,   A ⊑ ∃r.B,   ∃r.A ⊑ B, 


where A, A₁, A₂, B are concept names or the top-concept ⊤. One can transform a given 
set of GCIs into a normalized one by applying normalization rules. Instead of describing 
these rules in the general case, we just illustrate them by an example: 


∃r.A ⊓ ∃r.∃s.A ⊑ A ⊓ ∃r.⊤ 
  ⇝  ∃r.A ⊑ B₁,  B₁ ⊓ ∃r.∃s.A ⊑ A ⊓ ∃r.⊤ 
  ⇝  ∃r.A ⊑ B₁,  ∃r.∃s.A ⊑ B₂,  B₁ ⊓ B₂ ⊑ A ⊓ ∃r.⊤ 
  ⇝  ∃r.A ⊑ B₁,  ∃s.A ⊑ B₃,  ∃r.B₃ ⊑ B₂,  B₁ ⊓ B₂ ⊑ A ⊓ ∃r.⊤ 
  ⇝  ∃r.A ⊑ B₁,  ∃s.A ⊑ B₃,  ∃r.B₃ ⊑ B₂,  B₁ ⊓ B₂ ⊑ A,  B₁ ⊓ B₂ ⊑ ∃r.⊤ 


For example, in the first normalization step we introduce the abbreviation B₁ for the 
description ∃r.A. One might think that one must make B₁ equivalent to ∃r.A, i.e., also 
add the GCI B₁ ⊑ ∃r.A. However, it can be shown that adding just ∃r.A ⊑ B₁ is 
sufficient to obtain a subsumption-equivalent set of GCIs, i.e., a set that induces the 
same subsumption relationships between the concept names occurring in the original set 
of GCIs. All normalization rules preserve equivalence in this sense, and if one uses an 
appropriate strategy (which basically defers the applications of the rule applied in the 
last step of our example to the end), then the normal form can be computed in linear 
time. 
In the next step, we build the classification graph G_𝒯 = (V, V × V, S, R) where 


• V is the set of concept names (including ⊤) occurring in the normalized set of 
GCIs 𝒯; 


• S labels nodes with sets of concept names (again including ⊤); 
• R labels edges with sets of role names. 


The label sets are supposed to satisfy the following invariants: 


• B ∈ S(A) implies A ⊑_𝒯 B, i.e., S(A) contains only subsumers of A w.r.t. the set 
of GCIs 𝒯. 


• r ∈ R(A, B) implies A ⊑_𝒯 ∃r.B, i.e., R(A, B) contains only roles r such that ∃r.B 
subsumes A. 


Initially, we set S(A) := {A, ⊤} for all nodes A ∈ V, and R(A, B) := ∅ for all edges 
(A, B) ∈ V × V. Obviously, the above invariants are satisfied by these initial label sets. 

The labels of nodes and edges are then extended by applying the rules of Figure 10. 
Note that such a rule is only applied if it really extends a label set. It is easy to see that 
these rules preserve the above invariants. For example, consider the (most complicated) 
rule (R3). Obviously, ∃r.B₁ ⊑ A₁ ∈ 𝒯 implies ∃r.B₁ ⊑_𝒯 A₁, and the assumption that 
the invariants are satisfied before applying the rule yields B ⊑_𝒯 B₁ and A ⊑_𝒯 ∃r.B. 
The subsumption relationship B ⊑_𝒯 B₁ obviously implies ∃r.B ⊑_𝒯 ∃r.B₁. By applying 
transitivity of the subsumption relation ⊑_𝒯, we thus obtain A ⊑_𝒯 A₁. 

The fact that subsumption in EL w.r.t. GCIs can be decided in polynomial time is an 
immediate consequence of the following statements: 
(R1) If A₁ ⊓ A₂ ⊑ B ∈ 𝒯 and A₁, A₂ ∈ S(A) then add B to S(A) 
(R2) If A₁ ⊑ ∃r.B ∈ 𝒯 and A₁ ∈ S(A) then add r to R(A, B) 
(R3) If ∃r.B₁ ⊑ A₁ ∈ 𝒯 and B₁ ∈ S(B), r ∈ R(A, B) then add A₁ to S(A) 


Figure 10. The completion rules for subsumption in EL w.r.t. GCIs. 


1. Rule application terminates after a polynomial number of steps. 


2. If no more rules are applicable, then A ⊑_𝒯 B iff B ∈ S(A). 


Regarding the first statement, note that the number of nodes is linear and the number 
of edges is quadratic in the size of 𝒯. In addition, the size of the label sets is bounded 
by the number of concept names and role names, and each rule application extends at 
least one label. Regarding the equivalence in the second statement, the “if” direction 
follows from the fact that the above invariants are preserved under rule application. To 
show the “only-if” direction, assume that B ∉ S(A). Then the following interpretation 
ℐ is a model of 𝒯 in which A ∈ A^ℐ, but A ∉ B^ℐ: 


• Δ^ℐ := V; 
• r^ℐ := {(A′, B′) | r ∈ R(A′, B′)} for all role names r; 
• B′^ℐ := {A′ | B′ ∈ S(A′)} for all concept names B′. 


More details can be found in [46, 10]. 
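
Steps 2 to 4 and the rules of Figure 10, as an added Python example (not code from the chapter or from any DL reasoner): it saturates the labels S and R for an already normalized set of GCIs, then builds the interpretation used in the “only-if” argument and checks that it satisfies every GCI. The tuple encoding, the function names and the sample TBox are assumptions made for this example.

```python
TOP = "TOP"  # stands for the top concept

# Normalized GCIs as tuples (constructed sample, not from the chapter):
#   ("conj", A1, A2, B)      encodes  A1 AND A2 is subsumed by B
#   ("some_rhs", A, r, B)    encodes  A is subsumed by EXISTS r.B
#   ("some_lhs", r, A, B)    encodes  EXISTS r.A is subsumed by B
SAMPLE_TBOX = [
    ("conj", "Woman", TOP, "Human"),
    ("conj", "Man", TOP, "Human"),
    ("conj", "GirlDad", TOP, "Man"),
    ("some_rhs", "GirlDad", "child", "Woman"),
    ("some_lhs", "child", "Human", "HasHumanChild"),
    ("conj", "Human", "HasHumanChild", "Parent"),
]


def classify(gcis):
    """Apply (R1)-(R3) until no label set grows; return the labelings S and R."""
    names = {TOP}
    for g in gcis:
        if g[0] == "conj":
            names.update(g[1:])
        elif g[0] == "some_rhs":
            names.update((g[1], g[3]))
        else:
            names.update((g[2], g[3]))
    S = {a: {a, TOP} for a in names}                   # initial node labels
    R = {(a, b): set() for a in names for b in names}  # initial edge labels
    changed = True
    while changed:
        changed = False
        for g in gcis:
            if g[0] == "conj":                         # rule (R1)
                _, a1, a2, b = g
                for a in names:
                    if a1 in S[a] and a2 in S[a] and b not in S[a]:
                        S[a].add(b)
                        changed = True
            elif g[0] == "some_rhs":                   # rule (R2)
                _, a1, r, b = g
                for a in names:
                    if a1 in S[a] and r not in R[a, b]:
                        R[a, b].add(r)
                        changed = True
            else:                                      # rule (R3)
                _, r, b1, a1 = g
                for (a, b), roles in R.items():
                    if r in roles and b1 in S[b] and a1 not in S[a]:
                        S[a].add(a1)
                        changed = True
    return S, R


def canonical_model_satisfies(gcis, S, R):
    """Build the interpretation with domain V, r^I = {(A, B) | r in R(A, B)} and
    B^I = {A | B in S(A)}, and check that every GCI holds in it."""
    def ext(c):
        return {a for a in S if c in S[a]}

    def some(r, c):
        members = ext(c)
        return {a for (a, b), roles in R.items() if r in roles and b in members}

    for g in gcis:
        if g[0] == "conj":
            ok = (ext(g[1]) & ext(g[2])) <= ext(g[3])
        elif g[0] == "some_rhs":
            ok = ext(g[1]) <= some(g[2], g[3])
        else:
            ok = some(g[1], g[2]) <= ext(g[3])
        if not ok:
            return False
    return True


def subsumers(S, a):
    """Step 4: read off all concept names that subsume a."""
    return sorted(S[a])
```

On the sample, GirlDad is classified under Parent through rule (R3) applied to the edge (GirlDad, Woman), while Man is not, and the canonical interpretation is the countermodel for that non-subsumption.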


4.3 ABox reasoning in sub-Boolean DLs 


In [67], the complexity of instance checking in DLs of the AL family is investigated. 
With one exception, the complexity¹⁷ of instance checking coincides with the complexity 
of subsumption. This one exception is ALE, where the subsumption problem is
NP-complete, whereas instance checking is PSPACE-complete. In the following, we sketch 
the PSPACE-hardness proof given in [67]. It depends on the PSPACE-hardness proof 
of satisfiability in ALC given in [143], which works by a reduction¹⁸ from Quantified 
Boolean Formulae (QBF), whose validity problem is known to be PSPACE-complete [73]. 
A given QBF φ is translated in polynomial time into an ALC concept description C_φ such 
that φ is valid iff C_φ is satisfiable. For the purpose of sketching the PSPACE-hardness 
proof from [67], it is not really necessary to know what a QBF is and how the reduction 
concept C_φ is defined in detail. The first important observation made in [67] is that C_φ 
is equivalent to a concept description of the form 


D ⊓ ¬D₁ ⊓ ... ⊓ ¬D_n, 


¹⁷ To be more precise, the “combined complexity” of 𝒜 ⊨ C(a), i.e., w.r.t. both the size of 𝒜 and the 
size of C. 

¹⁸ Note that this reduction actually differs from the one usually employed in modal logic to show 
PSPACE-hardness of K [81]. 
where D, D₁, ..., D_n are ALE concept descriptions whose size is polynomially related to 
the size of C_φ. Thus, it remains to be shown that satisfiability of concept descriptions of 
this form can be reduced in polynomial time to instance checking in ALE. 

Assume that ALE concept descriptions D, D₁, ..., D_n are given. Let q be a new role 
and E_n a new concept name. We define ALE concept descriptions E₀, ..., E_{n−1} as 
follows: 

E_i := ∃q.(D_{i+1} ⊓ E_{i+1}) for i = 0, ..., n − 1. 


The ABox 𝒜 is defined as 
𝒜 := { q(a, a), q(a, b), D₁(a), ..., D_n(a), E₁(b), ..., E_n(b), D(b) } 
In [67], it is shown that 


D ⊓ ¬D₁ ⊓ ... ⊓ ¬D_n is satisfiable iff 𝒜 ⊭ E₀(a). 


In fact, assume that 𝒜 ⊭ E₀(a). Then there is a model ℐ of 𝒜 such that 


a^ℐ ∈ (¬E₀)^ℐ = (∀q.(¬D₁ ⊔ ¬E₁))^ℐ. 


Thus (a^ℐ, a^ℐ) ∈ q^ℐ, a^ℐ ∈ D₁^ℐ and (a^ℐ, b^ℐ) ∈ q^ℐ, b^ℐ ∈ E₁^ℐ imply that a^ℐ ∈ (¬E₁)^ℐ and
b^ℐ ∈ (¬D₁)^ℐ. We can now apply the same argument to a^ℐ ∈ (¬E₁)^ℐ = (∀q.(¬D₂ ⊔ ¬E₂))^ℐ, 
etc. In the end, we obtain that b^ℐ ∈ (¬D_i)^ℐ for i = 1, ..., n, and since we also have 
b^ℐ ∈ D^ℐ this shows that D ⊓ ¬D₁ ⊓ ... ⊓ ¬D_n is satisfiable. 

Conversely, it is easy to see that a model of D ⊓ ¬D₁ ⊓ ... ⊓ ¬D_n can be used to 
construct a model of 𝒜 in which a does not belong to E₀. 


4.4 Bi-simulation characterizations of sub-Boolean DLs 


As noted before, concept descriptions of the AL family (and also of many other DLs) 
can be translated into first-order formulae with one free variable. Thus, any such DL 
ℒ yields a fragment FO_ℒ of first-order predicate logic, which consists of those formulae 
with one free variable that are equivalent to the first-order translation of an ℒ concept 
description. These fragments can be used to compare the expressive power¹⁹ of DLs. 

We say that a DL ℒ₂ is strictly more expressive than a DL ℒ₁ (ℒ₁ < ℒ₂) iff FO_{ℒ₁} ⊂ 
FO_{ℒ₂}, i.e., every first-order translation of an ℒ₁ concept description is equivalent to the 
first-order translation of an ℒ₂ concept description, and there is an ℒ₂ concept description 
whose translation is not equivalent to any translation of an ℒ₁ concept description. 

Usually, the inclusion between two fragments FO_{ℒ₁} and FO_{ℒ₂} is relatively easy to 
show. However, how can one show that such an inclusion is strict? One way of doing 
this is to use an appropriate bisimulation characterization of the first-order fragments. 
For example, it is well-known that the fragment FO_ALC consists of those first-order
formulae that are preserved under bisimulation (see Chapter 1). This can be used to show 
that ALC < ALCN by giving an example of an ALCN concept description that is not 
preserved under bisimulation (see [105]). 

In [105], the bisimulation characterization of the first-order fragment corresponding to 
ALC is adapted to various sub-Boolean DLs, and then used to compare their expressive 
power. Here, we only sketch the characterization of FO_AL. 


¹⁹ The definition of the expressive power of DLs obtained this way is used in [105]; it is weaker than 
the one defined in [4] since it does not allow one to extend the vocabulary. 
First, we must introduce some notation. If X, Y are subsets of a set Δ, and R is a 
binary relation on Δ, then we define 


X R↑ Y iff for all d ∈ X there is e ∈ Y such that (d, e) ∈ R, 
X R↓ Y iff for all e ∈ Y there is d ∈ X such that (d, e) ∈ R. 


In order to explain the intuition underlying this definition from a DL point of view,
assume that r is a role, C, D are concept descriptions, and ℐ = (Δ^ℐ, ·^ℐ) is an interpretation, 
and define R := r^ℐ, X := C^ℐ, and Y := D^ℐ. Then X R↑ Y means that C^ℐ ⊆ (∃r.D)^ℐ, 
and X R↓ Y means that D^ℐ ⊆ (∃r⁻.C)^ℐ. 

Let ℐ = (Δ^ℐ, ·^ℐ) and 𝒥 = (Δ^𝒥, ·^𝒥) be two interpretations. An AL-simulation between 
ℐ and 𝒥 is a non-empty relation Z ⊆ 2^{Δ^ℐ} × Δ^𝒥 such that the following three conditions 
are satisfied: 


1. If (X₁, d₂) ∈ Z, then X₁ ⊆ A^ℐ implies d₂ ∈ A^𝒥 and X₁ ⊆ (¬A)^ℐ implies d₂ ∈ 
(¬A)^𝒥 for all concept names A. 


2. For every role name r, if (X₁, d₂) ∈ Z and X₁ (r^ℐ)↑ Y₁, then there is an e₂ ∈ Δ^𝒥 
such that (d₂, e₂) ∈ r^𝒥. 


3. For every role name r, if (X₁, d₂) ∈ Z and (d₂, e₂) ∈ r^𝒥, then there is a Y₁ ⊆ Δ^ℐ 
such that X₁ (r^ℐ)↓ Y₁ and (Y₁, e₂) ∈ Z. 


Intuitively, the fact that AL-simulations are binary relations between subsets of Δ^ℐ and 
Δ^𝒥 makes sure that disjunction (which is not available in AL) is not preserved. The 
first clause of the definition ensures that concept names and negated concept names (but 
not full negation) are preserved. The second clause ensures preservation of restricted 
existential restrictions ∃r.⊤, but not of full existential restrictions ∃r.C (since we do not 
require (Y₁, e₂) ∈ Z). The third clause ensures that value restrictions are preserved. 

The first-order formula α(x) is preserved under AL-simulations iff for all
interpretations ℐ = (Δ^ℐ, ·^ℐ) and 𝒥 = (Δ^𝒥, ·^𝒥) and all AL-simulations Z between ℐ and 𝒥, we 
have: 


(X, d₂) ∈ Z and ℐ ⊨ α(d₁) for all d₁ ∈ X implies 𝒥 ⊨ α(d₂). 


In [105], it is shown that FO_AL consists of those first-order formulae that are preserved 
under AL-simulations. 

This result can be used to show that ALU is strictly more expressive than AL. In fact, 
the formula A(x) ∨ B(x) obtained by translating the ALU concept description A ⊔ B 
into first-order logic is not preserved under AL-simulations. To see this, let ℐ be the 
interpretation consisting of two elements d₁, e₁, where d₁ belongs to A and e₁ belongs to 
B, and let 𝒥 be the interpretation consisting of the element d₂, which belongs neither to 
A nor to B. It is easy to see that Z := {({d₁, e₁}, d₂)} is an AL-simulation between ℐ 
and 𝒥. However, ({d₁, e₁}, d₂) ∈ Z and both d₁ and e₁ satisfy A(x) ∨ B(x), but d₂ does 
not satisfy A(x) ∨ B(x). 


5 NON-STANDARD INFERENCES 


After motivating the need for non-standard inferences in DLs and illustrating some of 
them by examples, we give formal definitions of the most important non-standard infer- 
ences considered until now, and review the existing results. 
5.1 Motivation 


All DL systems provide their users with standard inference services like computing the 
subsumption hierarchy, testing ABox consistency, and instance checking. These infer- 
ences are not only useful when working with “finished” knowledge bases, they can also 
support the knowledge engineer while building a knowledge base, by pointing out incon- 
sistencies and unwanted consequences. They can help the knowledge engineer to check 
whether a concept definition makes sense, but they provide no support for actually com- 
ing up with a first version of the definition. The non-standard inferences introduced in 
this section can be used to overcome this deficit, basically by providing two ways of re- 
using “old” knowledge when defining new one: (i) constructing concepts by generalizing 
from examples, and (ii) constructing concepts by modifying “similar” ones. 

The first approach was introduced as bottom-up construction of description logic 
knowledge bases in [20, 25]. Instead of defining the relevant concepts of an applica- 
tion domain from scratch, this methodology allows the user to give typical examples of 
individuals belonging to the concept to be defined. These individuals are then general- 
ized to a concept by first computing the most specific concept (msc) of each individual 
(i.e., the least concept description w.r.t. subsumption in the available description lan- 
guage that has this individual as an instance), and then computing the least common 
subsumer (lcs) of these concepts (i.e., the least concept description w.r.t. subsumption 
in the available description language that subsumes all these concepts). The knowledge 
engineer can then use the computed concept as a starting point for the concept defini- 
tion. As a simple example, assume that the knowledge engineer has already defined the 
concept of a man and a woman as 


Man ≡ Human ⊓ Male and Woman ≡ Human ⊓ Female, 


and now wants to define the concept of a parent, but does not know how to do this within 
the available DL (which we assume to be EL in this example). However, the available 
ABox 


Man(JACK), child(JACK, CAROLINE), Woman(CAROLINE), 
Woman(JACKIE), child(JACKIE, JOHN),  Man(JOHN), 


contains the individuals JACK and JACKIE, of whom the knowledge engineer knows that 
they are parents. The most specific concepts of JACK and JACKIE in the given ABox are 


Man ⊓ ∃child.Woman and Woman ⊓ ∃child.Man, 


respectively, and the least common subsumer (in EL) of these two concepts w.r.t. the 
definitions of Man and Woman is 


Human ⊓ ∃child.Human, 


which looks like a good starting point for a definition of parent. 

In contrast to standard inferences like subsumption and instance checking, the output 
of the non-standard inferences we have mentioned until now (computing the msc and 
the lcs) is a concept description rather than a yes/no answer. In such a setting, it is 
important that the returned descriptions are as readable and comprehensible as possible. 
Unfortunately, the descriptions that are produced by the known algorithms for computing 
the lcs and the msc do not satisfy this requirement. The reason is that — like most 
algorithms for the standard inference problems — these algorithms work on expanded 
concept descriptions, i.e., concept descriptions that do not contain names defined in the 
underlying TBox. Consequently, the descriptions that the algorithms produce also do 
not use defined concepts, which makes them in many cases large and hard to read and 
comprehend.²⁰ This problem can be overcome by rewriting the resulting concept w.r.t. 
the given TBox. Informally, the problem of rewriting a concept given a terminology can 
be stated as follows: given an acyclic TBox 𝒯 and a concept description C that does not 
contain concept names defined in 𝒯, can this description be rewritten into an equivalent 
shorter description E by using (some of) the names defined in 𝒯? For example, w.r.t. 
the TBox in Figure 3, the concept description 


Person ⊓ ∀child.Female ⊓ ∃child.⊤ ⊓ ∀child.Person 


can be rewritten to the equivalent concept Parent ⊓ ∀child.Woman. 

Rewriting w.r.t. a TBox is just one instance of a more general rewriting framework, 
which will be introduced below. Another instance of this framework is approximation, 
where one tries to express a concept description C₁ defined in one DL ℒ₁ by a concept 
description C₂ expressed in another DL ℒ₂. If ℒ₁ is strictly more expressive than ℒ₂, 
then it is not always possible to find a concept description C₂ that is equivalent to C₁. In 
this case, one can try to approximate C₁ by an ℒ₂ concept description that is as “close” 
as possible to C₁, for example by trying to find an ℒ₂ concept description that subsumes 
C₁ and is minimal w.r.t. subsumption. One possible application for such an inference is 
translating knowledge bases from the language employed by one system into the language 
employed by another system. 

In order to apply the second approach of constructing concepts by modifying existing 
ones, one must first find the right candidates for modification. One way of doing this 
is to give a partial description of the concept to be defined as a concept pattern (i.e., 
a concept description containing variables standing for concept descriptions), and then 
look for concept descriptions that match this pattern. For example, the pattern 


Man ⊓ ∃child.(Man ⊓ X) ⊓ ∃spouse.(Woman ⊓ X) 


looks for descriptions of classes of men whose wives and sons share some characteristic. 
An example of a concept description matching this pattern is Man ⊓ ∃child.(Man ⊓ Tall) ⊓ 
∃spouse.(Woman ⊓ Tall). 

Unification is a generalization of matching where both concepts may contain variables. 
The main motivation for introducing unification in DLs was to avoid redundancies in 
knowledge bases that are built by several knowledge engineers over a long time period. In 
this setting, it frequently happens that the same (intuitive) concept is introduced several 
times, often with slightly differing descriptions. Testing for equivalence of concepts is not 
always sufficient to find out whether, for a given concept description, there already exists 
another concept description in the knowledge base describing the same notion. As an 
example, let us ask whether the following two FL₀ concept descriptions might denote 


²⁰ In the above example, this means that the definitions of Man and Woman are expanded before 
applying the lcs algorithm. If Human also had a definition, then it would also be expanded, and instead 
of the concept description containing Human shown above, the algorithm would return its expanded 
version. 



the same (intuitive) concept: 
∀child.∀child.Rich ⊓ ∀child.Rmr and Acr ⊓ ∀child.Acr ⊓ ∀child.∀spouse.Rich. 


The answer is yes, since replacing the concept name Rmr by the description Rich ⊓ 
∀spouse.Rich and Acr by ∀child.Rich yields the descriptions 


∀child.∀child.Rich ⊓ ∀child.(Rich ⊓ ∀spouse.Rich), 
∀child.Rich ⊓ ∀child.∀child.Rich ⊓ ∀child.∀spouse.Rich, 


which are obviously equivalent. Thus, under the assumption that Rmr stands for “Rich 
and married rich” and Acr for “All children are rich”, we can conclude that both descrip- 
tions are meant to express the concept “All grandchildren are rich and all children are 
rich and married rich”. This connection between the two descriptions can be found by a 
unification algorithm if we declare Rmr and Acr to be variables. Of course, unifiability 
does not necessarily mean that the concept descriptions are meant to represent the same 
concept. Unifiability only suggests that there is a possible connection: the final decision 
must be taken by the knowledge engineer. 


5.2 Least common subsumers and most specific concepts 


Intuitively, the least common subsumer of a given collection of concept descriptions is 
a description that represents the properties that all the elements of the collection have 
in common. More formally, it is the most specific concept description that subsumes 
the given descriptions. What this most specific description looks like, whether it really 
captures the intuition of representing the properties common to the input descriptions, 
and whether it exists at all strongly depends on the DL under consideration. 

Let ℒ be a DL. A concept description E of ℒ is a least common subsumer (lcs) of the 
concept descriptions C₁, ..., C_n in ℒ (lcs_ℒ(C₁, ..., C_n) for short) iff it satisfies 


1. C_i ⊑ E for all i = 1, ..., n, and 


2. E is the least ℒ concept description with this property, i.e., if E′ is an ℒ concept 
description satisfying C_i ⊑ E′ for all i = 1, ..., n, then E ⊑ E′. 


As an easy consequence of this definition, the lcs is unique up to equivalence, which 
justifies talking about the lcs. In addition, the n-ary lcs as defined above can be reduced 
to the binary lcs (the case where n = 2). Indeed, it is easy to see that lcs_ℒ(C₁, ..., C_n) ≡ 
lcs_ℒ(C₁, ..., lcs_ℒ(C_{n−1}, C_n)···). Thus, it is enough to devise algorithms for computing 
the binary lcs. 

It should be noted, however, that the lcs need not always exist. This can have different 
reasons: (a) there may not exist a concept description in ℒ satisfying (i) of the
definition (i.e., subsuming C₁, ..., C_n); (b) there may be several subsumption incomparable 
minimal concept descriptions satisfying (i) of the definition; (c) there may be an infinite 
chain of more and more specific descriptions satisfying (i) of the definition. Obviously, 
(a) cannot occur for DLs containing the top concept. It is easy to see that, for DLs al- 
lowing for conjunction of descriptions, (b) cannot occur. An example for a DL exhibiting 
behavior (c) can be found in [6], where the lcs is defined w.r.t. a cyclic TBox. 

It is also clear that in DLs allowing for disjunction, the lcs of C₁, ..., C_n is their 
disjunction C₁ ⊔ ... ⊔ C_n. In this case, the lcs is not really of interest. Instead of 
Figure 11. The product of EL description trees. Node labels of G_D′: w₀:∅, w₁:{P}, w₂:{P},
w₃:{Q}; node labels of G_C × G_D′: (v₀, w₀):∅, (v₁, w₁):∅, (v₄, w₁):{P}, (v₂, w₂):{P},
(v₃, w₃):{Q}, (v₅, w₃):∅. 


extracting properties common to C₁, ..., C_n, it just gives their disjunction, which does 
not provide us with new information. Thus, it only makes sense to look at the lcs in 
sub-Boolean DLs. 

For DLs whose expressive power lies between FL₀ and ALN, one can use the
characterization of subsumption via finite languages over the alphabet of the role names (see 
Subsection 4.2) to compute the lcs. Recall that any pair of FL₀ concept descriptions 
C, D containing the concept names A₁, ..., A_k can be written as 


C ≡ ∀U₁.A₁ ⊓ ... ⊓ ∀U_k.A_k and D ≡ ∀V₁.A₁ ⊓ ... ⊓ ∀V_k.A_k, 


where U_i, V_i are finite sets of words over the alphabet of all role names, and that C ⊑ D 
iff U_i ⊇ V_i for i = 1, ..., k. As an easy consequence of this characterization we obtain 
that the lcs E of C, D is of the form 


E = ∀(U₁ ∩ V₁).A₁ ⊓ ... ⊓ ∀(U_k ∩ V_k).A_k. 


Using the language-based characterization of subsumption in ALN [106], this approach 
for computing the lcs by language intersection can be extended to ALN [20], but this 
involves the use of certain infinite regular languages. 

For DLs with existential restrictions, the characterization of subsumption via the exis- 
tence of certain simulation relations between description trees (see Subsection 4.2) implies 
that the lcs corresponds to the product of the description trees [25]. The product G_C × G_D 
of two EL description trees G_C and G_D is defined by induction on the depth of the trees. 
Its root is the pair (v₀, w₀) consisting of the roots of G_C and G_D, and the label of (v₀, w₀) 
is the intersection of the labels of v₀ and w₀. For each r-successor v of v₀ in G_C and w of 
w₀ in G_D, we obtain an r-successor (v, w) of (v₀, w₀) in G_C × G_D that is the root of the 
product of the subtree of G_C with root v and the subtree of G_D with root w. 

As an example, the product of the description tree G_C shown in Figure 7 and the 
description tree G_D′ shown in Figure 11 is depicted on the right-hand side of Figure 11. 
Thus, the lcs in EL of the concept descriptions 


C := P ⊓ ∃r.(∃r.(P ⊓ Q) ⊓ ∃s.Q) ⊓ ∃r.(P ⊓ ∃s.P) and D′ := ∃r.(P ⊓ ∃r.P ⊓ ∃s.Q) 


is lcs_EL(C, D′) = ∃r.(∃r.P ⊓ ∃s.Q) ⊓ ∃r.(P ⊓ ∃s.⊤). 
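
The product construction applied to the two descriptions C and D′ above, as an added Python example (not code from the chapter): it builds both description trees, forms their product, prints the result back as a concept description, and confirms with the tree-embedding test for EL subsumption that the product subsumes both inputs. The tuple representation of trees and the function names are assumptions of this example.

```python
def node(labels=(), *edges):
    """EL description tree: (frozenset of concept names, tuple of (role, subtree))."""
    return (frozenset(labels), tuple(edges))


def product(t1, t2):
    """Product of two description trees: intersect the root labels and pair up
    every r-successor of t1 with every r-successor of t2, recursively."""
    labels = t1[0] & t2[0]
    edges = tuple((r1, product(s1, s2))
                  for r1, s1 in t1[1]
                  for r2, s2 in t2[1] if r1 == r2)
    return (labels, edges)


def subsumed_by(c, d):
    """C is subsumed by D iff the tree of D can be mapped into the tree of C:
    the label of each D-node is contained in the label of its image, and every
    r-edge of D is matched by an r-edge of C."""
    return d[0] <= c[0] and all(
        any(r == r2 and subsumed_by(sub_c, sub_d) for r2, sub_c in c[1])
        for r, sub_d in d[1])


def render(tree, top_level=True):
    """Print a description tree as an EL concept description."""
    labels, edges = tree
    parts = sorted(labels) + [f"∃{r}.{render(s, False)}" for r, s in edges]
    if not parts:
        return "⊤"
    text = " ⊓ ".join(parts)
    return text if top_level or len(parts) == 1 else f"({text})"


# C := P ⊓ ∃r.(∃r.(P ⊓ Q) ⊓ ∃s.Q) ⊓ ∃r.(P ⊓ ∃s.P)
G_C = node({"P"},
           ("r", node((), ("r", node({"P", "Q"})), ("s", node({"Q"})))),
           ("r", node({"P"}, ("s", node({"P"})))))

# D' := ∃r.(P ⊓ ∃r.P ⊓ ∃s.Q)
G_D1 = node((), ("r", node({"P"}, ("r", node({"P"})), ("s", node({"Q"})))))

LCS = product(G_C, G_D1)

if __name__ == "__main__":
    print(render(LCS))
```

The product has one successor per pair of equally labelled edges, so iterating the binary lcs over n descriptions can produce a tree whose size grows exponentially in n.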
This approach of computing the lcs as a product of description trees can be extended 
to ALE [25] and to ALEN [108]. The main difference is that the concept descriptions 
must be normalized appropriately before building the description trees. 

Now, we come to the formal definition of the most specific concept. Let ℒ be a DL. 
The ℒ concept description E is the most specific concept (msc) in ℒ of the individual a 
in the ℒ ABox 𝒜 (msc_ℒ(a) for short) iff 


1. 𝒜 ⊨ E(a), and 


2. E is the least concept satisfying (i), i.e., if E′ is an ℒ concept description satisfying 
𝒜 ⊨ E′(a) then E ⊑ E′. 


As with the lcs, the msc is unique up to equivalence, if it exists. In contrast to the lcs, 
which usually exists for standard DLs, the msc does not always exist in EL, ALN, and 
ALE. This is due to the presence of so-called role cycles in the ABox. For example, 
w.r.t. the ABox 

{loves(NARCIS, NARCIS), Vain(NARCIS)}, 


the individual NARCIS does not have an msc in EL. In fact, assume that E is the msc 
of NARCIS. Then E has a finite role depth, i.e., a finite maximal number of nestings of 
existential restrictions. If this role depth is smaller than n, then E is not subsumed by 
the EL concept description 


E′ := ∃loves.···∃loves.Vain   (n times), 


in spite of the fact that NARCIS is an instance of E’. The same example works for ALE, 
and a similar one can be given for ALN [20]. 

One way to overcome this problem is to allow for cyclic TBoxes interpreted with 
greatest fixpoint semantics. In the above example, the defined concept $\mathsf{Narcis} \equiv \mathsf{Vain} \sqcap \exists \mathsf{loves}.\mathsf{Narcis}$
is then an msc of the individual NARCIS. In order to employ this approach
in the bottom-up construction of DL knowledge bases, one must allow these knowledge 
bases to contain cyclic definitions. Thus, also the subsumption problem and the problem 
of computing the lcs must be solved w.r.t. cyclic definitions interpreted with greatest 
fixpoint semantics. In [106, 20], this is done for ALN, and in [9, 7] for EL. The 
appropriate treatment of cyclic TBoxes in ALE is still an open problem. 

Another possibility is to approximate the msc by restricting the attention to concept 
descriptions whose role depth is bounded by a fixed number k [53, 107]. 


5.3 Matching and unification 


Concept patterns are concept descriptions in which concept variables (usually denoted by 
X,Y, etc.) may occur in place of concept names. The main difference between concept 
names and concept variables is that the latter can be replaced by concept descriptions 
when applying a substitution. 

For example, $D := P \sqcap X \sqcap \forall r.(Y \sqcap \forall r.X)$ is a concept pattern containing the concept
variables $X$ and $Y$. By applying the substitution $\sigma := \{X \mapsto Q, Y \mapsto \forall r.P\}$ to it, we
obtain the concept description

$$\sigma(D) = P \sqcap Q \sqcap \forall r.(\forall r.P \sqcap \forall r.Q).$$

Let $\mathcal{L}$ be a DL. An $\mathcal{L}$ unification problem is of the form

$$C_1 \equiv^? D_1, \ldots, C_n \equiv^? D_n,$$

where $C_1, \ldots, D_n$ are $\mathcal{L}$ concept patterns. A unifier of this problem is a substitution $\sigma$
such that $\sigma(C_i) \equiv \sigma(D_i)$ for $i = 1, \ldots, n$.

For unification, the only results available until now are for the small DL $\mathcal{FL}_0$ and
its extension $\mathcal{FL}_{reg}$ by the role constructors union, composition, and reflexive-transitive
closure. In [28], it is shown that deciding unifiability of $\mathcal{FL}_0$-patterns is an EXPTIME-complete
problem, and in [22] this result is extended to $\mathcal{FL}_{reg}$ and its extension with
$\bot$. In the following, we sketch how the results for unification in $\mathcal{FL}_0$ can be obtained.
As shown in [28], we can without loss of generality restrict the attention to unification
problems consisting of a single equation $C \equiv^? D$. Using the language-based normal form
of $\mathcal{FL}_0$ concept descriptions, we can write the patterns $C, D$ in the form

$$C \equiv \forall S_{0,1}.A_1 \sqcap \cdots \sqcap \forall S_{0,k}.A_k \sqcap \forall S_1.X_1 \sqcap \cdots \sqcap \forall S_n.X_n,$$
$$D \equiv \forall T_{0,1}.A_1 \sqcap \cdots \sqcap \forall T_{0,k}.A_k \sqcap \forall T_1.X_1 \sqcap \cdots \sqcap \forall T_n.X_n,$$

where $A_1, \ldots, A_k$ are the concept names and $X_1, \ldots, X_n$ the concept variables occurring
in $C, D$, and $S_{0,i}, S_j, T_{0,i}, T_j$ ($i = 1, \ldots, k$, $j = 1, \ldots, n$) are finite sets of words over the
alphabet of all role names. In [28], it is shown that $C \equiv^? D$ has a unifier iff for all
$i = 1, \ldots, k$, the linear language equation

$$S_{0,i} \cup S_1 X_{1,i} \cup \cdots \cup S_n X_{n,i} = T_{0,i} \cup T_1 X_{1,i} \cup \cdots \cup T_n X_{n,i}$$

has a solution, i.e., we can substitute the variables $X_{j,i}$ by finite languages such that
the equation holds. Note that this is not a system of $k$ equations that must be solved
simultaneously: since they do not share variables, each of these equations can be solved
separately.

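Let us illustrate the connection between $\mathcal{FL}_0$ unification problems and linear language
equations by a simple example. The normal forms of the concept patterns

$$C := \forall r.(A_1 \sqcap \forall r.A_2) \sqcap \forall r.\forall s.X_1 \quad\text{and}\quad D := \forall r.\forall s.(\forall s.A_1 \sqcap \forall r.A_2) \sqcap \forall r.X_1 \sqcap \forall r.\forall r.A_2$$

are

$$C \equiv \forall\{r\}.A_1 \sqcap \forall\{rr\}.A_2 \sqcap \forall\{rs\}.X_1 \quad\text{and}\quad D \equiv \forall\{rss\}.A_1 \sqcap \forall\{rsr, rr\}.A_2 \sqcap \forall\{r\}.X_1.$$

Thus, the unification problem $C \equiv^? D$ leads to the two linear language equations

$$\{r\} \cup \{rs\} X_{1,1} = \{rss\} \cup \{r\} X_{1,1},$$
$$\{rr\} \cup \{rs\} X_{1,2} = \{rsr, rr\} \cup \{r\} X_{1,2}.$$

The first equation (the one for $A_1$) has $X_{1,1} = \{\varepsilon, s\}$ as a solution, and the second (the
one for $A_2$) has $X_{1,2} = \{r\}$ as a solution. These two solutions yield the following unifier
of $C \equiv^? D$:

$$\{X_1 \mapsto A_1 \sqcap \forall s.A_1 \sqcap \forall r.A_2\}.$$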
By an exponential time reduction to the emptiness problem of top-down automata on
finite trees it is shown in [28] that solvability of linear language equations of the form
introduced above can be decided in exponential time. EXPTIME-hardness is shown by
a reduction from the intersection emptiness problem for deterministic top-down tree
automata. This shows that solvability of $\mathcal{FL}_0$ unification problems is an EXPTIME-complete
problem. In [22], these results are extended to $\mathcal{FL}_{reg}$. Basically, instead of
linear language equations over finite sets, one obtains linear language equations over
regular sets, and uses automata working on infinite trees to solve them.
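
The reduction from the unification example above to linear language equations, as an added example that is not code from [28]: it computes the language-based normal forms and then searches for finite-language solutions by bounded brute force rather than by the tree-automata construction. The tuple encoding, the function names and the length bound `max_len` are assumptions of this sketch.

```python
from itertools import combinations, product

# Patterns as nested tuples: ("name", "A1") concept name, ("var", "X1") concept
# variable, ("all", "r", C) for the value restriction ∀r.C, ("and", C1, ..., Cn).
# Assumption: role names are single characters, so a role word is a plain string.

def normal_form(concept, prefix=""):
    """Language-based normal form: map every atom (name or variable) to the set
    of role words w for which ∀w.atom is a conjunct of the pattern."""
    kind = concept[0]
    if kind in ("name", "var"):
        return {concept: {prefix}}
    if kind == "all":
        return normal_form(concept[2], prefix + concept[1])
    merged = {}
    for part in concept[1:]:
        for atom, words in normal_form(part, prefix).items():
            merged.setdefault(atom, set()).update(words)
    return merged

def concat(left, right):
    """Concatenation of two finite languages."""
    return {u + v for u in left for v in right}

def equation_side(nf, name, assignment):
    """S_{0,i} ∪ S_1 X_{1,i} ∪ ... ∪ S_n X_{n,i} for the concept name A_i = name."""
    language = set(nf.get(("name", name), ()))
    for (kind, atom), words in nf.items():
        if kind == "var":
            language |= concat(words, assignment[atom])
    return language

def finite_languages(roles, max_len):
    """All sets of words of length <= max_len, smallest sets first."""
    words = ["".join(w) for n in range(max_len + 1) for w in product(roles, repeat=n)]
    return [set(c) for size in range(len(words) + 1) for c in combinations(words, size)]

def unify(c, d, roles, max_len=1):
    """Solve one language equation per concept name by bounded search.
    Returns {variable: {concept name: language}}, or None if no solution exists
    within the bound (None does not prove that the patterns are not unifiable)."""
    nf_c, nf_d = normal_form(c), normal_form(d)
    atoms = set(nf_c) | set(nf_d)
    names = sorted(a for kind, a in atoms if kind == "name")
    variables = sorted(a for kind, a in atoms if kind == "var")
    candidates = finite_languages(roles, max_len)
    unifier = {x: {} for x in variables}
    for name in names:  # the equations share no variables: solve them separately
        for choice in product(candidates, repeat=len(variables)):
            assignment = dict(zip(variables, choice))
            if equation_side(nf_c, name, assignment) == equation_side(nf_d, name, assignment):
                for x in variables:
                    unifier[x][name] = assignment[x]
                break
        else:
            return None
    return unifier

# The page's example patterns C and D, written in the tuple encoding above.
A1, A2, X1 = ("name", "A1"), ("name", "A2"), ("var", "X1")
C = ("and", ("all", "r", ("and", A1, ("all", "r", A2))), ("all", "r", ("all", "s", X1)))
D = ("and", ("all", "r", ("all", "s", ("and", ("all", "s", A1), ("all", "r", A2)))),
     ("all", "r", X1), ("all", "r", ("all", "r", A2)))

if __name__ == "__main__":
    print(unify(C, D, roles="rs"))
```

In the result, the language assigned to a variable for the concept name $A_i$ is the set $X_{j,i}$; the empty string stands for the empty word $\varepsilon$.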

An extension of these results to more expressive DLs, such as ALC, appears to be very
hard. This is supported by the fact that research on unification in modal logics has also
not yet produced results on unification in K. In modal logic, unification can be seen as a
special case of testing for the admissibility of an inference rule (see Chapter 8 for more
details and references). The rule

$$\frac{\alpha_1(x_1, \ldots, x_n), \ldots, \alpha_m(x_1, \ldots, x_n)}{\beta(x_1, \ldots, x_n)}$$

is called admissible in a logic $\mathcal{L}$ iff every substitution of the $x_i$ by formulae making
$\alpha_1, \ldots, \alpha_m$ valid also makes $\beta$ valid. If $\mathcal{L}$ is consistent, then the rule $\alpha(x_1, \ldots, x_n)/\bot$ is
admissible iff $\alpha(x_1, \ldots, x_n) \equiv^? \top$ is not unifiable. If the logic is propositionally closed,
then all unification problems can be brought into this form. Consequently, decidability
of the admissible inference rule problem (e.g., in K4, Grz) implies decidability of the
unification problem.

Kracht also shows in Chapter 8 that admissibility of inference rules can be reduced to 
unification if every unification problem has a computable finite complete set of unifiers 
(see [32] for the relevant definitions from unification theory). Using Ghilardi’s results 
that unification in K4, S4, and intuitionistic logic is finitary in this sense [76, 75], this
shows that admissibility of inference rules is decidable for intuitionistic logic. It should
be noted, however, that these results consider only elementary unification, i.e., unification
without free constants. In the DL setting introduced above, this means that they do
not allow for concept names in concept descriptions (only concept variables). Also note
that unification in $\mathcal{FL}_0$ is not finitary [2]. For the modal logic K, decidability of both
admissibility of inference rules and unification are open problems (and generally assumed 
to be very hard). 

Matching can be seen as a special case of unification where the left-hand sides of
the unification problem are concept descriptions, i.e., the concept descriptions $C_i$ in
$C_i \equiv^? D_i$ do not contain variables. For DLs that are propositionally closed, unification
can be reduced to matching. Indeed, it is easy to see that the equation $C \equiv^? D$ has the
same solutions as $\top \equiv^? (C \sqcap D) \sqcup (\neg C \sqcap \neg D)$. Thus, for ALC, matching is as hard as
unification. For sub-Boolean DLs, matching can be significantly easier than unification
(see below).

In [39], a different notion of matching, called matching modulo subsumption, was introduced.²¹
In this setting, a matching problem is of the form $C \sqsubseteq^? D$ where $C$ is a concept
description and $D$ a concept pattern. A matcher is then a substitution $\sigma$ such that
$C \sqsubseteq \sigma(D)$. Since $C \sqsubseteq \sigma(D)$ iff $C \sqcap \sigma(D) \equiv C$, and $C \sqcap \sigma(D) = \sigma(C) \sqcap \sigma(D) = \sigma(C \sqcap D)$,
this matching problem modulo subsumption can be reduced to the following matching
problem modulo equivalence: $C \equiv^? C \sqcap D$.

However, in many cases, matching modulo subsumption is simpler than matching
modulo equivalence since it can be reduced to the subsumption problem. This is the case
for DLs that allow for $\top$ and where all constructors are monotonic, i.e., replacing their
arguments by larger ones w.r.t. subsumption yields a larger description. An example of
a monotonic constructor is conjunction: if $C \sqsubseteq C'$ and $D \sqsubseteq D'$, then $C \sqcap D \sqsubseteq C' \sqcap D'$.
Other examples are value and existential restrictions as well as disjunction. For such a
DL, $C \sqsubseteq^? D$ has a matcher iff the substitution $\sigma_\top$ that replaces all variables by $\top$ is
a matcher, i.e., if $C \sqsubseteq \sigma_\top(D)$. In fact, monotonicity of the constructors implies that
$\sigma(D) \sqsubseteq \sigma_\top(D)$ holds for all substitutions $\sigma$, and thus whenever there is a matcher $\sigma$,
then $\sigma_\top$ is also a matcher. Also note that matching cannot be simpler than subsumption
since the matching problem $C \sqsubseteq^? D$ where $D$ does not contain variables has a solution
if $C \sqsubseteq D$.

²¹ In the following, we call matching problems of the form $C \equiv^? D$ matching problems modulo equivalence
to distinguish them from matching problems modulo subsumption.

In the context of matching modulo subsumption, one is, however, usually not interested
in arbitrary solutions, and in particular not in the trivial largest one $\sigma_\top$, but rather in
minimal ones, i.e., in matchers $\sigma$ of $C \sqsubseteq^? D$ such that there does not exist another
substitution $\delta$ such that $C \sqsubseteq \delta(D) \sqsubset \sigma(D)$ (see [39] for a motivation). Computing
minimal matchers may again be harder than simply testing whether the trivial solution
candidate $\sigma_\top$ is indeed a matcher.

In [28], the language-based approach for unification is used to show that solvability
of matching problems modulo equivalence (and thus also modulo subsumption) in $\mathcal{FL}_0$
can be decided in polynomial time, and that minimal matchers of matching problems
modulo subsumption are unique up to equivalence and can be computed in polynomial
time. In [23], this result is extended to ALN.²² Matching in EL and ALE is considered in
[21]. For both DLs, matching modulo equivalence is NP-complete. As explained above,
the complexity of matching modulo subsumption coincides with the complexity of the
subsumption problem, i.e., it is polynomial for EL and NP-complete for ALE. In the
following, we consider the complexity of matching modulo equivalence in EL and ALE
in some more detail. NP-hardness of matching in ALE is an immediate consequence of
NP-hardness of subsumption in ALE.
NP-hardness of matching modulo equivalence in EL is shown in [21] by a reduction
from SAT. Let $\varphi = \gamma_1 \wedge \cdots \wedge \gamma_m$ be a propositional formula in conjunctive normal form
and let $\{p_1, \ldots, p_n\}$ be the propositional variables of this problem. For these variables,
we introduce the concept variables $\{X_1, \ldots, X_n, \overline{X}_1, \ldots, \overline{X}_n\}$. Furthermore, we need
concept names $A$ and $B$ as well as role names $r_1, \ldots, r_n$ and $s_1, \ldots, s_m$. First, we specify
a matching problem $C_n \equiv^? D_n$ that encodes the truth values of the $n$ propositional
variables:

$$C_n := \exists r_1.A \sqcap \exists r_1.B \sqcap \cdots \sqcap \exists r_n.A \sqcap \exists r_n.B$$
$$D_n := \exists r_1.X_1 \sqcap \exists r_1.\overline{X}_1 \sqcap \cdots \sqcap \exists r_n.X_n \sqcap \exists r_n.\overline{X}_n.$$

The matchers of this problem are exactly the substitutions that replace $X_i$ by $A$ and $\overline{X}_i$
by $B$ (corresponding to $p_i = \mathit{true}$), or vice versa (corresponding to $p_i = \mathit{false}$).

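In order to encode $\varphi$, we introduce a concept pattern $D_{\gamma_i}$ for each clause $\gamma_i$. For
example, if $\gamma_i = p_1 \vee \neg p_2 \vee p_3 \vee \neg p_4$, then $D_{\gamma_i} := X_1 \sqcap \overline{X}_2 \sqcap X_3 \sqcap \overline{X}_4 \sqcap B$. The whole
formula is then represented by the matching problem $C_\varphi \equiv^? D_\varphi$, where

$$C_\varphi := \exists s_1.(A \sqcap B) \sqcap \cdots \sqcap \exists s_m.(A \sqcap B) \quad\text{and}\quad D_\varphi := \exists s_1.D_{\gamma_1} \sqcap \cdots \sqcap \exists s_m.D_{\gamma_m}.$$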


This matching problem ensures that, among all the variables in $D_{\gamma_i}$, at least one must
be replaced by $A$. This corresponds to the fact that, within one clause $\gamma_i$, there must
be at least one literal that evaluates to true. Note that we need the concept $B$ in $D_{\gamma_i}$ to
cover the case where all variables in $D_{\gamma_i}$ are substituted with $A$. If we combine the two
matching problems introduced above into a single problem $C_n \sqcap C_\varphi \equiv^? D_n \sqcap D_\varphi$, then it
is easy to verify that $\varphi$ is satisfiable iff this matching problem is solvable.

²² In the presence of atomic negation one defines patterns such that atomic negation may not be applied to
variables, and thus atomic negation does not destroy the monotonicity property introduced above.

$$C := W \sqcap \exists c.(W \sqcap \exists c.(W \sqcap D) \sqcap \exists c.(W \sqcap P)) \sqcap \exists c.(W \sqcap D \sqcap \exists c.(W \sqcap P))$$
$$D := W \sqcap \exists c.(X \sqcap \exists c.(W \sqcap Y)) \sqcap \exists c.(X \sqcap Y)$$

$G_C$: root $v_0 : W$ with $c$-successors $v_1 : W$ and $v_2 : W, D$; $v_1$ has the $c$-successors $v_3 : W, D$ and $v_4 : W, P$; $v_2$ has the $c$-successor $v_5 : W, P$.
$G_D$: root $w_0 : W$ with $c$-successors $w_1 : X$ and $w_2 : X, Y$; $w_1$ has the $c$-successor $w_3 : W, Y$.

Figure 12. An EL concept description and an EL concept pattern, and the corresponding
description trees.

Membership in NP for matching modulo equivalence in EL and ALE is an easy consequence
of the following two (non-trivial) facts [21]. If an EL or ALE matching problem
modulo equivalence has a matcher, then it has one of size polynomially bounded by the
size of the problem. Furthermore, this matcher uses only concept and role names already
contained in the matching problem. Thus, one can simply guess a substitution satisfying
the given size bound, and then test (in P for EL and in NP for ALE) whether it is a
matcher.

Of course, this NP-algorithm for testing solvability of a matching problem does not
yield a practical algorithm for actually computing matchers. A more practical algorithm
that computes all minimal matchers of EL and ALE matching problems modulo subsumption
is based on the characterization of subsumption through the existence of a
homomorphism (i.e., a simulation relation that is a function) between the corresponding
description trees [25]. As an example, consider the EL matching problem $C \sqsubseteq^? D$ for
the concept description $C$ and the concept pattern $D$ depicted in Figure 12. Readers not
liking such abstract examples may read W as Woman, D as Doctor, P as Professor, and c
as child. Thus, the pattern describes concepts consisting of women that have (i) a child
satisfying some property $X$ and having a female child satisfying some property $Y$, and
(ii) a child satisfying both $X$ and $Y$.

When considering homomorphisms between the description trees of a concept pattern
and a concept description, we simply ignore the concept variables, i.e., the inclusion
condition between the labels does not take variables into account. In our example, there
are six homomorphisms from $G_D$ into $G_C$. We consider the ones mapping $w_i$ onto $v_i$ for
$i = 0, 1, 2$, and $w_3$ onto $v_3$ or $w_3$ onto $v_4$, which we denote by $h_1$ and $h_2$, respectively.

The matching algorithm described in [21] tries to construct substitutions $\tau$ such that
$C \sqsubseteq \tau(D)$, i.e., there is a homomorphism from $G_{\tau(D)}$ into $G_C$. This is achieved by first
computing all homomorphisms from $G_D$ into $G_C$. Assume that the node $w$ in $G_D$, whose
label contains $X$, is mapped onto the node $v$ of $G_C$. The idea is then to substitute $X$
with the concept description corresponding to the subtree of $G_C$ starting with the node $v$.
We will denote this description by $C_v$ in the following. The remaining problem is that a
variable $X$ may occur more than once in $D$, and thus nodes containing $X$ may be mapped
to several nodes in $G_C$. Thus, we cannot simply define $\tau(X)$ as $C_{h(w)}$ where $w$ is such that
$X$ occurs in the label of $w$. Since there may exist several nodes $w$ with this property, we
take the least common subsumer of the corresponding parts of $C$. The reason for taking
the least common subsumer is that we want to compute minimal matchers.


In our example, the homomorphism $h_1$ yields the substitution $\tau_1$:

$$\tau_1(X) := \mathrm{lcs}(C_{v_1}, C_{v_2}) = W \sqcap \exists c.(W \sqcap P), \qquad \tau_1(Y) := \mathrm{lcs}(C_{v_2}, C_{v_3}) = W \sqcap D,$$

whereas $h_2$ yields the substitution $\tau_2$:

$$\tau_2(X) := \mathrm{lcs}(C_{v_1}, C_{v_2}) = W \sqcap \exists c.(W \sqcap P), \qquad \tau_2(Y) := \mathrm{lcs}(C_{v_2}, C_{v_4}) = W.$$

The algorithm is guaranteed to compute all minimal matchers, but may also compute
some non-minimal ones, which must be removed in a post-processing step. In our example,
the substitution $\tau_1$ is a minimal matcher, but $\tau_2$ is not minimal. In general, a
given matching problem modulo subsumption may have exponentially many inequivalent
minimal matchers, and the size of these minimal matchers may also be exponential in
the size of the matching problem [21].
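
The homomorphism-based procedure above, run on the Figure 12 example, together with the product construction of the lcs from Section 5.2 that it relies on. This is an added example, not code from [21] or [25]; the `Node` class and all function names are assumptions of this sketch, and the post-processing step compares the instances $\tau(D)$ of the computed candidates only.

```python
from itertools import product

class Node:
    """Node of an EL description tree: concept names, concept variables, role edges."""
    def __init__(self, names=(), edges=(), variables=()):
        self.names, self.variables = frozenset(names), frozenset(variables)
        self.edges = list(edges)  # (role, child Node) pairs

def lcs(a, b):
    """Least common subsumer: the product of the two description trees."""
    return Node(a.names & b.names,
                [(r, lcs(x, y)) for r, x in a.edges for s, y in b.edges if r == s])

def subsumed(c, d):
    """C ⊑ D iff G_D maps homomorphically into G_C (variables are ignored)."""
    return d.names <= c.names and all(
        any(r == s and subsumed(x, y) for s, x in c.edges) for r, y in d.edges)

def equivalent(a, b):
    return subsumed(a, b) and subsumed(b, a)

def homomorphisms(w, v):
    """All homomorphisms from the pattern tree at w into the tree at v, each
    given as a list of (pattern node, image node) pairs."""
    if not w.names <= v.names:
        return []
    per_edge = [[h for s, target in v.edges if s == r for h in homomorphisms(child, target)]
                for r, child in w.edges]
    return [[(w, v)] + [pair for part in combo for pair in part]
            for combo in product(*per_edge)]

def candidate_matchers(pattern, concept):
    """One substitution per homomorphism h: tau(X) is the lcs of the subtrees
    C_h(w) over all pattern nodes w whose label contains X."""
    result = []
    for h in homomorphisms(pattern, concept):
        tau = {}
        for w, v in h:
            for x in w.variables:
                tau[x] = lcs(tau[x], v) if x in tau else v
        result.append(tau)
    return result

def substitute(w, tau):
    """Apply tau to a pattern tree by merging tau(X) into every node labelled X."""
    names = set(w.names)
    edges = [(r, substitute(child, tau)) for r, child in w.edges]
    for x in w.variables:
        names |= tau[x].names
        edges += tau[x].edges
    return Node(names, edges)

def minimal_matchers(pattern, concept):
    """Post-processing: drop tau if another candidate gives a strictly more
    specific instance of the pattern, then drop equivalent duplicates."""
    cands = [(tau, substitute(pattern, tau)) for tau in candidate_matchers(pattern, concept)]
    kept = []
    for tau, inst in cands:
        if any(subsumed(other, inst) and not subsumed(inst, other) for _, other in cands):
            continue
        if not any(all(equivalent(tau[x], t[x]) for x in tau) for t in kept):
            kept.append(tau)
    return kept

# Description trees of Figure 12 (G_C and G_D), built bottom-up.
v3, v4, v5 = Node({"W", "D"}), Node({"W", "P"}), Node({"W", "P"})
v1, v2 = Node({"W"}, [("c", v3), ("c", v4)]), Node({"W", "D"}, [("c", v5)])
C_TREE = Node({"W"}, [("c", v1), ("c", v2)])
w3 = Node({"W"}, variables={"Y"})
w1, w2 = Node((), [("c", w3)], variables={"X"}), Node((), variables={"X", "Y"})
D_PATTERN = Node({"W"}, [("c", w1), ("c", w2)])

if __name__ == "__main__":
    print(len(homomorphisms(D_PATTERN, C_TREE)), "homomorphisms,",
          len(minimal_matchers(D_PATTERN, C_TREE)), "minimal matcher(s)")
```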


5.4 Rewriting and approximation 


In [26], a very general framework for rewriting in DLs is introduced, which has several
interesting instances. In order to introduce this framework, we fix a set $N_R$ of role names
and a set $N_P$ of primitive concept names. Now, let $\mathcal{L}_s$, $\mathcal{L}_d$, and $\mathcal{L}_t$ be three DLs (the
source-, destination-, and TBox-DL, respectively). A rewriting problem is given by

• an $\mathcal{L}_t$ TBox $\mathcal{T}$ containing only role names from $N_R$ and primitive concepts from
$N_P$; the set of defined concepts occurring in $\mathcal{T}$ is denoted by $N_D$;

• an $\mathcal{L}_s$ concept description $C$ using only the names from $N_R$ and $N_P$;

• a binary relation $\rho$ between $\mathcal{L}_s$ concept descriptions and $\mathcal{L}_d$ concept descriptions.

An $\mathcal{L}_d$ rewriting of $C$ using $\mathcal{T}$ is an $\mathcal{L}_d$ concept description $E$ built using role names from
$N_R$ and concept names from $N_P \cup N_D$ such that $C \rho E$. Given an appropriate ordering
$\preceq$ on $\mathcal{L}_d$ concept descriptions, a rewriting $E$ is called $\preceq$-minimal iff there does not exist
a rewriting $E'$ such that $E' \prec E$.

To illustrate the use of this general framework by examples, we consider two of its
instances in more detail: the minimal rewriting problem and the approximation problem.


Minimal rewriting


This is the instance of the framework where (i) all three DLs are the same language $\mathcal{L}$;
(ii) the TBox $\mathcal{T}$ is acyclic; (iii) the binary relation $\rho$ corresponds to equivalence w.r.t.
the TBox; and (iv) $\mathcal{L}$ concept descriptions are ordered by size, i.e., $E \preceq E'$ iff $|E| \le |E'|$.
The size $|E|$ of a concept description $E$ is defined to be the number of occurrences of
concept and role names in $E$.

In order to determine the complexity of the minimal rewriting problem, Baader et al.
[26] first analyse the decision problem induced by this optimization problem for a given
DL $\mathcal{L}$: given an $\mathcal{L}$ concept description $C$, an acyclic $\mathcal{L}$ TBox $\mathcal{T}$, and a nonnegative integer
$k$, does there exist an $\mathcal{L}$ rewriting $E$ of $C$ using $\mathcal{T}$ such that $|E| \le k$? Since this decision
problem can obviously be reduced to the problem of computing a minimal rewriting
of $C$ using $\mathcal{T}$, hardness results for the decision problem carry over to the optimization
problem.

For ALC, this decision problem is PSPACE-hard since the PSPACE-complete subsumption
problem can be reduced to it. Indeed, let $C, D$ be two ALC concept descriptions,
and $A, P_1, P_2$ three different concept names not occurring in $C, D$. Then $C \sqsubseteq D$ iff there
exists a minimal rewriting of size 1 of the ALC concept description $P_1 \sqcap P_2 \sqcap C$ using
the TBox $\mathcal{T} := \{A \equiv P_1 \sqcap P_2 \sqcap C \sqcap D\}$ [26]. The two concept names $P_1$ and $P_2$ are
introduced to ensure that the size of the concept description to be rewritten is strictly
larger than the size of $A$.

However, subsumption is not the only source of complexity for the minimal rewriting 
problem. In fact, even for the small DL FLo, for which subsumption of concept de- 
scriptions and w.r.t. expanded TBoxes is polynomial, the rewriting problem (using an 
expanded TBox) is NP-hard. This is shown in [26] by a reduction from the set cover 
problem. 

For an arbitrary DL $\mathcal{L}$, the minimal rewriting decision problem can obviously be decided
by a non-deterministic polynomial time algorithm that uses an oracle for subsumption.
This algorithm just guesses an $\mathcal{L}$ concept description over the available vocabulary
and of size at most $k$, and then checks whether this description is equivalent to the
input description modulo the TBox. For ALC, this shows that the minimal rewriting
decision problem is PSPACE-complete. It can also be used to show that the problem is
NP-complete for $\mathcal{FL}_0$ (see [26] for details).

Let us now come to the problem of actually computing minimal rewritings. The 
hardness results mentioned above imply that computing one minimal rewriting is already 
a hard problem. In addition, the following simple example shows that the number of 
minimal rewritings of a concept description C using a TBox T can be exponential in the 
size of C and T. 

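For a nonnegative integer $n$, let $C_n := P_1 \sqcap \cdots \sqcap P_n$ and $\mathcal{T}_n := \{A_i \equiv P_i \mid 1 \le i \le n\}$.
For each vector $\mathbf{i} = (i_1, \ldots, i_n) \in \{0,1\}^n$, we define

$$E_{\mathbf{i}} := \bigsqcap_{1 \le j \le n,\ i_j = 0} P_j \ \sqcap \bigsqcap_{1 \le j \le n,\ i_j = 1} A_j.$$

Obviously, for all $\mathbf{i} \in \{0,1\}^n$, $E_{\mathbf{i}}$ is a rewriting of $C_n$ of size $|E_{\mathbf{i}}| = n = |C_n|$. Furthermore,
it is easy to see that there does not exist a smaller rewriting of $C_n$ using $\mathcal{T}_n$. Hence, there
exists an exponential number of different minimal rewritings of $C_n$ using $\mathcal{T}_n$.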

A naïve algorithm for computing one minimal rewriting would enumerate all concept
descriptions $E$ of size $k = 1$, then $k = 2$, etc., until a rewriting $E_0$ of $C$ using $\mathcal{T}$ is
encountered. By construction, this rewriting is minimal, and since $C$ is a rewriting of
itself, one need not consider sizes larger than $|C|$. If one is interested in computing all
minimal rewritings, it remains to enumerate all concept descriptions of size $|E_0|$, and test
for each of them whether they are equivalent to $C$ modulo $\mathcal{T}$. Obviously, this algorithm
is not practical.

The main idea underlying the more practical algorithm described in [26] is the following.
For a given input description $C$, one splits the computation of rewritings into
two steps:

• Compute an extension $C^*$ of $C$. Such an extension is obtained from $C$ by conjoining
defined concepts at some positions of $C$ while making sure that $C \equiv_{\mathcal{T}} C^*$ holds.

• Compute a reduction $\widehat{C}$ of $C^*$. Such a reduction is obtained from $C^*$ by removing
certain parts of $C^*$ while making sure that $C^* \equiv_{\mathcal{T}} \widehat{C}$ holds.

The exact definitions of the right notions of extension and reduction depend, of course,
on the DL under consideration. In [26], these definitions are given for ALE. It is shown
that the algorithm obtained this way computes only rewritings of the input description,
and that all minimal rewritings are among the computed rewritings. In addition, [26]
describes a more efficient heuristic algorithm that is not guaranteed to find minimal
rewritings, but behaves quite well in practice. Basically, this algorithm uses a greedy
strategy in the extension step, i.e., it conjoins as many defined concepts as possible to
each position of $C$.


Approximation 


This is the instance of the framework where (i) $\mathcal{T}$ is empty, and thus $\mathcal{L}_t$ is irrelevant; (ii)
both $\rho$ and $\preceq$ are the subsumption relation $\sqsubseteq$. In this case, we talk about approximation
rather than rewriting. Given two DLs $\mathcal{L}_s$ and $\mathcal{L}_d$, an $\mathcal{L}_d$ approximation of an $\mathcal{L}_s$ concept
description $C$ is thus an $\mathcal{L}_d$ concept description $D$ such that $C \sqsubseteq D$ and $D$ is minimal
(w.r.t. subsumption) with this property.

The case where $\mathcal{L}_s$ = ALC and $\mathcal{L}_d$ = ALE is investigated in [48]. Recall that the
only difference between ALC and ALE is that disjunction is disallowed in ALE concept
descriptions.²³ If $C_1, C_2$ are ALE concept descriptions, then it is easy to see that the
approximation of the ALC concept description $C_1 \sqcup C_2$ by an ALE concept description is
$\mathrm{lcs}_{\mathcal{ALE}}(C_1, C_2)$. This suggests the following approach for approximating an ALC concept
description $C$ by an ALE concept description: just replace every disjunction in $C$ by an
application of the lcs operation. The following example demonstrates that this approach
is too naive: let $C := (\forall r.B \sqcup (\exists r.B \sqcap \forall r.A)) \sqcap \exists r.A$. If we replace the disjunction by an
lcs operation and then compute the lcs, we obtain the ALE concept description

$$\mathrm{lcs}_{\mathcal{ALE}}(\forall r.B, (\exists r.B \sqcap \forall r.A)) \sqcap \exists r.A \equiv \top \sqcap \exists r.A \equiv \exists r.A.$$

However, this concept description is too general. It is easy to see that $C \sqsubseteq \exists r.(A \sqcap B) \sqsubset \exists r.A$.
In fact, $\exists r.(A \sqcap B)$ is the correct approximation.

²³ Here we assume without loss of generality that all ALC concept descriptions are in negation normal
form where negation occurs only in front of concept names.

In order to overcome this problem, the ALC concept description has to be transformed
into an appropriate normal form. Basically, this normal form is obtained by distributing
conjunctions over disjunctions, and by applying the rule $\forall r.C \sqcap \forall r.D \longrightarrow \forall r.(C \sqcap D)$. For
the example from above, the normal form is

$$C \equiv (\forall r.B \sqcap \exists r.A) \sqcup (\exists r.B \sqcap \forall r.A \sqcap \exists r.A),$$

and $\mathrm{lcs}_{\mathcal{ALE}}(\forall r.B \sqcap \exists r.A, \exists r.B \sqcap \forall r.A \sqcap \exists r.A) \equiv \exists r.(A \sqcap B)$.

However, even for ALC concept descriptions in this normal form, one cannot simply
replace disjunction by the lcs operation to obtain their ALE approximation. Consider
the ALC concept description $C' = \exists r.A \sqcap \exists r.B \sqcap \forall r.(\neg A \sqcup \neg B)$. If we simply replace the
disjunction by the lcs, then we obtain $\exists r.A \sqcap \exists r.B \sqcap \forall r.\top \equiv \exists r.A \sqcap \exists r.B$. However, $C'$ is
also subsumed by the more specific ALE concept description $\exists r.(A \sqcap \neg B) \sqcap \exists r.(B \sqcap \neg A)$.
This problem can be overcome by also propagating value restrictions onto existential
restrictions. An approximation algorithm based on these ideas is described in [48].
It is shown that every ALC concept description has an ALE approximation, and this
approximation is unique up to equivalence, i.e., there is always a least approximation.
However, the size of the approximation may grow exponentially with the size of the
input description. The algorithm for computing the approximation given in [48] runs in
doubly-exponential time, and it is not clear whether this time bound can be improved.
In [47], these results are extended to the approximation of ALCN concept descriptions
by ALEN concept descriptions.


6 NON-STANDARD EXPRESSIVITY 


As discussed in Section 2, many expressive means of description logics have a counterpart 
in modal logic. In this section, we discuss two expressive means that are important for 
DLs, but lack a direct modal counterpart: concrete domains and role value maps. 


6.1 Concrete Domains 


The purpose of concrete domains is to enable the definition of concept descriptions with 
reference to concrete qualities of real-world objects such as their age, weight, temperature, 
and spatial extension. For example, we may define a teenager as a human whose age is 
between 10 and 19, or formulate a GCI stating that the age of a child is always smaller 
than the age of its parents. Representing concrete qualities and constraints of this form 
is necessary in almost all applications of description logics, such as reasoning about the 
semantic web [19] and about conceptual database models [114]. For this reason, even 
early DL systems such as MESON [68] and CLASSIC [44] addressed the issue of representing 
concrete qualities. However, these early approaches were of a rather ad hoc nature. 
The first approach that was fully (and formally) integrated with a description logic was 
presented by Baader and Hanschke [14], who proposed to extend the description logic 
ALC with so-called concrete domains. 


Definitions 


A concrete domain $\mathcal{D}$ is a pair $(\Delta_{\mathcal{D}}, \Phi_{\mathcal{D}})$ consisting of a non-empty set $\Delta_{\mathcal{D}}$ and a collection
$\Phi_{\mathcal{D}}$ of predicate names such that each predicate $P \in \Phi_{\mathcal{D}}$ is equipped with an arity $n$
and a fixed extension $P^{\mathcal{D}} \subseteq (\Delta_{\mathcal{D}})^n$. Slightly abusing notation, we will sometimes refer to
the set $\Delta_{\mathcal{D}}$ as the concrete domain. In contrast, the domain $\Delta^{\mathcal{I}}$ of interpretations $\mathcal{I}$ will
be called the abstract domain. For many application areas, the most interesting concrete
domains are numerical ones. A typical numerical concrete domain is $\mathsf{Q} = (\mathbb{Q}, \Phi_{\mathsf{Q}})$, where
$\mathbb{Q}$ denotes the rational numbers, and $\Phi_{\mathsf{Q}}$ is comprised of the following predicates:

• unary predicates $P_q$ for each $P \in \{<, \le, =, \ne, \ge, >\}$ and each $q \in \mathbb{Q}$ with $(P_q)^{\mathsf{Q}} = \{q' \in \mathbb{Q} \mid q' \, P \, q\}$;

• binary predicates $<, \le, =, \ne, \ge, >$ with the obvious extensions;

• a ternary predicate $+$ with $(+)^{\mathsf{Q}} = \{(q, q', q'') \in \mathbb{Q}^3 \mid q + q' = q''\}$.


By integrating a concrete domain $\mathcal{D}$ into ALC, we obtain the basic description logic
with concrete domains ALC($\mathcal{D}$). More precisely, ALC($\mathcal{D}$) is obtained from ALC by
augmenting it with

• abstract features: a new sort of roles that is interpreted as a partial function from
$\Delta^{\mathcal{I}}$ to $\Delta^{\mathcal{I}}$; abstract features can be used inside value restrictions and existential
restrictions;

• concrete features: a new sort of roles that is interpreted as a partial function from
the abstract domain $\Delta^{\mathcal{I}}$ into the concrete domain $\Delta_{\mathcal{D}}$; concrete features cannot
be used inside value restrictions and existential restrictions;

• a new concept constructor $P(u_1, \ldots, u_n)$, where $P \in \Phi_{\mathcal{D}}$ is a predicate of arity $n$,
and each $u_i$ is an expression $f_1 \circ \cdots \circ f_k \circ g$ with $f_1, \ldots, f_k$ ($k \ge 0$) abstract features
and $g$ a concrete feature. In the following, such expressions will be called concrete
paths. The semantics of the new constructor is

$$P(u_1, \ldots, u_n)^{\mathcal{I}} := \{d \in \Delta^{\mathcal{I}} \mid \exists x_1, \ldots, x_n \in \Delta_{\mathcal{D}} : u_i^{\mathcal{I}}(d) = x_i \text{ for } 1 \le i \le n \text{ and } (x_1, \ldots, x_n) \in P^{\mathcal{D}}\},$$

where the interpretation $u^{\mathcal{I}}$ of a concrete path $u = f_1 \circ \cdots \circ f_k \circ g$ is defined as the
partial function that maps $d \in \Delta^{\mathcal{I}}$ to $g^{\mathcal{I}}(f_k^{\mathcal{I}}(\cdots(f_1^{\mathcal{I}}(d))\cdots))$.


Using the concrete domain $\mathsf{Q}$, the teenagers mentioned above can now be defined as

$$\mathsf{Teenager} \equiv \mathsf{Human} \sqcap {>_9}(\mathsf{age}) \sqcap {<_{20}}(\mathsf{age})$$

where age is a concrete feature. Similarly, the constraint saying that the age of children
is smaller than the age of their parents can be formulated as

$$\top \sqsubseteq {<}(\mathsf{age}, \mathsf{mother} \circ \mathsf{age}) \sqcap {<}(\mathsf{age}, \mathsf{father} \circ \mathsf{age}),$$

where mother and father are abstract features.

There is a slight difference between the logic ALC($\mathcal{D}$) as defined here and the original
version introduced in [14]: Baader and Hanschke’s variant uses only a single type of
feature whose interpretation is a partial function from $\Delta^{\mathcal{I}}$ to $\Delta^{\mathcal{I}} \cup \Delta_{\mathcal{D}}$. Thus, this type
of feature combines our abstract and concrete features into one sort. In the literature,
both versions of ALC($\mathcal{D}$) are considered. All results discussed in this section hold for both
versions. Also note that the assumption that ALC is extended with only one concrete
domain can be made without loss of generality, as it is shown in [14] that multiple
concrete domains can be combined into a single one. In the world of modal logic, the
closest relatives to DLs with concrete domains are linear temporal logics with constraints,
see for example [33, 60].


Basic Results


When considering a description logic that is equipped with concrete domains, it is most 
desirable to obtain decidability results and complexity bounds that do not depend on 
a particular concrete domain, but rather apply to a class of concrete domains that is 
as large as possible. The first (decidability) result in this spirit was given by Baader 
and Hanschke in their original paper. Their result concerns the satisfiability of ALC(D)
concept descriptions, where the concrete domain D is only required to satisfy some weak 
conditions. These conditions are derived from the fact that any satisfiability algorithm 
not committing itself to a particular concrete domain must call some concrete domain 
reasoner as a subprocedure via a well-defined interface. This observation leads to the 
notion of admissibility. 

Let $\mathcal{D}$ be a concrete domain and $V$ a countably infinite set of variables. A $\mathcal{D}$-conjunction
is a predicate conjunction of the form


where $P_i \in \Phi_{\mathcal{D}}$ is an $n_i$-ary predicate for each $i < k$ and the $x_j^{(i)}$ are variables from $V$.
A $\mathcal{D}$-conjunction $c$ is satisfiable iff there exists a function $\delta$ mapping the variables in $c$
to elements of $\Delta_{\mathcal{D}}$ such that $(\delta(x_0^{(i)}), \ldots, \delta(x_{n_i}^{(i)})) \in P_i^{\mathcal{D}}$ for each $i < k$. We say that the
concrete domain $\mathcal{D}$ is admissible iff

1. its set of predicates is closed under negation²⁴ and contains a name $\top_{\mathcal{D}}$ for $\Delta_{\mathcal{D}}$,
and

2. the satisfiability of $\mathcal{D}$-conjunctions is decidable.

We refer to the satisfiability of $\mathcal{D}$-conjunctions as $\mathcal{D}$-satisfiability. Property 1 of admissibility
has to be satisfied since ALC($\mathcal{D}$) provides for negation: for example, the
concept description $C := {=}(g_1, g_1) \sqcap {=}(g_2, g_2) \sqcap \neg{<}(g_1, g_2)$ is such that $d \in C^{\mathcal{I}}$ implies
$g_1^{\mathcal{I}}(d) \ge g_2^{\mathcal{I}}(d)$ without explicitly using the “$\ge$” predicate,²⁵ and such information must
be conveyed to the concrete domain reasoner. Note that the concrete domain $\mathsf{Q}$ presented
above can easily be extended to satisfy Property 1 of admissibility: simply add
predicates $\top_{\mathsf{Q}}$, $\bot_{\mathsf{Q}}$, and $\overline{+}$ (i.e., the negation of “$+$”) with the obvious extensions. Let
$\mathsf{Q}^*$ denote the extended version of $\mathsf{Q}$. By using a reduction to linear programming, it is
straightforward to show that $\mathsf{Q}^*$-satisfiability is decidable in polynomial time [115], and
thus $\mathsf{Q}^*$ is admissible.

The basic decidability result for ALC(D) given by Baader and Hanschke states that 
satisfiability (and thus also subsumption) of ALC(D)-concept descriptions is decidable if 
D is admissible [14]. The complexity of this problem has been analyzed by Lutz [113], 
who proved PSPACE-completeness under the assumption that D is admissible and D- 
satisfiability is in PSPACE. Thus if D-satisfiability is in PSPACE, then adding concrete 
domains to ALC does not increase the complexity of reasoning. Since Q*-satisfiability is 
a polynomial time problem, we obtain PSPACE-completeness for the instance ALC(Q*) 
of ALC(D). A discussion of the complexity of D-satisfiability for a variety of numerical, 
temporal, and spatial concrete domains can be found in [115, 112]. 


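24 I.e., for each $P \in \Phi^{\mathcal{D}}$ of arity n, we find a $\overline{P} \in \Phi^{\mathcal{D}}$ with $\overline{P}^{\mathcal{D}} = (\Delta^{\mathcal{D}})^n \setminus P^{\mathcal{D}}$.
25 The first two conjuncts are needed to ensure that $g_1^{\mathcal{I}}(d)$ and $g_2^{\mathcal{I}}(d)$ are actually defined.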

When TBoxes are admitted, the complexity of reasoning increases drastically. We first
consider acyclic TBoxes. As discussed in Section 2.2, satisfiability and subsumption w.r.t.
acyclic TBoxes can be reduced to satisfiability w.r.t. the empty TBox using expansion.
Thus, we obtain decidability of ALC(D) reasoning w.r.t. acyclic TBoxes if D is admissible.
Since expansion is worst-case exponential, we also obtain an EXPSPACE upper bound if
D-satisfiability is in PSPACE. In the case of ALC without concrete domains, this upper
bound can be improved to a PSPACE one. Quite surprisingly, we can only push down
the EXPSPACE upper bound to a NEXPTIME one in the case of ALC(D): as proved
in [117], there exists a concrete domain D such that D-satisfiability is in PTIME and
satisfiability in ALC(D) w.r.t. acyclic TBoxes is NEXPTIME-hard. A matching upper
bound states that satisfiability in ALC(D) w.r.t. acyclic TBoxes is in NEXPTIME if D
is admissible and D-satisfiability is in NP [117]. For subsumption, this yields analogous 
co-NEXPTIME bounds. 

The jump in complexity from PSPACE-complete to NEXPTIME-complete that is in- 
duced by adding acyclic TBoxes to ALC(D) is due to the fact that this addition increases 
the succinctness of ALC(D) (but not the expressivity). The NEXPTIME lower bound has 
been proved by reduction of a NEXPTIME-complete variant of the Post Correspondence 
Problem (PCP). As we cannot describe the reduction in full detail here, we sketch only 
how it makes use of the succinctness of acyclic TBoxes. The key observation is that it 
is possible to devise an acyclic TBox of size O(k) that enforces models (of the concept
name $L_0$) to contain a binary tree of depth k such that left successors are reachable via
the abstract feature $\ell$ and right successors are reachable via the abstract feature r:


$$L_0 \doteq \exists \ell.L_1 \sqcap \exists r.L_1, \quad \ldots, \quad L_{k-1} \doteq \exists \ell.L_k \sqcap \exists r.L_k.$$


Without TBoxes, such a tree can only be enforced with a concept of length exponential in 
k. For the reduction, we add concept definitions expressing that the (exponentially many) 
leaves of the tree are connected via a chain of concrete domain predicates. For example, 
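if we augment the above TBox with the following concept definitions and consider models
of the conjunction $L_0 \sqcap C_0$, then we enforce that each leaf has a smaller number stored
in the concrete feature g than all leaves that are to the right of it:


$$\begin{aligned}
C_0 &\doteq {<}(\ell r^{k-1} g,\ r \ell^{k-1} g) \sqcap \forall \ell.C_1 \sqcap \forall r.C_1, \\
C_{k-2} &\doteq {<}(\ell r g,\ r \ell g) \sqcap \forall \ell.C_{k-1} \sqcap \forall r.C_{k-1}, \\
C_{k-1} &\doteq {<}(\ell g,\ r g).
\end{aligned}$$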


Intuitively, the exponentially long chain of concrete domain predicates connecting the 
leaves can now be used to simulate the exponentially time-bounded computation of a 
Turing machine, or to talk about the concatenation of words in a PCP. 
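
The succinctness argument above can be checked mechanically. The following Python sketch is an added example, not part of the original chapter: it builds the tree TBox for a given k, expands the concept name L0, and lists the pairs of leaves that the definitions C_0, ..., C_{k-1} relate. The tuple encoding of concepts and all function names are assumptions of the example.

```python
from itertools import product

def tree_tbox(k):
    """Acyclic TBox L_i = (some l. L_{i+1}) and (some r. L_{i+1}) for 0 <= i < k.

    L_k is left undefined, i.e. it stays a primitive concept name.
    """
    return {f"L{i}": ("and", ("some", "l", f"L{i + 1}"), ("some", "r", f"L{i + 1}"))
            for i in range(k)}

def size(concept):
    """Symbols in a concept term: one per concept name, role name and constructor."""
    if isinstance(concept, str):
        return 1
    return 1 + sum(size(part) for part in concept[1:])

def tbox_size(tbox):
    """One symbol for each defined name plus the size of its definition."""
    return sum(1 + size(definition) for definition in tbox.values())

def expand(concept, tbox):
    """Expansion: replace defined names by their definitions until none is left."""
    if isinstance(concept, str):
        return expand(tbox[concept], tbox) if concept in tbox else concept
    if concept[0] == "some":
        return ("some", concept[1], expand(concept[2], tbox))
    return ("and",) + tuple(expand(part, tbox) for part in concept[1:])

def leaves(k):
    """Leaf paths of the depth-k tree, left to right ('l' sorts before 'r')."""
    return sorted("".join(p) for p in product("lr", repeat=k))

def chain_constraints(k):
    """Pairs (u, v) of leaf paths related by <(u g, v g) through C_0, ..., C_{k-1}.

    C_i holds at every node of depth i (reached by a path p over {l, r}) and
    compares the rightmost leaf below p.l with the leftmost leaf below p.r.
    """
    pairs = []
    for i in range(k):
        for p in product("lr", repeat=i):
            prefix = "".join(p)
            pairs.append((prefix + "l" + "r" * (k - i - 1),
                          prefix + "r" + "l" * (k - i - 1)))
    return sorted(pairs)

if __name__ == "__main__":
    print("k  TBox size  expanded size  chain length")
    for k in (2, 5, 10):
        tbox = tree_tbox(k)
        print(k, tbox_size(tbox), size(expand("L0", tbox)), len(chain_constraints(k)))
```

The TBox grows linearly in k while the expansion of L0 doubles with every level, and the 2^k - 1 constraints link each leaf to its right neighbour, which is the exponentially long chain used in the reduction.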

We now consider reasoning in ALC(D) with respect to GCIs, starting with a closely
related result: let $\mathcal{ALC}^{+}(\mathcal{D})$ be the extension of ALC(D) with a transitive closure operator
on roles and abstract features. Baader and Hanschke [16] prove that reasoning in
$\mathcal{ALC}^{+}(\mathcal{R})$ w.r.t. the empty TBox is undecidable, where R is the concrete domain of real
numbers with predicates based on Tarski algebra [149]. Their proof can easily be adapted
to reasoning in ALC(R) w.r.t. GCIs, which is thus also undecidable. This adaptation is
performed in [117], where a more general result is obtained: satisfiability (and thus also
subsumption) in ALC(D) w.r.t. GCIs is undecidable if the concrete domain D satisfies
$\mathbb{N} \subseteq \Delta^{\mathcal{D}}$, and $\Phi^{\mathcal{D}}$ provides for a unary predicate for equality with 0, a binary equality
predicate, and a binary predicate for incrementation. Thus, reasoning in ALC(Q) w.r.t.
GCIs is undecidable since, in Q, incrementation can be expressed using the predicates
“$=_1$” and “+”. There are two ways of overcoming this rather disappointing result: either
use a less powerful concrete domain constructor or very carefully choose the concrete
domain.

The first approach was adopted, among others, by Moller et al. [80] and by Horrocks
and Sattler [95, 130]. The restriction usually imposed on the concrete domain constructor
is to allow only concrete features inside the concrete domain constructor instead of
concrete paths of arbitrary length. In the following, the variant of ALC(D) obtained by
this restriction will be called path-free. A particular form of path-freeness is to admit only
unary predicates as proposed in [95]: in this case, reasoning in ALC(D) can be reduced
to reasoning in path-free ALC(D) by replacing each concept description $P(f_1 \circ \cdots \circ f_k \circ g)$
with the equivalent path-free one $\exists f_1.\exists f_2.\cdots\exists f_k.P(g)$. In [78] and [130], it is shown
that reasoning in SHN(D) and SHOQ(D), the extensions of two expressive fragments
of SHOIQ by concrete domains, is decidable w.r.t. GCIs if path-freeness is assumed and
the concrete domain D is admissible. A more general result has been obtained in Section
5.3 of [27], where it is shown that any description logic $\mathcal{L}$ such that (i) satisfiability in
$\mathcal{L}$ w.r.t. GCIs is decidable and (ii) $\mathcal{L}$'s class of interpretations is closed under disjoint
unions (see [27] for details) can be extended with the path-free variant of the concrete
domain constructor without losing decidability, provided that the concrete domain is
admissible. Indeed, the “harmlessness” of the path-free concrete domain constructor is
not very surprising since dropping concrete paths deprives concrete domains of most of
their expressive power. For this reason, the complexity of reasoning w.r.t. GCIs in a
DL incorporating path-free concrete domains is often not harder than the corresponding
problem without concrete domains (if it dominates the complexity of D-satisfiability).
For example, in Section 2.4.1 of [112], it is shown that satisfiability in path-free ALC(D)
w.r.t. GCIs is EXPTIME-complete if D is admissible and D-satisfiability is in EXPTIME.

The second approach to overcome undecidability of ALC(D) with GCIs is to keep the
original version of the concrete domain constructor and identify concrete domains that
do not destroy decidability of reasoning if combined with GCIs. The first positive result
following this route was established in [116], where a concrete domain C (for comparison)
is considered that is based on the rational numbers $\mathbb{Q} = \Delta^{\mathsf{C}}$, and provides for the binary
predicates $<, \leq, =, \neq, \geq$, and $>$. It is shown that satisfiability (and thus also subsumption)
in ALC(C) w.r.t. GCIs is EXPTIME-complete, and that an analogous result holds
for an interval-based temporal concrete domain. In [111], these results are further improved:
first, the concrete domain C is extended to $\mathsf{C}^{+}$, which additionally admits unary
predicates $=_q$ for each $q \in \mathbb{Q}$; and second, the description logic is extended from ALC(D)
to SHIQ(D), i.e. SHOIQ without nominals, but with the concrete domain $\mathsf{C}^{+}$. For this
extended logic, an EXPTIME result analogous to the one stated above is established. A
more general result is proved in [120], where a property of concrete domains is identified
that is sufficient for decidability of ALC(D) with GCIs: a concrete domain D is called
ω-admissible if it satisfies all of the following:


• D has only binary predicates;


• D has compactness: an infinite D-conjunction is satisfiable if and only if every finite
sub-conjunction is satisfiable;

• D has the patchwork property, which is defined as follows. A D-conjunction c is
complete iff, for all variables x, y occurring in c, c contains exactly one conjunct
P(x, y) and exactly one conjunct P(y, x). Then, D has the patchwork property
if the union of two satisfiable and complete D-conjunctions that agree w.r.t. the
conjuncts P(x, y) and P(y, x) w.r.t. all shared variables x, y is satisfiable.


The concrete domain C and the temporal concrete domain based on time intervals considered
in [116] are ω-admissible. Additionally, it is shown in [120] that a spatial concrete
domain based on the topological RCC8 relations is also ω-admissible, and therefore the
corresponding incarnation of ALC(D) is decidable with GCIs. The result in [120] for DLs
with ω-admissible concrete domains is established using a tableau algorithm and does
not yield tight upper complexity bounds.


Roles in the Concrete Domain Constructor 


The reader may wonder why the concrete domain constructor is introduced along with
abstract features, instead of admitting normal roles in concrete paths. Indeed, this
variant of concrete domains has also been considered by Hanschke [82]: a concrete role
path is an expression $r_1 \circ \cdots \circ r_n \circ g$ with $r_1, \ldots, r_n$ roles and g a concrete feature. Then
we may extend ALC with the concept constructors $\forall R_1, \ldots, R_k.P$ and $\exists R_1, \ldots, R_k.P$,
where $R_1, \ldots, R_k$ are concrete role paths and $P \in \Phi^{\mathcal{D}}$ is a predicate of arity k. The
semantics of these constructors is as follows:

$$\begin{aligned}
(\forall R_1, \ldots, R_k.P)^{\mathcal{I}} := \{ d \in \Delta^{\mathcal{I}} \mid{} & \forall x_1, \ldots, x_k \in \Delta^{\mathcal{D}} : \\
& (d, x_i) \in R_i^{\mathcal{I}} \text{ for } 1 \leq i \leq k \text{ implies } (x_1, \ldots, x_k) \in P^{\mathcal{D}} \} \\
(\exists R_1, \ldots, R_k.P)^{\mathcal{I}} := \{ d \in \Delta^{\mathcal{I}} \mid{} & \exists x_1, \ldots, x_k \in \Delta^{\mathcal{D}} : \\
& (d, x_i) \in R_i^{\mathcal{I}} \text{ for } 1 \leq i \leq k \text{ and } (x_1, \ldots, x_k) \in P^{\mathcal{D}} \}
\end{aligned}$$

where the interpretation $R^{\mathcal{I}}$ of concrete role paths R is defined in the obvious way
through relational composition.²⁶ The resulting DL is called ALCP(D). Reasoning
with ALCP(D) concept descriptions has been proved to be decidable in [82]. When
investigating the complexity of ALCP(D), it becomes clear that the restriction to abstract
features inside the concrete domain constructor has computational advantages: it is
shown in [117] that there exists a concrete domain D such that D-satisfiability is in
PTIME and satisfiability of ALCP(D) concept descriptions is NEXPTIME-hard. Again, a
matching upper bound is obtained for the case where D-satisfiability is in NP. This should
be contrasted with the PSPACE-completeness of satisfiability of concept descriptions in
ALC(D).

We have seen that both the generalized concrete domain constructor and acyclic 
TBoxes are seemingly moderate extensions of ALC(D) that make reasoning considerably
harder. Other such extensions include inverse roles, role conjunction, nominals, and a 
concrete domain role constructor [117, 118]. Thus, the PSPACE upper bound of ALC(D) 
is not robust w.r.t. extensions of the language. 


Uniqueness Constraints and Functional Dependencies 


Uniqueness constraints (sometimes also called identification constraints and keys) and
functional dependencies play an important role in the database area, and are also useful
in connection with concrete domains [118, 119].²⁷ Say, for example, that there exists a
concrete feature socnum associating humans with their social security number. Then,
if a human is American, this person should be uniquely identified by this number: no
other instance of the concept name American should have the same value of the concrete
feature socnum. This corresponds to a uniqueness constraint. As another example, we
may want to enforce that all books having the same ISBN number share the same title.
This is a functional dependency, i.e. the value of the ISBN number determines the title
in a functional way. It is not a uniqueness constraint since different books may have the
same ISBN number (say, two different copies of the “Handbook of Modal Logic”).

26 In ALC(D) with only functional roles inside the concrete domain constructor, the universal version
of this constructor can be defined in terms of the existential one (see e.g. [113]).

In the following, we concentrate on uniqueness constraints. A key box is a finite set
of uniqueness constraints $(u_1, \ldots, u_n \text{ keyfor } C)$, where $u_1, \ldots, u_n$ are concrete paths and
C is a concept description. An interpretation $\mathcal{I}$ satisfies $(u_1, \ldots, u_n \text{ keyfor } C)$ if, for all
$d, e \in C^{\mathcal{I}}$,


$$u_i^{\mathcal{I}}(d) = u_i^{\mathcal{I}}(e) \text{ for } 1 \leq i \leq n \quad \text{implies} \quad d = e,$$


and it is a model of a key box $\mathcal{K}$ if it satisfies all uniqueness constraints in $\mathcal{K}$. In the
presence of key boxes, we are interested in the satisfiability of a concept description w.r.t.
a TBox and a key box, i.e. in joint models of all three components (and similarly for
subsumption).

It is interesting to note that there is a close relationship between nominals and key
boxes. For example, if used together with the uniqueness constraint $(g \text{ keyfor } \top)$, the
ALC(Q) concept description $\exists g.{=_q}$ behaves similarly to a nominal for each $q \in \mathbb{Q}$: it is
interpreted by a set of cardinality at most one. Key boxes are strong enough to render
reasoning in ALC(D) undecidable [118]: satisfiability of ALC(D) concept descriptions
w.r.t. key boxes is undecidable (even without TBoxes) if the concrete domain D satisfies
$\mathbb{N} \subseteq \Delta^{\mathcal{D}}$ and $\Phi^{\mathcal{D}}$ provides a unary predicate for equality with 0, a binary equality
predicate, and a binary predicate for incrementation. Note that this result is similar to
the undecidability of satisfiability in ALC(D) w.r.t. GCIs.

Decidability can be regained by allowing only Boolean combinations of concept names 
inside uniqueness constraints. Key boxes satisfying this property are called Boolean. 
Even w.r.t. Boolean key boxes, reasoning is much harder than reasoning without key 
boxes: there exists a concrete domain D such that D-satisfiability is in PTIME and 
satisfiability of ALC(D) concept descriptions w.r.t. Boolean key boxes is NEXPTIME- 
hard [118]. This high complexity cannot even be reduced if paths are restricted to length 
one inside ALC(D) concept descriptions and key boxes (path-freeness). The matching 
upper bound relies on a modified notion of admissibility, called key-admissibility. Roughly
speaking, a concrete domain is key-admissible if it is admissible and provides for a binary
equality predicate. The original definition given in [118] is slightly more general, but
too complex to be repeated here. In [118] it is shown that satisfiability of ALC(D)
concept descriptions w.r.t. Boolean key boxes is in NEXPTIME if D is key-admissible
and D-satisfiability is in NP. In the same work, a more powerful DL with concrete
domains, SHOQ(D), is also extended with key boxes, and a decidability result for the
path-free case is established (where D is required to be key-admissible, but key boxes are not
expected to be Boolean).

In the case of functional dependencies, quite similar results can be established. We 
refer to [119] for more details. 


27 They can also be used in description logics without concrete domains, cf. [41, 49, 103, 151].

Aggregation


Aggregation is a useful mechanism available in many expressive conceptual modelling 
formalisms such as database schema languages and query languages. The use of aggre- 
gation in the context of concrete domains has been proposed in [31]. As an example, 
consider the following description of a process and its subprocesses: 


$$\mathit{Process} \sqcap {\geq_0}(\mathit{duration}) \sqcap \forall \mathit{subproc}.(\mathit{Process} \sqcap {\geq_0}(\mathit{duration})).$$


The aggregation function “sum” is needed if we want to express that the duration of the 
mother process is identical to the sum of the durations of its subprocesses (of which there 
may be arbitrarily many). 

A concrete domain with aggregation is a concrete domain that, additionally, provides
for a set of aggregation functions agg(D), where each $\Gamma \in \mathrm{agg}(\mathcal{D})$ is associated with a
partial function $\Gamma^{\mathcal{D}}$ from the set of finite multisets over $\Delta^{\mathcal{D}}$ into $\Delta^{\mathcal{D}}$. To distinguish
concrete domains with aggregation from those without, we denote the former with $\Sigma$.
Typical aggregation functions are min, max, sum, count, and average. The set of ALC($\Sigma$)
concept descriptions is now defined in the same way as ALC(D) concept descriptions,
except that aggregated features may be used in place of concrete features, where an
aggregated feature is an expression $\Gamma(r \circ g)$ with r a role, g a concrete feature, and $\Gamma$
an aggregation function from $\Sigma$. The semantics of aggregated features is defined via
multisets: for each interpretation $\mathcal{I}$ and each $d \in \Delta^{\mathcal{I}}$ such that the set $\{e \mid (d,e) \in r^{\mathcal{I}}\}$
is finite, we use $M_d^{r \circ g}$ to denote the multiset that, for each $z \in \Delta^{\mathcal{D}}$, contains z exactly
$|\{e \mid (d,e) \in r^{\mathcal{I}} \text{ and } g^{\mathcal{I}}(e) = z\}|$ times. The semantics of aggregated features is now
defined as follows:


$$(\Gamma(r \circ g))^{\mathcal{I}}(d) := \begin{cases} \Gamma^{\mathcal{D}}(M_d^{r \circ g}) & \text{if } \{e \mid (d,e) \in r^{\mathcal{I}}\} \text{ is finite} \\ \text{undefined} & \text{otherwise.} \end{cases}$$

Returning to the initial example, we can now express the fact that the duration of the
mother process is identical to the sum of the durations of all its subprocesses by writing
$=(\mathit{duration}, \mathit{sum}(\mathit{subproc} \circ \mathit{duration}))$. The investigations performed by Baader and Sattler
[31] reveal that the expressive power provided by aggregation functions is hard to tame in
order to obtain a decidable formalism: for concrete domains with aggregation $\Sigma$ where (i)
$\mathbb{N} \subseteq \Delta^{\Sigma}$, (ii) $\Phi^{\Sigma}$ contains a (unary) predicate for equality with 1 and a (binary) equality
predicate, and (iii) agg($\Sigma$) contains min, max, and sum, satisfiability of ALC($\Sigma$) concept
descriptions is undecidable. This lower bound applies even if we admit only conjunction,
the $\forall r.C$ constructor, and the concrete domain constructor, but drop all other concept
constructors. Rather strong measures have to be taken to regain decidability: either we
have to drop the $\forall r.C$ constructor from the language, thus obtaining a sub-Boolean DL,
or we have to confine ourselves to “well-behaved” aggregation functions such as min and
max, of which there exist only very few. More details can be found in [31].
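
The multiset semantics of aggregated features can be made concrete on a finite interpretation. The Python sketch below is an added example, not part of the original chapter; the process names and durations are constructed, and it assumes that sum and count are defined on the empty multiset (with value 0) while min and max are undefined there.

```python
from collections import Counter

def multiset(d, role, feature):
    """M_d^{r o g}: value z occurs once for every r-successor e of d with g(e) = z.

    Successors on which the concrete feature is undefined contribute nothing.
    """
    return Counter(feature[e] for (x, e) in role if x == d and e in feature)

# Aggregation functions as partial functions on finite multisets (None = undefined).
def agg_sum(m):
    return sum(z * n for z, n in m.items())

def agg_count(m):
    return sum(m.values())

def agg_min(m):
    return min(m) if m else None

def agg_max(m):
    return max(m) if m else None

def aggregated(agg, role, feature):
    """Interpretation of the aggregated feature agg(role o feature) as a partial function."""
    return lambda d: agg(multiset(d, role, feature))

def agree(domain, u, v):
    """Extension of =(u, v): elements where both values are defined and equal."""
    result = set()
    for d in domain:
        a, b = u(d), v(d)
        if a is not None and b is not None and a == b:
            result.add(d)
    return result

# Constructed interpretation: 'build' has two subprocesses of equal duration.
DURATION = {"build": 6, "design": 3, "test": 3,
            "ship": 5, "pack": 2, "send": 4, "idle": 0}
SUBPROC = {("build", "design"), ("build", "test"),
           ("ship", "pack"), ("ship", "send")}
DOMAIN = set(DURATION) | {"memo"}          # 'memo' has no duration at all

def duration_is_sum_of_subprocesses():
    """Extension of =(duration, sum(subproc o duration))."""
    return agree(DOMAIN, DURATION.get, aggregated(agg_sum, SUBPROC, DURATION))

if __name__ == "__main__":
    print(multiset("build", SUBPROC, DURATION))      # the value 3 occurs twice
    print(sorted(duration_is_sum_of_subprocesses()))
```

Summing over the set of values instead of the multiset would give 3 for `build` and drop it from the extension, which is why the semantics counts multiplicities.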


6.2 Role Value Maps 


Role value maps are a family of concept constructors that were available in the first
description logic system, KL-ONE [45], and have since then been considered in several
variations. The original and most powerful variant of role value maps has later been
found to cause undecidability, even if used with quite weak (sub-Boolean) description
logics such as the one available in the KL-ONE system.

To define role value maps, we must introduce the notion of a path, i.e., a composition
$r_1 \circ \cdots \circ r_k$ of role names. If R and S are paths, then the expression $(R \subseteq S)$ is a
containment role value map and $(R = S)$ is an equality role value map. To extend ALC
with role value maps, we admit them as additional concept constructors. The resulting
description logic is denoted $\mathcal{ALC}^{\mathsf{rvm}}$. The semantics of the additional concept constructors
is as follows:


$$\begin{aligned}
(R \subseteq S)^{\mathcal{I}} &= \{d \in \Delta^{\mathcal{I}} \mid \forall e.\,(d,e) \in R^{\mathcal{I}} \text{ implies } (d,e) \in S^{\mathcal{I}}\}, \\
(R = S)^{\mathcal{I}} &= \{d \in \Delta^{\mathcal{I}} \mid \forall e.\,(d,e) \in R^{\mathcal{I}} \text{ iff } (d,e) \in S^{\mathcal{I}}\},
\end{aligned}$$

where the interpretation $R^{\mathcal{I}}$ of paths R is defined in the obvious way through relational
composition. For example, the concept description $\mathit{Person} \sqcap (\mathit{child} \circ \mathit{friend} \subseteq \mathit{knows})$
describes persons knowing all the friends of their children.

Though there appears to be no direct modal counterpart to role value maps as a
concept constructor, there is a connection to modal reduction principles as discussed in
Chapter 7. Modal reduction principles (MRPs) are axioms of the form $Mp \to Np$, where
M and N are sequences of modal operators $\Box_i$ and $\Diamond_i$ [152]. We call an MRP box-only
if M and N are non-empty sequences of box operators. There is a close correspondence
between normal modal logics axiomatized by box-only MRPs and $\mathcal{ALC}^{\mathsf{rvm}}$: it follows
from Sahlqvist’s completeness theorem that normal modal logics axiomatized by a box-only
MRP $\varphi = \Box_{i_1} \cdots \Box_{i_n} p \to \Box_{j_1} \cdots \Box_{j_m} p$ are characterized by the class of frames
that validates $\varphi$; moreover, it is a routine task to show that the same class of frames is
determined by all models of the GCI $\top \sqsubseteq (r_{j_1} \circ \cdots \circ r_{j_m} \subseteq r_{i_1} \circ \cdots \circ r_{i_n})$. There is also a
close connection between role value maps and so-called grammar logics [58], which will
be discussed in more detail below.


Undecidability 


Reasoning in the first description logic system KL-ONE was initially believed to be in
PTIME. However, in 1989 Schmidt-Schauß was able to show that it is undecidable,
identifying role value maps as the main culprit [141]. More precisely, Schmidt-Schauß
proves that, even in the description logic $\mathcal{FL}_0^{\mathsf{rvm}}$ providing only for the constructors
conjunction, value restriction, and role value maps, subsumption w.r.t. the empty TBox
is undecidable.

The proof of Schmidt-Schauß uses a reduction of the word problem for groups. We
present here a slight variation that reduces the word problem for semigroups [36].²⁸ For
simplicity, we first show undecidability of $\mathcal{FL}_0^{\mathsf{rvm}}$ w.r.t. GCIs, and then eliminate the GCIs
from the reduction. A finitely presented semigroup S is given in the form of defining
identities $s_1 = t_1, \ldots, s_m = t_m$, where the $s_i$ and $t_i$ are words over some finite alphabet
$\Sigma$. Then the word problem is to decide, given S and words s and t, whether s = t holds
in S, i.e., whether the identity s = t can be derived from the defining identities of S and
the usual axioms for semigroups. For the reduction, we view the symbols $r_1, \ldots, r_k$ of $\Sigma$
as role names and construct a set of GCIs $\mathcal{T}_S$ and a concept description $D_{s,t}$ as follows:


$$\begin{aligned}
\mathcal{T}_S &:= \{\top \sqsubseteq (s_1 = t_1) \sqcap \cdots \sqcap (s_m = t_m)\} \\
D_{s,t} &:= (s = t)
\end{aligned}$$


Then it is not hard to show that $\top \sqsubseteq_{\mathcal{T}_S} D_{s,t}$ if and only if s = t can be derived from
the defining identities of S. This yields undecidability of subsumption in $\mathcal{FL}_0^{\mathsf{rvm}}$ w.r.t.
GCIs. To get rid of GCIs, we can internalize them (cf. Section 3.1). More precisely, the
subsumption $\top \sqsubseteq_{\mathcal{T}_S} D_{s,t}$ holds if and only if $C_S \sqsubseteq D_{s,t}$, where $C_S$ is defined as follows:


$$C_S := \bigsqcap_{r \in \Sigma} ((r \subseteq u) \sqcap (u \circ u \subseteq u)) \sqcap \forall u.((s_1 = t_1) \sqcap \cdots \sqcap (s_m = t_m))$$

where u is a role name that does not occur in $\Sigma$. It follows that subsumption in $\mathcal{FL}_0^{\mathsf{rvm}}$
is undecidable also without GCIs.

28 The reduction of Schmidt-Schauß yields a slightly stronger result since it applies also to the case
where we have only equality role value maps, but no containment role value maps.

There is a related result in modal logic that should be mentioned: Shehtman proved
in 1982 that there exists a set $\Gamma$ of box-only modal reduction principles such that, in the
normal modal logic axiomatized by $\Gamma$, satisfiability is undecidable [146]. By what was
said above about the connection between MRPs and role value maps, and since GCIs
can be internalized in $\mathcal{ALC}^{\mathsf{rvm}}$ similar to what was done above in the case of $\mathcal{FL}_0^{\mathsf{rvm}}$, it is
obvious that this gives a proof of undecidability of reasoning in $\mathcal{ALC}^{\mathsf{rvm}}$ without TBoxes
and GCIs.

To avoid undecidability, two approaches have been considered: first, role value maps 
have been weakened into feature agreements and feature disagreements, which have a 
similar semantics but are restricted to paths comprised only of functional roles; and 
second, the original role value maps have been used for paths of a syntactically restricted 
form. In the next section, we describe the first approach. Syntactic restrictions on paths 
are discussed subsequently in Section 6.2. 


Feature Agreements 


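A feature path is a composition $f_1 \circ \cdots \circ f_k$ of abstract features as introduced in Section 6.1.
If u and v are feature paths, then the expression $(u = v)$ is a feature agreement, and
$(u \neq v)$ is a feature disagreement. The description logic ALCF is obtained from $\mathcal{ALC}^{\mathsf{rvm}}$
by replacing role value maps with feature (dis)agreements. The semantics of the new
concept constructors is:


$$\begin{aligned}
(u = v)^{\mathcal{I}} &= \{d \in \Delta^{\mathcal{I}} \mid \exists e.\,(d,e) \in u^{\mathcal{I}} \text{ and } (d,e) \in v^{\mathcal{I}}\} \\
(u \neq v)^{\mathcal{I}} &= \{d \in \Delta^{\mathcal{I}} \mid \exists e, e'.\,(d,e) \in u^{\mathcal{I}},\ (d,e') \in v^{\mathcal{I}}, \text{ and } e \neq e'\}
\end{aligned}$$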


In the literature, feature agreements are sometimes called the same-as constructor, e.g. 
in their incarnation in the CLASSIC system [44]. The restriction of role value maps to 
feature paths has an impairing effect on the usefulness of feature (dis)agreements. For 
example, the concept description 


$$\mathit{Person} \sqcap (\mathit{child} \circ \mathit{friend} \subseteq \mathit{knows})$$


cannot be expressed in ALCF since child and knows should not be forced to be functional. 
However, feature (dis)agreements can still be usefully employed, as illustrated by the 
following concept definition: 


$$\mathit{ParentsMarried} \doteq (\mathit{mother} \circ \mathit{married\text{-}to} = \mathit{father})$$

The main advantage of feature agreements over role value maps lies in their computational
properties. Indeed, Hollunder and Nutt [89] show that satisfiability (and thus also
subsumption) of ALCF concept descriptions is decidable and PSPACE-complete (see also
[113]).

When further expressive means are added to ALCF, the computational complexity 
often gets dramatically worse. In this respect, feature (dis)agreements resemble con- 
crete domains: the PSPACE upper bound of the basic description logic with feature 
(dis)agreements ALCF is rather fragile w.r.t. extensions of the language. An impor- 
tant example for this behaviour are TBoxes. As shown in [110], satisfiability in ALCF 
w.r.t. acyclic TBoxes is NEXPTIME-complete. The result is established by reduction 
of a NEXPTIME-complete variant of the domino problem, and exploits the succinctness
gained by introducing acyclic TBoxes similar to what is discussed in Section 6.1 in the 
context of concrete domains. When cyclic TBoxes or GCIs are admitted, satisfiability and 
subsumption in ALCF even become undecidable [11], which can be shown by a reduction 
of the word problem for groups. Other extensions of ALCF that make reasoning harder 
include intersection of roles, inverse roles, and transitive closure of functional roles. In 
the first case, satisfiability of concept descriptions becomes NEXPTIME-complete, while 
it is undecidable in the latter two cases [11, 112]. 


Restricted Paths in Role Value Maps 


In this section, we consider syntactic restrictions on paths inside role value maps. There
are some quite drastic restrictions that are easily seen to regain decidability of reasoning
in $\mathcal{ALC}^{\mathsf{rvm}}$:


• Only allow paths of length one. In this case, reasoning in $\mathcal{ALC}^{\mathsf{rvm}}$ can be reduced
to reasoning in ALC’, the extension of ALC with Boolean role constructors:
simply replace $(r = s)$ with $(r \subseteq s) \sqcap (s \subseteq r)$, and $(r \subseteq s)$ with $\forall (r \sqcap \neg s).\bot$. Since
satisfiability and subsumption in ALC’ w.r.t. GCIs is known to be decidable
[122, 121], so is the restricted version of $\mathcal{ALC}^{\mathsf{rvm}}$. Note that there is also a close
connection to role hierarchies: a role inclusion $r \sqsubseteq s$ as used in a role hierarchy can
be simulated using the concept equation $\top \doteq (r \subseteq s)$ in $\mathcal{ALC}^{\mathsf{rvm}}$.


• Only admit role value maps of the form $(r \circ r \subseteq r)$. Clearly, we obtain a localized
variant of transitive roles. It is straightforward to adapt the standard techniques
for dealing with (globally) transitive roles [135, 94] to show that, in this variant
of $\mathcal{ALC}^{\mathsf{rvm}}$, satisfiability and subsumption w.r.t. GCIs are decidable. It appears
to be an open problem whether admitting single-role role value maps of the form
$(r^n \subseteq r^m)$, with $n, m \in \mathbb{N}$ and $r^n$ denoting the n-fold composition of r, yields a
decidable variant of $\mathcal{ALC}^{\mathsf{rvm}}$.
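
The semantics of role value maps given earlier in this section and the length-one replacement from the first item above can both be evaluated on a finite interpretation. The Python sketch below is an added example, not part of the original chapter; the interpretation (individuals and role extensions) is constructed, and role negation is read as complement, so that r ⊓ ¬s becomes set difference.

```python
def compose(*relations):
    """Relational composition r1 o ... o rk, read left to right as a path."""
    result = set(relations[0])
    for rel in relations[1:]:
        result = {(d, f) for (d, e) in result for (e2, f) in rel if e == e2}
    return result

def successors(rel, d):
    return {e for (x, e) in rel if x == d}

def rvm_contains(domain, R, S):
    """(R ⊆ S)^I: elements d all of whose R-successors are also S-successors."""
    return {d for d in domain if successors(R, d) <= successors(S, d)}

def rvm_equal(domain, R, S):
    """(R = S)^I: elements d with exactly the same R- and S-successors."""
    return {d for d in domain if successors(R, d) == successors(S, d)}

def value_restriction(domain, rel, extension):
    """(∀rel.C)^I for a role interpreted as rel and a concept with the given extension."""
    return {d for d in domain if successors(rel, d) <= extension}

def rewritten_contains(domain, r, s):
    """Length-one case: (r ⊆ s) rewritten as ∀(r ⊓ ¬s).⊥, with r ⊓ ¬s read as r minus s."""
    return value_restriction(domain, r - s, set())

# Constructed interpretation; 'rex' is not a person.
DOMAIN = {"ann", "bob", "cid", "dee", "eve", "fay", "gus", "hal", "rex"}
PERSON = DOMAIN - {"rex"}
CHILD = {("ann", "bob"), ("ann", "cid"), ("fay", "gus")}
FRIEND = {("bob", "dee"), ("cid", "eve"), ("gus", "hal"), ("gus", "rex")}
KNOWS = {("ann", "dee"), ("ann", "eve"), ("ann", "bob"), ("fay", "rex")}

def persons_knowing_childrens_friends():
    """Extension of Person ⊓ (child o friend ⊆ knows)."""
    return PERSON & rvm_contains(DOMAIN, compose(CHILD, FRIEND), KNOWS)

def rewriting_agrees(domain, r, s):
    """Check both length-one replacements against the direct semantics."""
    same_containment = rewritten_contains(domain, r, s) == rvm_contains(domain, r, s)
    same_equality = rvm_equal(domain, r, s) == (
        rvm_contains(domain, r, s) & rvm_contains(domain, s, r))
    return same_containment and same_equality

if __name__ == "__main__":
    print(sorted(persons_knowing_childrens_friends()))
    print(all(rewriting_agrees(DOMAIN, r, s)
              for r in (CHILD, FRIEND, KNOWS) for s in (CHILD, FRIEND, KNOWS)))
```

Elements without any child-friend successor satisfy the containment vacuously, so only `fay`, who does not know `hal`, is excluded among the persons.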


More powerful decidable fragments of $\mathcal{ALC}^{\mathsf{rvm}}$ can be obtained by restricting paths in a
less strict way. This is done by Horrocks and Sattler [96] in their work on complex role
inclusion axioms (RIAs), and in the closely related area of grammar logics [58, 34, 59].
In both cases, role value maps are not considered to be concept constructors, but rather
they are global, similar to the role inclusions in a role hierarchy, i.e., the role value map
must hold for every element of the interpretation domain. In the following, we consider
ALC concept descriptions and assume the presence of a role box, i.e. a finite set of role
value maps $(R \subseteq S)$. An interpretation $\mathcal{I}$ is a model of a role box $\mathcal{R}$ if it satisfies $R^{\mathcal{I}} \subseteq S^{\mathcal{I}}$
for all $(R \subseteq S) \in \mathcal{R}$. In this setting, we are interested in satisfiability and subsumption
w.r.t. TBoxes/GCIs and role boxes, i.e., in common models of all three inputs.

Translated to this terminology, the idea of grammar logic is to view a role value map
$(r_1 \circ \cdots \circ r_k \subseteq s_1 \circ \cdots \circ s_\ell)$ as a production rule $s_1 \cdots s_\ell \to r_1 \cdots r_k$, and a role box
as a formal grammar [58]. Here, the mapping from role names to terminal and non-terminal
symbols is arbitrary, but fixed. From the description logic perspective, the
most relevant results from grammar logic are the following. First, Demri shows that
satisfiability and subsumption of ALC concept descriptions is EXPTIME-complete if only
role boxes corresponding to left-linear or right-linear grammars are admitted [59]. In role
boxes of this form, we can express properties such as “the enemies of my friends are my
enemies”:


$$(\mathit{friend} \circ \mathit{enemy} \subseteq \mathit{enemy}).$$


Note that this result captures the case where paths are required to be of length at most
one, but not the case $(r \circ r \subseteq r)$. Second, Baldoni et al. show that satisfiability of ALC
concept descriptions is undecidable if role boxes corresponding to context-free grammars
are admitted [34]. This result was later strengthened by Demri to linear grammars [59].


Horrocks and Sattler consider the extension of SHIQ with global role value maps of
the form $(r \subseteq s)$, $(r \circ s \subseteq r)$, and $(s \circ r \subseteq r)$, where each of r and s is a role name or the
inverse of a role name [96]. For example, the statement about enemies of friends from above can be
strengthened by additionally saying that the friends of my enemies are my enemies:


$$\begin{aligned}
&(\mathit{friend} \circ \mathit{enemy} \subseteq \mathit{enemy}) \\
&(\mathit{enemy} \circ \mathit{friend} \subseteq \mathit{enemy}).
\end{aligned}$$


Note that this role box does not correspond to a left-linear or right-linear grammar.
Role value maps of this form are of particular interest since they allow one to describe the
propagation of properties, e.g. along part-whole relations: “the owner of a whole is the
owner of all parts” can be written as $(\mathit{part\text{-}of} \circ \mathit{owner} \subseteq \mathit{owner})$. Let us call Horrocks and
Sattler’s variant of role value maps HS-RVMs. Horrocks and Sattler obtain the following
results: first, reasoning in the extension of SHIQ with HS-RVMs is undecidable in the
general case. An inspection of the proof shows that undecidability already arises in ALC
extended with inverse roles, number restrictions of the form $(\leq 1\ r)$, GCIs, and HS-RVMs.
Decidability of plain ALC extended with HS-RVMs (and possibly GCIs) appears
to be an open problem. Second, satisfiability and subsumption in SHIQ w.r.t. GCIs
and role boxes becomes decidable if we admit only HS-RVMs and acyclic role boxes.
Acyclicity of role boxes is defined similar to the TBox case: a role r directly affects a role
s if $r \neq s$ and there is an HS-RVM with (i) r appearing on the left-hand side (possibly
inside a composition) and s appearing on the right-hand side, or (ii) the inverse of r
appearing on the left-hand side and the inverse of s appearing on the right-hand side.
Affects is the transitive closure of “directly affects”. Then a role box is acyclic if no role
affects itself. Observe that the above example about friends and enemies is acyclic.
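
Both the grammar reading of role boxes and the acyclicity condition for HS-RVMs are syntactic checks that can be run on a role box. The Python sketch below is an added example, not part of the original chapter: it implements “directly affects” literally as defined above and classifies the productions obtained from a role box. The encoding (a role value map as a pair of a body path and a head role, a trailing "-" for inverse roles) and the function names are assumptions of the example.

```python
from itertools import product

def inv(role):
    """Inverse of a role; a trailing '-' marks an inverse role (notation of this example)."""
    return role[:-1] if role.endswith("-") else role + "-"

def directly_affects(role_box):
    """Pairs (r, s) of role names such that r directly affects s.

    role_box is a list of (body, head) pairs standing for (body ⊆ head), where
    body is a tuple of roles and head a single role, as in HS-RVMs.
    """
    names = {x.rstrip("-") for body, head in role_box for x in body + (head,)}
    edges = set()
    for body, head in role_box:
        for r, s in product(names, repeat=2):
            if r != s and ((r in body and s == head) or
                           (inv(r) in body and inv(s) == head)):
                edges.add((r, s))
    return edges

def affects(role_box):
    """Transitive closure of 'directly affects'."""
    closure = directly_affects(role_box)
    while True:
        step = {(a, d) for a, b in closure for c, d in closure if b == c}
        if step <= closure:
            return closure
        closure |= step

def is_acyclic(role_box):
    """A role box is acyclic if no role affects itself."""
    return all(a != b for a, b in affects(role_box))

def grammar_shape(role_box, nonterminals):
    """Shape of the grammar with one production head -> body per role value map,
    for a fixed choice of which role names count as nonterminals."""
    right = left = True
    for body, head in role_box:
        if head not in nonterminals:
            raise ValueError(f"{head} heads a production but is not a nonterminal")
        positions = [i for i, sym in enumerate(body) if sym in nonterminals]
        if len(positions) > 1:
            return "not linear"            # two nonterminals in one production body
        if positions and positions[0] != len(body) - 1:
            right = False                  # nonterminal is not the last symbol
        if positions and positions[0] != 0:
            left = False                   # nonterminal is not the first symbol
    if right and left:
        return "left- and right-linear"
    if right:
        return "right-linear"
    if left:
        return "left-linear"
    return "linear"

# The role box from the text: enemies of friends and friends of enemies.
FRIENDS_AND_ENEMIES = [(("friend", "enemy"), "enemy"),
                       (("enemy", "friend"), "enemy")]

if __name__ == "__main__":
    print(directly_affects(FRIENDS_AND_ENEMIES), is_acyclic(FRIENDS_AND_ENEMIES))
    print(grammar_shape(FRIENDS_AND_ENEMIES[:1], {"enemy"}))
    print(grammar_shape(FRIENDS_AND_ENEMIES, {"enemy"}))
    print(grammar_shape([(("r", "r"), "r")], {"r"}))
```

With `enemy` as the only nonterminal, the first axiom alone gives a right-linear grammar, while the two axioms together give a grammar that is linear but neither left- nor right-linear, and the role box is acyclic because only `friend` affects `enemy`.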

There are several other restrictions of paths that can be considered. An interesting
example is to admit only role value maps $(R \subseteq S)$ with R and S paths of equal length.
This restriction has been investigated by Molitor [126], but the decidability status of
$\mathcal{ALC}^{\mathsf{rvm}}$ under this restriction is, as of now, unknown.

This chapter provides a modern overview of the field of hybrid logic. Hybrid logics are
extensions of standard modal logics, involving symbols that name individual states in models. The
first results that are nowadays considered as part of the field date back to the early work of Arthur
Prior in 1951. Since then, hybrid logic has gone through a number of revivals and reinventions.
Nowadays, it is a field of research in its own right, with a wealth of results, techniques, and
applications.

Our main aim, in this chapter, is to provide a coherent picture of the current state of affairs in 
the field of hybrid logic. Rather than a comprehensive summary, we will try to give the reader 
a taste for the type of results and techniques that we consider hallmarks of the field. In some 
cases, we will only state results, with pointers to relevant literature, while in other cases we will 
provide full proofs. 

In Section 1, we give an intuitive introduction to hybrid logics, with examples of the extra 
expressive power offered by the hybrid operators. This section also contains the basic definitions 
of syntax and semantics that are used throughout the chapter. In Section 2 we provide a short 
history of the field, discussing the work of Prior in the 50s, of the Sofia School in the 80s, and 
the work on very expressive hybrid languages in the 90s. Sections 3 and 4 form the core of 
the chapter. They contain the most important techniques and results in the field, with respect to
completeness, expressive power, frame definability, interpolation and complexity. In Section 5 
we briefly present proof systems for hybrid languages (sequents, natural deduction, tableaux, 
and resolution), and we discuss some issues concerning the development of automated provers 
based on them. In Section 6 we comment on connections with related areas (some of which 
are discussed in detail in other chapters of this handbook). Section 7 finishes the chapter with a 
summary and general perspectives. 


1 WHAT ARE HYBRID LOGICS? 


In their simplest form, hybrid languages are modal languages that have special symbols to name
individual states in models. These new symbols, which are called nominals, enter the stage
gracefully: we simply add a new sort of atomic symbols NOM = $\{i, j, k, \ldots\}$ disjoint from the
set PROP of propositional variables and let them combine freely in formulas. For example, if $i$
is a nominal and $p$ and $q$ are propositional variables, then

$$\Diamond(i \wedge p) \wedge \Diamond(i \wedge q) \to \Diamond(p \wedge q) \qquad (1)$$

is a well formed formula. Now for the important twist: since nominals name individual states in
the model, they denote singleton sets. In other words, they are true at a unique point in the model.
Once this step has been taken, the whole landscape changes. For example, (1) becomes a validity:
let $\mathcal{M}$ be a model, $m$ a state in the domain of $\mathcal{M}$, and suppose
$\mathcal{M}, m \models \Diamond(i \wedge p) \wedge \Diamond(i \wedge q)$.
Then some successor state $m'$ of $m$ satisfies $i \wedge p$, and some successor state $m''$ of $m$
satisfies $i \wedge q$. Since $i$ is a nominal, it is true at a unique point in $\mathcal{M}$. Hence
$m' = m''$ and we have $\mathcal{M}, m \models \Diamond(p \wedge q)$. Note that (1) could be falsified
if $i$ were an ordinary propositional variable.

When we realize the potential that nominals have, an interesting idea suggests itself: to
introduce, for each nominal $i$, an operator $@_i$ that allows us to jump to the point named by $i$. The
formula $@_i\varphi$ (read “at $i$, $\varphi$”) moves the point of evaluation to the state named by $i$
and evaluates $\varphi$ there. These operators satisfy many nice logical properties. For a start, each
$@_i$ is a normal modal operator: it satisfies the distributivity axiom
($@_i(\varphi \to \psi) \to (@_i\varphi \to @_i\psi)$) and the necessitation rule (if $\varphi$ is
valid, then $@_i\varphi$ is also valid). Moreover, it is self-dual: $@_i\varphi$ is equivalent
to $\neg @_i \neg\varphi$. In an intuitive sense, the $@_i$ operators provide a bridge between semantics
and syntax by internalizing the satisfaction relation ‘$\models$’ into the logical language:

$$\mathcal{M}, w \models \varphi \quad\text{iff}\quad \mathcal{M} \models @_i\varphi, \text{ where } i \text{ is a nominal naming } w.$$

For this reason, these operators are usually called satisfaction operators.

Aiming to make full use of the flexibility provided by direct reference to specific points in the
model naturally leads to further enrichment of the language. One possibility would be to have
not only names for individual states but also variables ranging over states, with corresponding
quantifiers. We would then be able to write formulas like

$$\forall y.\Diamond y. \qquad (2)$$

The first-order translation of this formula is $\forall y.\exists z.(R(x, z) \wedge z = y)$ or, simply,
$\forall y.R(x, y)$, forcing the current state to be related to all states in the domain. The $\forall$
quantifier is very expressive. As discussed in [32], even the basic modal language extended with state
variables and this universal quantifier is undecidable. Moreover, $\forall$ and $@$ together give us
already full first-order expressive power (cf. Section 3.2). Nevertheless, the $\forall$ quantifier is
historically important. The earliest treatments are probably those of [117, 118, 46].

The $\forall$ quantifier is very “classical.” If we think modally, and remember that evaluation of
modal formulas takes place at a given point, a different kind of binder suggests itself. The $\downarrow$
binder binds variables to points but, unlike $\forall$, it binds to the current point. In essence, it
enables us to create a name for the here-and-now, and refer to it later in the formula. For example, the
formula

$$\downarrow y.\Diamond y \qquad (3)$$

is true at a state $m$ iff $m$ is related to itself. The intuitive reading of (3) is quite straightforward:
the formula says “call the current state $y$ and check that $y$ is reachable.” The difference between
$\forall$ and $\downarrow$ is subtle, but important. $\forall$ is global, in the sense that formulas
containing $\forall$ are not preserved under generated submodels [32]. On the other hand, $\downarrow$ is
intrinsically local and, as we will show in Theorems 16 and 18, it can be characterized in terms of the
operation of taking generated submodels.

Like $\forall$, the $\downarrow$ binder has been invented independently on several occasions. For example,
in [122], $\downarrow$ is introduced as part of an investigation into temporal semantics and temporal
databases, [131] uses it to aid reasoning about automata, it is related to the freeze operator in [88],
and [52] employs it as part of his treatment of indexicality. However, none of the systems just
mentioned allows the free syntactic interplay of variables with the underlying propositional logic;
that is, they make use of $\downarrow$, but in languages that are not fully hybrid. The earliest paper to
introduce it into a fully hybrid language seems to be [77].

Note that satisfaction operators work in perfect coordination with $\downarrow$. Whereas $\downarrow$
“stores” the current point of evaluation (by binding a variable to it), the satisfaction operators enable
us to “retrieve” stored information by shifting the point of evaluation in the model. By using the
“storing and retrieving” intuition it is easy to define complex properties. For example, Kamp’s
temporal until operator $U$ (with semantics: $U(\varphi, \psi)$ is true at a state $m$ if there is a future
state $m'$ where $\varphi$ holds, such that $\psi$ holds in all states between $m$ and $m'$) can be defined
as follows:

$$U(\varphi, \psi) := \downarrow x.\Diamond \downarrow y.(\varphi \wedge @_x \Box(\Diamond y \to \psi)).$$

Let us see how this works. First, we name the current state $x$ using $\downarrow$, and use the $\Diamond$
operator to find a suitable successor state, which we call $y$, where $\varphi$ holds. Without the $@$
operator we would be stuck in that successor state, but we can use $@$ to go back to $x$ and demand that in
all successors of $x$ having $y$ as a successor, $\psi$ holds.


Summarizing the above discussion, we can say that the term hybrid logic refers to a family of
extensions of the basic hybrid language with devices that, in one way or another, allow for explicit
reference to individual states of the Kripke model. But why are hybrid logics called hybrid?
One explanation comes from the work of Arthur Prior in the 1950s. As we will discuss in more
detail in Section 2, Prior was interested in the relation between what McTaggart called the
A-series and B-series of time [109]. Following McTaggart’s analysis of time in terms of the
A-series of past, present and future and the B-series of earlier and later, Prior discusses two logical
systems: the $I$-calculus aims to capture the properties of the B-series and takes variables ranging
over instants as primitive, while the $T$-calculus examines tenses and takes variables ranging over
propositions. In [117, Chapter V.6], Prior proposes a way to develop the $I$-calculus inside the
$T$-calculus, and for this he allows instant-variables to be used together with propositional variables.
He will call this step “the third grade of tense-logical involvement” in [118, Chapter XI], where
instant-variables are treated as representing (special) propositions. From this perspective, the
term hybrid applies to the “confusion” of terms (the variables over instants) with formulas (the
propositional variables).

There is another sense in which hybrid logics are hybrid, namely that, both in terms of expressive
power and in terms of the techniques used to analyze them, hybrid languages lie in between
the basic modal language and first-order logic. While having a distinctly modal flavor, hybrid
logics enjoy features which are of a clear first-order nature. As we discussed above, the more
expressive hybrid languages include binders and variables over elements of the domain, traditional
hallmarks of first-order languages, while nominals are nothing else than first-order constants.
The nominals and satisfaction operators also introduce a restricted form of equality: a state $m$ in
a model can satisfy a nominal $i$ if and only if it is equal to the denotation of $i$, and a model
$\mathcal{M}$ satisfies $@_i j$ if and only if the denotations of $i$ and $j$ coincide. In other words,
nominals introduce equality between the point of evaluation and a named state, while satisfaction
operators enable us to express equality between named states. Concerning first-order techniques which can
be used for hybrid languages, we will see in Section 3.1 for example, that nominals can be used
as ‘witnesses’ in a classical Henkin-style completeness proof for hybrid languages, and classical
first-order notions like potential isomorphisms are useful for characterizing the expressive power
of hybrid languages. In Section 3.3, we will see a very general interpolation result, the proof of
which relies on the fact that shared nominals can be “bound away” using $\downarrow$, in the same way that
shared constants can be replaced by existentially quantified variables in first-order logic.

For a more detailed introduction, including further intuitive examples using the different
hybrid languages, the reader is referred to [26]. The Hybrid Logic Web Pages [3] provide
additional information and a broad on-line bibliography. We now move on to the basic definitions of
syntax and semantics that will be used throughout the chapter.


1.1 Basic Definitions 


The simplest hybrid language is $\mathcal{H}$, which extends the basic modal language with nominals only.
Further extensions will be named by listing the additional operators. The most expressive system
we will discuss in detail is $\mathcal{H}(E, @, \downarrow)$, with the existential modality $E$,
$@$-operators, and the $\downarrow$ binder (when considering languages containing the $\downarrow$ binder,
it is implicitly understood that the language also contains state variables). At various points, we will
briefly mention other hybrid languages as well (e.g., hybrid extensions of temporal and dynamic logics).

The following two definitions give the syntax and semantics of $\mathcal{H}(E, @, \downarrow)$. The
corresponding definitions for sublanguages of $\mathcal{H}(E, @, \downarrow)$ can be obtained by leaving
out irrelevant clauses.

DEFINITION 1. Let REL = $\{R_1, R_2, \ldots\}$ (the relational symbols), PROP = $\{p_1, p_2, \ldots\}$ (the
propositional variables), NOM = $\{i_1, i_2, \ldots\}$ (the nominals), and SVAR = $\{x_1, x_2, \ldots\}$ (the
state variables) be pairwise disjoint, countably infinite sets of symbols. By a state symbol, we
will mean any element of NOM $\cup$ SVAR. The well-formed formulas of the hybrid language
$\mathcal{H}(E, @, \downarrow)$ in the signature (REL, PROP, NOM, SVAR) are given by the following recursive
definition:

$$\mathrm{FORMS} := \top \mid p \mid s \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle R\rangle\varphi \mid E\varphi \mid @_s\varphi \mid \downarrow x.\varphi,$$

where $p \in$ PROP, $s \in$ NOM $\cup$ SVAR, $x \in$ SVAR, $R \in$ REL and $\varphi, \varphi_1, \varphi_2 \in$ FORMS.

Given a set of formulas $\Gamma \subseteq$ FORMS, we will use PROP($\Gamma$), NOM($\Gamma$) and
SVAR($\Gamma$) to denote, respectively, the set of propositional variables, nominals, and state variables
occurring in formulas in $\Gamma$. Also, for $\varphi$ a formula, SF($\varphi$) will be the set of
subformulas of $\varphi$.

Note that the above syntax is simply that of ordinary (multi-modal) propositional modal logic
extended with clauses for the state symbols and for $E\varphi$, $@_s\varphi$ and $\downarrow x.\varphi$.
Also, note that, like propositional variables, nominals and state variables can be used as atomic formulas.
The difference between nominals and state variables is analogous to the difference between constants and
variables in first-order logic: nominals cannot be bound by $\downarrow$, and their interpretation is
specified by the model, whereas state variables are interpreted by assignment functions, and they can be
bound by the $\downarrow$-binder.

The notions of free and bound state variable are defined as in first-order logic, with $\downarrow$ as the
only binding operator. Similarly, other syntactic notions (such as substitution, and a state symbol
$t$ being substitutable for $x$ in $\varphi$) are defined as in first-order logic. A sentence is a formula
containing no free state variables. Furthermore, a formula is pure if it contains no propositional
variables, and nominal-free if it contains no nominals.

In the remainder of the chapter we will assume fixed a signature (REL, PROP, NOM, SVAR). 
Now for the semantics. 


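DEFINITION 2. A (hybrid) model $\mathcal{M}$ is a triple
$\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathrm{REL}}, V\rangle$ such that $M$ is a
non-empty set, each $R^{\mathcal{M}}$ is a binary relation on $M$, and
$V : \mathrm{PROP} \cup \mathrm{NOM} \to \wp(M)$ is such that for all nominals $i \in$ NOM, $V(i)$ is a
singleton subset of $M$. We usually write $M$ (roman letters) for the domain of a model $\mathcal{M}$, and
call the elements of $M$ states, worlds or points. Each $R^{\mathcal{M}}$ is an accessibility relation, and
$V$ is the valuation. A frame is defined in the usual way: as a model without a valuation. If
$\mathcal{F} = \langle M, (R^{\mathcal{F}})_{R \in \mathrm{REL}}\rangle$ is a frame and $V$ is a valuation
on $M$, then $\mathcal{M} = (\mathcal{F}, V)$ is the model
$\langle M, (R^{\mathcal{F}})_{R \in \mathrm{REL}}, V\rangle$. In this case, we say that $\mathcal{M}$ is
based on $\mathcal{F}$, and that $\mathcal{F}$ is the underlying frame of $\mathcal{M}$.

An assignment $g$ for $\mathcal{M}$ is a mapping $g : \mathrm{SVAR} \to M$. Given an assignment
$g : \mathrm{SVAR} \to M$, a state variable $x \in$ SVAR, and a state $m \in M$, we define $g^x_m$ (an
$x$-variant of $g$) by letting $g^x_m(x) = m$ and $g^x_m(y) = g(y)$ for all $y \neq x$.

Let $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathrm{REL}}, V\rangle$ be a model, $m \in M$, and
$g$ an assignment for $\mathcal{M}$. For any state symbol $s \in$ NOM $\cup$ SVAR, let
$[s]^{\mathcal{M},g}$ be the state denoted by $s$ (i.e., for $i \in$ NOM, $[i]^{\mathcal{M},g}$
is the unique $m \in M$ such that $V(i) = \{m\}$, and for $x \in$ SVAR, $[x]^{\mathcal{M},g} = g(x)$).
Then the satisfaction relation is defined as follows:

$$\begin{array}{lll}
\mathcal{M}, g, m \models \top & & \\
\mathcal{M}, g, m \models p & \text{iff} & m \in V(p) \quad \text{for } p \in \mathrm{PROP} \\
\mathcal{M}, g, m \models s & \text{iff} & m = [s]^{\mathcal{M},g} \quad \text{for } s \in \mathrm{NOM} \cup \mathrm{SVAR} \\
\mathcal{M}, g, m \models \neg\varphi & \text{iff} & \mathcal{M}, g, m \not\models \varphi \\
\mathcal{M}, g, m \models \varphi_1 \wedge \varphi_2 & \text{iff} & \mathcal{M}, g, m \models \varphi_1 \text{ and } \mathcal{M}, g, m \models \varphi_2 \\
\mathcal{M}, g, m \models \langle R\rangle\varphi & \text{iff} & \text{there is a state } m' \text{ such that } R^{\mathcal{M}}(m, m') \text{ and } \mathcal{M}, g, m' \models \varphi \\
\mathcal{M}, g, m \models E\varphi & \text{iff} & \text{there is a state } m' \in M \text{ such that } \mathcal{M}, g, m' \models \varphi \\
\mathcal{M}, g, m \models @_s\varphi & \text{iff} & \mathcal{M}, g, [s]^{\mathcal{M},g} \models \varphi \quad \text{for } s \in \mathrm{NOM} \cup \mathrm{SVAR} \\
\mathcal{M}, g, m \models \downarrow x.\varphi & \text{iff} & \mathcal{M}, g^x_m, m \models \varphi.
\end{array}$$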


The first six clauses in the definition of the satisfaction relation are similar to the ones for the basic
modal language, except that they are relativized to an additional assignment function. Recall
that nominals and state variables can be used as atomic formulas, in which case they act as
propositional variables that are true at a unique state. The $\downarrow$ binder binds state variables to
the state where evaluation is being performed (the current world), and $@_s$ shifts evaluation to the
state named by $s$. As in first-order logic, if $\varphi$ is a sentence (i.e., a formula with no free state
variables), the truth of $\varphi$ at a state in a model does not depend on the assignment. Hence, in this
case we will write $\mathcal{M}, m \models \varphi$ instead of $\mathcal{M}, g, m \models \varphi$.

A formula $\varphi$ is said to be globally true in a model $\mathcal{M}$ under an assignment $g$ (notation:
$\mathcal{M}, g \models \varphi$) if $\mathcal{M}, g, m \models \varphi$ for all $m \in M$. A formula
$\varphi$ is satisfiable if there is a model $\mathcal{M}$, an assignment $g$ on $\mathcal{M}$, and a world
$m \in M$ such that $\mathcal{M}, g, m \models \varphi$. A formula $\varphi$ is valid
(notation: $\models \varphi$) if for all models $\mathcal{M}$ and assignments $g$,
$\mathcal{M}, g \models \varphi$. A formula $\varphi$ is a local consequence of a set of formulas $\Sigma$
if for all models $\mathcal{M}$, assignments $g$, and points $m \in M$,
$\mathcal{M}, g, m \models \Sigma$ implies $\mathcal{M}, g, m \models \varphi$. A formula $\varphi$ is a
global consequence of a set of formulas $\Sigma$ if for all models $\mathcal{M}$ and assignments $g$,
$\mathcal{M}, g \models \Sigma$ implies $\mathcal{M}, g \models \varphi$. We denote local
consequence by $\Sigma \models^{loc} \varphi$ and global consequence by $\Sigma \models^{glo} \varphi$. As
in ordinary propositional modal logic, local consequence is strictly stronger than global consequence.

Definitions 1 and 2 specify the syntax and semantics of the most expressive hybrid language
we are going to discuss in detail, $\mathcal{H}(E, @, \downarrow)$. Two important fragments of this
language are $\mathcal{H}(@, \downarrow)$, which is obtained by dropping the clauses for the existential
modality $E$, and $\mathcal{H}(@)$, which is obtained by dropping in addition the state variables and the
$\downarrow$-binder. In other words, $\mathcal{H}(@)$ is simply the extension of the basic modal language
with nominals and satisfaction operators. The languages $\mathcal{H}(@)$ and $\mathcal{H}(@, \downarrow)$
will receive most attention in this chapter.
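
The satisfaction clauses of Definition 2 translate directly into a recursive evaluator over finite models. The Python code below is an added example, not part of the original chapter: the tuple encoding of formulas, the names `Model`, `sat`, `frame_valid` and `until`, and the small sample models are all constructed here for illustration. It checks formula (1), formula (3) and the definition of until given above.

```python
from itertools import product

# Formulas are nested tuples; constructors follow the grammar of Definition 1.
TOP = ("top",)
def Prop(p): return ("prop", p)
def Nom(i): return ("nom", i)
def Var(x): return ("var", x)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Dia(f, r="R"): return ("dia", r, f)      # <R>f
def E(f): return ("E", f)                    # existential modality
def At(s, f): return ("at", s, f)            # @_s f, with s = Nom(..) or Var(..)
def Down(x, f): return ("down", x, f)        # ↓x.f
# Defined connectives.
def Imp(f, g): return Not(And(f, Not(g)))
def Box(f, r="R"): return Not(Dia(Not(f), r))


class Model:
    """Hybrid model: domain, relations, V on PROP, and one state per nominal."""
    def __init__(self, states, rels, props, noms):
        self.states = frozenset(states)
        if not self.states:
            raise ValueError("the domain must be non-empty")
        self.rels = {r: frozenset(pairs) for r, pairs in rels.items()}
        self.props = {p: frozenset(ext) for p, ext in props.items()}
        # V(i) is a singleton, so a nominal is stored as the state it names.
        for i, m in noms.items():
            if m not in self.states:
                raise ValueError(f"nominal {i!r} must name a state of the model")
        self.noms = dict(noms)


def denote(model, g, s):
    """[s]^{M,g}: the state named by a nominal or assigned to a state variable."""
    kind, name = s
    return model.noms[name] if kind == "nom" else g[name]


def sat(model, g, m, f):
    """M, g, m |= f, clause by clause as in Definition 2."""
    op = f[0]
    if op == "top":
        return True
    if op == "prop":
        return m in model.props.get(f[1], frozenset())
    if op in ("nom", "var"):
        return m == denote(model, g, f)
    if op == "not":
        return not sat(model, g, m, f[1])
    if op == "and":
        return sat(model, g, m, f[1]) and sat(model, g, m, f[2])
    if op == "dia":
        succ = (b for a, b in model.rels.get(f[1], ()) if a == m)
        return any(sat(model, g, n, f[2]) for n in succ)
    if op == "E":
        return any(sat(model, g, n, f[1]) for n in model.states)
    if op == "at":
        return sat(model, g, denote(model, g, f[1]), f[2])
    if op == "down":
        return sat(model, {**g, f[1]: m}, m, f[2])   # the x-variant of g
    raise ValueError(f"unknown operator {op!r}")


def frame_valid(states, rels, f, props=(), noms=()):
    """Brute force: is sentence f true at every state under every valuation?"""
    states = sorted(states)
    subsets = [frozenset(s for s, keep in zip(states, bits) if keep)
               for bits in product((False, True), repeat=len(states))]
    for pv in product(subsets, repeat=len(props)):
        for nv in product(states, repeat=len(noms)):
            model = Model(states, rels, dict(zip(props, pv)), dict(zip(noms, nv)))
            if not all(sat(model, {}, m, f) for m in states):
                return False
    return True


def until(phi, psi):
    """U(phi, psi) := ↓x.<>↓y.(phi ∧ @_x [](<>y → psi))."""
    x, y = Var("x"), Var("y")
    return Down("x", Dia(Down("y", And(phi, At(x, Box(Imp(Dia(y), psi)))))))


# Constructed sample data.
i, p, q, r = Nom("i"), Prop("p"), Prop("q"), Prop("r")
FORK = ({0, 1, 2}, {"R": {(0, 1), (0, 2)}})           # state 0 sees 1 and 2
FORMULA_1 = Imp(And(Dia(And(i, p)), Dia(And(i, q))), Dia(And(p, q)))
FORMULA_1_PROP = Imp(And(Dia(And(r, p)), Dia(And(r, q))), Dia(And(p, q)))
SELF_LOOP = Down("y", Dia(Var("y")))                  # formula (3)
ORDER = {"R": {(a, b) for a in range(4) for b in range(4) if a < b}}
LINE = Model(range(4), ORDER, {"p": {3}, "q": {1, 2}}, {"i": 2})
GAP = Model(range(4), ORDER, {"p": {3}, "q": {1}}, {"i": 2})

if __name__ == "__main__":
    print(frame_valid(*FORK, FORMULA_1, props=("p", "q"), noms=("i",)))
    print(frame_valid(*FORK, FORMULA_1_PROP, props=("p", "q", "r")))
    print(sat(LINE, {}, 0, until(p, q)), sat(GAP, {}, 0, until(p, q)))
    print(sat(LINE, {}, 0, SELF_LOOP))
```

`frame_valid` enumerates every valuation on the frame, so it is only practical for very small domains; `sat` raises `KeyError` if the formula has a free state variable that the assignment does not cover.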


2 HISTORY 


In this section we will provide an overview of the historical development of hybrid languages, 
starting with the pioneering work of Prior, through the “revival” in the late eighties and early 
nineties in Sofia, and ending with the work of Blackburn and Seligman in the late nineties. 


2.1 The Foundational Work of Prior 


The work of Prior in modal logic and in particular in the modal analysis of time is well known, to 
the point that he is usually regarded as the inventor of temporal logic. For a detailed discussion 
of Prior’s contributions to this field, together with some biographical information, see [111]. The 
following discussion is based on [51], a short but very good overview. See also [27], especially 
Section 4. 

Prior is considered one of the most important promoters of the application of modal syntax 
to the formalisation of a wide variety of phenomena. Less well known is the fact that Prior, 
in collaboration with Carew Meredith, devised a version of possible worlds semantics roughly 
at the same time as, but independently of, the work of Carnap on modal semantics and several 
years before Kripke published his first paper on the topic. Interestingly, this part of Prior’s work 
is already closely related to hybrid logic. 

Nowadays, the view that modal logic can be seen as a fragment of first-order or second-order
logic is commonplace. This is fairly straightforward once we observe the possible worlds
semantics of modal operators. When reading the earlier work of Prior, however, we should keep 
in mind that, at that time, most modal intuitions came solely from axiomatics. Nevertheless, in 
Prior’s (unpublished) second book “The Craft of Formal Logic” (completed in 1951) we can find 
the following passage: 


For the similarity in behaviour between signs of modality and signs of quantity,
various explanations may be offered. It may be, for example, that signs of modality
are just ordinary quantifiers operating upon a peculiar subject-matter, namely
possible states of affairs... It would not be quite accurate to describe theories of this
sort as “reducing modality to quantity.” They do reduce modal distinctions to
distinctions of quantity, but the variables to which the quantifiers are attached retain
something modal in their signification — they signify “possibilities”, “chances”,
“possible states of affairs”, “possible combinations of truth-values”, or the like.


Two things should be noticed in this passage. Firstly, the reference to “possible states of affairs”
and even “possible combinations of truth-values,” is a very early reference to possible worlds
semantics. Secondly, note Prior’s strong reservations concerning “reducing modality to quantity”.
This early intuition on the foundational nature of modality later grew into a mature philosophy in
Prior’s view that quantification over possible worlds and instants was to be interpreted in terms
of modality and tense — which constituted primitive notions — and not vice versa (although he
did recognize that the study of both quantity and modality could benefit from each other).

Three years later, in 1954 at the New Zealand Congress of Philosophy, Prior presented a paper
(not published until much later as [116]) in which his philosophical position is made more
explicit. Working already in the framework of temporal logic, he introduces in this paper the
$I$-calculus (which he will later call the $U$-calculus). In the $I$-calculus, propositions of the tense
calculus are treated as predicates expressing properties of dates (which are represented by
variables). The formula $px$ should be read as “$p$ at $x$,” and $I$ is a binary relation taking dates as
arguments where $Ixy$ is read as “$y$ is later than $x$.” Using an arbitrary date $x$ to represent the
time of utterance, $Fp$ (intuitively, “the proposition $p$ happens in the future”) is equated with
$\exists y.(Ixy \wedge py)$ (i.e., “$p$ at some time later than $x$”) and similarly for $Pp$, “the
proposition $p$ happens in the past.” Prior mentions already that, by imposing various conditions on the
relation $I$, analogues of the axioms of the tense calculus can be derived in the $I$-calculus.

Later in the same paper, Prior includes a detailed warning against regarding this interpretation
of the tense calculus within the $I$-calculus as “a metaphysical explanation of what we mean by
is, has been and will be”; he stresses that the $I$-calculus is not “metaphysically fundamental.”
He explains that $F$(Socrates is sitting down) means “It is now the case that it will be the case
that Socrates is sitting down,” and there is no genuine way of representing the indexical now in
the $I$-calculus (he says that the free variable $x$ is “a complete sham”). He continues: “If there
is to be any ‘interpretation’ of our calculi in the metaphysical sense, it will probably need to be
the other way round; that is, the $I$-calculus should be exhibited as a logical construction out of
the $PF$-calculus rather than vice versa.” This idea of the primacy of the tense calculus over the
$I$-calculus — or, as he was later to put it, of McTaggart’s A-series over the B-series, see [109] —
was to become a central and distinctive tenet of his philosophy. These issues form the theme of
his final, unfinished, book [119], but they already appear in some earlier articles.

But of course, the reconstruction of the $I$-calculus within the tense calculus is impossible,
as the $I$-calculus is strictly more expressive than the tense calculus. Prior recognized this fact
and investigated ways to extend the expressive power of the tense calculus to permit the
reconstruction. This directly led to what we call today very expressive hybrid languages (i.e., hybrid
languages including the $\forall$ binder). In [117, Chapter V.6], he actually proposes a way to develop
the $I$-calculus inside the tense calculus, and for this he allows instant variables to be used together
with propositional variables. He will call this step “the third grade of tense-logical involvement”
in [118, Chapter XI], where instant variables are treated as representing (special) propositions.

We see, then, that Prior’s development of hybrid languages was rooted in his philosophical 
convictions, and was instrumental in the implementation of some of his very early intuitions on 
time and tense. Prior’s death in 1969 put an end to these investigations. Notice though, that Prior 
was never fully satisfied with his solution. It was technically correct (and actually quite bold 
and ingenious) but he was concerned that, in managing to “upgrade” the tense calculus to full 
first-order expressivity, the language had lost its claim to a metaphysical fundamentality. Robert
Bull, a student of Prior, pushed the ideas of hybridization further in [46], where he provides an 
axiomatization and completeness result for a logic containing variables for paths on a model, 
which he calls “history-propositional” variables. 


2.2 The Sofia School 


As we saw, the roots of hybrid logic go back to Prior and Bull. About fifteen years later in Sofia,
Bulgaria, nominals were re-discovered by Gargov, Passy and Tinchev in their investigations on
Boolean modal logic and propositional dynamic logic. One of the issues that led them into these
investigations was the following asymmetry in the expressive power of the modal language. The
union of two accessibility relations is definable in the basic modal language, in the sense that the
formula

$$\langle T\rangle p \leftrightarrow \langle R\rangle p \vee \langle S\rangle p$$

is valid on a frame precisely if the accessibility relation interpreting $\langle T\rangle$ is the union of
the accessibility relations interpreting $\langle R\rangle$ and $\langle S\rangle$. Moreover, when added to
the basic modal language, this formula completely axiomatizes the modal logic of the relevant class of
frames.

Surprisingly, intersection of accessibility relations is not definable in the same way: it follows
from the Goldblatt-Thomason theorem [76] that there is no formula in the basic modal language
that is valid on a frame precisely if the accessibility relation of $\langle T\rangle$ is the intersection
of the accessibility relation of $\langle R\rangle$ and $\langle S\rangle$. And even though the axiom scheme
$\langle T\rangle p \to (\langle R\rangle p \wedge \langle S\rangle p)$ (together with the standard axioms
and rules for the basic polymodal logic) completely axiomatizes the logic of this frame class, it is valid
on the larger class where the accessibility relation of $\langle T\rangle$ is contained in the intersection
of the accessibility relation of $\langle R\rangle$ and $\langle S\rangle$.

Now, Gargov, Passy and Tinchev showed in [74] that intersection can be defined using
nominals. Indeed, for $i$ a nominal, the axiom scheme

$$\langle T\rangle i \leftrightarrow \langle R\rangle i \wedge \langle S\rangle i$$

defines intersection in the above sense, and exactly axiomatizes the logic of the relevant class of
frames (when added to an appropriate base axiomatization)¹. The same story goes for
complementation: there is no formula of the basic modal language that is valid on a frame precisely if
the accessibility relation of $\langle R\rangle$ is the complement of the accessibility relation of $S$,
but such a formula exists when nominals are added to the language:
$\langle R\rangle i \leftrightarrow \neg\langle S\rangle i$.

This form of capturing the Boolean operations (together with an alternative based on the
“sufficiency operator” $\boxplus$) was investigated by Gargov, Passy and Tinchev in [74]. In that paper,
the first complete axiomatization of the minimal hybrid language is given. Following [75],
recursively define $\Box$- and $\Diamond$-forms as follows: 1) \$ is both a $\Box$- and a $\Diamond$-form
(where \$ is a fixed symbol not occurring in the language); 2) If $L$ is a $\Box$-form and $\varphi$ a
formula, then $(\varphi \to L)$ and $(\Box L)$ are also $\Box$-forms; and 3) If $M$ is a $\Diamond$-form and
$\varphi$ is a formula, then $(\varphi \wedge M)$ and $(\Diamond M)$ are also $\Diamond$-forms. For $F$ a
$\Box$- or $\Diamond$-form and $\varphi$ a formula, let $F(\varphi)$ be the formula obtained by
replacing the unique occurrence of \$ in $F$ by $\varphi$. Now, Gargov, Passy and Tinchev showed that
any complete axiomatization of the basic modal language, extended with the axioms

$$M(i \wedge \varphi) \to L(i \to \varphi) \quad \text{for } i \text{ a nominal, } L \text{ a } \Box\text{-form and } M \text{ a } \Diamond\text{-form}$$

completely axiomatizes the hybrid logic (in the language $\mathcal{H}$) of the class of all frames.


¹ Note that this implies that the Goldblatt-Thomason theorem, in its usual form, does not hold for hybrid languages.

Axiom Schemes:
(A0) All propositional tautologies 


(Al) (v)t 

(A2) winy) > [v(t > p) 

(A3) yg (v)y 

(A4) (uv) (v)p > rie 

(A5) y= [yv)y 

(A6) (ajy > (vp 

(A7) (ab) > (a) (8e 

(A8) (aU Bji > laji V (B)i 

(A9) (aN Bji > laji A (Bi 

(A10) (@)i e [aji 7 

(All) acBe lang 

(A12) (v(i A (a")j)  (v)(9 A (a)i) 
(A13) (p?) = p^ 

(A14) (a*)p > yV (a)(a*)p 
(A15)  [al(y > 4) > (laly — [aly) 
Rules: 


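(R1) If $\vdash [\alpha]\neg i$ for some $i$ not in $\alpha$, then $\vdash [\alpha]\bot$.
(R2) If $\vdash [\beta][\alpha^n]\varphi$ for all $n \in \mathbb{N}$, then $\vdash [\beta][\alpha^*]\varphi$.
(R3) If $\vdash \varphi$, then $\vdash [\nu]\varphi$.
(R4) If $\vdash \varphi$ and $\vdash \varphi \to \psi$, then $\vdash \psi$.


Where $\varphi$, $\psi$ are formulas, $\alpha$, $\beta$ programs, $\nu$ the universal program and $i$, $j$ nominals.


Figure 1. Axiomatization of CPDL($\cap$, $\bar{\ }$, $\subseteq$, ${}^{-1}$)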


Besides the minimal hybrid language $\mathcal{H}$, Gargov, Passy and Tinchev also studied a richer
hybrid language, obtained by extending propositional dynamic logic (PDL, cf. Chapter 12 of
this handbook) with nominals. Intersection of accessibility relations is particularly interesting
in this setting, as it can be interpreted as parallelism, or concurrency of programs. Passy and
Tinchev [113] propose an extension of PDL with nominals and the universal modality, which
they call Combinatory PDL (CPDL). The paper contains an axiomatization of
CPDL($\cap$, $\bar{\ }$, $\subseteq$, ${}^{-1}$), combinatory PDL extended with program intersection,
complementation, subprograms and inverse, shown in Figure 1. Note that this axiomatization contains an
infinitary rule (R2), i.e., an inference rule with infinitely many premises.


Besides the standard axioms and rules of PDL, and the axioms for the universal program $\nu$,
notice the definitions of union (A8), intersection (A9), complement (A10), subprogram (A11) and
inverse program (A12). Notice also how the presence of the universal program $\nu$ helps define
the behaviour of nominals in axioms (A1) and (A2). Finally, notice the “Gabbay-Burgess-style
rule” (R1) [67], which ensures that models are named, i.e., each state in the model is the
denotation of some nominal (this also implies that models are countable). Axiomatizations for
sublanguages of CPDL($\cap$, $\bar{\ }$, $\subseteq$, ${}^{-1}$) are obtained by dropping the corresponding
definitions of the absent operators. In particular CPDL, “core” combinatory PDL, is axiomatized by axioms
(A1) to (A8), (A13) to (A15) and rules (R1) to (R4)².

Passy and Tinchev proved a number of interesting properties of CPDL (see [115] for further
details). For example, they observed that named models (i.e., models in which each state is
named by a nominal) can be completely described by a set of formulas of the form $(\neg)@_i p$,
$(\neg)@_i \Diamond j$ or $(\neg)@_i j$. Clearly, this property only depends on the expressive power of
nominals and $@$, and hence holds already for $\mathcal{H}(@)$. This observation provides the theoretical
basis for automated theorem proving and model building via the definition of Herbrand models (i.e., a
model can be represented by the set of elementary formulas which are true in it, see [17]).

With respect to (un)decidability results, naturally the negative results concerning the
undecidability of both global and local consequence in PDL [85] transfer to CPDL. Passy and Tinchev
provide some (un)decidability results for satisfiability of languages related to CPDL in [115], 
while Gargov provides in [71] a finitary axiomatization of CPDL and proves the finite model 
property and decidability of the satisfiability problem for CPDL. Actually, the complexity of 
satisfiability in CPDL coincides with the one in PDL, EXPTIME-complete [56, 55]. 


THEOREM 3. For $\Gamma \cup \{\varphi\}$ a decidable set of CPDL formulas, deciding whether
$\Gamma \models^{glo} \varphi$ and $\Gamma \models^{loc} \varphi$ is $\Pi^1_1$-complete. On the other hand,
satisfiability of CPDL formulas is EXPTIME-complete.


Gargov’s axiomatizability result mentioned above uses Segerberg’s axiom
$\varphi \wedge [\alpha^*](\varphi \to [\alpha]\varphi) \to [\alpha^*]\varphi$ to replace the (R2) rule and
shows that the (R1) rule is redundant, but infinitary rules cannot always be eliminated. For example,
satisfiability of CPDL($\bar{\ }$) is highly undecidable ($\Sigma^1_1$-complete) from which it follows that
no finitary axiomatization can be complete. Passy and Tinchev [115] discuss the issue of eliminability of
the infinitary rules in detail (cf. also [98] for more recent results on infinitary axiomatizations of
hybrid logics).

We now move into more expressive hybrid languages similar to those used by Prior and Bull. 
Chapter III of [115] is devoted to CDL, Combinatory Dynamic Logic which allows quantification 
over state variables. Interestingly, the authors seem to present CDL as an alternative to quantified 
modal logic, stating that replacing classical quantification (over the domains in each state of the 
model) by hybrid quantification (over the states themselves) leads to a better behaved system. 
While this is true, it also leads to a system which does not resemble quantified modal logic! In 
any case, it is interesting to see that, once nominals have been discovered, explicit quantification 
over states becomes a natural extension. 

The following complete axiomatization of CDL is given in [115]: 


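All axioms and rules of CPDL minus (R1), plus 
(A16) $\exists c.c$ 
(A17) $\forall c.\varphi \to \varphi[c/d]$ 
(A18) $\forall c.[\alpha]\varphi \to [\alpha]\forall c.\varphi$ for $c$ with no free occurrences in $\alpha$. 
(R5) If $\vdash \varphi$, then $\vdash \forall c.\varphi$. 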


The Sofia tradition in hybrid logics continues with the work of Goranko. In [72], Gargov and 
Goranko investigate the basic modal language extended first with nominals and the universal 
and existential modalities ($\mathcal{H}(\mathsf{E})$), and then with the difference operator D ($\mathcal{ML}(D)$)³. They 
prove that both languages are equivalent with respect to frame definability, and then provide 
characterizations of frame definability for these languages. 


² Actually, in [115], the infinitary version of (R1) “If $\vdash [\alpha]\neg i$ for all $i \in \mathsf{NOM}$ then $\vdash [\alpha]\bot$” is discussed, which is 
necessary for completeness in some extensions of CPDL. 
³ The semantic condition for the difference operator D is $\mathcal{M}, w \models D\varphi$ iff there is a $w' \neq w$ such that $\mathcal{M}, w' \models \varphi$. 

The work of Gargov and Goranko is historically relevant because, within the Sofia school, it 
marks the start of research on hybrid logics as such, and not as part of their research on exten- 
sions of PDL. Around the same time, but independently, Blackburn was studying simple hybrid 
languages over a Prior-style tense logic [21, 22]. These two lines of research can be considered 
the origins of the current perspective on hybrid logics. 

Goranko is also the first to investigate the $\downarrow$ binder in the context of hybrid logic. In [77], he 
extends the basic modal language with the universal modality and the $\downarrow$ binder with only a single 
state variable (though using a slightly different notation). Goranko provides an axiomatization 
for this logic, and illustrations of its high expressivity (sufficient, for example, to define Kamp’s 
$U(p, q)$ and $S(p, q)$ and Stavi’s $U'(p, q)$ and $S'(p, q)$ temporal operators and to simulate Prior’s 
instant variables), and shows that the satisfiability problem for this language is undecidable. 
He mentions in the same paper that introducing multiple state variables would be possible, and 
investigates the resulting language in more detail in [78]. 

In [79], Goranko uses hybrid binders to design CTL$_{rp}$ (CTL with reference pointers), a 
computation tree logic for finitely branching $\omega^*$-trees, and defines syntactic and semantic 
interpretations between CTL* and CTL$_{rp}$. In particular, this yields a complete axiomatization for the 
translations of all valid CTL*-formulas, a step forwards in the search for a complete direct 
axiomatization of CTL*, a long standing open problem finally solved in [121]. 

With this we conclude our (necessarily brief) overview of the work on hybrid logics done by 
the Sofia School. It is interesting to note that most of the languages studied by the Sofia school 
included the universal modality. In the following years and mainly through the work of Black- 
burn and Seligman, research in hybrid languages deals with, on the one hand, weak languages 
containing only nominals (e.g., [23, 33]) and, on the other hand, very expressive languages con- 
taining binders (e.g., [31, 35, 37]). 


2.3. Very Expressive Hybrid Languages 


In the mid-nineties, Blackburn and Seligman [31] studied a number of very expressive hybrid 
languages, obtained by means of various state variable binders. We will review a few of these 
binders here, most of which will not return in the remainder of the chapter. 

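Up to now, we have introduced two hybrid binders, the “classical” $\exists$ and the “more modal” 
$\downarrow$. Let us review their semantic definitions. Given a model $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$, an 
assignment $g$ in $\mathcal{M}$ and $m \in M$: 


$\mathcal{M}, g, m \models \exists x.\varphi$ iff $\mathcal{M}, g^x_{m'}, m \models \varphi$ for some $m' \in M$. 
$\mathcal{M}, g, m \models \downarrow x.\varphi$ iff $\mathcal{M}, g^x_m, m \models \varphi$. 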


Both quantifiers let us change the value assigned to x, without changing the point of evaluation. 
In [31] Blackburn and Seligman investigate two other binders which, besides changing the value 
of the bound variable, also change the point of evaluation: 


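$\mathcal{M}, g, m \models \Sigma x.\varphi$ iff $\mathcal{M}, g^x_{m'}, m' \models \varphi$ for some $m' \in M$. 
$\mathcal{M}, g, m \models \Downarrow x.\varphi$ iff $\mathcal{M}, g^x_m, m' \models \varphi$ for some $m' \in M$. 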


It is not hard to see that $\Sigma x.\varphi$ is equivalent to $\mathsf{E}\downarrow x.\varphi$, whereas $\Downarrow x.\varphi$ is equivalent to $\downarrow x.\mathsf{E}\varphi$. The 
Standard Translation (cf. Chapter 1 of this handbook) may be extended to these hybrid languages, 
in which case the appropriate clauses for these operators would be as follows (we provide also 
the clause for $\mathsf{E}$ for comparison): 


$ST_x(\mathsf{E}\varphi) = \exists z.ST_z(\varphi)$ ($z$ a variable not in $\varphi$) 

$ST_x(\exists y.\varphi) = \exists y.ST_x(\varphi)$ 

$ST_x(\downarrow y.\varphi) = \exists y.(y = x \wedge ST_x(\varphi))$ 

$ST_x(\Sigma y.\varphi) = \exists y.ST_y(\varphi)$ 

$ST_x(\Downarrow y.\varphi) = \exists z \exists y.(y = x \wedge ST_z(\varphi))$ ($z$ a variable not in $\varphi$). 


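The main result in [31] is that these binders form an expressive hierarchy. If we let $<$ stand for the 
relation “is strictly less expressive than” then we have that $\mathcal{H}(\downarrow) < \mathcal{H}(\exists) < \mathcal{H}(\Downarrow)$ and 
$\mathcal{H}(\mathsf{E}) < \mathcal{H}(\Sigma) < \mathcal{H}(\Downarrow)$. The expressivity inclusions are proved using the following equivalences: 


$\downarrow x.\varphi \equiv \exists x.(x \wedge \varphi)$ 

$\exists x.\varphi \equiv \Downarrow z.\Downarrow x.(z \wedge \varphi)$ ($z$ a variable not in $\varphi$) 

$\mathsf{E}\varphi \equiv \Sigma z.\varphi$ ($z$ a variable not in $\varphi$) 

$\Sigma x.\varphi \equiv \Downarrow z.\Downarrow x.(x \wedge \varphi)$ ($z$ a variable not in $\varphi$). 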


Moreover, the equivalence $\Downarrow x.\varphi \equiv \downarrow x.\mathsf{E}\varphi$ shows that $\mathcal{H}(\Downarrow) \leq \mathcal{H}(\downarrow, \mathsf{E})$ and hence any 
language containing an operator from each of the two “branches” in the hierarchy is expressively 
equivalent to $\mathcal{H}(\Downarrow)$. The strictness of the hierarchy is proved in [31] using different variants of 
bisimulations, preserving truth of formulas of the various languages. This paper also introduced 
so-called spypoint arguments, and used them to show that basic hybrid languages enriched with $\downarrow$ 
lack the finite model property and are undecidable. Spypoint arguments were later used to show 
a number of complexity and undecidability results in hybrid logic (see, in particular, [8]). 

In [141, 142], Tzakova explores some examples of very expressive hybrid languages with 
binding operators in more detail, both axiomatically and by means of tableaux systems. 

We turn now from motivation and historical remarks to recent developments and the current 
state of the field. 


3 MODEL THEORY 


Many different hybrid languages were introduced in the previous sections. In this section, we will 
discuss two languages in more detail, namely $\mathcal{H}(@)$ and $\mathcal{H}(@, \downarrow)$. These two hybrid languages 
have received most attention in recent literature, and the proofs of the results we will discuss can 
usually be adapted to other hybrid languages. 


3.1 Completeness 


One of the most important motivations for the study of hybrid logics has been that the addition 
of nominals to the modal language makes it possible to prove very general completeness results, 
using a straightforward adaptation of the Henkin construction for first-order logic. 


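DEFINITION 4. The logic $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$ is the smallest set of $\mathcal{H}(@, \downarrow)$ formulas that includes all 
axioms, and is closed under the rules, given in Figure 2. Given a set $\Sigma$ of $\mathcal{H}(@, \downarrow)$ formulas, 
$\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$ is the logic obtained by adding all formulas in $\Sigma$ as axioms to $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$, and closing 
again under the rules in Figure 2. Given a set of $\mathcal{H}(@)$-formulas $\Sigma$, $\mathbf{K}_{\mathcal{H}(@)}$ and $\mathbf{K}_{\mathcal{H}(@)} + \Sigma$ are 
defined analogously to $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$ and $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$, except without the DA axiom scheme (note that 
this is the only axiom or rule in which $\downarrow$ occurs). 

Axioms: 

(CT) All classical tautologies 
(K$_\Box$) $\vdash [R](\varphi \to \psi) \to [R]\varphi \to [R]\psi$ 
(K$_@$) $\vdash @_i(\varphi \to \psi) \to @_i\varphi \to @_i\psi$ 
(Selfdual$_@$) $\vdash @_i\varphi \leftrightarrow \neg @_i \neg\varphi$ 
(Ref$_@$) $\vdash @_i i$ 
(Agree) $\vdash @_i @_j \varphi \leftrightarrow @_j \varphi$ 
(Intro) $\vdash i \to (\varphi \leftrightarrow @_i \varphi)$ 
(Back) $\vdash \langle R \rangle @_i \varphi \to @_i \varphi$ 
(DA) $\vdash @_i(\downarrow x.\varphi \leftrightarrow \varphi[x/i])$ 

Rules: 

(MP) If $\vdash \varphi$ and $\vdash \varphi \to \psi$ then $\vdash \psi$ 
(Subst) If $\vdash \varphi$ then $\vdash \varphi^\sigma$, for $\sigma$ a substitution 
(Gen$_@$) If $\vdash \varphi$ then $\vdash @_i \varphi$ 
(Gen$_\Box$) If $\vdash \varphi$ then $\vdash [R]\varphi$ 
(Name) If $\vdash @_i \varphi$ and $i$ does not occur in $\varphi$, then $\vdash \varphi$ 
(BG) If $\vdash @_i \langle R \rangle j \to @_j \varphi$, $j \neq i$ and $j$ does not occur in $\varphi$, then $\vdash @_i [R] \varphi$ 


Figure 2. Axioms and rules for $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$ 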


One note should be made concerning the substitution rule (Subst). By this rule, one can not 
only replace propositional variables uniformly by arbitrary formulas, but one can also replace 
nominals uniformly by other nominals (note that substituting nominals by formulas does not 
preserve validity in general). 

We call an axiomatization complete with respect to a class of frames, if for all formulas $\varphi$ 
of the relevant language, $\varphi$ is derivable in the axiomatization iff $\varphi$ is valid on the given frame 
class. An axiomatization is strongly complete with respect to a frame class if for every set of 
formulas $\Sigma$ and formula $\varphi$ of the relevant language, $\Sigma \models \varphi$ iff there are $\psi_1, \ldots, \psi_n \in \Sigma$ such 
that $\psi_1 \wedge \cdots \wedge \psi_n \to \varphi$ is derivable. 

The following completeness result is taken from [34], but slight variations of it can be found 
already in [37]. Recall that a formula is pure if it contains no propositional variables (but may 
possibly contain nominals). 


THEOREM 5 (Pure completeness). 


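1. Let $\Sigma$ be any set of pure $\mathcal{H}(@)$-formulas. Then $\mathbf{K}_{\mathcal{H}(@)} + \Sigma$ is strongly complete for the 
class of frames defined by $\Sigma$. 


2. Let $\Sigma$ be any set of pure $\mathcal{H}(@, \downarrow)$-formulas. Then $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$ is strongly complete for 
the class of frames defined by $\Sigma$. 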


By the frame class defined by $\Sigma$, we mean the class of frames on which each formula in $\Sigma$ is valid. 
Many frame properties can be defined using pure hybrid formulas, including properties such as 
irreflexivity, that cannot be defined in the basic modal language. A precise characterization of 
frame properties definable by pure formulas will be given in Section 3.2. 

The proof of Theorem 5 trades heavily on the presence of the (Name) and (BG) rules. In [34], 
Blackburn and ten Cate show that, in the case of $\mathcal{H}(@, \downarrow)$, these rules (which are non-orthodox 
in the sense that they involve syntactic side conditions) can be replaced by 


(Name) $\vdash \downarrow s.(s \to \varphi) \to \varphi$, provided that $s$ does not occur in $\varphi$ 
(BG) $\vdash @_i [R] \downarrow s.@_i \langle R \rangle s$ 
(Gen) If $\vdash \varphi$ then $\vdash \downarrow s.\varphi$. 


and an axiomatization with only orthodox rules is obtained, for which Theorem 5 still holds. In 
the case of H(@), on the other hand, the (Name) and (BG) rule cannot be eliminated. More 
precisely, every axiomatization for H(@) that is complete for arbitrary pure extensions contains 
either infinitely many rules or rules with side conditions [34]. 

Part of the present section will be devoted to a proof of Theorem 5. However, before we start, 
we will mention some other, complementary completeness results. 

Theorem 5 resembles in spirit the Sahlqvist completeness theorem for modal logic (cf. Chap- 
ter 1 of this handbook). This raises the question of how pure formulas and Sahlqvist formulas 
relate, both in terms of expressive power and in terms of proof theoretic behaviour. As it turns 
out, for every modal Sahlqvist formula $\varphi$ there is a pure sentence $\psi$ of $\mathcal{H}(@, \downarrow)$ that defines the 
same frame class as $\varphi$, and, moreover, $\psi$ can be picked such that $\varphi \to \psi$ is provable in $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$.⁴ 
It follows from this observation that every extension of $\mathbf{K}_{\mathcal{H}(@,\downarrow)}$ with modal Sahlqvist axioms is 
complete. 

However, there are frame properties that can be defined by modal Sahlqvist formulas but not 
by pure $\mathcal{H}(@)$-formulas. For example, no set of pure $\mathcal{H}(@)$-formulas defines the same frame 
class as the modal Sahlqvist formula (CR) $\Diamond\Box p \to \Box\Diamond p$. This makes the following result, 
proved in [140], interesting. 


THEOREM 6 (Sahlqvist completeness). Let $\Sigma$ be any set of modal Sahlqvist formulas. Then 
$\mathbf{K}_{\mathcal{H}(@)} + \Sigma$ is strongly complete for the class of frames defined by $\Sigma$. 


Completeness does not hold for arbitrary combinations of pure formulas and modal Sahlqvist 
formulas. Consider the Sahlqvist axiom (CR) given above and the pure formula (NoGrid) O(i A 
Oj) — O(j — i). The incompleteness of Kya) + {(CR), (NoGrid)} is proved in [140] using 
a general frame argument. 

It should be noted that, when converse modalities are added to the language (as in the basic 
tense logic), modal Sahlqvist formulas can be translated into pure $\mathcal{H}(@)$ formulas. And, indeed, 
in this case axiomatizations combining pure formulas and modal Sahlqvist formulas are always 
strongly complete for the relevant frame class [80, 136]. 

There are a number of well known complete modal logics that cannot be axiomatized by means 
of Sahlqvist formulas, including PDL, GL and Grz. One might ask what happens when nominals 
and satisfaction operators are added to these logics. The following result, proved in [20, 136], 
provides a partial answer. It shows that, under certain conditions, a complete axiomatization of a 
modal logic can be turned into a complete axiomatization of the corresponding hybrid logic (in 
the language $\mathcal{H}(@)$). Recall that a modal logic has a master modality if there is a modality $[x]$ 
that satisfies the S4 axioms, such that $[x]p \to [R]p$ is derivable for all other modalities $[R]$ in the 
language (see also Chapters 2 and 4 of this handbook). Furthermore, recall the notion of admitting 
filtration defined in Chapter 3 of this handbook. Informally, a logic defined over a class of frames 
K admits filtration if each formula $\varphi$ can be associated with a set of formulas $\Sigma_\varphi$ (the “filtration 
set” of $\varphi$) such that for each model $\mathcal{M}$ based on a frame in K, and for each formula $\varphi$, there is a 
filtration of $\mathcal{M}$ over $\Sigma_\varphi$ of which the underlying frame is in K. 


⁴ This essentially follows from the proof by substitutions of the Sahlqvist correspondence theorem (cf. Chapter 1 of 
this handbook), since the substitutions used only involve a bounded form of quantification. See Section 3.2 for more 
information on the tight relationship between bounded quantification and $\mathcal{H}(@, \downarrow)$. 


THEOREM 7. Let $\Sigma$ be any set of modal formulas such that the modal logic $\mathbf{K} + \Sigma$ is complete, 
admits filtration and has a master modality. Then $\mathbf{K}_{\mathcal{H}(@)} + \Sigma$ is also complete. 


GL, Grz and PDL all meet the requirements of Theorem 7. Incidentally, a similar transfer result 
cannot exist for $\mathcal{H}(@, \downarrow)$. Indeed, the $\mathcal{H}(@, \downarrow)$-logic of the frame class defined by GL (i.e., the 
class of transitive and conversely well-founded frames) is not recursively axiomatizable [136]. 


We now prove Theorem 5 using a technique similar to that used in a standard, Henkin-style 
completeness proof for first-order logic [58]. The general argument runs as follows: we will 
show that every consistent set of formulas can be extended to a maximal consistent set satisfying 
certain properties. Next, we will construct out of each such maximal consistent set a model, 
whose domain consists of equivalence classes of nominals. Finally, we show that the constructed 
model satisfies the original set of formulas, and that the underlying frame satisfies the relevant 
frame conditions. 
The proof of the following lemma is straightforward. 


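LEMMA 8. The following formulas and rule are derivable in $\mathbf{K}_{\mathcal{H}(@)} + \Sigma$. 

1. $\vdash @_j k \to (@_j \varphi \leftrightarrow @_k \varphi)$ 

2. $\vdash @_j(\varphi_1 \wedge \varphi_2) \leftrightarrow @_j \varphi_1 \wedge @_j \varphi_2$ 

3. $\vdash @_j \neg\varphi \leftrightarrow \neg @_j \varphi$ 

4. $\vdash @_j @_k \varphi \to @_k \varphi$ 

5. $\vdash @_i \langle R \rangle k \wedge @_k \varphi \to @_i \langle R \rangle \varphi$ 

6. If $\vdash @_i \langle R \rangle j \wedge @_j \varphi \to \psi$ then $\vdash @_i \langle R \rangle \varphi \to \psi$, provided $i \neq j$ and $j$ does not occur in $\varphi$ 
or $\psi$. 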


We can now prove a Lindenbaum Lemma that shows how to extend any consistent set of formulas 
to a maximally consistent set, but in addition we will ensure that all diamonds are “witnessed” 
by nominals. 


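LEMMA 9. Every $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent set $\Gamma$ can be extended to a maximal 
$\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent set $\Gamma^+$ such that 


1. One of the elements of $\Gamma^+$ is a nominal; 

2. For all variables $x$, there is a nominal $i$ such that $@_i x \in \Gamma^+$; 

3. For all $@_i \langle R \rangle \varphi \in \Gamma^+$ there is a nominal $j$ such that $@_i \langle R \rangle j \in \Gamma^+$ and $@_j \varphi \in \Gamma^+$. 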


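Proof. By expanding the language with countably many nominals, we can ensure that there are 
infinitely many nominals that do not occur in $\Gamma$, while preserving consistency of $\Gamma$. Let $(i_n)_{n \in \mathbb{N}}$ 
be an enumeration of the nominals of the extended language, and let $(\varphi_n)_{n \in \mathbb{N}}$ be an enumeration 
of all $\mathcal{H}(@, \downarrow)$-formulas of the extended language. We will construct $\Gamma^+$ as the limit of an infinite 
sequence $\Gamma^0 \subseteq \Gamma^1 \subseteq \Gamma^2 \subseteq \cdots$. 

Let $\Gamma^0$ denote the set $\Gamma \cup \{i\} \cup \{@_{j_x} x \mid x \in \mathsf{VAR}\}$, where the new formulas use nominals not 
in $\Gamma$, and the $j_x$ are such that if $x$ and $y$ are different variables then also $j_x$ and $j_y$ are different. 
It is easy to see that $\Gamma^0$ is consistent. For example, the addition of $i$ cannot cause inconsistency 
because otherwise there are $\varphi_1, \ldots, \varphi_n \in \Gamma$ such that $\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} i \to \neg(\varphi_1 \wedge \cdots \wedge \varphi_n)$. By 
the (Gen$_@$) rule and the (K$_@$) axiom, it follows that $\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} @_i i \to @_i \neg(\varphi_1 \wedge \cdots \wedge \varphi_n)$. By 
the (Ref$_@$) axiom and the (MP) rule, $\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} @_i \neg(\varphi_1 \wedge \cdots \wedge \varphi_n)$, and hence, by the (Name) 
rule, $\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} \neg(\varphi_1 \wedge \cdots \wedge \varphi_n)$. But this contradicts the fact that $\Gamma$ is consistent. The case 
for the additional $@_{j_x} x$ formulas is similar. Notice that the set $\Gamma^0$ satisfies already conditions 1 
and 2 in the lemma. We only need to ensure condition 3. 

For $k \in \mathbb{N}$, define $\Gamma^{k+1}$ as follows: 


1. $\Gamma^{k+1} = \Gamma^k$ if $\Gamma^k \cup \{\varphi_k\}$ is $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-inconsistent, 
2. otherwise 

(a) $\Gamma^{k+1} = \Gamma^k \cup \{\varphi_k\}$ if $\varphi_k$ is not of the form $@_i \langle R \rangle \psi$. 

(b) $\Gamma^{k+1} = \Gamma^k \cup \{\varphi_k, @_i \langle R \rangle i_m, @_{i_m} \psi\}$ if $\varphi_k$ is of the form $@_i \langle R \rangle \psi$, where $i_m$ is the 
first nominal that does not occur in $\Gamma^k$ or $\varphi_k$. 


Each step preserves consistency: if $\Gamma^k$ is $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent, then so is $\Gamma^{k+1}$. The only 
non-trivial case is (2b), and we will prove that also in this case, consistency is preserved. 

Let $\Gamma^k \cup \{\varphi_k\}$ be $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent, let $\varphi_k$ be of the form $@_i \langle R \rangle \psi$, and suppose for the 
sake of contradiction that $\Gamma^{k+1} = \Gamma^k \cup \{\varphi_k, @_i \langle R \rangle i_m, @_{i_m} \psi\}$ is not $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent. 
Then there are $\psi_1, \ldots, \psi_n \in \Gamma^k$ such that 
$\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} (\varphi_k \wedge @_i \langle R \rangle i_m \wedge @_{i_m} \psi) \to \neg(\psi_1 \wedge \cdots \wedge \psi_n)$. 
It follows by the last clause of Lemma 8 that $\vdash_{\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma} \varphi_k \to \neg(\psi_1 \wedge \cdots \wedge \psi_n)$. 
But this contradicts the fact that $\Gamma^k \cup \{\varphi_k\}$ is $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent. We conclude that $\Gamma^{k+1}$ is 
consistent. 

Since $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistency is preserved at each stage, it follows that $\Gamma^+ = \bigcup_{n \in \mathbb{N}} \Gamma^n$ 
is $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent. It is easy to see that $\Gamma^+$ also satisfies the other requirements in 
Lemma 9. $\Box$ 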


We can proceed with the proof of Theorem 5. 


Proof of Theorem 5. We first treat the case of $\mathcal{H}(@, \downarrow)$. Let $\Gamma$ be a $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$ consistent 
set of $\mathcal{H}(@, \downarrow)$-formulas and $\Gamma^+$ a maximal $\mathbf{K}_{\mathcal{H}(@,\downarrow)} + \Sigma$-consistent set of $\mathcal{H}(@, \downarrow)$-formulas 
extending $\Gamma$, satisfying the conditions of Lemma 9. For $i \in \mathsf{NOM}$, let $[i] = \{j \mid @_i j \in \Gamma^+\}$. 

Define the hybrid model $\mathcal{M} = \langle W, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$, where $W = \{[i] \mid i$ is a nominal 
occurring in $\Gamma^+\}$, $R^{\mathcal{M}} = \{([i], [j]) \mid @_i \langle R \rangle j \in \Gamma^+\}$, $V(p) = \{[i] \mid @_i p \in \Gamma^+\}$ and $V(i) = \{[i]\}$. 
Define the valuation $g$ as $g(x) = [i]$ for $@_i x \in \Gamma^+$. Checking that the model and valuation 
that we obtain in this way are well defined is simple. 

Now, for all $\mathcal{H}(@, \downarrow)$-formulas $\varphi$ and nominals $j$, $\mathcal{M}, g, [j] \models \varphi$ iff $@_j \varphi \in \Gamma^+$. This 
truth lemma can be proved by a straightforward induction on $\varphi$, using the properties of $\Gamma^+$ 
and Lemma 8. For the inductive step for formulas of the form $\downarrow x.\psi$, we use the fact that $\Gamma^+$ 
contains all substitution instances of the (DA) axiom. 

It follows that $\mathcal{M}, g, [i] \models \Gamma^+$, for $i \in \Gamma^+$ (recall that one of the elements of $\Gamma^+$ is a 
nominal). Since $\mathcal{M}$ is a named model (i.e., every point is named by a nominal) and $\Gamma^+$ contains all 
substitution instances of elements of $\Sigma$, all formulas in $\Sigma$ are valid on the underlying frame of 
$\mathcal{M}$. We conclude that $\Gamma$ is satisfiable on the class of frames defined by $\Sigma$. 

For $\mathbf{K}_{\mathcal{H}(@)} + \Sigma$, the same argument applies. Note that the (DA) axiom was only used in the 
truth lemma, for the inductive step for formulas of the form $\downarrow x.\varphi$. 

In the above completeness proof, the role of the non-orthodox rules (Name) and (BG) is to ensure 
the existence of a named model. Named models have played a crucial role in the development of 
the model theory of hybrid languages. As we commented in Section 2.2, they were already used 
by the Sofia school in their axiomatic investigations for combinatory PDL. They are closely 
related to the notion of a discrete general frame, and to the work of Venema [144] on completeness 
for modal logics containing the difference operator D. 


3.2 Expressive Power and Characterization 


In this section, we investigate the expressive power of the hybrid languages $\mathcal{H}(@)$ and $\mathcal{H}(@, \downarrow)$, 
both on the level of models and on the level of frames, and we compare it to the basic modal 
language and the first-order correspondence language. For further details on the results discussed 
in this section see [8, 136]. 


Correspondence language and standard translations 


From the point of view of first-order logic, nominals are nothing more than constants: they 
designate elements of the domain of the model. The first-order correspondence language of 
hybrid logic is therefore most naturally defined as follows. 


DEFINITION 10. The first-order correspondence language for hybrid logic is the first-order 
language with equality that contains a unary predicate $P$ for each propositional variable $p \in \mathsf{PROP}$, 
a binary relation symbol for each modality $R \in \mathsf{REL}$ and a constant for each nominal 
$i \in \mathsf{NOM}$. 


Any hybrid model $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$ can be regarded as a model for the first-order 
correspondence language. The accessibility relations $R^{\mathcal{M}}$ are used to interpret the binary 
relation symbols, unary predicates are interpreted as the subsets that $V$ assigns to the corresponding 
propositional variables, and constants are interpreted as the worlds that the corresponding 
nominals name. In what follows, we will not distinguish between hybrid models and models for the 
first-order correspondence language, and we will use the notation $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$ 
for both. 

The Standard Translation from modal logic into the first-order correspondence language (cf. 
Chapter 1 of this handbook) can be extended to hybrid languages. The translation for the hybrid 
language $\mathcal{H}(\mathsf{E}, @, \downarrow)$ is given in Figure 3 (top part), where $s, t \in \mathsf{NOM} \cup \mathsf{SVAR}$, $p \in \mathsf{PROP}$, and 
$R \in \mathsf{REL}$. Here, we conveniently identify the state variables of hybrid logic with the variables 
of the first-order correspondence language. 


PROPOSITION 11 (ST preserves truth). For all hybrid formulas $\varphi$, hybrid models $\mathcal{M}$, states 
$w \in M$ and assignments $g$, $\mathcal{M}, g, w \models \varphi$ iff $\mathcal{M}, g^x_w \models ST_x(\varphi)$, where $x$ is a variable not 
occurring in $\varphi$. 


As it turns out, there is also a converse translation, mapping formulas of the first-order 
correspondence language to formulas of $\mathcal{H}(\mathsf{E}, @, \downarrow)$. It is given in the bottom part of Figure 3. 


PROPOSITION 12 (HT preserves truth). Let $\varphi$ be a formula of the first-order correspondence 
language. Then for every model $\mathcal{M}$, assignment $g$ and for any state $w$, $\mathcal{M}, g^x_w \models \varphi$ iff 
$\mathcal{M}, g, w \models \downarrow x.HT(\varphi)$. 

It follows that $\mathcal{H}(\mathsf{E}, @, \downarrow)$ is as expressive as the first-order correspondence language. In fact, 
the satisfaction operators can be defined in terms of $\mathsf{E}$ (namely, $@_i \varphi$ is equivalent to $\mathsf{E}(i \wedge \varphi)$), 
and therefore $\mathcal{H}(\mathsf{E}, \downarrow)$ is already as expressive as the first-order correspondence language⁵. This 
leaves the question open of what is the range of ST for languages weaker than $\mathcal{H}(\mathsf{E}, @, \downarrow)$, i.e., 
which formulas of the first-order correspondence language are (equivalent to) translations of 
formulas of these hybrid languages? We will discuss this issue in the next section. 


$ST_t(\top) = \top$ 
$ST_t(s) = (t = s)$ 
$ST_t(p) = P(t)$ 
$ST_t(\neg\varphi) = \neg ST_t(\varphi)$ 
$ST_t(\varphi \wedge \psi) = ST_t(\varphi) \wedge ST_t(\psi)$ 
$ST_t(\langle R \rangle \varphi) = \exists y(R(t, y) \wedge ST_y(\varphi))$ 
$ST_t(\mathsf{E}\varphi) = \exists y.ST_y(\varphi)$ 
$ST_t(@_s \varphi) = ST_s(\varphi)$ 
$ST_t(\downarrow x.\varphi) = \exists x.(x = t \wedge ST_t(\varphi))$ 

$HT(\top) = \top$ 
$HT(R(s, s')) = @_s \langle R \rangle s'$ 
$HT(P(s)) = @_s p$ 
$HT(s = t) = @_s t$ 
$HT(\neg\varphi) = \neg HT(\varphi)$ 
$HT(\varphi \wedge \psi) = HT(\varphi) \wedge HT(\psi)$ 
$HT(\exists x.\varphi) = \mathsf{E}\downarrow x.HT(\varphi)$ 


Figure 3. Standard Translation ST and Hybrid Translation HT 
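
The following Python sketch is an added example, not code from the handbook: it implements the ST clauses of Figure 3 for $\mathcal{H}(\mathsf{E}, @, \downarrow)$ together with hybrid and first-order satisfaction on a finite model, and checks Proposition 11 state by state. The tuple encoding of formulas, the function names and the three-state model are assumptions made for the illustration.

```python
from itertools import count

# Constructed sample model (not from the text): R is the path 0 -> 1 -> 2 with
# a loop on 2, p holds at 1 and 2, nominal i names state 0 and j names state 2.
MODEL = {
    "dom": {0, 1, 2},
    "rel": {"R": {(0, 1), (1, 2), (2, 2)}},
    "val": {"p": {1, 2}},
    "nom": {"i": 0, "j": 2},
}

def denote(M, g, s):
    """State denoted by a term s = ('nom', i) or ('var', x)."""
    return M["nom"][s[1]] if s[0] == "nom" else g[s[1]]

def sat(M, g, w, phi):
    """Hybrid satisfaction M, g, w |= phi for H(E, @, down-arrow)."""
    op = phi[0]
    if op == "top":
        return True
    if op in ("nom", "var"):      # a term holds exactly at the state it names
        return denote(M, g, phi) == w
    if op == "prop":
        return w in M["val"][phi[1]]
    if op == "not":
        return not sat(M, g, w, phi[1])
    if op == "and":
        return sat(M, g, w, phi[1]) and sat(M, g, w, phi[2])
    if op == "dia":               # <R>phi
        return any(sat(M, g, v, phi[2]) for (u, v) in M["rel"][phi[1]] if u == w)
    if op == "E":                 # phi holds somewhere in the model
        return any(sat(M, g, v, phi[1]) for v in M["dom"])
    if op == "at":                # @_s phi: evaluate at the state named by s
        return sat(M, g, denote(M, g, phi[1]), phi[2])
    if op == "down":              # bind the variable to the current state
        return sat(M, {**g, phi[1]: w}, w, phi[2])
    raise ValueError(f"unknown hybrid operator {op!r}")

def st(t, phi, fresh=None):
    """ST_t(phi), following the clauses of Figure 3; t is a term.

    Assumption: each state variable is bound at most once, and the names
    y0, y1, ... do not occur in phi, so the new quantifiers capture nothing.
    """
    if fresh is None:
        fresh = (("var", f"y{n}") for n in count())
    op = phi[0]
    if op == "top":
        return ("top",)
    if op in ("nom", "var"):
        return ("eq", t, phi)
    if op == "prop":
        return ("P", phi[1], t)
    if op == "not":
        return ("not", st(t, phi[1], fresh))
    if op == "and":
        return ("and", st(t, phi[1], fresh), st(t, phi[2], fresh))
    if op == "dia":
        y = next(fresh)
        return ("ex", y[1], ("and", ("R", phi[1], t, y), st(y, phi[2], fresh)))
    if op == "E":
        y = next(fresh)
        return ("ex", y[1], st(y, phi[1], fresh))
    if op == "at":
        return st(phi[1], phi[2], fresh)
    if op == "down":
        x = ("var", phi[1])
        return ("ex", phi[1], ("and", ("eq", x, t), st(t, phi[2], fresh)))
    raise ValueError(f"unknown hybrid operator {op!r}")

def fo_sat(M, g, f):
    """First-order satisfaction M, g |= f in the correspondence language."""
    op = f[0]
    if op == "top":
        return True
    if op == "eq":
        return denote(M, g, f[1]) == denote(M, g, f[2])
    if op == "P":
        return denote(M, g, f[2]) in M["val"][f[1]]
    if op == "R":
        return (denote(M, g, f[2]), denote(M, g, f[3])) in M["rel"][f[1]]
    if op == "not":
        return not fo_sat(M, g, f[1])
    if op == "and":
        return fo_sat(M, g, f[1]) and fo_sat(M, g, f[2])
    if op == "ex":
        return any(fo_sat(M, {**g, f[1]: d}, f[2]) for d in M["dom"])
    raise ValueError(f"unknown first-order operator {op!r}")

def agrees(M, phi, x="x0"):
    """Proposition 11 for a sentence phi: M,g,w |= phi iff M,g[x:=w] |= ST_x(phi)."""
    fo = st(("var", x), phi)
    return all(sat(M, {}, w, phi) == fo_sat(M, {x: w}, fo) for w in M["dom"])

X, I, J = ("var", "x"), ("nom", "i"), ("nom", "j")
SAMPLES = {  # constructed sentences: no free state variables
    "no_loop_here": ("down", "x", ("not", ("dia", "R", X))),
    "i_reaches_j_in_two": ("at", I, ("dia", "R", ("dia", "R", J))),
    "some_p_state_loops": ("E", ("and", ("prop", "p"),
                                 ("down", "y", ("dia", "R", ("var", "y"))))),
}

if __name__ == "__main__":
    for name, phi in SAMPLES.items():
        print(name, agrees(MODEL, phi), st(("var", "x0"), phi))
```

The sentence `no_loop_here` is the local form of irreflexivity: it holds at states 0 and 1 and fails at the looping state 2, and its translation is a first-order formula with the single free variable `x0`.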


Characterizing expressivity on models 


In this section, we address in detail the question of which formulas of the first-order correspon- 
dence language are equivalent to (standard translations of) hybrid formulas. 
First, let us generalize the notion of bisimulation to hybrid languages. 


DEFINITION 13. Let $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$ and $\mathcal{N} = \langle N, (S^{\mathcal{N}})_{S \in \mathsf{REL}}, U \rangle$ be hybrid 
models. A hybrid bisimulation between $\mathcal{M}$ and $\mathcal{N}$ is a non-empty binary relation $Z \subseteq M \times N$ 
such that the following clauses hold 


(atom) If $Z(m, n)$, then $m \in V(p)$ iff $n \in U(p)$, for $p \in \mathsf{PROP} \cup \mathsf{NOM}$. 

(nom) If $V(i) = \{m\}$ and $U(i) = \{n\}$ then $Z(m, n)$, for $i \in \mathsf{NOM}$. 

(forth) If $Z(m, n)$ and $R^{\mathcal{M}}(m, m')$, then there is an $n' \in N$ such that $S^{\mathcal{N}}(n, n')$ and $Z(m', n')$. 

(back) If $Z(m, n)$ and $S^{\mathcal{N}}(n, n')$, then there is an $m' \in M$ such that $R^{\mathcal{M}}(m, m')$ and $Z(m', n')$. 


A formula $\varphi(x_1, \ldots, x_n)$ of the first-order correspondence language is said to be invariant for 
bisimulations if for all bisimulations $Z$ between hybrid models $\mathcal{M}$ and $\mathcal{N}$ and for all assignments 
$g$ and $h$ with $Z(g(x_k), h(x_k))$ for $k = 1 \ldots n$, it is the case that $\mathcal{M}, g \models \varphi$ iff $\mathcal{N}, h \models \varphi$. 
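
Definition 13 can be checked mechanically on finite models. The Python below is an added example (not from the handbook) that computes the largest relation satisfying (atom), (forth) and (back) by refinement and then tests (nom) and non-emptiness. The dictionary encoding, the function names and the sample models are constructed for the illustration, and both models are assumed to interpret the same relation symbols and nominals.

```python
def atoms(M, w):
    """Propositional variables and nominals true at state w."""
    props = {("prop", p) for p, ext in M["val"].items() if w in ext}
    noms = {("nom", i) for i, named in M["nom"].items() if named == w}
    return props | noms

def succ(M, r, w):
    """r-successors of w in M."""
    return {v for (u, v) in M["rel"][r] if u == w}

def largest_hybrid_bisimulation(M, N):
    """Largest hybrid bisimulation between M and N, or None if there is none.

    Any hybrid bisimulation is contained in the greatest relation closed under
    (atom), (forth) and (back), so one exists iff that relation is non-empty
    and relates the two states named by each nominal, which is clause (nom).
    """
    # (atom): start from all pairs that agree on variables and nominals.
    Z = {(m, n) for m in M["dom"] for n in N["dom"] if atoms(M, m) == atoms(N, n)}
    changed = True
    while changed:
        changed = False
        for (m, n) in list(Z):
            forth = all(any((m2, n2) in Z for n2 in succ(N, r, n))
                        for r in M["rel"] for m2 in succ(M, r, m))
            back = all(any((m2, n2) in Z for m2 in succ(M, r, m))
                       for r in N["rel"] for n2 in succ(N, r, n))
            if not (forth and back):
                Z.discard((m, n))
                changed = True
    named = all((M["nom"][i], N["nom"][i]) in Z for i in M["nom"])
    return Z if Z and named else None

# Constructed sample models. A reflexive point and a two-cycle are bisimilar
# in the basic modal language (no variables, no nominals) ...
LOOP = {"dom": {"a"}, "rel": {"R": {("a", "a")}}, "val": {}, "nom": {}}
CYCLE = {"dom": {0, 1}, "rel": {"R": {(0, 1), (1, 0)}}, "val": {}, "nom": {}}
# ... but not once a nominal i names a state in each of them.
LOOP_I = {**LOOP, "nom": {"i": "a"}}
CYCLE_I = {**CYCLE, "nom": {"i": 0}}
# A named root followed by a loop versus a named root followed by a longer tail.
LASSO = {"dom": {"a", "b"}, "rel": {"R": {("a", "b"), ("b", "b")}},
         "val": {}, "nom": {"i": "a"}}
CHAIN = {"dom": {0, 1, 2}, "rel": {"R": {(0, 1), (1, 2), (2, 2)}},
         "val": {}, "nom": {"i": 0}}

if __name__ == "__main__":
    print(largest_hybrid_bisimulation(LOOP, CYCLE))
    print(largest_hybrid_bisimulation(LOOP_I, CYCLE_I))
    print(largest_hybrid_bisimulation(LASSO, CHAIN))
```

The pair `LOOP_I` / `CYCLE_I` is separated by the $\mathcal{H}(@)$-formula $@_i \langle R \rangle i$, so no hybrid bisimulation can exist between them, while the same frames without the nominal are bisimilar.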


⁵ A similar translation can be given for $\mathcal{H}(@, \forall)$, see [32]. 

THEOREM 14. A formula $\varphi$ of the first-order correspondence language with at most one free 
variable $x$ is equivalent to the standard translation of an $\mathcal{H}(@)$-formula iff $\varphi$ is invariant under 
hybrid bisimulations. 


The proof is a straightforward generalization of the one for the basic modal language. As a 
corollary of Theorem 14, we obtain the following syntactic characterization. 


COROLLARY 15. A formula $\varphi$ of the first-order correspondence language with at most one free 
variable $x$ is equivalent to the standard translation of an $\mathcal{H}(@)$-formula iff $\varphi$ is equivalent to a 
formula generated by the following recursive definition, where $t$ is a term (constant or variable), 
$c$ is a constant, and $x$ is a variable distinct from $t$: 


$\varphi ::= \top \mid P(t) \mid t = c \mid \neg\varphi \mid \varphi \wedge \psi \mid \exists x.(R(t, x) \wedge \varphi)$. 


Proof. One direction of the claim follows from the fact that $ST_x(\psi)$ is of the given form, for 
each $\mathcal{H}(@)$-formula $\psi$. As for the other direction, a straightforward induction shows that every 
first-order formula of the given form is invariant under hybrid bisimulations, and hence every 
such formula with at most one free variable is equivalent to (the standard translation of) an 
$\mathcal{H}(@)$-formula. $\Box$ 


Let us now consider the language $\mathcal{H}(@, \downarrow)$. First, we will give a syntactic characterization 
(see [8] for further details). Call a first-order formula bounded if it is built up from atomic 
formulas using the Boolean connectives and bounded quantification of the form $\exists x.(R(s, x) \wedge \cdot)$ 
or $\forall x.(R(s, x) \to \cdot)$, where $s$ is a term distinct from the variable $x$. 


THEOREM 16. A formula $\varphi$ of the first-order correspondence language with one free variable 
is equivalent to the standard translation of an $\mathcal{H}(@, \downarrow)$ sentence iff $\varphi$ is equivalent to a bounded 
formula. 


Proof. The standard translation of an $\mathcal{H}(@, \downarrow)$ sentence is always a bounded formula of the 
correspondence language. Conversely, we can extend the translation HT given in Figure 3 with 
the following clause for bounded quantification: 


$HT(\exists x.(R(s, x) \wedge \varphi)) = @_s \langle R \rangle \downarrow x.HT(\varphi)$. 


In this way, we obtain, for each bounded formula $\varphi$ of the first-order correspondence language, 
an $\mathcal{H}(@, \downarrow)$-formula $HT(\varphi)$. Moreover, a straightforward inductive argument shows that $HT(\varphi)$ 
is equivalent to $\varphi$, in the sense of Proposition 12. Recall that the formula $\varphi$ in the statement of 
the Theorem contains at most one free variable $x$, and let $\varphi'$ be any bounded formula equivalent 
to $\varphi$. It follows that $\varphi'$ (and hence $\varphi$) is equivalent to $ST_x(\downarrow x.HT(\varphi'))$. $\Box$ 


In other words, $\mathcal{H}(@, \downarrow)$ corresponds to the bounded fragment of first-order logic. By means of 
the notion of generated submodels, we can semantically characterize this fragment. 


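DEFINITION 17. Let $\mathcal{M} = \langle M, (R^{\mathcal{M}})_{R \in \mathsf{REL}}, V \rangle$ and $\mathcal{N} = \langle N, (R^{\mathcal{N}})_{R \in \mathsf{REL}}, V' \rangle$ be hybrid 
models. Then $\mathcal{N}$ is a generated submodel of $\mathcal{M}$ if $N \subseteq M$ and for all $w, v \in M$ and for any 
relation $R_i$, if $w \in N$ and $R_i^{\mathcal{M}}(w, v)$ then $v \in N$, while $R_i^{\mathcal{N}}$ and $V'$ are the restrictions of $R_i^{\mathcal{M}}$ 
and $V$ to $N$ respectively. A formula $\varphi$ is invariant for generated submodels if for all models 
$\mathcal{M}$, $\mathcal{N}$ such that $\mathcal{N}$ is a generated submodel of $\mathcal{M}$, and for all $\mathcal{N}$-assignments $g$, $\mathcal{M}, g \models \varphi$ 
if and only if $\mathcal{N}, g \models \varphi$. 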


THEOREM 18. A formula $\varphi$ of the first-order correspondence language is invariant under 
generated submodels iff $\varphi$ is equivalent to a bounded formula. 




Proof. Suppose a first-order formula $\varphi$ is invariant under generated submodels. For convenience, 
we assume that $\varphi$ is a sentence (free variables can be replaced by new constants). Let $c_1, \ldots, c_k$ 
be the constants and $R_1, \ldots, R_m$ be the binary relations occurring in $\varphi$, and let $P$ be a new unary 
predicate. We will use $R(s, t)$ as a shorthand for $\bigvee_{1 \leq i \leq m} R_i(s, t)$. Then the following holds: 


$\{\forall x (R^n(c_l, x) \to P(x)) \mid 1 \leq l \leq k \text{ and } n \in \mathbb{N}\} \models \varphi \leftrightarrow \varphi^P$, 


where $R^n(x, y)$ is a shorthand for a bounded formula which expresses that $y$ can be reached from 
$x$ in exactly $n$ steps along $R$ (i.e., $\exists x_1 (R(x, x_1) \wedge \exists x_2 (R(x_1, x_2) \wedge \cdots (\cdots \wedge x_n = y) \cdots ))$) and 
$\varphi^P$ is the result of relativising all quantifiers in $\varphi$ by $P$ (that is, $\exists x.\psi$ becomes $\exists x.(P(x) \wedge \psi)$ 
and $\forall x.\psi$ becomes $\forall x.(P(x) \to \psi)$). By compactness, it follows that there is an $m \in \mathbb{N}$ such 
that 


$\forall x \big( \big( \bigvee_{1 \leq l \leq k} R^{\leq m}(c_l, x) \big) \to P(x) \big) \models \varphi \leftrightarrow \varphi^P$. 


Let $\varphi'$ be the result of relativising all quantifiers in $\varphi$ by the formula $\bigvee_{1 \leq l \leq k} R^{\leq m}(c_l, x)$. It 
follows that $\models \varphi \leftrightarrow \varphi'$. Finally, $\varphi'$ is (modulo some simple syntactic manipulations) a bounded 
sentence. $\Box$ 


This result was first proved in the sixties by Feferman and Kreisel [60, 59], and was indepen- 
dently proved by Areces, Blackburn and Marx [8] in the context of hybrid logic. 

For any model $\mathcal{M}$ and world $w$, let $\mathcal{M}_w$ denote the smallest generated submodel of $\mathcal{M}$ 
containing $w$. In fact, it is easy to see that the domain of $\mathcal{M}_w$ contains precisely those worlds that are 
reachable in finitely many steps from $w$ or from a world named by a nominal. As a corollary of 
the above results, we know that $\mathcal{M}, w$ and $\mathcal{M}_w, w$ agree on all sentences of $\mathcal{H}(@, \downarrow)$. If we 
combine this with the fact that all first-order formulas are invariant under potential isomorphisms, we 
obtain the following: 


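PROPOSITION 19. Let $\mathcal{M}$ and $\mathcal{N}$ be models, with corresponding states $w, v$. If there is a 
potential isomorphism between $\mathcal{M}_w$ and $\mathcal{N}_v$ connecting $w$ to $v$, then $\mathcal{M}, w$ and $\mathcal{N}, v$ agree on 
all $\mathcal{H}(@, \downarrow)$-sentences. 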


While the converse does not hold in general, it does hold on $\omega$-saturated models. This means that 
“potential isomorphisms between point-generated submodels” capture $\mathcal{H}(@, \downarrow)$-indistinguishability 
in exactly the same way that potential isomorphisms capture first-order indistinguishability. 


Characterizing frame definability 


Given a set of hybrid formulas $\Sigma$, we say that the frame class defined by $\Sigma$ is the class of frames 
in which every formula of $\Sigma$ is valid. We say that a frame class is elementary (or first-order 
definable) if it is defined by a first-order sentence, in the language with equality and a relation 
symbol for each R € REL. The Goldblatt-Thomasson theorem tells us that an elementary frame 
class is definable by a set of formulas of the basic modal language iff the class is closed under 
disjoint unions, generated subframes, and bounded morphic images, and its complement is closed 
under ultrafilter extensions (see Chapter 5 of this handbook for this result and for a definition of 
the notions involved). In this section, we discuss analogues of this result for hybrid languages. 
Due to the increased expressivity of hybrid languages, frame classes definable by hybrid for- 
mulas are in general not closed under disjoint unions or bounded morphic images. For example, 
the class of irreflexive frames, which is not closed under bounded morphic images, is defined in 
H(@) by the formula i — i, and the class of frames that have exactly one element, which 
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is not closed under disjoint unions, is defined by the formula 7. Nevertheless, frame classes de- 
finable in H(@) are closed under generated subframes, and their complement is closed under 
ultrafilter extensions. In fact, a slightly stronger closure condition holds, involving a restricted 
form of bounded morphisms. 


DEFINITION 20. Let F and G be frames, and let ueG be an ultrafilter extension of G. G is an
ultrafilter morphic image of F if there is a surjective bounded morphism f : F → ueG such that
|f⁻¹(u)| = 1 for all principal ultrafilters u ∈ ueG.


Note first that whenever G is an ultrafilter morphic image of a frame F, ueG is a bounded morphic 
image of F. It follows that the validity of modal formulas is preserved under taking ultrafilter 
morphic images. Secondly, note that every frame is an ultrafilter morphic image of its ultrafil- 
ter extension. Hence, if a property of frames is preserved under ultrafilter morphic images, its 
complement is preserved under taking ultrafilter extensions. 


PROPOSITION 21. All frame classes definable by a set of H(@)-formulas are closed under 
taking ultrafilter morphic images. 


Proof. Let φ be an H(@)-formula, let f : F → ueG be a surjective ultrafilter morphism, and
suppose G ⊭ φ. We will show that F ⊭ φ.

Let V be a valuation and w a world such that (G, V), w ⊭ φ. Define the valuation V^ue on ueG
such that V^ue(p) = {u | V(p) ∈ u} for all propositional variables p and V^ue(i) = {u | V(i) ∈ u}
for all nominals i. It is easily seen that V^ue assigns to each nominal a singleton set consisting
of a principal ultrafilter, and hence V^ue is a well-defined hybrid valuation. Moreover, a standard
argument [28, Proposition 2.59] shows that for all worlds v and formulas ψ, (G, V), v ⊨ ψ
iff (ueG, V^ue), π_v ⊨ ψ, where π_v is the principal ultrafilter generated by v. It follows that
(ueG, V^ue), π_w ⊭ φ.

Next, define the valuation V′ for F such that V′(p) = {v | f(v) ∈ V^ue(p)} for all propositional
variables p and V′(i) = {v | f(v) ∈ V^ue(i)} for all nominals i. Since f is injective
on principal ultrafilters and nominals denote principal ultrafilters in ueG, V′(i) is a singleton
for all nominals i, and hence (F, V′) is a well-defined hybrid model. Furthermore, a standard
argument shows that (the graph of) f is a hybrid bisimulation between ueG and F. Since f is
surjective, there is a u ∈ F such that f(u) = π_w. By invariance under hybrid bisimulations,
(F, V′), u ⊭ φ, and hence F ⊭ φ. □


We can strengthen Proposition 21 to the following characterization of frame definability in
H(@) [136].


THEOREM 22. An elementary class of frames is definable by a set of H(@) formulas iff it is 
closed under taking ultrafilter morphic images and generated subframes. 


Proof. The easy direction is already discussed above: every frame class defined by a set of
H(@)-formulas is closed under taking ultrafilter morphic images and generated subframes. We
will now prove the hard direction. Let K be any elementary frame class closed under taking
ultrafilter morphic images and generated subframes, and let Th(K) be the set of H(@)-formulas
valid on K. To show that K is H(@)-definable, it suffices to show that Th(K) itself defines K.

Suppose that F ⊨ Th(K) for some frame F with domain W. For each subset A ⊆ W,
introduce a propositional variable p_A, and for each w ∈ W, introduce a nominal i_w.⁶ Let Δ be
the set consisting of the following formulas, for all A ⊆ W, v ∈ W and R ∈ REL.

    p_{−A} ↔ ¬p_A
    p_{A∩B} ↔ p_A ∧ p_B
    p_{R⁻¹(A)} ↔ ⟨R⟩p_A    where R⁻¹(A) = {w ∈ W | ∃v ∈ A such that wRv}
    i_v ↔ p_{{v}}.

Let Δ_F = {@_{i_v}[R_1]⋯[R_n]δ | v ∈ W, δ ∈ Δ, and R_1, …, R_n ∈ REL with n ∈ ℕ}.
Intuitively, Δ_F provides a full description of the frame F. Clearly, Δ_F is satisfiable on F under
the natural valuation that sends p_A to A and i_v to {v}. We claim that Δ_F is satisfiable on K.
By compactness (recall that K is elementary), it suffices to show that every finite conjunction δ
of elements of Δ_F is satisfiable on K. But this follows immediately: δ is satisfiable on F and
F ⊨ Th(K), hence ¬δ ∉ Th(K), i.e., δ is satisfiable on K.

Let (G, V) ⊨ Δ_F with G ∈ K. Since K is closed under generated subframes, we may assume
that G is generated by the set of points that are named by a nominal. It then follows that the model
(G, V) globally satisfies Δ. Let (G*, V*) be an ω-saturated elementary extension of (G, V) (such
elementary extensions are known to exist even in the case of uncountable vocabularies). By
elementarity, G* ∈ K and (G*, V*) globally satisfies Δ.

It can be shown that ueF is an ultrafilter morphic image of G*, where the ultrafilter morphism
f is given by f(v) = {A ⊆ W | (G*, V*), v ⊨ p_A}. See [136] for further details. Since K is
closed under ultrafilter morphic images, we conclude that F ∈ K. □

⁶ Technically, this might involve adding uncountably many propositional variables and nominals to the language.
However, this will not cause any problems below. Of course, individual formulas can only contain finitely many
propositional variables and nominals.


As we already discussed earlier, there is a particular interest in frame conditions definable by pure
formulas, since these immediately yield complete axiomatizations. It would be worth having a
characterization of the properties of frames that can be defined using pure formulas only. Details
for such results can be found in [136]; here we only state one theorem.


DEFINITION 23. We say that a bisimulation Z between frames F = (F, (R^F)_{R∈REL}) and
G = (G, (R^G)_{R∈REL}) respects a set X of elements of G if for all x ∈ X,

1. Z(w, x) and Z(v, x) implies w = v, and
2. Z(w, x) and Z(w, v) implies v = x.

A bisimulation system from F to G is a function f that assigns to each finite subset X ⊆ G a
total bisimulation f(X) ⊆ F × G respecting X.


THEOREM 24. A class of frames is defined by a pure H(@)-formula iff it is elementary and 
closed under taking images of bisimulation systems. 


An example of a frame condition that is not preserved under taking images of bisimulation sys- 
tems is the Church-Rosser property. 


PROPOSITION 25. The frame condition ∀xyz.(R(x, y) ∧ R(x, z) → ∃u.(R(y, u) ∧ R(z, u)))
is not preserved under images of bisimulation systems.


Proof. Consider the two frames F_1 = (F_1, R^{F_1}) and F_2 = (F_2, R^{F_2}) shown in Figure 4.
Notice that F_1 is identical to F_2, except for the additional point u (and its incoming and outgoing
arrows). For any finite set X ⊆ F_2, let f(X) = {(w, w) | w ∈ F_1} ∪ {(u, w_k), (u, v_l)}, for some
w_k, v_l ∉ X (note that such w_k and v_l always exist). As is not hard to see, f is a bisimulation
system. However, F_1 satisfies the frame condition, while F_2 does not. □

Figure 4. Church-Rosser is not definable by pure formulas


It follows that the Church-Rosser property cannot be defined by pure formulas of H(@). A
similar example of indefinability is the class of transitive and atomic frames (where atomicity
means that ∀x.∃y.(R(x, y) ∧ ∀z.(R(y, z) → z = y))). This class of frames is defined by the
modal formula (◇◇p → ◇p) ∧ (□◇p → ◇□p), but it cannot be defined by means of pure
H(@)-formulas, since it is not closed under images of bisimulation systems.

Finally, let us consider the language H(@, ↓). Interestingly, here the difference in frame
definable power between pure formulas and arbitrary formulas is much smaller. In fact, every
elementary frame property that can be defined by a set of H(@, ↓)-sentences can already be
defined by means of a single pure H(@, ↓)-sentence. A precise characterization is given in the
following theorem.


DEFINITION 26. A frame F is a finitely generated subframe of a frame G, if there is a finite set 
X of elements of the domain of G, such that F is the submodel of G generated by X (i.e., such 
that F is the smallest generated submodel of G whose domain contains all elements of X). 

We say that a frame class K reflects finitely generated subframes whenever it is the case for
all frames F that, if every finitely generated subframe of F is in K, then F ∈ K.


THEOREM 27. Let K be an elementary frame class. Then the following are equivalent:

1. K is defined by a set of H(@, ↓) sentences.
2. K is defined by a single pure H(@, ↓) sentence.
3. K is closed under taking generated subframes, and reflects finitely generated subframes.


This result can be extended to formulas containing only a limited number of nominals: let us say
that a frame class K reflects n-point generated subframes whenever it is the case for all frames
F that, if every subframe of F generated by at most n elements is in K, then F ∈ K. Then
Theorem 27 can be refined to the following result [8, 136].


THEOREM 28. Let K be an elementary frame class and n ∈ ℕ. Then the following are
equivalent:

1. K is defined by a set of H(@, ↓) sentences containing (all together) at most n nominals.
2. K is defined by a single pure H(@, ↓) sentence containing at most n nominals.
3. K is closed under taking generated subframes, and reflects (n + 1)-generated subframes.


| Language | Frame classes defined by arbitrary formulas | Frame classes defined by pure formulas |
|---|---|---|
| H | closed under ultrafilter morphic images, and if every point-generated subframe of a frame F is a proper generated subframe of a frame in the class, then F is in the class | closed under images of bisimulation systems, and if every point-generated subframe of a frame F is a proper generated subframe of a frame in the class, then F is in the class |
| H(@) | closed under ultrafilter morphic images and generated subframes | closed under images of bisimulation systems and generated subframes |
| H(E) | closed under ultrafilter morphic images | closed under images of bisimulation systems |
| H(@, ↓) | closed under generated subframes and reflecting finitely generated subframes | closed under generated subframes and reflecting finitely generated subframes |

Figure 5. Elementary frame classes definable in H, H(@), H(E) and H(@, ↓)


Note that every modally definable frame class is closed under generated subframes and reflects
point-generated subframes. It follows by the above result that every elementary modally definable
frame class (in particular, every frame class defined by a modal Sahlqvist formula), is
defined by a nominal-free pure sentence of H(@, ↓).

The most important results of this section are summarized in Figure 5 which also contains
analogous results for the languages H and H(E). Again, full details can be found in [136].


3.3. Interpolation and Beth Definability 


We will now turn to the properties of interpolation and Beth definability. The results in this 
section are mainly based on [8, 136]. 

Recall that the modal logic of a class of frames K has interpolation if whenever φ → ψ is valid
in K, then there exists a formula θ (called the interpolant) such that φ → θ and θ → ψ are valid
in K, and all propositional variables occurring in θ occur both in φ and in ψ.⁷ This definition
can be generalized to hybrid logics in two ways, depending on whether only the propositional
variables or also the nominals occurring in the interpolant are required to occur both in φ and
in ψ. We will say that a hybrid logic has interpolation over propositional variables or over
propositional variables and nominals to distinguish between these definitions.

The basic hybrid language H(@) lacks interpolation over propositional variables and nominals
[8], as can be seen by the valid implication i ∧ ◇i → (j → ◇j). An interpolant to this
implication (which should express that the actual world is related to itself) is not allowed to
contain any nominals. It is easily seen, using a bisimulation argument, that no such interpolant
exists. Interpolation over propositional variables does hold. In fact, it holds relative to many
frame classes [140, 136]:


THEOREM 29. H(@) has interpolation over propositional variables relative to any frame class
definable by a set of first-order universal Horn sentences.


⁷ This is sometimes called local interpolation or arrow interpolation, and in particular we are presenting it in its
semantic version. We will not discuss global interpolation.

For H(@, ↓), we have better results: it has interpolation over propositional variables and nominals
relative to many frame classes [8, 136]:


THEOREM 30. H(@, ↓) has interpolation over propositional variables and nominals relative
to any frame class definable by a set of nominal-free H(@, ↓) sentences. Moreover, H(@, ↓)
has interpolation over propositional variables relative to any frame class definable by a set of
H(@, ↓)-sentences (possibly containing nominals).


Theorem 30 covers many frame classes. Indeed, we saw in the previous section that every
modally definable elementary frame class can be defined by a nominal-free sentence of H(@, ↓).
It was shown in [30] that the interpolants can be effectively computed from a tableau proof (see
also Section 5.3).⁸ The interpolation algorithm presented in [30] is conservative: on purely modal
input it computes interpolants in which the hybrid syntactic machinery does not occur.

Given that H(@) lacks interpolation over propositional variables and nominals and H(@, ↓)
has it, and given that H(@, ↓) has an undecidable satisfiability problem (as we will see in the next
section), it is natural to ask whether there is any decidable hybrid language with interpolation
over propositional variables and nominals. The answer is negative [135]: every extension of the
minimal hybrid language H (satisfying certain regularity conditions such as allowing substitution
of one nominal by another) either lacks interpolation or is undecidable. Moreover, H(@, ↓) is the
least expressive extension of H(@) (satisfying the same regularity conditions) with interpolation
over propositional variables and nominals.

The following can be seen as a weak version of this result. The proof is illustrative. 


THEOREM 31. If H(@) has interpolation over propositional variables and nominals on a
frame class K, then H(@) is expressively complete for H(@, ↓) on K (i.e., for each formula
φ ∈ H(@, ↓), there exists a formula φ′ ∈ H(@) such that φ and φ′ are equivalent on K).


Proof. Assume that H(@) has interpolation over propositional variables and nominals on K. We
will show that every H(@, ↓) sentence φ is equivalent (on K) to an H(@)-formula, proceeding
by induction on the length of φ. The only interesting case here is when φ is of the form ↓x.ψ(x).
Let i and j be nominals not occurring in ↓x.ψ(x). By induction, we know that ψ(i) and ψ(j)
are equivalent to H(@)-formulas ψ′(i) and ψ′(j) respectively. Now, the following implication is
valid:

    K ⊨ i ∧ ψ′(i) → (j → ψ′(j)).

Any interpolant θ for this implication is equivalent to ↓x.ψ(x). For, consider any model M and
world w such that M, w ⊨ ↓x.ψ(x). Let M[i/w] be the model that differs from M only in the
fact that w is the denotation of i. Since i does not occur in ↓x.ψ(x), we have that M[i/w], w ⊨
↓x.ψ(x), hence M[i/w], w ⊨ i ∧ ψ(i). It follows that M[i/w], w ⊨ θ. Since i does not occur
in θ, it follows that M, w ⊨ θ. Conversely, suppose M, w ⊨ θ. Let M[j/w] be the model
that differs from M only in the fact that j denotes w. Since j does not occur in θ, we have that
M[j/w], w ⊨ θ. It follows that M[j/w], w ⊨ j → ψ(j), and hence M[j/w], w ⊨ ↓x.ψ(x).
Since j does not occur in ↓x.ψ(x), it follows that M, w ⊨ ↓x.ψ(x). □


To conclude our discussion on interpolation, we consider the notion of uniform interpolants. As
is discussed in Chapter 8 of this handbook, the modal logics K, S5, Grz and GL enjoy a very
special form of interpolation, called uniform interpolation. For any formula φ, let PROP(φ) be
the set of propositional variables occurring in φ. Then a modal logic has uniform interpolation
if for every formula φ and for any P ⊆ PROP(φ), there is a formula φ_P (called a uniform
interpolant) such that for any formula ψ, if PROP(ψ) ∩ PROP(φ) ⊆ P and φ → ψ is derivable,
then φ_P → ψ is derivable.


⁸ Theorem 30 is related to a result by Feferman and Kreisel [60, 59] who proved that the bounded fragment of
first-order logic has interpolation by means of a cut free sequent calculus.


846 Carlos Areces and Balder ten Cate

We can generalize the definition to hybrid logics, and say that a hybrid logic has uniform
interpolation over propositional variables if for every formula φ and for any P ⊆ PROP(φ),
there is a formula φ_P such that for any formula ψ, if PROP(ψ) ∩ PROP(φ) ⊆ P, and all
nominals occurring in ψ occur in φ, then φ → ψ is valid iff φ_P → ψ is valid. Note the
requirement imposed on nominals in this definition. It turns out that the H(@)-logics of the
frame classes corresponding to the modal logics K, S5, Grz and GL have uniform interpolation
over propositional variables [20, 136].

Finally, to close this section we turn to the Beth definability property. Recall that a logic is
said to have the Beth Definability property if, intuitively, every implicit definition can be made
explicit. More precisely, let Γ(p) be any set of formulas containing the propositional variable p
and possibly other propositional variables and nominals. Γ(p) defines p implicitly if in all models
in which both Γ(p) and Γ(p′) are true at every state, also p ↔ p′ is true at every state (here, p′ is
a propositional variable not occurring in Γ(p), and Γ(p′) is obtained from Γ(p) by replacing all
occurrences of p by p′). In other words, Γ(p) defines p implicitly if Γ(p) ∪ Γ(p′) ⊨^glo p ↔ p′,
where ⊨^glo denotes global entailment. The Beth property states that whenever Γ(p) defines p
implicitly, there exists a formula θ in which p does not occur, such that Γ(p) ⊨^glo p ↔ θ.⁹
Clearly, θ is an explicit definition of p, relative to the theory Γ(p).

The Beth definability property for a logic is typically established as a corollary of the inter- 
polation property for propositional variables. In particular, the following theorem can be shown 
using the above interpolation results. 


THEOREM 32. H(@, ↓) has the Beth definability property relative to any frame class defined
by a set of H(@, ↓) sentences, and H(@) has the Beth definability property relative to any frame
class defined by a set of first-order universal Horn formulas.


Surprisingly, the minimal hybrid language H lacks the Beth property relative to the class of 
all frames [20]. 


4 DECIDABILITY AND COMPLEXITY 


In this section, we will review the complexity of the satisfiability problem for various hybrid
logics. First, let us consider the language H(@). We start with some good news: the satisfiability
problem of H(@) is PSPACE-complete [6]. We provide a game-based argument for the upper
bound.


THEOREM 33. H(@)-satisfiability on the class of all frames is PSPACE-complete. 


⁹ This is sometimes called the global Beth property. We will not discuss the local Beth property here.


Proof. We only discuss the mono-modal case (the multi-modal case is a simple extension).
The lower bound follows from the PSPACE-hardness of classical modal logic. We show the
upper bound by defining, given a formula φ, the notion of a φ-game between two players. We
will show that the existential player has a winning strategy for the φ-game iff φ is satisfiable.
Moreover, every φ-game stops after at most as many rounds as the modal depth of φ and the
information on the playing board is polynomial in the length of φ. This implies that a PSPACE
algorithm exists. Fix a formula φ and let d be the number of different nominals appearing in
φ. A φ-Hintikka set is a maximal consistent set of subformulas of φ. We denote the set of
subformulas of φ by SF(φ). The φ-game is played as follows. There are two players, ∀belard
(male) and ∃loise (female). She starts the game by playing a collection {X_0, …, X_l}, l ≤ d
of Hintikka sets and specifying a relation R on them. ∃loise loses immediately if one of the
following conditions is false:

1. X_0 contains φ, and all others X_l contain at least one nominal occurring in φ.
2. no nominal occurs in two different Hintikka sets.
3. for all X_l, for all @_iψ ∈ SF(φ), @_iψ ∈ X_l iff {i, ψ} ⊆ X_k, for some k.
4. for all ◇ψ ∈ SF(φ), if R(X_l, X_k) and ◇ψ ∉ X_l, then ψ ∉ X_k.

Now ∀belard may choose an X_l and a “defect-formula” ◇ψ ∈ X_l. ∃loise must respond with a
Hintikka set Y such that

1. ψ ∈ Y and for all ◇θ ∈ SF(φ), ◇θ ∉ X_l implies that θ ∉ Y.
2. for all @_iψ ∈ SF(φ), @_iψ ∈ Y iff {i, ψ} ⊆ X_k, for some k.
3. if i ∈ Y for some nominal i, then Y is one of the Hintikka sets she played at the start. In
   this case the game stops and ∃loise wins.


If ∃loise cannot find a suitable Y, the game stops and ∀belard wins. If ∃loise does find a suitable
Y (one that is not covered by the halting clause in item (3) above) then Y is added to the list
of played sets, and play continues. ∀belard must now choose a defect ◇ψ from the last played
Hintikka set with the following restriction: in round r he can only choose defects ◇ψ such that
the modal depth of ◇ψ is less than or equal to the modal depth of φ minus r. ∃loise must respond
as before. She wins if she can survive all his challenges (in other words, he loses if he reaches a
situation where he cannot choose any more defects).

The φ-game stops after at most modal depth of φ many rounds. The information on the board
is at any stage of the game polynomial in the length of φ. We claim that ∃loise has a winning
strategy iff φ is satisfiable.

The right-to-left direction is clear: ∃loise has a winning strategy if φ is satisfiable, for she
need simply play by reading the required Hintikka sets off the model. For the other direction,
suppose ∃loise has a winning strategy for the φ-game. We create a model M for φ as follows.
The domain M is built in steps by following her winning strategy. M_0 consists of her initial
move {X_0, …, X_n}. Suppose M_j is defined. Then M_{j+1} consists of a copy of those Hintikka
sets she plays when using her winning strategy for each of ∀belard’s possible moves played in
the Hintikka sets from M_j (except when she plays a Hintikka set from her initial move, then of
course we do not make a copy). Let M be the disjoint union of all M_j for j smaller than the
modal depth of φ. Set R(m, m′) iff for all ◇ψ ∈ SF(φ), ◇ψ ∉ m ⇒ ψ ∉ m′ holds, and set
V(p) = {m ∈ M | p ∈ m}. The rules of the game guarantee that nominals are interpreted as
singletons.

We claim that the following truth-lemma holds. For all m ∈ M which she plays in round j
(i.e., m ∈ M_j), for all ψ of modal depth less than or equal to the modal depth of φ minus j,
M, m ⊨ ψ if and only if ψ ∈ m. We only discuss the case of ◇. If ◇ψ ∈ m, then ∀belard
challenged this defect, so ∃loise could respond with an m′ containing ψ. Since for all ◇ψ ∈
SF(φ), ◇ψ ∉ m ⇒ ψ ∉ m′ holds, we have R(m, m′) and by induction hypothesis M, m ⊨
◇ψ. If ◇ψ ∉ m but R(m, m′) holds, then by our definition of R, ψ ∉ m′, so again M, m ⊭
◇ψ. Since ∃loise plays a Hintikka set containing φ in the first round, M satisfies φ. □


Since satisfiability of basic modal formulas on the class of all frames is already PSPACE-complete, 
we can conclude that, in this case, the addition of nominals does not increase the complexity of 
the satisfiability problem (up to a polynomial). This is not always the case: 


PROPOSITION 34. H-satisfiability on the class of symmetric frames is EXPTIME-complete.

Proof. For any modal formula φ, let φ′ = i ∧ ◇¬i ∧ □□◇i ∧ □(¬i → φ^{¬i}), where i is any
nominal and φ^{¬i} is obtained from φ by relativising all modalities with ¬i (that is, ◇ψ becomes
◇(¬i ∧ ψ) and □ψ becomes □(¬i → ψ)). It can be easily seen that if φ′ holds at a world w
in a symmetric model M then φ holds globally in the submodel of M generated by w, minus
the world w itself. Conversely, a symmetric model on which φ holds globally can easily be
turned into a model for φ′. It follows that, on symmetric frames, φ′ is satisfiable iff φ is globally
satisfiable.

The global satisfiability problem for modal formulas on the class of symmetric frames is
known to be EXPTIME-complete [50]. Hence, the satisfiability problem for H on the class of
symmetric frames is EXPTIME-hard. That the problem is inside EXPTIME will follow from
Theorem 39. □
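The reduction used in the proof of Proposition 34 can be checked mechanically on small models. The following is an added example, not code from the handbook: it builds φ′ = i ∧ ◇¬i ∧ □□◇i ∧ □(¬i → φ^{¬i}) and verifies both directions of the argument by brute force. The tuple encoding of formulas, all function names, and the choice to make the added spy point reflexive and adjacent to every world are assumptions of the example.

```python
from itertools import combinations, product

# Formulas are nested tuples: ("p", name), ("nom", name), ("not", f),
# ("and", f, g), ("imp", f, g), ("dia", f), ("box", f).
# A model is (worlds, R, V, N): R is a set of pairs, V maps proposition
# letters to sets of worlds, N maps each nominal to the one world it names.

def holds(model, w, f):
    """Truth of formula f at world w."""
    worlds, R, V, N = model
    op = f[0]
    if op == "p":
        return w in V.get(f[1], set())
    if op == "nom":
        return N[f[1]] == w
    if op == "not":
        return not holds(model, w, f[1])
    if op == "and":
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if op == "imp":
        return (not holds(model, w, f[1])) or holds(model, w, f[2])
    succ = [v for v in worlds if (w, v) in R]
    if op == "dia":
        return any(holds(model, v, f[1]) for v in succ)
    if op == "box":
        return all(holds(model, v, f[1]) for v in succ)
    raise ValueError(f"unknown operator {op!r}")

def relativise(f, i="i"):
    """phi^{not i}: every modality only looks at worlds where i is false."""
    not_i = ("not", ("nom", i))
    op = f[0]
    if op in ("p", "nom"):
        return f
    if op == "dia":
        return ("dia", ("and", not_i, relativise(f[1], i)))
    if op == "box":
        return ("box", ("imp", not_i, relativise(f[1], i)))
    return (op,) + tuple(relativise(g, i) for g in f[1:])

def spy_formula(f, i="i"):
    """phi' = i & <>~i & [][]<>i & [](~i -> phi^{~i})."""
    nom, not_i = ("nom", i), ("not", ("nom", i))
    out = nom
    for part in (("dia", not_i),
                 ("box", ("box", ("dia", nom))),
                 ("box", ("imp", not_i, relativise(f, i)))):
        out = ("and", out, part)
    return out

def symmetric_relations(worlds):
    """Every symmetric relation on `worlds`, loops allowed."""
    edges = [(a, b) for a in worlds for b in worlds if a <= b]
    for k in range(len(edges) + 1):
        for chosen in combinations(edges, k):
            yield {(a, b) for a, b in chosen} | {(b, a) for a, b in chosen}

def reachable(worlds, R, start):
    """Worlds reachable from `start` in finitely many steps (start included)."""
    seen, todo = {start}, [start]
    while todo:
        w = todo.pop()
        for v in worlds:
            if (w, v) in R and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def check_forward(phi, n=3):
    """On every symmetric model with n worlds: if phi' holds at the world w
    named by i, then phi holds globally on the generated submodel minus w.
    Returns (claim_held, number_of_models_satisfying_phi')."""
    worlds, w, checked = list(range(n)), 0, 0
    for R in symmetric_relations(worlds):
        for bits in product([False, True], repeat=n):
            V = {"p": {x for x in worlds if bits[x]}}
            if not holds((worlds, R, V, {"i": w}), w, spy_formula(phi)):
                continue
            rest = sorted(reachable(worlds, R, w) - {w})
            sub_R = {(a, b) for a, b in R if a in rest and b in rest}
            if not all(holds((rest, sub_R, V, {}), x, phi) for x in rest):
                return False, checked
            checked += 1
    return True, checked

def add_spy(model, i="i"):
    """Converse direction: add a reflexive spy point adjacent to every world."""
    worlds, R, V, _ = model
    s = "spy"
    R2 = set(R) | {(s, s)} | {(s, x) for x in worlds} | {(x, s) for x in worlds}
    return (list(worlds) + [s], R2, V, {i: s}), s
```

`check_forward` enumerates all 512 symmetric models on three worlds with a single proposition letter p, so it only accepts formulas over p; `add_spy` expects a model whose own worlds are not named "spy".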


Note that the proof uses only a single nominal. The satisfiability problem for the modal logic of 
the class of symmetric frames, KB, is only PSPACE-complete [50]. Hence, assuming PSPACE
≠ EXPTIME, adding a single nominal already makes the satisfiability problem more complex.
A similar blowup holds for tense logic: the satisfiability problem of the basic temporal logic is 
PSPACE, but the addition of a single nominal moves the complexity to EXPTIME. The complex- 
ity drops though when considering linear or branching time models (to NP-complete in the first 
case and to PSPACE-complete in the second) [7, 110]. 

Adding nominals can even result in logics that are undecidable and lack the finite model
property, as was first observed in the context of description logics [100, 103]. The example
below is taken from [20]. Consider the bi-modal language with modalities ⟨R1⟩ and ⟨R2⟩, and
let KB23 be the frame class defined by the following modal Sahlqvist formulas:

    ⋀_{1≤k≤3} ⟨R1⟩p_k → ⋁_{1≤k<l≤3} ⟨R1⟩(p_k ∧ p_l)            (at most 2 R1-successors)
    ⋀_{1≤k≤4} ⟨R1⟩⟨R1⟩p_k → ⋁_{1≤k<l≤4} ⟨R1⟩⟨R1⟩(p_k ∧ p_l)    (at most 3 two-step R1-successors)
    p → [R2]⟨R2⟩p                                              (R2 is symmetric).


PROPOSITION 35. The modal logic of KB23 has the finite model property and is decidable. 


Proof. First, consider the mono-modal logic axiomatized by the first two axioms. This logic is 
complete for a class of frames that is closed under taking subframes, and it has the bounded width 
property: no point has more than two successors. It follows that this logic has the finite model 
property and is decidable. Second, consider the mono-modal logic given by the last axiom. This 
logic, which is complete for the class of symmetric frames, has the finite model property [49] and 
its satisfiability problem is complete for PSPACE [50]. Since decidability and the finite model 
property are preserved under taking fusions [69], the result follows. □


PROPOSITION 36. The H-logic of KB23 is undecidable and lacks the finite model property. 
Proof. For any mono-modal formula φ with modality ⟨R1⟩, let φ′ = i ∧ ⟨R2⟩¬i ∧ [R2][R1]⟨R2⟩i ∧
[R2](¬i → φ^{¬i}). Here again φ^{¬i} is obtained from φ by relativising all modalities with ¬i as
above. By the same argument as in the proof of Proposition 34, φ′ is satisfiable on KB23 iff φ
is globally satisfiable on the class of (mono-modal) frames in which each point has at most two
successors and at most three two-step successors. Global satisfiability of modal formulas on the
latter frame class is undecidable [133]. It follows that the H-logic of KB23 is also undecidable,
and hence, since it is recursively enumerable (as follows from the elementarity of KB23), it lacks
the finite model property. □


Next, let us consider the language H(@, ↓). As was observed in [6], H(@, ↓) is a conservative
reduction class of first-order logic. Following [39], we call a fragment of first-order logic
a conservative reduction class if there is a computable translation τ mapping first-order formulas
to formulas in the fragment, such that for all formulas α, τ(α) is satisfiable iff α is, and
τ(α) has a finite model iff α has. Every conservative reduction class has an undecidable (in
fact Π⁰₁-complete) satisfiability problem, as well as an undecidable (in fact Σ⁰₁-complete) finite
satisfiability problem [39].


THEOREM 37. H(@, ↓) is a conservative reduction class.

Proof. The class of first-order formulas with equality in a single binary relation is known to be
a conservative reduction class [39]. Now, consider the following translation from this first-order
language to H(@, ↓), where i is a fixed nominal:

    (x = y)* = @_x y
    (¬φ)* = ¬φ*
    (φ ∧ ψ)* = φ* ∧ ψ*
    (∃x.φ)* = @_i⟨R⟩↓x.(φ*).

Clearly, (·)* is a computable function. Moreover, a first-order sentence φ is satisfiable (in a finite
model) iff φ* is satisfiable (in a finite model). First, suppose M ⊨ φ. Let M′ be the model
obtained from M by adding a new state w, labelled with nominal i, extending the relation R
such that (w, v) ∈ R for all states v in the domain of M. Then, clearly, M′ ⊨ φ*. Moreover,
M′ is finite if M is. Conversely, suppose M, w ⊨ φ*. Let v be the state in M labelled by
the nominal i, and let M′ be the submodel of M whose domain consists of all successors of v.
Then, clearly, M′ ⊨ φ. Moreover, M′ is finite if M is. □


Even though the satisfiability problem for H(@, ↓) is undecidable, in certain cases H(@, ↓) is
still computationally more attractive than the full first-order language. For instance, the
satisfiability problem for H(@, ↓) becomes decidable if we restrict the out-degree of the nodes in
the model [139]. Figure 6 lists the results for mono-modal formulas. Here, for a given κ, we
consider the class of frames where every node has strictly less than κ successors. In particular, if
κ = ω, then each state can only have finitely many successors, and if κ = 1, the relation is the
empty relation.

The undecidability of H(@, ↓) does not depend on the presence of nominals or propositional
variables: even without these, the satisfiability problem is undecidable. Similarly, the
undecidability does not depend on nested occurrences of ↓. One successful way to syntactically restrict
the language in order to obtain decidability, is to restrict the interaction between ↓ and the
modalities [105, 139]. In particular, it was proved in [139] that decidability is regained when formulas
of the form ⋯□(⋯↓x.(⋯□⋯)⋯)⋯ are excluded. In other words, the undecidability of
H(@, ↓) is caused by formulas that, when put in negation normal form, contain a ↓-binder that is
both in the scope of a box operator and that contains in its scope a box operator. This result was
shown to be tight [139].


| Nr. of successors | H(@, ↓) | First-order correspondence language |
|---|---|---|
| κ = 1 | NP-complete | NEXPTIME-complete |
| κ = 2 | NP-complete | Non-elementary decidable |
| 3 ≤ κ < ω | NEXPTIME-complete | Π⁰₁-complete (co-r.e., not decidable) |
| κ = ω | Σ⁰₁-complete (r.e., not decidable) | Σ¹₁-complete (highly undecidable) |
| κ > ω | Π⁰₁-complete (co-r.e., not decidable) | Π⁰₁-complete (co-r.e., not decidable) |

Figure 6. Complexity of the satisfiability problem on mono-modal models with bounded out-degree


To round off this section, we will discuss two useful complexity results that can be used to prove
upper bounds for the complexity of various hybrid logics: the loosely ∀-bounded fragment with
constants and the hybrid μ-calculus.

Consider any first-order language not containing function symbols, but possibly containing
constants. A formula of such a language is called loosely ∀-guarded if it is built up from possibly
negated atomic formulas using conjunction, disjunction, existential quantification and loosely
guarded universal quantification, i.e., universal quantification of the form ∀x̄(φ → ψ), where x̄
is a sequence of variables and φ is an atomic formula containing all free variables of ψ.


THEOREM 38 ([82, 138]). The satisfiability problem for loosely V-guarded first-order formulas 
is 2EXPTIME-complete. It is EXPTIME-complete when there is a uniform bound on the number 
of variables occurring in the formula (but not necessarily on the number of constants). 


Many hybrid logics can be translated into the loosely V-guarded fragment using only a limited 
number of variables. For such logics, Theorem 38 provides an EXPTIME upper bound. 

The hybrid μ-calculus [124] extends the modal μ-calculus (cf. Chapter 12 of this handbook)
with nominals, converse operators and the universal modality. It expressively subsumes
many propositional dynamic and temporal logics, such as (hybrid) PDL and CTL. Sattler and
Vardi [124] showed by means of automata that the satisfiability problem for the hybrid μ-calculus
is EXPTIME-complete. Besides the fact that this result singles out a very expressive hybrid
language that is still decidable in EXPTIME, it is interesting because the proof is based on tree
automata. For any formula φ, an automaton A_φ on infinite trees is given that accepts precisely
the “tree models” of φ. Checking whether φ is satisfiable then reduces to solving the emptiness
problem for A_φ. The catch, in the case of the hybrid μ-calculus, is that the standard tree model
property fails for this language. The key idea in the proof is that a model of a hybrid μ-formula
φ can be transformed into a forest by properly choosing points to witness diamond formulas.
See [124] for details.

Below, we will give instead an alternative proof by providing a polynomial time satisfiability
preserving translation of the full hybrid μ-calculus into its nominal-free fragment. But first,
let us review the syntax and semantics of the language. The hybrid μ-calculus makes use of
set variables, which we will write as x, y, ..., and which should not be confused with the state
variables of hybrid languages such as H(@,↓). The syntax is defined by the following inductive
definition¹⁰:

φ ::= p | i | x | ¬φ | φ ∧ ψ | ⟨R⟩φ | ⟨R⁻¹⟩φ | Eφ | μx.φ,

where p ∈ PROP, i ∈ NOM, R ∈ REL and where x is a set variable occurring only positively in
φ (i.e., under an even number of negation signs). Since the language contains set variables, the
semantics is defined with the help of assignments. Here, an assignment will be a function g that
assigns to each set variable a subset of the domain of the model. The semantics, then, is given by
the following truth definition.


M, g, w ⊨ p          iff  w ∈ V(p) for p ∈ PROP ∪ NOM
M, g, w ⊨ x          iff  w ∈ g(x)
M, g, w ⊨ ¬φ         iff  M, g, w ⊭ φ
M, g, w ⊨ φ ∧ ψ      iff  M, g, w ⊨ φ and M, g, w ⊨ ψ
M, g, w ⊨ ⟨R⟩φ       iff  there is a v ∈ W such that R(w, v) and M, g, v ⊨ φ
M, g, w ⊨ ⟨R⁻¹⟩φ     iff  there is a v ∈ W such that R(v, w) and M, g, v ⊨ φ
M, g, w ⊨ Eφ         iff  there is a v ∈ W such that M, g, v ⊨ φ
M, g, w ⊨ μx.φ       iff  for all W′ ⊆ W, if {v ∈ W | M, g[x ↦ W′], v ⊨ φ} ⊆ W′ then w ∈ W′.


THEOREM 39 ([124]). The satisfiability problem for the hybrid μ-calculus is EXPTIME-complete.


Proof. We define a polynomial time satisfiability preserving translation from the full hybrid
μ-calculus to its nominal-free fragment, i.e., the modal μ-calculus with converse operators and
the existential modality. Since the latter language is EXPTIME-complete [143, 48], the result
follows.

Consider any formula φ of the hybrid μ-calculus containing nominals i_1, ..., i_n. For each
nominal i_k, introduce a new distinct propositional variable q_k. In the translation we will define,
each nominal will be uniformly replaced by the corresponding propositional variable. Clearly,
we cannot force these propositional variables to denote singleton sets. We can, however, ensure
that the formula in question does not distinguish between states named by the same nominal.
To this end, we will use ⟨≡⟩ψ as a shorthand for the formula μx.(ψ ∨ ⋁_{k≤n}(q_k ∧ E(q_k ∧ x))),
which says that ψ holds either at the current state, or at a state satisfying the same nominal as the
current state, or in general at any state reachable from the current world in finitely many steps
along the “satisfies the same nominal” relation. Now, define φ* inductively, as follows:


(i_k)*      = ⟨≡⟩q_k
p*          = ⟨≡⟩p
x*          = ⟨≡⟩x
(¬φ)*       = ¬φ*
(φ ∧ ψ)*    = φ* ∧ ψ*
(⟨R⟩φ)*     = ⟨≡⟩⟨R⟩⟨≡⟩φ*
(⟨R⁻¹⟩φ)*   = ⟨≡⟩⟨R⁻¹⟩⟨≡⟩φ*
(Eφ)*       = Eφ*
(μx.φ)*     = μx.φ*


Finally, let φ⁺ = φ* ∧ ⋀_{k≤n} Eq_k. Note that φ⁺ does not contain any nominals, and is only
polynomially longer than φ. We will now show that φ and φ⁺ are equi-satisfiable. One direction
is trivial: if M, w ⊨ φ, then, assigning to each q_k the same (singleton) denotation as i_k, we
obtain that M, w ⊨ φ⁺ (note that, in this case, ≡ is the identity relation). Conversely, suppose
M, w ⊨ φ⁺, with M = (W, (R^M)_{R∈REL}, V). Let ≡ be the smallest equivalence relation on W
such that v ≡ u whenever v and u both satisfy q_k for some k ≤ n. Let
M′ = (W/≡, (R^{M′})_{R∈REL}, V′), where W/≡ is the set of ≡-equivalence classes of W,


R^{M′}([v], [u])  iff  there are v′ ∈ [v] and u′ ∈ [u] such that R^M(v′, u′),
[v] ∈ V′(p)       iff  there is a v′ ∈ [v] such that v′ ∈ V(p), and
[v] ∈ V′(i_k)     iff  there is a v′ ∈ [v] such that v′ ∈ V(q_k).


By construction, V′(i_k) is a singleton set for each k ≤ n. Moreover, it follows directly from
the definition of (·)* and M′ that, for all formulas ψ of the hybrid μ-calculus, and for all worlds
v ∈ W,

M′, [v] ⊨ ψ  iff  M, v ⊨ ψ*.


In particular, M′, [w] ⊨ φ. □


¹⁰ Our notation is slightly different from the one used in [124].
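
The translation and the quotient construction of this proof can be checked mechanically on a finite model. The following Python sketch is an added example, not code from the handbook; the tuple encoding of formulas, the explicit "or" connective, the reserved variable name and the five-state sample model are assumptions made for the illustration.

```python
# Constructed tuple encoding of formulas (an assumption of this example):
#   ("prop", p) ("nom", i) ("var", x) ("not", f) ("and", f, g) ("or", f, g)
#   ("dia", R, f) ("cdia", R, f) ("E", f) ("mu", x, f)      cdia = converse diamond
# A model is (W, R, V): set of states, {relation: set of pairs}, {name: set of states}.
FRESH = "e*"  # reserved set variable bound by the "same nominal" shorthand

def sat(model, f, g=None):
    """Return the set of states of `model` satisfying f under assignment g."""
    W, R, V = model
    g = g or {}
    op = f[0]
    if op in ("prop", "nom"):
        return set(V.get(f[1], ()))
    if op == "var":
        return set(g[f[1]])
    if op == "not":
        return set(W) - sat(model, f[1], g)
    if op in ("and", "or"):
        a, b = sat(model, f[1], g), sat(model, f[2], g)
        return a & b if op == "and" else a | b
    if op in ("dia", "cdia"):
        target, pairs = sat(model, f[2], g), R.get(f[1], ())
        if op == "dia":                                  # some R-successor satisfies f
            return {w for (w, v) in pairs if v in target}
        return {w for (v, w) in pairs if v in target}    # some R-predecessor does
    if op == "E":
        return set(W) if sat(model, f[1], g) else set()
    if op == "mu":            # least fixpoint, iterated from the empty set (finite model)
        cur = set()
        while True:
            nxt = sat(model, f[2], {**g, f[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")

def equiv(psi, qs):
    """The shorthand: mu x.(psi or OR_k (q_k and E(q_k and x)))."""
    body = psi
    for q in qs:
        q_and_x = ("and", ("prop", q), ("var", FRESH))
        body = ("or", body, ("and", ("prop", q), ("E", q_and_x)))
    return ("mu", FRESH, body)

def star(f, q_of):
    """The translation (.)* of the proof; q_of maps each nominal i_k to its q_k."""
    qs, op = sorted(q_of.values()), f[0]
    if op == "nom":
        return equiv(("prop", q_of[f[1]]), qs)
    if op in ("prop", "var"):
        return equiv(f, qs)
    if op in ("dia", "cdia"):
        return equiv((op, f[1], equiv(star(f[2], q_of), qs)), qs)
    if op == "mu":
        return ("mu", f[1], star(f[2], q_of))
    return (op,) + tuple(star(sub, q_of) for sub in f[1:])   # not, and, or, E

def plus(f, q_of):
    """phi+ = phi* and E q_1 and ... and E q_n (every q_k must be non-empty)."""
    out = star(f, q_of)
    for q in sorted(q_of.values()):
        out = ("and", out, ("E", ("prop", q)))
    return out

def quotient(model, q_of):
    """Collapse states that share some q_k; return (M', map from state to class)."""
    W, R, V = model
    cls = {w: frozenset([w]) for w in W}
    for q in q_of.values():
        merged = frozenset().union(*(cls[w] for w in V.get(q, ())))
        for w in merged:
            cls[w] = merged
    R2 = {r: {(cls[v], cls[u]) for v, u in pairs} for r, pairs in R.items()}
    V2 = {p: {cls[v] for v in vs} for p, vs in V.items()}
    V2.update({i: {cls[v] for v in V.get(q, ())} for i, q in q_of.items()})
    return (set(cls.values()), R2, V2), cls

def agrees(model, f, q_of):
    """Check that M',[v] satisfies f iff M,v satisfies f*, for every state v of M."""
    quot, cls = quotient(model, q_of)
    upstairs, downstairs = sat(model, star(f, q_of)), sat(quot, f)
    return all((v in upstairs) == (cls[v] in downstairs) for v in model[0])

# Constructed sample: q1 holds at 0 and 3, q2 at 2 and 4, so neither is a singleton in M.
M = ({0, 1, 2, 3, 4}, {"R": {(0, 1), (1, 2), (3, 4), (4, 0)}},
     {"p": {2}, "q1": {0, 3}, "q2": {2, 4}})
Q = {"i1": "q1", "i2": "q2"}
PSI1 = ("dia", "R", ("nom", "i2"))
PSI2 = ("mu", "x", ("or", ("nom", "i1"), ("dia", "R", ("var", "x"))))
PSI3 = ("and", ("nom", "i1"), ("not", ("cdia", "R", ("prop", "p"))))

if __name__ == "__main__":
    for psi in (PSI1, PSI2, PSI3):
        print(psi, sorted(sat(M, star(psi, Q))), agrees(M, psi, Q))
```

On this model, replacing i1 by q1 in PSI3 without the closure operator would hold at states 0 and 3, whereas the translated formula holds nowhere, in agreement with the quotient model.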


5 PROOF THEORY 


In this section we discuss proof methods for hybrid logics, and show examples of how to use 
them. We will first present two “classical” proof systems (a sequent calculus and a natural de- 
duction calculus), and then two others (a tableau calculus and a resolution calculus), which are 
usually considered more suitable for implementations. We will focus on the languages H(@)
and H(@,↓).


5.1  Sequent Calculus 


The first modern results on proof theory for hybrid logics can be found in the work of Seligman 
in the area of Situation Theory [128, 129]. This work deals with strong (∀-based) systems, but
many of the key ideas underlying hybrid deduction (in particular, the deductive significance of 
@) were first explored in these papers. 

The calculus S_{H(@,↓)} in Figure 7 is from [130], where a sound and complete sequent calculus
for hybrid logics is developed from a sequent calculus for first-order logics by a series of
transformations. In the figure, Γ ⊢ Δ is a sequent where Γ and Δ are sets of hybrid formulas and
φ, Γ is taken to be {φ} ∪ Γ. The techniques used are quite general and can be applied to a wide
range of hybrid and modal logics. Notice that the calculus is cut free. It can be proved that the
cut rule is admissible.

An interesting feature of S_{H(@,↓)} is that the calculus is not restricted to @-formulas, unlike
the other calculi we are going to discuss in the following sections. Intuitively, an @-prefixed
sequent calculus can be generalized to deal with all formulas by using nominals as follows. A
single nominal a on the left side of a sequent is enough to anchor all non @-prefixed formulas to
the same element and so removes the need for them to share an @ prefix. The price to pay for
this is that the calculus does not have a subformula property, as a proof may contain any number
of @-prefixes which are not present in the end sequent (introduced using the ∧@ rules). But it is
easy to prove that only “one layer” of prefixes is needed in any proof, and define a version of the
subformula property that takes this into account.

The presence of nominals and the @ operator in the calculus above is crucial. When the
underlying modal logic is temporal logic, more flexibility is possible: Demri [57] presents a
sequent system for nominal tense logic, which does not contain @.

[Rule schemata of Figure 7]

Restrictions:
1 if a does not occur in φ, Γ, Δ.
2 if a does not occur in Γ, Δ.
3 if all formulas in Γ, Δ are @-prefixed.


Figure 7. Rules for the Sequent Calculus S_{H(@,↓)}


EXAMPLE 40. We prove the sequent ↓x.⟨R⟩(x ∧ p) ⊢ p in S_{H(@,↓)}:


b, @_a⟨R⟩b, a, p ⊢ p

et R ns (>n), and (Va) 

b, @_a⟨R⟩b, @_b(a ∧ p) ⊢ @_a p

@_a⟨R⟩b, @_b(a ∧ p) ⊢ @_a p

a, @_a⟨R⟩b, @_b(a ∧ p) ⊢ @_a p

a, ⟨R⟩b, @_b(a ∧ p) ⊢ p

a, ⟨R⟩(a ∧ p) ⊢ p

a, ↓x.⟨R⟩(x ∧ p) ⊢ p

↓x.⟨R⟩(x ∧ p) ⊢ p


5.2 Natural Deduction Calculus


Seligman also proposed a natural deduction system (again, not restricted to @-formulas) in [129].
However, the paper only proves soundness and completeness and does not discuss whether the
calculus is normalizing. Braüner introduced in [42] an @-prefixed natural deduction calculus
for H(@,↓,∀) and its sublanguages and established normalization. Figure 8 shows the rules
corresponding to the H(@,↓) fragment.


[Rule schemata of Figure 8]

Restrictions:
1 φ is a propositional variable.
2 c is not free in @_a[r]φ or in any undischarged assumptions other than the specified
occurrences of @_a⟨r⟩c.
3 c is not free in @_a↓x.φ or in any undischarged assumptions other than the specified
occurrences of @_a c.
4 φ is a propositional variable or a nominal.


Figure 8. Rules for the natural deduction calculus ND_{H(@,↓)}


The system ND_{H(@,↓)} can be extended in a complete way with additional inference rules
corresponding to first-order conditions on the accessibility relations expressed by geometric
theories¹¹. And as we said, the system ND_{H(@,↓)} enjoys normalization (even when extended with
rules for geometric theories), and a suitable version of the subformula property that takes into
account the use of @-formulas. See [42] for further details. In [43] Braüner compares his system
with Seligman’s (actually, a slight variation of Seligman’s to ensure closure under substitutions),
providing translations of proofs in both directions. These translations allow us to transfer
reduction rules between Braüner’s and Seligman’s calculus, but they are not sufficient to ensure
normalization of the latter. Hence, the normalization problem for Seligman’s calculus is still
open.


EXAMPLE 41. We prove that ↓x.⟨R⟩(x ∧ p) → p is a tautology in ND_{H(@,↓)}:


3 3 
ea as ety ap) us 
[@,-p]? Qyp pony) 
ai (2) 
GL (L2) 
eyen Sw 1) TAD h 
@,(RY(yAP) 4 GR uap A 
G0 3 (>z) 
Q@,p (11) 


5.3 Tableau Calculus 


In Figure 9 the rules for a tableau calculus for H(@,↓) are given. This calculus was introduced
in [29], where tableau calculi for a family of quantified hybrid logics are presented (these are
extensions of the propositional calculus defined in [25]). As in the case of natural deduction, the
calculus is @-based: to prove the unsatisfiability of φ, apply the rules in Figure 9 to @_i φ for i
a nominal not in φ. If a closed tableau is found (i.e., a tableau in which each branch contains a
pair of formulas @_i ψ and ¬@_i ψ), then the original formula is unsatisfiable.

Completeness of the tableau calculus is proved for frame classes that can be axiomatized by
pure, nominal free hybrid sentences¹². Moreover, the tableau calculus can be used for effectively
computing interpolants for a pair of formulas φ, ψ such that φ → ψ is a validity. The following
result is proved in [30] using Fitting’s argument for proving the same property for first-order
logic [63].


THEOREM 42. Given a closed hybrid tableau for φ → ψ using the rules of T_{H(@,↓)}, the
interpolant can be computed effectively.


¹¹ A first-order formula is geometric if it is built out of atomic formulas of the form R(x, y) and
x = y using only the connectives ⊥, ∧, ∨ and ∃. A geometric theory is a finite set of closed
first-order formulas each having the form ∀x̄(φ → ψ) where the formulas φ and ψ are geometric.

¹² The completeness proof is interesting: a valid hybrid sentence is translated into a valid
first-order sentence in the correspondence language for which first-order closed tableau should
exist; the tableau proof is then translated back into a hybrid tableau proof.


[Rule schemata of Figure 9, grouped as: Constant Rules, Negation Rules, Conjunctive rules,
Disjunctive rules, Diamond Rules, Box Rules, @ rules, Downarrow Rules]


Figure 9. Rules for the tableau calculus T_{H(@,↓)}


In a slightly different direction, Tzakova [142] presents a general approach to hybrid tableaux
using Fitting-style prefix calculi. Such tableaux use nominals both as part of the object language
and as meta-logical labels.


Tableau methods have played a crucial role in modern automated reasoning for modal logics,
and the best state-of-the-art provers for modal-like logics (such as the description logics provers
RACER [84, 83] or FACT [90, 89]) are based on tableaux (see Chapter 13 of this handbook for
further details). A variation of the hybrid tableau calculus of Figure 9 has been equipped with
heuristics to ensure termination in [38]. The ideas used are related to the techniques used for
terminating tableaux for the description logic SHOIQ [92].


EXAMPLE 43. We prove that ↓x.(⟨R⟩(x ∧ p) → p) is a tautology in T_{H(@,↓)}:

1.  ¬@_i(↓x.(⟨R⟩(x ∧ p) → p))     Negation of the input formula
2.  ¬@_i(⟨R⟩(i ∧ p) → p)          (¬↓) in 1
3.  @_i⟨R⟩(i ∧ p)                 (¬→) in 2
4.  ¬@_i p                        (¬→) in 2
5.  @_i⟨R⟩j                       (⟨R⟩) in 3
6.  @_j(i ∧ p)                    (⟨R⟩) in 3
7.  @_j i                         (∧) in 6
8.  @_j p                         (∧) in 6
9.  @_i p                         (Nom) in 7 and 8
    ×                             Clash between 4 and 9


5.4 Resolution Calculus 


As we just mentioned, the most successful automated theorem proving implementations for 
modal logics are based on the tableau method. Much of their outstanding performance is due 
to the heavy use of several heuristics and optimizations [93]; however, a number of these tech- 
niques do not work when the underlying logic allows some form of equality as in the case of 
hybrid logics. When nominals and satisfaction operators are added, the performance of tableau- 
based theorem provers is affected. This motivated research on possible alternatives, such as 
the resolution calculus. The best automated theorem provers for first-order logic are based on 
resolution, and we have already seen many similarities between hybrid and first-order logics. 


Resolution calculi for H(@,↓) and its sublanguages were introduced in [10, 11]. In a recent
paper [14], the calculus for H(@) was refined to include ordering and selection functions
(see [17] for the definitions of these standard notions). The rules are shown in Figure 10. In the
figure, S(C) is a selection function and ≻ is an admissible order; furthermore, the main premise
of each rule is on the right. The calculus works on formulas in negation normal form (i.e.,
negation can only appear on atomic formulas), and hence an explicit rule for negation is not
required. To extend the calculus to H(@,↓), simply add the rule


(↓)   Cl ∪ {@_t ↓x.φ}
      ------------------
      Cl ∪ {@_t φ(x/t)}


Given a formula φ (in negation normal form), let ClSet(φ) = {{@_i φ}}, where i is a nominal
not occurring in φ. Define ClSet*(φ), the saturated set of clauses for φ, as the smallest set
that includes ClSet(φ) and is saturated under the rules of Figure 10 (where saturation means that
whenever there are sets matching the antecedent of any rule in ClSet*(φ) then also the sets in the
consequent should be in ClSet*(φ)). Then φ is unsatisfiable if and only if {} ∈ ClSet*(φ).


The calculus R_{H(@)} is implemented in the automated theorem prover HyLoRes [15], which
uses an ordering that ensures termination while preserving soundness and completeness.


(∧)      Cl ∪ {@_t(φ_1 ∧ φ_2)}
         ----------------------
         Cl ∪ {@_t φ_1}
         Cl ∪ {@_t φ_2}

(∨)      Cl ∪ {@_t(φ_1 ∨ φ_2)}
         ----------------------
         Cl ∪ {@_t φ_1, @_t φ_2}

(RES)    Cl_1 ∪ {@_t φ}    Cl_2 ∪ {@_t ¬φ}
         ---------------------------------
         Cl_1 ∪ Cl_2

([r])    Cl_1 ∪ {@_t⟨r⟩s}    Cl_2 ∪ {@_t[r]φ}
         ------------------------------------
         Cl_1 ∪ Cl_2 ∪ {@_s φ}

(⟨r⟩)    Cl ∪ {@_t⟨r⟩φ}
         ----------------          for n a new nominal and φ ∉ NOM
         Cl ∪ {@_t⟨r⟩n}
         Cl ∪ {@_n φ}

(@)      Cl ∪ {@_t @_s φ}
         ----------------
         Cl ∪ {@_s φ}

(REF)    Cl ∪ {@_t ¬t}
         -------------
         Cl

(SYM)    Cl ∪ {@_s t}
         ------------
         Cl ∪ {@_t s}

(PARAM)  Cl_1 ∪ {@_s t}    Cl_2 ∪ {φ(s)}
         -------------------------------   if s ≻ t and φ(s) ≻ @_s t
         Cl_1 ∪ Cl_2 ∪ {φ(s/t)}

Restrictions: Let φ and ψ be the displayed formulas in each of the above rules:
• Let C = C′ ∪ {φ} be the main premise, then either S(C) = {φ} or, otherwise, S(C′) = ∅
and {φ} ≻ C′.
• Let D = D′ ∪ {ψ} be the auxiliary premise, then {ψ} ≻ D′ and S(D) = ∅.


Figure 10. Rules for the resolution calculus R_{H(@)} with Order and Selection Functions


EXAMPLE 44. We prove that ↓x.⟨R⟩(x ∧ p) → p is a tautology in R_{H(@,↓)}. Consider the
clause set corresponding to the negation of the formula:

1.  {@_i((↓x.⟨R⟩(x ∧ p)) ∧ ¬p)}              by (∧)
2.  {@_i ↓x.⟨R⟩(x ∧ p)}, {@_i ¬p}            by (↓)
3.  {@_i⟨R⟩(i ∧ p)}, {@_i ¬p}                by (⟨r⟩)
4.  {@_i⟨R⟩j}, {@_j(i ∧ p)}, {@_i ¬p}        by (∧)
5.  {@_j i}, {@_j p}, {@_i ¬p}               by (PARAM)
6.  {@_i p}, {@_i ¬p}                        by (RES)
7.  {}


6 RELATION WITH OTHER FIELDS 


In various areas, hybrid logics have been proposed as a convenient extension of modal logics,
either because they give rise to smoother proof systems, or because of their greater expressive 
power. In this section we briefly discuss a number of cases, and provide pointers to the literature. 


Temporal Logic. As indicated in the work of Prior and Bull, hybrid languages allow us to make
explicit references to specific times (days, dates, years, etc.), and also to cope with temporal
indexicals (such as yesterday, today, tomorrow and now). In addition, many temporally relevant
frame properties (such as irreflexivity, asymmetry and trichotomy) that cannot be defined
by means of modal formulas can be defined with nominals [28]. When nominals and satisfaction
operators are added to an interval-based logic, the result is a Holds(t, φ)-driven interval logic
similar to those introduced in AI by James Allen [2] (where the satisfaction operators play the
role of Holds). By making explicit temporal references possible (combining nominals, satisfaction
operators and temporal modalities, one can directly express temporal relations between
instants or intervals), hybrid logics remove a serious obstacle to a modal analysis of temporal
representation and reasoning.

Nominal tense logics have been studied in detail in [21]. The complexity of the satisfiability 
problem for a number of hybrid temporal logics is investigated in [7, 65]. The minimal hybrid 
tense logic H(⟨R⁻¹⟩) is EXPTIME over the class of all frames and the class of transitive frames,
but the complexity drops to NP-complete over the usual frames for linear time (strict total orders), 
and to PSPACE-complete over the usual frames for branching time (transitive trees). In [7, 110, 
65], results are also given for hybrid languages with the Since and Until operators. Hybrid 
interval logics were recently studied in [95]. 


Indexicality and Direct Reference. Hybrid languages are also a powerful resource for studying 
indexicality in natural language, as an alternative to the more classical use of multi-dimensional 
modal logic. In the multi-dimensional modal approach, formulas are evaluated at sequences of 
points, where one point of the sequence is thought of as the point of evaluation, while the oth- 
ers are used as memory locations to store references [96, 146, 66, 52, 53]. Hybrid languages 
move multi-dimensional logic’s sequence of evaluation points from the meta-language to the 
object language, with hybrid variables acting as names for indices (see [24]), and allowing in 
this way a natural treatment of such indexicals as ‘today.’ Moreover, when equipped with the 
@ operator, hybrid languages offer the ‘de-scoping’ behavior typical of such multi-dimensional 
operators as here and there. There are also links between hybrid logic and mathematical as- 
pects of multi-dimensional modal logic, particularly the multi-dimensional modal perspective on 
cylindric algebra (cf. [106]), as ↓ and @ can be considered as explicit substitution devices.


Feature Logic. Most unification-based approaches to natural language grammar, such as PATR- 
II, use attribute value matrices (AVMs) to represent feature structures, where re-entrance in the 
feature structures is represented by “tags” in the AVMs [123]. There is a tight connection be- 
tween AVMs and deterministic multi-modal logic, except that there is no clear way to express 
re-entrance in modal logic. As it turns out, the tags that are used to enforce re-entrance in AVMs 
correspond in a very natural way to nominals in hybrid logic. Thus, adding nominals is enough 
to make re-entrance expressible. 

Previous approaches to encoding re-entrance in modal logic used more complicated techniques.
In particular, Kasper-Rounds logic is essentially a fragment of deterministic propositional
dynamic logic with program intersection, where the intersection is used to encode
re-entrance. See [33, 23, 120] for further details.


Dynamic Logic. As we discussed in Section 2.2, hybrid languages were rediscovered, many 
years after the work of Prior and Bull, by a group of logicians at the Sofia University in Bulgaria. 
Gargov, Passy and Tinchev were interested in neat axiomatizations of operators in PDL, and they 
realized that certain operators (e.g., union of programs) are easily captured, whereas others (e.g., 
program intersection or complement) require extra expressive power. In [113] it is shown that 
adding nominals is enough to enable natural and succinct characterization of these operators. 
Adding other kinds of “constants” to the language permits the representation of notions like 
determinism and looping [73]. In addition, the work of the Sofia school shows how nominals can 
be used to simplify the construction of models during completeness proofs [114]. See [115] for 
an excellent overview on combinatory dynamic logics. 

For a modern discussion of PDL with nominals (in the framework of description logics) and
some new complexity results see [56, 55].

Description Logics. Description logics (DLs) are a family of formalisms that allow the
representation of, and reasoning about, conceptual knowledge, in a structured and semantically
well-understood manner [16]. They evolved from the original knowledge maintenance system 
KL-ONE of Brachman and Schmolze [41]. Description logics are discussed in detail in Chap- 
ter 13 of this handbook. 

In [125] Schild identifies a close connection between description logics and modal logics, and
uses it to transfer complexity and axiomatization results between the two areas. This connection 
is established at the level of concepts: concepts in description logic are shown to correspond to 
formulas in modal logic. Description logics, however, usually have two levels of representation. 
The first level is that of concepts, which, like modal formulas, denote subsets of the domain. 
The second level is that of terminology boxes (TBoxes) and assertion boxes (ABoxes). Using 
these, one can specify global conditions on models, such as the ‘concept inclusion’ C ⊑ D,
which requires that every individual satisfying the concept C should also satisfy the concept D,
and the ‘assertion’ a:C, which requires that the individual a satisfies the concept C. The basic
modal language is not rich enough to express such constructions. By lifting the correspondence 
to Converse PDL, Schild managed to account for inference with TBoxes. De Giacomo and 
Lenzerini [56, 55] further extended these results by encoding also ABoxes in Converse PDL. 

While the embedding of DLs into Converse PDL has proved useful, it has two important
disadvantages. Complexity-wise, the satisfiability problem of Converse PDL is already EXP- 
TIME-complete and, hence, optimal complexity results cannot always be obtained with this tech- 
nique. Moreover, the model theory of Converse PDL is complicated, due to the presence of the 
Kleene star (which requires a weak form of induction). Using the extended expressive power of 
hybrid languages, assertions can be encoded using satisfaction operators, and concept inclusions 
can be expressed using the universal modality A. See [12, 4, 36] for detailed discussions on the 
connections between hybrid and description logics. 

Nominals have in fact been independently introduced in DLs. Very early systems like CLAS- 
SIC [40] and LOOM [104] already included a form of nominals in the late 80s. Such systems 
allowed a concept constructor called O (for “one-of”) which permitted enumeration of individu- 
als in the domain of a model. One-of expressions are in fact the same as disjunctions of nominals. 
The interest in the O operator dropped during the following years because of complexity issues 
(as we have seen in Section 4, the presence of nominals can lead to an increase in complexity, 
and even to undecidability, in the presence of other operators). However, the topic has recently 
regained interest, as direct reference to individuals seems to be a must for languages for the se- 
mantic web, one of the most important modern applications of DLs [94, 91]. The O operator is 
now part of the W3C-recommended web ontology language OWL [107].


Information Systems. Nominals have turned up in yet another setting, namely the Polish tra- 
dition of modal logics for information systems initiated by Pawlak (see [112]). Themes in this 
tradition include the development of modal logics of similarity (or relative similarity) and there 
are strong links with the tradition of rough-set theory. Konikowska [97] has proposed adding 
nominals to such logics. Her work is motivated primarily by proof-theoretical considerations: 
the ability to name states leads to simpler and more intuitive proof systems. 


Logics of Space. Nominals have found several applications in modal logics of space. In this
chapter, we have treated hybrid languages from a relational perspective, viewing them as
languages for describing relational structures. Another well known semantics for modal logics is in
terms of topological spaces [108]. A topological space is a tuple (X, Q) where X is a nonempty
set and Q is a collection of subsets of X satisfying three conditions: X and ∅ are elements
of Q, every union of elements of Q is in Q, and every intersection of finitely many elements
of Q is in Q. A topological model for the basic modal language, now, consists of a topological
space (X, Q) and a valuation V : PROP → ℘(X). The truth definition for modal formulas
with respect to such topological models is similar to the one for Kripke models, except
that the modal operator □ is interpreted as follows (where m ∈ X): (X, Q, V), m ⊨ □φ iff
∃O ∈ Q such that m ∈ O and for all m′ ∈ O, (X, Q, V), m′ ⊨ φ. This topological semantics is
useful for spatial reasoning [19, 1] and modelling knowledge [54]. As in the relational semantics,
we can study notions such as validity of a modal formula on a topological space, and modally
definable properties of topological spaces. It turns out that, as a language for defining properties
of topological spaces, the basic modal language is very weak. In particular, none of the familiar
topological separation axioms is modally definable [70].

Nominals can be introduced in topological models in the same way as in Kripke models: 
they are simply propositional variables whose valuation is always a singleton set. It was noted 
in [70] that, with the help of nominals, more properties of topological spaces can be defined, 
including the separation axioms T_0 and T_1. Sustretov [134] has recently proved a topological
analogue of Theorem 22, characterizing the properties of topological spaces that can be defined
by means of H(@)- and H(E)-formulas. Heinemann [87, 86] has investigated hybrid extensions
of the bi-modal logic of knowledge and effort presented in [54], in order to obtain complete
axiomatization of frame classes that, while relevant for applications, are not expressible in the
basic modal language. In [87], Heinemann provides an axiomatization of the class of linear
set spaces, using nominals that denote pairs in X × Q. In [86], instead, two sorts of nominals
are introduced, ranging over elements of X and Q, respectively, and topological notions like 
separation and connectedness are axiomatized. 

Nominals have also found applications in logics of metric spaces [101]. 


Second Order Propositional Modal Logic. In [61], the extension of the basic modal language
with propositional quantifiers ∃p and ∀p is studied. This language is called second order
propositional modal logic (SOPML). It was shown in [136, 137] that there is a close connection
between SOPML and H(@,↓):


THEOREM 45. Every nominal free H(@,↓)-sentence is equivalent to a formula of SOPML.
Conversely, if a formula of SOPML has a first-order equivalent, then it is equivalent to a nominal
free H(@,↓)-sentence.


Theorem 45 shows that, in some sense, nominal-free H(@,↓) is the intersection of SOPML and
first-order logic. This connection was used in [136, 137] to transfer a number of expressivity and
frame definability results from H(@,↓) to SOPML. For example, a first-order formula with one
free variable is equivalent to a SOPML-formula iff it is invariant under generated submodels; and 
an elementary class of frames is definable in SOPML iff it is closed under generated submodels 
and reflects point-generated subframes (see Theorem 27). For more information about SOPML, 
see Chapter 10 of this handbook. 


Modal Predicate Logics. Nominals can also be added on top of a first-order modal basis
(cf. Chapter 9 of this handbook). Blackburn and Marx [29] investigate tableau systems for such
first-order hybrid logics, while Braüner [44] discusses natural deduction systems. As in the
propositional case, the outcome seems to be a better behaved logical system, that comes with 
general completeness results. 

First-order hybrid logics also have advantages in relation to interpolation and Beth definability.
Fine [62] showed that interpolation and the Beth definability property fail for quantified S5
with varying domains, and also for any quantified modal logic between K and S5 with constant
domains. In [9] it is shown that these properties are regained when state variables, satisfaction
operators and ↓ are added to the language. Actually, interpolation and the Beth property hold
relative to any bounded fragment definable class of skeletons (the first-order modal analogue of 
frames), with either varying, expanding, contracting or constant domains. Moreover, the inter- 
polant can be obtained constructively using the techniques of [30]. 

For further details on first-order hybrid logics, see Chapter 9 in this handbook. 


Labeled Deduction. In [68] the notation $l : \varphi$ is introduced, where the meta-linguistic symbol 
$:$ associates the meta-linguistic label $l$ with the object language formula $\varphi$. Labeled deduction 
proceeds by manipulating such expressions, using the labels to guide proof search. Labeled 
deduction has been successfully used to provide complete and well behaved calculi for a wide 
range of logics, including non-classical logics where the notion of “state” is usually crucial (see, 
e.g., [145]). For example, Simpson defines in [132] a family of labeled natural deduction calculi 
for modal intuitionistic logics and shows that they have good proof theoretic properties; while 
Kurtonina [99] uses labels to provide complete calculi for categorial type logics, for a variety of 
frame classes. 

One way to see why hybrid languages are proof-theoretically natural is to observe that nominals 
and satisfaction operators can capture the main ideas of labeled deduction. Hybrid languages 
“internalize” labeled deduction into the object language: nominals are essentially object-level 
labels, and the formula $@_l \varphi$ asserts in the object language what $l : \varphi$ asserts in the meta-language. 
Internalization in the particular case of tableaux is discussed in [25], while the case of sequent 
calculus is presented in [130]. We have seen examples of such calculi in Section 5. In a recent 
paper, Braüner and de Paiva discuss similar internalized calculi for hybrid versions of intuitionistic 
modal logics [45]. 


Model Checking. In this chapter we take satisfiability and consequence as the main inference 
problems, but other reasoning tasks are also relevant for many applications. 

In [64] Franceschet and de Rijke investigate the following model checking problem for a 
number of hybrid logics: given a model, or a model and an assignment in case of languages 
with binders, and a formula $\varphi$, decide whether there is a state in the model satisfying $\varphi$. They 
provide algorithms for model checking and investigate their complexity. Their main results are 
summarized in Figure 11, where k is the length of the input formula, n and m are the number 
of nodes and edges in the model, respectively, and r is the nesting degree of hybrid binders. 
Names listed as DH(-) correspond to hybrid extensions of converse propositional dynamic logic. 
We can see that the presence of binders makes model checking PSPACE-complete (as complex 
as model checking full first-order logic), and it is, in general, exponential in the nesting level 
of binders. The paper discusses the impact of these results in applications like querying and 
constraint evaluation over semistructured data. 
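
The model checking problem stated above, as an added example that is not taken from the chapter or from [64]: a naive recursive evaluator for a hybrid language with nominals, satisfaction operators and the down-arrow binder. The tuple encoding of formulas, the sample model and all function names are assumptions made for this illustration; the step counter shows how each binder multiplies the work by the number of states.

```python
# Formulas are nested tuples (an encoding constructed for this example):
#   ("prop", "p")       proposition letter
#   ("nom", "i")        nominal, true at exactly one state
#   ("var", "x")        state variable bound by a down-arrow binder
#   ("not", f), ("and", f, g)
#   ("dia", f)          diamond: some successor satisfies f
#   ("at", name, f)     satisfaction operator @_name f (name: nominal or variable)
#   ("down", "x", f)    binder: bind x to the current state, then evaluate f


class Model:
    """Finite Kripke model with one accessibility relation."""

    def __init__(self, states, edges, props, nominals):
        self.states = frozenset(states)
        self.succ = {w: set() for w in self.states}
        for u, v in edges:
            self.succ[u].add(v)
        self.props = {p: frozenset(ws) for p, ws in props.items()}
        self.nominals = dict(nominals)  # each nominal names a single state
        self.steps = 0                  # number of subformula evaluations


def truth_set(m, f, g=None):
    """Return the set of states of m satisfying f under assignment g."""
    g = {} if g is None else g
    m.steps += 1
    op = f[0]
    if op == "prop":
        return m.props.get(f[1], frozenset())
    if op == "nom":
        return frozenset({m.nominals[f[1]]})
    if op == "var":
        return frozenset({g[f[1]]})
    if op == "not":
        return m.states - truth_set(m, f[1], g)
    if op == "and":
        return truth_set(m, f[1], g) & truth_set(m, f[2], g)
    if op == "dia":
        target = truth_set(m, f[1], g)
        return frozenset(w for w in m.states if m.succ[w] & target)
    if op == "at":
        # Jump to the named state; the result is global (all states or none).
        point = g[f[1]] if f[1] in g else m.nominals[f[1]]
        return m.states if point in truth_set(m, f[2], g) else frozenset()
    if op == "down":
        # The body is re-evaluated once per state, with x bound to that state.
        return frozenset(w for w in m.states
                         if w in truth_set(m, f[2], {**g, f[1]: w}))
    raise ValueError("unknown operator: %r" % (op,))


def model_check(m, f, g=None):
    """Witness states for f; the model checking answer is 'yes' iff non-empty."""
    return sorted(truth_set(m, f, g))


def evaluation_steps(m, f):
    """Count subformula evaluations performed for f on m."""
    m.steps = 0
    truth_set(m, f)
    return m.steps


# Constructed sample model: 0 -> 1 -> 2, with a loop at 2; nominal i names state 1.
M = Model(states=[0, 1, 2], edges=[(0, 1), (1, 2), (2, 2)],
          props={"p": {2}}, nominals={"i": 1})

# Irreflexivity of the current state: down x . not dia x
IRREFLEXIVE = ("down", "x", ("not", ("dia", ("var", "x"))))
# Binder-free formula: @_i dia p
AT_I = ("at", "i", ("dia", ("prop", "p")))
# Two nested binders: down x . dia down y . @_x dia y
NESTED = ("down", "x", ("dia", ("down", "y",
          ("at", "x", ("dia", ("var", "y"))))))

if __name__ == "__main__":
    for name, f in [("IRREFLEXIVE", IRREFLEXIVE), ("AT_I", AT_I), ("NESTED", NESTED)]:
        print(name, model_check(M, f), evaluation_steps(M, f))
```
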

In [65], a different kind of model checking is investigated, which is used in formal verification. 
There, a Kripke structure typically represents a computational system, and paths through the 
structure denote different possible computations. In linear time model checking, formulas are 
evaluated not on the Kripke structure itself, but on the set of paths through it. Actually, two 
versions of the linear model checking problem can be defined: the existential linear time model 
checking problem is to determine whether a given formula is satisfied in some path of the model, 
while the universal linear time model checking problem asks whether the formula is satisfied in 
all paths. 

$\mathcal{H}(\langle R^{-1}\rangle, E, @)$        $O(k \cdot (n+m))$ 
$\mathcal{H}(U, S, E, @)$                         $O(k \cdot n \cdot m)$ 
$\mathcal{DH}(E, @)$                              $O(k \cdot (n+m))$ 
$\mathcal{H}(\downarrow)$                         PSPACE-complete 
$\mathcal{H}(E, @, \downarrow)$                   PSPACE-complete 
$\mathcal{H}_r(E, @, \downarrow)$                 $O(k \cdot (n+m) \cdot n^r)$ 
$\mathcal{DH}_r(E, @, \downarrow)$                $O(k \cdot (n+m) \cdot n^r)$ 
$\mathcal{H}(\exists)$                            PSPACE-complete 
$\mathcal{H}(E, @, \exists)$                      PSPACE-complete 
$\mathcal{H}_r(E, @, \exists)$                    $O(k \cdot (n+m) \cdot n^{?})$ 
$\mathcal{DH}_r(E, @, \exists)$                   $O(k \cdot (n+m) \cdot n^{?})$ 


Figure 11. Complexity of model checking different hybrid languages 


Unraveling a Kripke structure into a tree carries some complications in the presence of nominals: 
if the original structure makes a nominal $i$ true in a state which is involved in a cycle (i.e., the 
state is reachable from itself), the “nominal” $i$ will be true in more than one state after unraveling 
(actually, the denotation of $i$ will be an infinite set). The authors chose to allow such behavior: 
the only restriction they make is that nominals denote a single state in the original structure; no 
other conditions are imposed. Under this interpretation, the complexity of linear time model 
checking for temporal languages coincides with their hybrid extensions: NP-complete 
(coNP-complete) for $\mathcal{H}(\langle R^{-1}\rangle, @)$ for existential (universal) linear time model checking, and PSPACE 
for $\mathcal{H}(U, S, @)$. 


The Bounded Fragment. We mentioned the bounded fragment of first-order logic in Section 3.2 
and in Theorem 16 we established its tight connection with $\mathcal{H}(@, \downarrow)$. 

Bounded formulas have been considered in the literature for a long time. In set theory, where 
bounded quantifiers are of the form $\exists x.(x \in y \land \varphi)$ and $\forall x.(x \in y \to \varphi)$, the bounded fragment 
was introduced in 1965 by Levy [102], under the name $\Delta_0$. $\Delta_0$-formulas of set theory have 
the desirable property of being set-theoretically absolute, meaning that whether a $\Delta_0$-formula 
$\varphi(x_1, \dots, x_n)$ holds of sets $a_1, \dots, a_n$ is independent of the universe of set theory in which 
$a_1, \dots, a_n$ reside (cf., for instance, [18]). Bounded formulas have also been considered in the 
context of arithmetic, where bounded quantifiers are of the form $\exists x.(x < y \land \varphi)$ and 
$\forall x.(x < y \to \varphi)$. In fact, there is a field of research of its own called bounded arithmetic, which is 
connected to complexity theory (in particular, to the polynomial hierarchy), propositional proof 
theory, and the length of propositional proofs [47]. 

Around 1966, Feferman and Kreisel [60, 59] characterized the bounded fragment as the gen- 
erated submodel invariant fragment of first-order logic. More precisely, they showed that a first- 
order formula is equivalent to a bounded formula iff it is invariant under generated submodels. 
Moreover, it was shown in [59] by means of a cut-free sequent calculus that the bounded frag- 
ment has interpolation. 


7 DISCUSSION 


Hybrid logics form a family of natural extensions of modal logic. The naturalness is confirmed 
by the fact that nominals have been re-invented on several occasions. Hybrid logics offer two 
important advantages over modal logics: increased expressive power (e.g., in temporal logic, 
irreflexivity becomes definable when nominals are added to the language) and a simpler proof 
theory (there are many proof systems for hybrid logic, and they come with powerful general 
completeness results). The general question, then, is: 


How much do we gain by extending our language (e.g., how much extra expressive 
power), and what price do we pay (e.g., what are the complexity theoretic conse- 
quences)? 


For a number of hybrid languages, we have explored these questions systematically in this chapter. 
In particular, the expressivity of various hybrid languages has been characterized by means 
of analogues of the Van Benthem theorem and the Goldblatt-Thomason theorem. Concerning 
complexity, we saw that nominals and satisfaction operators often do not increase the complexity, 
although in exceptional cases, adding a single nominal can already cause undecidability. For 
languages containing the $\downarrow$-binder, on the other hand, undecidability seems to be the rule, rather 
than the exception. 

We would like to close this chapter by observing that “hybridization”, as an operation on 
logical languages, can be applied in many contexts. As we discussed, nominals have a natural 
interpretation not only in the relational (Kripke) semantics, but also in topological and alge- 
braic semantics. The hybrid machinery can be added to the basic modal language, or on top of 
first-order or higher-order modal languages, and with either a classical or an intuitionistic base. 
Some of these combinations have been investigated (for instance, several recent papers study 
topological modal languages containing nominals), others remain to be explored. 


1 INTRODUCTION 


When can we say that a logic is a combination of others? In general, any logical system 
having more than one connective can be considered as a combination of logical systems 
having fewer connectives. In particular, any multimodal logic can be considered as a 
combination of, say, unimodal logics. So, in this general sense, any result on multimodal 
logics can be considered as a result on combining modal logics. What makes this chapter 
special among other ones studying multimodal logics is that here we investigate the 
following kind of problems: 


Given a family $\mathcal{L}$ of modal logics and a combination method $C$, do certain properties 
of the ‘component logics’ $L \in \mathcal{L}$ transfer to their ‘combination’ $C(\mathcal{L})$? 

Most of the combination methods considered in this chapter satisfy the following three 
criteria: 

(C1) They are finitary, that is, $C$ is defined only on finite families $\mathcal{L}$ of modal logics. 
(C2) The combination $C(\mathcal{L})$ of (multi)modal logics from $\mathcal{L}$ is a (multi)modal logic itself. 
(C3) The combined logic $C(\mathcal{L})$ is an extension of each component logic $L \in \mathcal{L}$. 


For each considered combination method, we discuss in detail the possible transfer of 
the following two kinds of properties: 
• Axiomatisation/completeness. 
There are two versions, depending on whether the combination method results 
in a syntactically or semantically defined logic. In the former case, the question 
is whether the combination of recursively (finitely) axiomatisable components 
remains recursively (finitely) axiomatisable, and in the latter, whether the Kripke 
completeness of the components transfers to their combination. 


• Decidability/complexity of the validity/satisfiability problem. 
We study whether decidability of the validity problem transfers from the components 
to their combination and if so, what is the change in complexity. We also 
discuss the possible transfer of the finite model property. 


For transfer results about several other properties (like versions of interpolation, decid- 
ability of various consequence relations, etc.) see [23] and the references therein. Com- 
binations of deductive calculi (such as combined tableaux) are not considered either, see 
Chapter 2 of this handbook for some examples. 

Combination methods not satisfying (C1)—(C3) are in general out of our scope, 
though see Section 5 for a discussion. 


Notation and terminology. We will mainly consider possible world (or Kripke) 
semantics. Kripke models are pairs $\mathfrak{M} = (\mathfrak{F}, \mathfrak{V})$ that are based on relational structures 
$\mathfrak{F} = (W, R_1, \dots, R_n)$, where $n > 0$ is a natural number, $W$ is a non-empty set and the 
$R_i$ are binary relations on it. Such structures are called n-frames (or frames, for short). 
We say that an n-frame $\mathfrak{G} = (U, S_1, \dots, S_n)$ is a subframe of an n-frame $\mathfrak{F}$ ($\mathfrak{G} \subseteq \mathfrak{F}$, in 
symbols) if $U \subseteq W$ and $S_i = R_i \cap (U \times U)$, for $i = 1, \dots, n$. A path of length $k$ from 
point $x$ to point $y$ in an n-frame $\mathfrak{F}$ is a sequence $(x_0, \dots, x_k)$ of points such that $x_0 = x$, 
$x_k = y$ and $x_i R_j x_{i+1}$, for each $i < k$ and some $j$, $1 \le j \le n$. We call an n-frame $\mathfrak{F}$ 
rooted if there exists some $x \in W$ such that for every $y \in W$, $y \ne x$ there is a path from 
$x$ to $y$. Such an $x$ is called a root of $\mathfrak{F}$. We say that $\mathfrak{F}$ is of depth $k$ if $k$ is the length 
of the longest path in $\mathfrak{F}$. If such a longest path does not exist, then we say that $\mathfrak{F}$ is of 
infinite depth. An n-frame $\mathfrak{F}$ is called tree-like if it is rooted and $R = \bigcup_{i=1}^{n} R_i$ is weakly 
connected on the set $\{y \in W \mid yRx\}$ for every $x \in W$. If a tree-like frame is well-founded 
(i.e., there are no infinite descending $R$-chains $\dots R x_2 R x_1 R x_0$ of points) then we call $\mathfrak{F}$ 
a tree. The depth $d(x)$ of a point $x$ in a tree $\mathfrak{F}$ is defined to be the length of the unique 
path from the root to $x$. If for no $n < \omega$ the point $x$ is of depth $n$, then we say that $x$ 
is of infinite depth. By the co-depth of a point $x$ in a tree $\mathfrak{F}$ we understand the depth of 
the subtree of $\mathfrak{F}$ with root $x$. 

Given a natural number $n$, the n-modal language $\mathcal{ML}_n$ has propositional variables 
$p, q, r, \dots$, Boolean connectives $\neg, \land, \lor, \to, \leftrightarrow, \top, \bot$, and (unary) modal operators 
$\Diamond_1, \dots, \Diamond_n$ and $\Box_1, \dots, \Box_n$. $\mathcal{ML}_n$-formulas are formed inductively in the usual way. 
Given an $\mathcal{ML}_n$-formula $\varphi$, we let $\mathrm{sub}\,\varphi$ denote the set of all subformulas of $\varphi$, and 
$md(\varphi)$ denote the modal depth of $\varphi$. We will also use the following abbreviations. For 
every formula $\varphi$, let 

$$\Box^0 \varphi = \varphi \quad \text{and, for } n < \omega, \quad \Box^{n+1}\varphi = \Box\Box^n\varphi, \qquad \Box^{\le n}\varphi = \bigwedge_{k \le n} \Box^k \varphi.$$

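The truth-relation ‘$(\mathfrak{M}, w) \models \varphi$’ connecting syntax and semantics is defined by induction 
on the construction of $\varphi$ as usual. We say that $\varphi$ is true in $\mathfrak{M}$ ($\mathfrak{M} \models \varphi$, in symbols), 
if $(\mathfrak{M}, w) \models \varphi$ for all $w \in W$. A formula $\varphi$ is said to be valid in a frame $\mathfrak{F}$ ($\mathfrak{F} \models \varphi$, in 
symbols), if $\mathfrak{M} \models \varphi$ for every model $\mathfrak{M}$ that is based on $\mathfrak{F}$. Given a set $\Sigma$ of formulas, 
we set 

$$\mathsf{Fr}\,\Sigma = \{\mathfrak{F} \mid \mathfrak{F} \models \varphi, \text{ for all } \varphi \in \Sigma\}.$$

If $\mathfrak{M} \models \varphi$ for all $\varphi \in \Sigma$ then we say that $\mathfrak{M}$ is a model for $\Sigma$. Similarly, $\mathfrak{F}$ is said to be a 
frame for $\Sigma$, if $\mathfrak{F} \in \mathsf{Fr}\,\Sigma$. 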

By an n-modal logic (or modal logic, for short) we mean any set $L$ of $\mathcal{ML}_n$-formulas 
that contains all valid formulas of classical propositional logic, the formulas 

$$\text{(K)} \qquad \Box_i(p \to q) \to (\Box_i p \to \Box_i q),$$

and is closed under the rules of Substitution, Modus Ponens and Necessitation, for $i = 
1, \dots, n$ (see Chapter 2 of this handbook). 

Let us briefly discuss two of the most common ways of defining a modal logic: the 
‘syntactical’ way (via axioms) and the ‘semantical’ way (via a class of intended frames). 
First, given a set $\Sigma$ of $\mathcal{ML}_n$-formulas and an n-modal logic $L$, we say that $L$ is 
axiomatised by $\Sigma$, if $L$ is the smallest n-modal logic containing $\Sigma$. If $\Sigma$ can be chosen 
a recursive (or finite) subset of all $\mathcal{ML}_n$-formulas, then we say that $L$ is recursively 
(finitely) axiomatisable. And second, given a class $\mathcal{C}$ of n-frames, the set 

$$\mathsf{Log}\,\mathcal{C} = \{\varphi \mid \mathfrak{F} \models \varphi, \text{ for all } \mathfrak{F} \in \mathcal{C}\}$$

is always an n-modal logic. An n-modal logic $L$ is called Kripke complete if $L = \mathsf{Log}\,\mathcal{C}$ for 
some class $\mathcal{C}$ of n-frames. In this case we also say that $L$ is characterised (or determined) 
by $\mathcal{C}$. As is well-known, there exist incomplete modal logics, and similarly, there are 
Kripke complete logics that are not recursively axiomatisable (see Section 3.4 for some 
examples). 

The validity problem for an n-modal logic $L$ is the problem of deciding whether a 
given $\mathcal{ML}_n$-formula belongs to $L$ or not. If this problem is decidable (or recursively 
enumerable) then we also say that the logic $L$ is decidable (or recursively enumerable). 
A related problem is the satisfiability problem for $L$: given $\varphi$, decide whether $\varphi$ is 
$L$-satisfiable, that is, whether there exists a model $\mathfrak{M}$ for $L$ and a world $w$ in $\mathfrak{M}$ such that 
$(\mathfrak{M}, w) \models \varphi$ holds. It is easy to see the connection between the two: $\varphi \in L$ iff $\neg\varphi$ is not 
$L$-satisfiable. Given a recursively enumerable logic $L$, we can have a decision algorithm 
for $L$ if we can enumerate those formulas that are not in $L$. Clearly, this can be done if: 


• the class of finite frames for $L$ is recursively enumerable (up to isomorphism, of 
course), and 


• $L$ has the finite model property², that is 
$L = \mathsf{Log}\{\mathfrak{F} \in \mathsf{Fr}\,L \mid \mathfrak{F} \text{ is finite}\}$. 

This chapter is not self-contained in the sense that we discuss well-known modal logics 
like K, S5, KD45, K4, S4, K4.3, GL, Grz, Alt, etc. without defining them. We 
also use without explicit reference standard notions and results from basic modal logic, 
such as p-morphisms and disjoint unions, generated subframes, unravelling, results on 
Sahlqvist formulas and canonicity, etc. For notions and statements not defined or proved 
here, see other chapters in this handbook or [12, 10]. 


¹ We consider here what are usually called normal modal logics only. 
² It would be more precise to call this finite frame property. However, as is well-known, it is equivalent 
to saying that $L = \{\varphi \mid \mathfrak{M} \models \varphi, \text{ for all finite models } \mathfrak{M} \text{ for } L\}$. 


2 FUSION OF MODAL LOGICS 


Within the constraints (C1)—(C3) above, the formation of fusions (also known as in- 
dependent joins), is the simplest and perhaps the most natural way of combining modal 
logics: 


DEFINITION 1. Let $L_1$ and $L_2$ be two modal logics formulated in languages $\mathcal{ML}_n$ and 
$\mathcal{ML}_m$ in such a way that they have disjoint sets of modal operators (say, $\Box_1, \dots, \Box_n$ and 
$\Box_{n+1}, \dots, \Box_{n+m}$, respectively). Then the fusion 

$$L_1 \otimes L_2$$

of $L_1$ and $L_2$ is the smallest $(n + m)$-modal logic $L$ containing both $L_1$ and $L_2$. 

It is easy to see that if each $L_i$ is axiomatised by a set $\Sigma_i$ of axioms (written in the 
respective languages) then $L_1 \otimes L_2$ is axiomatised by the union $\Sigma_1 \cup \Sigma_2$. This means 
that no axiom containing modal operators from both of the languages of $L_1$ and $L_2$ is 
required to axiomatise $L_1 \otimes L_2$. In other words, in fusions the modal operators of the 
component logics are kind of ‘independent’, they ‘do not interact’. 

The formation of fusions is clearly an associative binary operation on modal logics. 
Therefore, one can define the fusion 


of n modal logics in a straightforward way, for any natural number n > 2. Observe 
that well-known multimodal logics like $K_n$ or $S5_n$ are the fusions of their unimodal 
‘counterparts’: 

$$K_n = K \otimes \cdots \otimes K, \qquad S5_n = S5 \otimes \cdots \otimes S5.$$

The formation of fusions as a combination method does satisfy criterion (C3), as the 
following result of Thomason [78] shows: 


THEOREM 2. The fusion of consistent modal logics is a conservative extension of the 
components. 


2.1 Transfer results 
We begin with the following result of Kracht and Wolter [48], and Fine and Schurz [16] 
stating that Kripke completeness of the components transfers to their fusion: 


THEOREM 3. If modal logics $L_1$ and $L_2$ are characterised by classes of frames $\mathcal{C}_1$ and 
$\mathcal{C}_2$, respectively, and if $\mathcal{C}_1$ and $\mathcal{C}_2$ are closed under the formation of disjoint unions and 
isomorphic copies, then the fusion $L_1 \otimes L_2$ of $L_1$ and $L_2$ is characterised by the class 

$$\mathcal{C}_1 \otimes \mathcal{C}_2 = \{ (W, R_1, \dots, R_n, S_1, \dots, S_m) \mid (W, R_1, \dots, R_n) \in \mathcal{C}_1,\ (W, S_1, \dots, S_m) \in \mathcal{C}_2 \}.$$

It should be clear that if $\mathcal{C}_1$ and $\mathcal{C}_2$ determine logics $L_1$ and $L_2$, respectively, then 
all frames in $\mathcal{C}_1 \otimes \mathcal{C}_2$ are frames for the fusion $L_1 \otimes L_2$. Let us outline the proof of the 
converse statement, i.e., that $\mathcal{C}_1 \otimes \mathcal{C}_2$ actually characterises $L_1 \otimes L_2$. To simplify notation, 
we assume that $L_1$ and $L_2$ are unimodal logics with the boxes $\Box_1$ and $\Box_2$, respectively. 
The fusion $L = L_1 \otimes L_2$ is then a bimodal logic in the language $\mathcal{ML}_2$. 

With each $\mathcal{ML}_2$-formula $\varphi$ of the form $\Box_i \psi$ ($i = 1, 2$) we associate a new variable $q_\varphi$, 
which will be called the surrogate of $\varphi$. For an $\mathcal{ML}_2$-formula $\varphi$ containing no surrogate 
variables, denote by $\varphi^1$ the formula that results from $\varphi$ by replacing all its subformulas of 
the form $\Box_2 \psi$, which are not within the scope of other $\Box_2$, with their surrogate variables 
$q_{\Box_2 \psi}$. So $\varphi^1$ is a unimodal formula containing only $\Box_1$. Let 

$$\Theta^1(\varphi) = \{p \mid p \text{ is a variable in } \varphi\} \cup \{\chi \in \mathrm{sub}\,\Box_2\psi \mid \Box_2\psi \in \mathrm{sub}\,\varphi\}.$$

The formula $\varphi^2$ and the set $\Theta^2(\varphi)$ are defined symmetrically. 

Suppose now that $\varphi$ is satisfiable in a model based on a frame for $L$. We need to 
construct a frame in $\mathcal{C}_1 \otimes \mathcal{C}_2$ satisfying $\varphi$. As we know only how to build frames for the 
unimodal fragments of $L$, the frame is constructed step-by-step alternating between $\Box_1$ 
and $\Box_2$. 

Note first that since $L_1$ is characterised by $\mathcal{C}_1$, there is a model $\mathfrak{M}$ based on a frame 
in $\mathcal{C}_1$ and satisfying $\varphi^1$ at a point $r$. Our aim now is to ensure that the formulas of the 
form $\Box_2 \psi$ have the same truth-values as their surrogates $q_{\Box_2 \psi}$. To do this, with each 
point $x$ in $\mathfrak{M}$ we can associate the formula 

$$\varphi_x = \bigwedge\{\psi \in \Theta^1(\varphi) \mid (\mathfrak{M}, x) \models \psi^1\} \land \bigwedge\{\neg\psi \mid \psi \in \Theta^1(\varphi),\ (\mathfrak{M}, x) \not\models \psi^1\},$$

construct a model $\mathfrak{M}_x$ based on a frame in $\mathcal{C}_2$ and satisfying $\varphi_x^2$ in a world $y$, and then 
hook $\mathfrak{M}_x$ to $\mathfrak{M}$ by identifying $x$ and $y$. After that we can switch to $\Box_1$ and in the same 
manner ensure that formulas $\Box_1 \psi$ have the same truth-values as $q_{\Box_1 \psi}$ at all points in 
every $\mathfrak{M}_x$, and so on. In this construction we use the fact that $\mathcal{C}_1$ and $\mathcal{C}_2$ are closed under 
isomorphic copies and disjoint unions: the $\mathfrak{M}_x$ should be mutually disjoint and the final 
model is the union of the models constructed at each step. Note that this construction 
is a special case of fibring semantics that is called iterated dovetailing [19, 20]. 

However, to realise this quite obvious scheme, we must be sure that $\varphi_x^2$ is really 
satisfiable in a frame for $L_2$, which may impose some restrictions on the models we 
choose. First, in the construction above it is enough to deal with points $x$ accessible 
from $r$ in at most $md(\varphi)$ steps; no other point has any influence on the truth of $\varphi$ at $r$. 
Let $X$ be the set of all such points. Now, a sufficient and necessary condition for $\varphi_x$ to 
be satisfiable in a frame for $L$ (and so for $\varphi_x^2$ to be satisfiable in a frame for $L_2$) can be 
formulated using the following general description of formulas of type $\varphi_x$. 

Suppose $\Gamma$ is a finite set of formulas closed under subformulas. Define the consistency-set 
$C(\Gamma)$ of $\Gamma$ by taking 

$$C(\Gamma) = \{\psi_\Delta \mid \Delta \subseteq \Gamma\},$$

where for $\Delta \subseteq \Gamma$, 

$$\psi_\Delta = \bigwedge\{\chi \mid \chi \in \Delta\} \land \bigwedge\{\neg\chi \mid \chi \in \Gamma - \Delta\}.$$

In particular, for all $x \in X$, we have $\varphi_x \in C(\Theta^1(\varphi))$. Given a formula $\varphi$, define 

$$\Sigma_1(\varphi) = \{\psi \in C(\Theta^1(\varphi)) \mid \neg\psi \notin L\}, \qquad \Sigma_2(\varphi) = \{\psi \in C(\Theta^2(\varphi)) \mid \neg\psi \notin L\}.$$

The formulas in $\Sigma_i(\varphi)$ can be regarded as ‘state descriptions’ of the points in the possible 
models with respect to the formulas in $\Theta^i(\varphi)$. In particular, for all $x \in X$, $\varphi_x$ is satisfiable 
in a frame for $L$ iff $\varphi_x \in \Sigma_1(\varphi)$. In other words, we should start with a model $\mathfrak{M}$ satisfying 
$\varphi^1 \land \Box_1^{\le md(\varphi)} (\bigvee \Sigma_1(\varphi))^1$ at a point $r$. Of course, the subsequent models $\mathfrak{M}_x$ must satisfy 
$\varphi_x^2 \land \Box_2^{\le md(\varphi_x)} (\bigvee \Sigma_2(\varphi_x))^2$ at all points $x \in X$, and so on. The interested reader may find 
more details in [48], [16]. 


Since the closure under finite disjoint unions is enough when we work with finite 
frames, we obtain the following: 


THEOREM 4. If both $L_1$ and $L_2$ are modal logics having the finite model property, then 
their fusion $L_1 \otimes L_2$ has the finite model property as well. 


As is shown by Wolter [82], decidability of the components also transfers to their fusion: 


THEOREM 5. If $L_1$ and $L_2$ are both decidable modal logics then $L_1 \otimes L_2$ is decidable as 
well. 


Further results showing that other important properties (such as Halldén completeness, 
decidability of the global consequence relation, uniform interpolation property) of modal 
logics are preserved under fusions were obtained in [48, 82]. 

As is discussed in Chapter 6 of this handbook, from the algebraic point of view every 
modal logic $L$ can be regarded as the equational theory of modal algebras generated by 
the equations $\{\text{‘}\varphi = 1\text{’} \mid \varphi \in L\}$. Thus, the problem of whether decidability is preserved 
under the formation of fusions of modal logics is an instance of the more general question: 
under which conditions does the decidability of two equational theories $T_1$ and $T_2$ imply 
the decidability of the union $T_1 \cup T_2$. The shared Boolean connectives impose special 
conditions on these equational theories; see the results of Ghilardi [29] that put the 
fusion construction to this more general context. Other extensions of Theorem 5 to 
fusions sharing not only the Booleans but also a universal modality and nominals are 
discussed in [30], and to fusions of non-normal modal logics in [6, 4]. 


2.2 Complexity of fusions 


Unlike the properties considered above, upper complexity bounds do not always transfer 
under the formation of fusions (the lower bounds are inherited by Theorem 2 as long 
as we take fusions of consistent logics). The known decision procedures provide a time 
complexity bound for the fusion that is non-deterministic and one exponent higher than 
the maximal time complexity of the components. However, in general it is not known 
whether this increase in complexity is unavoidable. In particular, it is not known whether 
PSPACE- or EXPTIME-completeness transfers under the formation of fusions (see 
Theorem 7 below for some special cases when it actually does). 

The following characterisation of the transfer of coNP-completeness was given by 
Spaan [77]. In order to formulate her theorem, we require the following notion. Say that 
a frame (W’, R’) is a skeleton subframe of a frame (W, R) if W’ C W and R’ C R. We 
use o to denote reflexive points and e for irreflexive ones. 

THEOREM 6. Suppose that the unimodal logics $L_1$ and $L_2$ are characterised by classes 
$\mathcal{C}_1$ and $\mathcal{C}_2$ of frames, respectively, that are closed under the formation of isomorphic 
copies and disjoint unions. Then there are the following three cases for the complexity of 
$L_1 \otimes L_2$ (below $\{i, j\} = \{1, 2\}$): 

(1) $L_1 \otimes L_2$ is coNP-complete. 


(2) $\mathcal{C}_i$ consists of disjoint unions of singleton frames. In this case $L_1 \otimes L_2$ is polynomially 
reducible to $\mathsf{Log}(\mathcal{C}_j)$. 


(3) $L_1 \otimes L_2$ is PSPACE-hard, whenever one of the following six cases holds: 


(i) e<+-e—re and e—e are skeleton subframes of some frames in $\mathcal{C}_i$ and $\mathcal{C}_j$, respectively; 

(ii) o+e—+e and e+ are skeleton subframes of some frames in $\mathcal{C}_i$ and $\mathcal{C}_j$, respectively; 

(iii) e+o—re and e+e are skeleton subframes of some frames in $\mathcal{C}_i$ and $\mathcal{C}_j$, respectively; 

(iv) e—e—e and o—e are skeleton subframes of some frames in $\mathcal{C}_i$ and $\mathcal{C}_j$, respectively; 

(v) eee and o—>e are skeleton subframes of a frame in $\mathcal{C}_i$ and e<+e is a skeleton 
subframe of a frame in $\mathcal{C}_j$; 

(vi) e+e—+e and o—>» are skeleton subframes of a frame in $\mathcal{C}_i$ and e—o is a skeleton 
subframe of a frame in $\mathcal{C}_j$. 


A close inspection of this result shows that almost all interesting fusions are PSPACE-hard. 
(An exception is the fusion $\mathrm{Alt} \otimes \mathrm{Alt}$ of two Alt logics that is coNP-complete 
by Theorem 6. We remind the reader that Alt is the coNP-complete logic determined 
by all functional frames.) In fact, the proof of Halpern and Moses [35] can be easily 
modified to obtain the following result on a matching upper bound for several ‘standard’ 
fusions: 


THEOREM 7. Let $n > 1$ and $L_i \in \{K, T, K4, S4, KD45, S5\}$, for all $1 \le i \le n$. Then 
$L_1 \otimes \cdots \otimes L_n$ is PSPACE-complete. 


Note that while K, T, K4 and S4 are PSPACE-complete themselves, KD45 and S5 
are coNP-complete. 


3 PRODUCT OF MODAL LOGICS 


The formation of Cartesian products of various structures—vector and topological spaces, 
algebras, etc.—is a standard mathematical way of capturing the multidimensional char- 
acter of our world. In modal logic, products of Kripke frames are natural constructions 
allowing us to reflect interactions between modal operators representing time, space, 
knowledge, actions, etc. The product construction as a combination method on modal 
logics was introduced in [74, 75, 24] and has been used in applications in computer science 
and artificial intelligence ever since (see, e.g., [68, 15, 7, 69, 18], and [23] and references 
therein). 


DEFINITION 8. The product of two frames $\mathfrak{F}_1 = (W_1, R_1^1, \dots, R_1^n)$ and $\mathfrak{F}_2 = 
(W_2, R_2^1, \dots, R_2^m)$ is the $(n + m)$-frame 

$$\mathfrak{F}_1 \times \mathfrak{F}_2 = (W_1 \times W_2, R_h^1, \dots, R_h^n, R_v^1, \dots, R_v^m)$$

where $W_1 \times W_2 = \{(u, v) \mid u \in W_1, v \in W_2\}$ and, for all $u_1, u_2 \in W_1$ and $v_1, v_2 \in W_2$, 

$$(u_1, v_1) R_h^i (u_2, v_2) \quad \text{iff} \quad u_1 R_1^i u_2 \text{ and } v_1 = v_2 \qquad (1 \le i \le n),$$

$$(u_1, v_1) R_v^j (u_2, v_2) \quad \text{iff} \quad u_1 = u_2 \text{ and } v_1 R_2^j v_2 \qquad (1 \le j \le m).$$

Such a frame will be called a product frame. The subscripts $h$ and $v$ appeal to the 
geometrical intuition of considering the $R_h^i$ as ‘horizontal’ accessibility relations in $\mathfrak{F}_1 \times \mathfrak{F}_2$ 
and the $R_v^j$ as ‘vertical’ ones; see Fig. 1 for an illustration. 


Figure 1. Product frames. 


It is not hard to see that the product construction commutes with the three basic 
operations on frames: 


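PROPOSITION 9. For all frames $\mathfrak{F}$, $\mathfrak{G}$, $\mathfrak{H}$, $\mathfrak{H}_i$, $i \in I$, the following hold: 
(i) If $\mathfrak{F}$ is a p-morphic image of $\mathfrak{H}$, then $\mathfrak{F} \times \mathfrak{G}$ is a p-morphic image of $\mathfrak{H} \times \mathfrak{G}$. 
(ii) If $\mathfrak{F}$ is a generated subframe of $\mathfrak{H}$, then $\mathfrak{F} \times \mathfrak{G}$ is a generated subframe of $\mathfrak{H} \times \mathfrak{G}$. 
(iii) If $\mathfrak{F}$ is a disjoint union of $\mathfrak{H}_i$, $i \in I$, then $\mathfrak{F} \times \mathfrak{G}$ is isomorphic to the disjoint union 
of $\mathfrak{H}_i \times \mathfrak{G}$, $i \in I$. 

Products of Kripke frames can be used to define a natural combination method on 
modal logics: 


DEFINITION 10. Let $L_1$ and $L_2$ be two Kripke complete modal logics formulated in 
languages $\mathcal{ML}_n$ and $\mathcal{ML}_m$ in such a way that they have disjoint sets of modal operators 
(say, $\Box_1, \dots, \Box_n$ and $\Box_{n+1}, \dots, \Box_{n+m}$, respectively). Then the product of $L_1$ and $L_2$ is 
the modal logic 

$$L_1 \times L_2 = \mathsf{Log}\{\mathfrak{F}_1 \times \mathfrak{F}_2 \mid \mathfrak{F}_i \in \mathsf{Fr}\,L_i,\ i = 1, 2\}.$$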

For example, $K_n \times K_m$ is the $(n + m)$-modal logic determined by all product frames 
$\mathfrak{F}_1 \times \mathfrak{F}_2$, where $\mathfrak{F}_1$ is an n-frame and $\mathfrak{F}_2$ an m-frame; $S4 \times S5$ is the bimodal logic 
determined by all product frames $\mathfrak{F}_1 \times \mathfrak{F}_2$ such that $\mathfrak{F}_1$ is reflexive and transitive, and $\mathfrak{F}_2$ 
is an equivalence frame. 

Note that the product of Kripke complete modal logics is always Kripke complete by 
definition. It is important to emphasise that in order to make the product construction a 
well-defined combination method on Kripke complete modal logics, we have to consider 
products of all possible Kripke frames for $L_1$ and $L_2$. The reason is that even if $\mathsf{Log}\,\mathcal{C}_1 = 
\mathsf{Log}\,\mathcal{C}_1'$ and $\mathsf{Log}\,\mathcal{C}_2 = \mathsf{Log}\,\mathcal{C}_2'$, then we can have 

$$\mathsf{Log}\{\mathfrak{F}_1 \times \mathfrak{F}_2 \mid \mathfrak{F}_i \in \mathcal{C}_i,\ i = 1, 2\} \ne \mathsf{Log}\{\mathfrak{F}_1 \times \mathfrak{F}_2 \mid \mathfrak{F}_i \in \mathcal{C}_i',\ i = 1, 2\},$$

see [23] for examples. 

There are several attempts for extending the product construction from Kripke com- 
plete logics to arbitrary modal logics, mainly by considering product-like constructions 
on Kripke models, see [37, 23]. All the suggested methods so far result in sets of formulas 
that are not closed under the rule of Substitution, thus do not satisfy our criterion (C2). 
Van Benthem et al. [79] show that by defining a product-like operator on their topological 
semantics, one can get back the fusion of modal logics determined by transitive frames. 


Once the two-dimensional definition is given, there are essentially two ways of defining 
products of three or more modal logics. First, we can generalise in a straightforward 
way the definitions above. To simplify notation, from now on we will mostly consider 
products of unimodal frames and logics only. (However, we will discuss the multimodal 
versions in those cases when it does make a difference.) 


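DEFINITION 11. Given a natural number $n > 1$, the product of frames $\mathfrak{F}_1 = (W_1, R_1)$, 
$\mathfrak{F}_2 = (W_2, R_2)$, ..., $\mathfrak{F}_n = (W_n, R_n)$ is the n-frame 

$$\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n = (W_1 \times \cdots \times W_n, R_1, \dots, R_n)$$

where, for each $i = 1, \dots, n$, $R_i$ is a binary relation on $W_1 \times \cdots \times W_n$ such that 

$$(u_1, \dots, u_n) R_i (v_1, \dots, v_n) \quad \text{iff} \quad u_i R_i v_i \text{ and } u_k = v_k, \text{ for } k \ne i.$$

Then, given Kripke complete (uni)modal logics $L_i$ formulated in the language having $\Box_i$ 
($i = 1, \dots, n$), the product of $L_1, \dots, L_n$ is the n-modal logic 

$$L_1 \times \cdots \times L_n = \mathsf{Log}\{\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n \mid \mathfrak{F}_i \in \mathsf{Fr}\,L_i,\ i = 1, \dots, n\}.$$

For example, $K^n = K \times \cdots \times K$ is the logic determined by all n-dimensional product 
frames; $S5^n$ is the logic determined by all product frames $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$, where each $\mathfrak{F}_i$ 
is a (possibly different) equivalence frame. 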


The second way would be to define $L_1 \times \cdots \times L_n$ as $(((L_1 \times L_2) \times L_3) \times \cdots \times L_{n-1}) \times L_n$.
The easily established fact that the frame $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$ is isomorphic to

$$(((\mathfrak{F}_1 \times \mathfrak{F}_2) \times \mathfrak{F}_3) \times \cdots \times \mathfrak{F}_{n-1}) \times \mathfrak{F}_n$$

might seem to suggest that the two definitions are equivalent. However, the situation is
not that simple. For example, it is not known whether the equalities

$$\mathbf{K}^4 \stackrel{?}{=} \mathbf{K}^3 \times \mathbf{K} \quad\text{and}\quad \mathbf{S5}^4 \stackrel{?}{=} \mathbf{S5}^3 \times \mathbf{S5}$$

hold. The problem here is that $\mathbf{K}^4$ is characterised by the class of products of four
1-frames, while $\mathbf{K}^3 \times \mathbf{K}$ by the class of products of arbitrary (that is, not necessarily
product) 3-frames for $\mathbf{K}^3$ and 1-frames for $\mathbf{K}$. Now, the thing is that these arbitrary
$\mathbf{K}^3$-frames are not necessarily isomorphic to product frames (in fact, we do not even
know what they look like; see Theorem 25).

For this reason, we take Definition 11 above as the ‘official’ definition of higher dimen- 
sional product logics. Note, however, that in Section 3.3 we provide a characterisation of 
arbitrary (countable) frames for K x K and S5 x S5 (among many other two-dimensional 
product logics), and prove—with the help of this characterisation—that for many three- 
dimensional products the two definitions actually coincide. For instance, 


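$$\mathbf{K}^3 = (\mathbf{K} \times \mathbf{K}) \times \mathbf{K} \quad\text{and}\quad \mathbf{S5}^3 = (\mathbf{S5} \times \mathbf{S5}) \times \mathbf{S5},$$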


see Corollary 23. 


3.1 General transfer results 


Compared to fusions, there are very few general transfer results for products. In fact, 
as we shall see in Sections 3.3 and 3.4, for many cases the lack of transfer of finite 
axiomatisability and decidability is the ‘norm’. 

In this section we discuss some basic properties of the product construction and the 
very few general transfer results about it. To begin with, observe that in the definition 
of product logics it is enough to consider only rooted frames for the component logics. 
Indeed, the inclusion 


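$$L_1 \times \cdots \times L_n \subseteq \mathrm{Log}\{\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n \mid \mathfrak{F}_i \text{ is a rooted frame for } L_i,\ i = 1,\dots,n\}$$

should be clear. To show the converse, suppose $\varphi \notin L_1 \times \cdots \times L_n$, i.e., $\varphi$ is refuted at a
point $(u_1,\dots,u_n)$ in some model based on a product frame $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$, where $\mathfrak{F}_i$ is a
frame for $L_i$, $i = 1,\dots,n$. For each i, let $\mathfrak{G}_i$ be the subframe of $\mathfrak{F}_i$ generated by $u_i$. Then
$\mathfrak{G}_i$ is also a frame for $L_i$, for $i = 1,\dots,n$. On the other hand, it is readily checked that
$\mathfrak{G}_1 \times \cdots \times \mathfrak{G}_n$ is isomorphic to the subframe of $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$ generated by $(u_1,\dots,u_n)$.
Thus we obtain the following: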


PROPOSITION 12. For all Kripke complete modal logics $L_1,\dots,L_n$,

$$L_1 \times \cdots \times L_n = \mathrm{Log}\{\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n \mid \mathfrak{F}_i \text{ is a rooted frame for } L_i,\ i = 1,\dots,n\}.$$


For instance, $\mathbf{S5}^n$ is determined by products of universal frames $(W_i, W_i \times W_i)$, $i = 1,\dots,n$.
Moreover, each such ‘universal product frame’ is a p-morphic image of a cubic
universal product frame, i.e., the nth power of the same universal frame $(W, W \times W)$.
Indeed, it is easy to see that if a set W is such that there are surjections $f_i : W \to W_i$,
for $i = 1,\dots,n$, then the map f defined by

$$f(w_1,\dots,w_n) = (f_1(w_1),\dots,f_n(w_n))$$

is a p-morphism from the frame $(W, W \times W)^n$ onto

$$(W_1, W_1 \times W_1) \times \cdots \times (W_n, W_n \times W_n).$$

Such a set and surjections can be found, for example, by taking the disjoint union of the
$W_i$ as W and defining $f_i$ so that it is the identity map on $W_i$ and arbitrary otherwise.
Therefore, we obtain:


PROPOSITION 13. $\mathbf{S5}^n$ is determined by the class of all cubic universal product frames.


The formation of products as a combination method satisfies criterion (C3), as the 
following proposition shows: 


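PROPOSITION 14. For all Kripke complete modal logics $L_1,\dots,L_n$,

$$L_1 \otimes \cdots \otimes L_n \subseteq L_1 \times \cdots \times L_n.$$


Proof. Given a product frame $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n = (W_1 \times \cdots \times W_n, R_1,\dots,R_n)$ such that
each $\mathfrak{F}_i = (W_i, R_i)$ is a frame for $L_i$ ($i = 1,\dots,n$), fix some $1 \le i \le n$. For every
$(n-1)$-tuple $\bar{u}_i = (u_1,\dots,u_{i-1},u_{i+1},\dots,u_n)$ with $u_j \in W_j$, for $j \ne i$, we take the set

$$W_{\bar{u}_i} = \{(u_1,\dots,u_n) \mid u_i \in W_i,\ (u_1,\dots,u_{i-1},u_{i+1},\dots,u_n) = \bar{u}_i\},$$

and let $S_{\bar{u}_i}$ be the restriction of $R_i$ to $W_{\bar{u}_i}$, i.e., $S_{\bar{u}_i} = R_i \cap (W_{\bar{u}_i} \times W_{\bar{u}_i})$. Then we have:

• $(W_{\bar{u}_i}, S_{\bar{u}_i})$ is isomorphic to $(W_i, R_i)$;

• $(W_1 \times \cdots \times W_n, R_i)$ is the disjoint union of the frames $(W_{\bar{u}_i}, S_{\bar{u}_i})$, for all $(n-1)$-tuples $\bar{u}_i$.

∎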


As we shall see in Section 3.3, the inclusion in Proposition 14 is proper: product logics 
always include certain interactions between the modal operators of their components. 
Note, however, that the modal operators within each component are not affected by 
these interactions, that is, the product $L_1 \times \cdots \times L_n$ of consistent Kripke complete logics
$L_1,\dots,L_n$ is a conservative extension of each of them. One can even show a slightly
stronger statement: 


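PROPOSITION 15. Let $L_1,\dots,L_n,L_{n+1}$ be consistent Kripke complete unimodal logics.
Then the logic $L_1 \times \cdots \times L_n \times L_{n+1}$ is a conservative extension of $L_1 \times \cdots \times L_n$, i.e.,
for every $\mathcal{ML}_n$-formula $\varphi$,

$$\varphi \in L_1 \times \cdots \times L_n \quad\text{iff}\quad \varphi \in L_1 \times \cdots \times L_n \times L_{n+1}.$$


Proof. We prove this only for the case $L_1 = \cdots = L_n = L$; the general case is considered
in a similar way. First, it is readily checked that for any $n+1$-dimensional product frame

$$\mathfrak{F} = (W_1 \times \cdots \times W_n \times W_{n+1}, R_1,\dots,R_n,R_{n+1}),$$

the projection map $f(w_1,\dots,w_n,w_{n+1}) = (w_1,\dots,w_n)$ is a p-morphism from the ‘n-reduct’

$$\mathfrak{F}^{(n)} = (W_1 \times \cdots \times W_n \times W_{n+1}, R_1,\dots,R_n)$$

of $\mathfrak{F}$ onto the n-dimensional product frame $\mathfrak{F}^- = (W_1 \times \cdots \times W_n, R_1,\dots,R_n)$.
Now suppose that $\varphi \in L^{n+1}$ and $\mathfrak{G}$ is an n-dimensional product frame for $L^n$. As
L is consistent and Kripke complete, there exists a frame $\mathfrak{H}$ for L. Then the product
$\mathfrak{F} = \mathfrak{G} \times \mathfrak{H}$ is a frame for $L^{n+1}$, and so $\mathfrak{F} \models \varphi$. Since $\mathfrak{F}^- = \mathfrak{G}$, we finally obtain $\mathfrak{G} \models \varphi$.
Conversely, suppose that $\varphi \in L^n$, and let $\mathfrak{F}$ be an $n+1$-dimensional product frame
for $L^{n+1}$. Then clearly $\mathfrak{F}^-$ is a frame for $L^n$, and so $\mathfrak{F} \models \varphi$. ∎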
A useful property of certain product logics is that they are determined by
their countable product frames:

THEOREM 16. Let $L_i$ be a Kripke complete unimodal logic such that $\mathrm{Fr}L_i$ is first-order
definable in the language having equality and a binary predicate symbol $R_i$, for each
$i = 1,\dots,n$. Then $L_1 \times \cdots \times L_n$ is determined by the class of its countable product
frames.


Proof. For each i, let $T_i$ denote the first-order theory defining $\mathrm{Fr}L_i$ in the language $\mathcal{L}_n$
having equality and binary predicate symbols $R_1,\dots,R_n$. Now let $\mathcal{L}_n^{\times}$ be the $n+1$-sorted
extension of $\mathcal{L}_n$ that has the binary predicate symbols $R_1,\dots,R_n$ of sort 0, countably
many unary predicate symbols $P_0, P_1, \dots$ of sort 0, and for each sort i ($i = 1,\dots,n$) a
unary function symbol $f_i$ taking an argument of sort 0 and returning a value of sort i. For
each $\phi \in T_i$, denote by $\phi'$ the formula obtained by substituting $f_i(x)$ for all occurrences
of each variable x in $\phi$ ($i = 1,\dots,n$). Let

$$\Sigma = \{\phi' \mid \phi \in T_i,\ i = 1,\dots,n\} \cup \{\nu\},$$

where $\nu$ is the following sentence:

$\forall x \forall y\ (f_1(x) = f_1(y) \wedge \cdots \wedge f_n(x)$
$\wedge\ \forall x_1 \dots \forall x_n \exists y\ (f_1(y) = x_1 \wedge \cdots \wedge f_n(y) = x_n)$
$\wedge\ \bigwedge_{i=1}^{n} \forall x \forall y\ \bigl(x R_i y \leftrightarrow (f_i(x) R_i f_i(y) \wedge \bigwedge_{j \ne i} f_j(x) = f_j(y))\bigr)$

(here x and y are variables of sort 0, and $x_i$ is of sort i, for $i = 1,\dots,n$). Now suppose
that $\varphi \notin L_1 \times \cdots \times L_n$, for some $\mathcal{ML}_n$-formula $\varphi$. Then $\varphi$ is not true in a model
$\mathfrak{M} = (\mathfrak{F}, \mathfrak{V})$ based on the product $\mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$ of frames $\mathfrak{F}_i = (W_i, S_i)$ such that $\mathfrak{F}_i \models T_i$
for $i = 1,\dots,n$. Define a first-order $\mathcal{L}_n^{\times}$-structure I by taking

$$I = (W_1 \times \cdots \times W_n, W_1,\dots,W_n;\ S_1,\dots,S_n, \mathfrak{V}(p_0), \mathfrak{V}(p_1),\dots, pr_1,\dots,pr_n)$$

where $pr_i : W_1 \times \cdots \times W_n \to W_i$ are the projection functions. It is easy to see that $I \models \Sigma$.
Since without the extra sorts and the projections I is nothing but the modal model $\mathfrak{M}$
considered as a first-order structure, we also have $I \not\models \forall x\, \varphi^*(x)$ (where $\varphi^*$ is the standard
translation of $\varphi$). In other words, $\Sigma' = \Sigma \cup \{\exists x\, \neg\varphi^*(x)\}$ is true in I. By the downward
Löwenheim–Skolem–Tarski theorem, there is a countable first-order $\mathcal{L}_n^{\times}$-structure


OE igs. UR reel why eh EEE uated) 
such that $J \models \Sigma'$. For each $i = 1,\dots,n$, define

$$Q_i = \{(f_i^J(u), f_i^J(v)) \mid (u,v) \in R_i^J\},$$

and for each $j < \omega$,

$$= \{(f_1^J(w),\dots,f_n^J(w)) \mid w \in P_j^J\}.$$

Since $J \models \nu$, the map $h(w) = (f_1^J(w),\dots,f_n^J(w))$ is an isomorphism between J and the
first-order $\mathcal{L}_n^{\times}$-structure


PS (ees Uig WU One Olt Pp wanes pe) 
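Thus, $I' \models \Sigma$ and $I' \not\models \forall x\, \varphi^*(x)$. Let $\mathfrak{G}_i = (U_i, Q_i)$, $i = 1,\dots,n$. Define a valuation
$\mathfrak{W}$ in the (countable) product frame $\mathfrak{G} = \mathfrak{G}_1 \times \cdots \times \mathfrak{G}_n$ by taking $\mathfrak{W}(p_j) = P_j^{I'}$ for
$j < \omega$. As without the extra sorts and the projections I' is just a (countable) modal
model $\mathfrak{N} = (\mathfrak{G}, \mathfrak{W})$ considered as a first-order structure, this means that $\varphi$ is not true in
$\mathfrak{N}$.

Note that in fact we have also proved that

$$\varphi \in L_1 \times \cdots \times L_n \quad\text{iff}\quad \Sigma \models \forall x\, \varphi^*(x), \qquad (1)$$

for any $\mathcal{ML}_n$-formula $\varphi$. ∎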


In many cases recursive enumerability of the components transfers to their product: 


THEOREM 17. Let $L_i$ be a Kripke complete unimodal logic such that $\mathrm{Fr}L_i$ is definable
by a recursive set of first-order sentences in the language having equality and a binary
predicate symbol $R_i$, for each $i = 1,\dots,n$. Then the product logic $L_1 \times \cdots \times L_n$ is
recursively enumerable.


Proof. We use the notation of the proof of Theorem 16. Since now the sets $T_i$ are
recursive, $\Sigma$ is recursive as well. And since the consequence relation of first-order logic is
recursively enumerable, it follows from (1) that $L_1 \times \cdots \times L_n$ is recursively enumerable. ∎


3.2 Connections with other formalisms 


The product construction shows up in various disguises; here we discuss three
examples: first-order logics, ‘interpreted systems’ for temporal epistemic logics, and modal
extensions of description logics.


First-order classical and modal logics 


Let us fix a natural number $n > 0$ and consider the fragment of classical first-order logic
that

• uses n individual variables $x_1,\dots,x_n$,
• contains neither equality, nor individual constants, nor function symbols, and
• whose atomic formulas are of the form $P(x_1,\dots,x_n)$, where P is an n-ary predicate
symbol.


This fragment can be regarded as the ‘n-variable substitution- and equality-free fragment’
of classical first-order logic. The following map $\cdot^{\circ}$ provides a one-to-one correspondence
between formulas of this fragment and $\mathcal{ML}_n$-formulas:

$$P_i(x_1,\dots,x_n)^{\circ} = p_i, \qquad (\varphi \wedge \psi)^{\circ} = \varphi^{\circ} \wedge \psi^{\circ},$$
$$(\neg\varphi)^{\circ} = \neg\varphi^{\circ}, \qquad (\exists x_i\, \varphi)^{\circ} = \Diamond_i \varphi^{\circ} \quad (1 \le i \le n).$$

It is not hard to see that, for every first-order formula $\varphi$ of the fragment,

$$\varphi \text{ is first-order valid} \quad\text{iff}\quad \varphi^{\circ} \in \mathbf{S5}^n.$$

Indeed, every first-order structure $I = (D^I, P_0^I, P_1^I, \dots)$ can be considered as a modal
model $\mathfrak{M}(I) = ((W, R_1,\dots,R_n), \mathfrak{V})$, where

• W is the set of all variable assignments in I, i.e., the set of all functions from the
variables $x_1,\dots,x_n$ into $D^I$;

• $a R_i b$ iff $a(x_j) = b(x_j)$ for all variables $x_j$ different from $x_i$, $1 \le i \le n$;


a 


The set W of all assignments in I can be regarded as the nth Cartesian power of the
domain $D^I$. The underlying frame of $\mathfrak{M}(I)$ then turns into a product frame for $\mathbf{S5}^n$:
the nth power of the universal S5-frame $(D^I, D^I \times D^I)$. On the other hand, $\mathbf{S5}^n$ is
determined by such cubic universal product frames by Proposition 13.

The idea of such a ‘modal approach’ to classical first-order logic was suggested by 
Quine [66] and Kuhn [51] and fully realised by Venema [80]. ‘Approximating’ first- 
order logic with logical systems of propositional character was an important motive 
in the algebraic treatment of classical first-order logic; see the work of Tarski and his 
school [38, 39, 1, 11, 13, 34, 62]. The modal algebras (see Chapter 6 of this handbook) 
corresponding to the product logic $\mathbf{S5}^n$ are known in the algebraic logic literature as
diagonal-free cylindric set algebras of dimension n.

As is shown in [23], a similar connection can be established between n-variable fragments
of quantified modal logics L (with constant domains) and $n+1$-dimensional product
logics of the form

$$L \times \underbrace{\mathbf{S5} \times \cdots \times \mathbf{S5}}_{n}.$$


Temporal epistemic logics 


Here we briefly discuss the connections to the ‘interpreted systems’ approach proposed 
by Fagin et al. [15] which gives rise to various combinations of propositional temporal 
and epistemic logics ranging from fusions to products of these logics. 

Suppose S is a non-empty set (of ‘states’) and $\mathfrak{F} = (T, <)$ is a strict linear order (the
‘flow of time’). Suppose also that $\mathcal{R}$ is a non-empty set of functions from T to S (the
available ‘runs of events’ over $\mathfrak{F}$), and let $R_1,\dots,R_n$ be binary relations on $T \times \mathcal{R}$. Then
the tuple

$$\mathfrak{G} = (T, \mathcal{R}, <, R_1,\dots,R_n)$$

is called an interpreted system. A valuation $\mathfrak{V}$ in $\mathfrak{G}$ is a function from the set of propositional
variables into the set $2^S$ of all subsets of S. The pair $\mathfrak{M} = (\mathfrak{G}, \mathfrak{V})$ is called a model
based on $\mathfrak{G}$.

We interpret the modal language $\mathcal{ML}_{n+1}$ at (timepoint, run) pairs in these models.
$\Box_1$ represents the temporal operator ‘always in the future’, while $\Box_2,\dots,\Box_{n+1}$ represent
the respective knowledge of n agents:

$(\mathfrak{M},(t,f)) \models p$ iff $f(t) \in \mathfrak{V}(p)$,
$(\mathfrak{M},(t,f)) \models \varphi \wedge \psi$ iff $(\mathfrak{M},(t,f)) \models \varphi$ and $(\mathfrak{M},(t,f)) \models \psi$,
$(\mathfrak{M},(t,f)) \models \neg\varphi$ iff not $(\mathfrak{M},(t,f)) \models \varphi$,
$(\mathfrak{M},(t,f)) \models \Box_1\varphi$ iff $(\mathfrak{M},(t',f)) \models \varphi$ whenever $t' > t$,
$(\mathfrak{M},(t,f)) \models \Box_i\varphi$ iff $(\mathfrak{M},(t',f')) \models \varphi$ whenever $(t,f)\, R_{i-1}\, (t',f')$ ($i = 2,\dots,n+1$).

We say that $\varphi$ is true in $\mathfrak{M}$ if $(\mathfrak{M},(t,f)) \models \varphi$ holds, for every $(t,f) \in T \times \mathcal{R}$.

Given a propositional temporal logic $\mathrm{Log}\,\mathcal{C}_1$ determined by a class $\mathcal{C}_1$ of strict linear
orders and an n-modal epistemic logic L determined by a class $\mathcal{C}_2$ of n-frames, we can
obtain a ‘combined’ temporal-epistemic logic by considering all $\mathcal{ML}_{n+1}$-formulas that are
true in all models that are based on interpreted systems of the form $(T, \mathcal{R}, <, R_1,\dots,R_n)$
such that $(T, <) \in \mathcal{C}_1$ and $(T \times \mathcal{R}, R_1,\dots,R_n) \in \mathcal{C}_2$. By Theorem 3, this combined logic
is just the fusion of $\mathrm{Log}\,\mathcal{C}_1$ and L.

By imposing various constraints on interpreted systems, we can reflect some interesting
features of agents. An interpreted system $\mathfrak{G}$ models agents who know the time if, for all
$t, t' \in T$, $f, f' \in \mathcal{R}$, and $i = 1,\dots,n$,

$$(t,f)\, R_i\, (t',f') \text{ implies } t = t'.$$

In other words, if $A_i$ believes that at moment t relative to an evolution f the pair $(t',f')$
represents a possible state of affairs, then $t = t'$. So at each moment t the agents are
assumed to know that the clock is at t. Systems represented by structures of this type
are known as synchronous.

An interpreted system models agents who do not learn if, for all agents $A_i$, $f, f' \in \mathcal{R}$
and $t, t' \in T$, we have

$$(t,f)\, R_i\, (t',f') \text{ implies } \forall s > t\ \exists s' > t'\ (s,f)\, R_i\, (s',f').$$

Intuitively, an agent $A_i$ does not learn if, whenever it regards w as a possible state of
affairs at moment t, then it regards w as a possible state of affairs at every moment
$s > t$ as well. Under the condition that agents know the time, this means that if agent
$A_i$ regards an evolution f' as possible at t then it regards f' as possible at every $s > t$.
Similarly, an interpreted system models agents who do not forget if, for all $A_i$, $t, t' \in T$
and $f, f' \in \mathcal{R}$, we have

$$(t,f)\, R_i\, (t',f') \text{ implies } \forall s < t\ \exists s' < t'\ (s,f)\, R_i\, (s',f').$$

Systems of this type are known also as systems with perfect recall.
If an interpreted system models agents who know time, do not forget and do not learn,
then, for all agents $A_i$, $t, t' \in T$ and $f, f' \in \mathcal{R}$, we have

$$(t,f)\, R_i\, (t',f') \text{ implies } t = t' \text{ and } \forall s\ (s,f)\, R_i\, (s,f').$$

Thus, the interpretation of $\mathcal{ML}_{n+1}$-formulas in $\mathfrak{G}$ corresponds to evaluating them in the
product of frames $\mathfrak{F} = (T, <)$ and $(\mathcal{R}, S_1,\dots,S_n)$, where

$$f\, S_i\, f' \quad\text{iff}\quad \exists t \in T\ (t,f)\, R_i\, (t,f') \quad\text{iff}\quad \forall t \in T\ (t,f)\, R_i\, (t,f').$$
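The three constraints above can be tested on a finite interpreted system. The following added example (not part of the handbook) takes T = {0, 1, 2}, all runs over two states, and two constructed one-agent relations: BLIND, where the agent only ever knows the initial state, and RECALL, where the agent remembers the whole history so far. All names are assumptions of this example.

```python
from itertools import product

def knows_time(R):
    # (t,f) R (t',f') implies t = t'
    return all(t == t2 for ((t, _), (t2, _)) in R)

def no_learning(T, R):
    # (t,f) R (t',f') implies: for all s > t there is s' > t' with (s,f) R (s',f')
    return all(any(((s, f), (s2, g)) in R for s2 in T if s2 > t2)
               for ((t, f), (t2, g)) in R for s in T if s > t)

def no_forgetting(T, R):
    # (t,f) R (t',f') implies: for all s < t there is s' < t' with (s,f) R (s',f')
    return all(any(((s, f), (s2, g)) in R for s2 in T if s2 < t2)
               for ((t, f), (t2, g)) in R for s in T if s < t)

def run_relations(T, runs, R):
    """The two candidate definitions of S_i: 'at some t' and 'at every t'."""
    some = {(f, g) for f in runs for g in runs
            if any(((t, f), (t, g)) in R for t in T)}
    every = {(f, g) for f in runs for g in runs
             if all(((t, f), (t, g)) in R for t in T)}
    return some, every

def matches_product(T, runs, R):
    """True iff both definitions of S_i agree and R is S_i lifted to T x runs,
    i.e. R is the epistemic relation of the product of (T, <) and (runs, S_i)."""
    some, every = run_relations(T, runs, R)
    lifted = {((t, f), (t, g)) for t in T for (f, g) in some}
    return some == every and R == lifted

# Constructed sample system: three time points, runs are all maps T -> {'a','b'}.
T = [0, 1, 2]
RUNS = list(product("ab", repeat=len(T)))

# Agent that only distinguishes runs by their initial state.
BLIND = {((t, f), (t, g)) for t in T for f in RUNS for g in RUNS
         if f[0] == g[0]}
# Agent that remembers every state seen so far (so it learns as time passes).
RECALL = {((t, f), (t, g)) for t in T for f in RUNS for g in RUNS
          if f[:t + 1] == g[:t + 1]}

def classify(R):
    return {
        "knows_time": knows_time(R),
        "no_forgetting": no_forgetting(T, R),
        "no_learning": no_learning(T, R),
        "product": matches_product(T, RUNS, R),
    }

if __name__ == "__main__":
    print("BLIND ", classify(BLIND))
    print("RECALL", classify(RECALL))
```

RECALL is synchronous and has perfect recall but violates no learning, and for it the ‘some t’ and ‘every t’ versions of the run relation differ, so it is not of product form.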


‘Modal’ description logics 


As is discussed in Chapter 13 of this handbook, originally description logics have been 
designed and used as a formalism for knowledge representation and reasoning only in 
‘static’ application domains. Later on, several attempts have been made in the literature 
in order to extend description logics with ‘dynamic’ features such as knowledge as time- 
or action-dependence, beliefs of different agents, etc. (see, e.g., [72, 71, 57, 32, 7, 3, 5,
84, 86, 88]). Here we briefly describe a simple ‘modal’ extension of the basic concept
language $\mathcal{ALC}$ (see Chapter 13 of this handbook) and its connection to products.

Imagine, for instance, a car salesman John who, besides standard ABox and TBox 
knowledge bases (see Chapter 13 of this handbook), also wants to include ‘modalised’ 
concepts such as describing a Customer as 


Homo-sapiens ⊓ (sometime in the past) ∃buys.Car,
or a Potential_customer as
[John believes] (eventually) Customer.


Concept descriptions in the extended concept language $\mathcal{ML}_{\mathcal{ALC}}$ that is able to express
these can be formed according to the following rules:

$$C, D \ \to\ A \mid \top \mid \bot \mid \neg C \mid C \sqcap D \mid C \sqcup D \mid \forall r.C \mid \exists r.C \mid \Box_i C \mid \Diamond_i C,$$

where A ranges over concept names, r ranges over role names, and $i = 1,\dots,n$.

The intended semantics of $\mathcal{ML}_{\mathcal{ALC}}$ is defined as follows. An $\mathcal{ML}_{\mathcal{ALC}}$-interpretation
with constant domains and roles is a pair $\mathfrak{M} = (\mathfrak{F}, I)$ in which $\mathfrak{F} = (W, R_1,\dots,R_n)$ is an
n-frame and I is a function associating with each $w \in W$ a usual $\mathcal{ALC}$-interpretation

TODA iene A E a 


(that is, $\Delta$ is a nonempty set, $A^{I,w} \subseteq \Delta$ for each concept name A, and $r^{I} \subseteq \Delta \times \Delta$ for
each role name r). The (world-dependent) interpretation of concept names is inductively
extended to arbitrary concept descriptions. Here we give the definition for the new
‘modal’ constructors only:

$$(\Box_i C)^{I,w} = \bigcap_{w R_i v} C^{I,v}, \qquad (\Diamond_i C)^{I,w} = \bigcup_{w R_i v} C^{I,v}.$$

Now given a Kripke complete n-modal logic L, we say that a concept description C is
$L_{\mathcal{ALC}}$-satisfiable (with an empty knowledge base) if there is an $\mathcal{ML}_{\mathcal{ALC}}$-interpretation
(with constant domains and roles) $\mathfrak{M} = (\mathfrak{F}, I)$ and a world w in $\mathfrak{F}$ such that $\mathfrak{F}$ is a frame
for L and $C^{I,w} \ne \emptyset$.

Now, by extending the correspondence between $\mathcal{ALC}$ (with m role names) and the
modal logic $\mathbf{K}_m$ (see Chapter 13 of this handbook), it is straightforward to see that
$L_{\mathcal{ALC}}$-satisfiability coincides with $L \times \mathbf{K}_m$-satisfiability.


3.3 Axiomatising products


Product logics are defined in a semantical way: they are logics determined by classes of 
product frames, and so Kripke complete by definition. Therefore, the proper ‘transfer’ 
question to ask is how a possible axiomatisation for a product logic relates to axiomati- 
sations of its components. 

To begin with, observe that the following properties hold in every product frame of
the form $(W, R_1,\dots,R_n)$, for all $i, j = 1,\dots,n$, $i \ne j$:

• left commutativity: $\forall x,y,z \in W\ (x R_j y \wedge y R_i z \to \exists u \in W\ (x R_i u \wedge u R_j z))$,

• right commutativity: $\forall x,y,z \in W\ (x R_i y \wedge y R_j z \to \exists u \in W\ (x R_j u \wedge u R_i z))$,

• Church–Rosser property: $\forall x,y,z \in W\ (x R_j y \wedge x R_i z \to \exists u \in W\ (y R_i u \wedge z R_j u))$,


see Fig. 2. 

Figure 2. Left and right commutativity and Church–Rosser properties.


These properties can also be expressed by modal formulas. One can easily check that
an arbitrary (not necessarily product) n-frame is left commutative iff it validates the
formulas

$$com^l_{ij} = \Diamond_j \Diamond_i p \to \Diamond_i \Diamond_j p,$$

it is right commutative iff it validates

$$com^r_{ij} = \Diamond_i \Diamond_j p \to \Diamond_j \Diamond_i p,$$

and it is Church–Rosser iff it validates

$$chr_{ij} = \Diamond_i \Box_j p \to \Box_j \Diamond_i p.$$

The corresponding left and right commutativity axioms can be combined into a single
commutativity axiom

$$com_{ij} = com^l_{ij} \wedge com^r_{ij}.$$

DEFINITION 18. Given modal logics $L_i$ formulated in the language having $\Box_i$ ($i = 1,\dots,n$),
the commutator

$$[L_1,\dots,L_n]$$

of $L_1,\dots,L_n$ is the smallest n-modal logic containing all the $L_i$ and the axioms $com_{ij}$
and $chr_{ij}$, for all $i, j = 1,\dots,n$, $i \ne j$.

Note that the commutator of (finitely) axiomatisable modal logics is always (finitely)
axiomatisable by definition. Moreover, since the axioms $com_{ij}$ and $chr_{ij}$ are Sahlqvist
formulas, we also have:


PROPOSITION 19. The commutator of canonical logics is canonical, and so Kripke 
complete. 


It is worth noting that even if all components are Kripke complete, their commutator 
is not necessarily so: non-examples are [K4, GL.3] and [GL, Grz.3], see Section 3.4. 

Commutators are natural candidates for axiomatising products. As $com_{ij}$ and $chr_{ij}$
are valid in every product frame, by Proposition 14 we always have that

$$[L_1,\dots,L_n] \subseteq L_1 \times \cdots \times L_n, \qquad (2)$$

whenever $L_1,\dots,L_n$ are Kripke complete modal logics. Those tuples of logics $L_1,\dots,L_n$
for which the converse inclusion also holds are called product-matching.
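The commutativity and Church–Rosser conditions, and the validity of the corresponding modal formulas, can be checked mechanically on small frames. The following added example (not from the handbook) builds the product of two constructed frames, tests the three first-order conditions directly, and tests frame validity of ◇_j◇_i p → ◇_i◇_j p, ◇_i◇_j p → ◇_j◇_i p and ◇_i□_j p → □_j◇_i p by brute force over all valuations; it also does this for a three-point ‘fork’ frame, constructed here, that is commutative but not Church–Rosser. Formulas are nested tuples and all function names are assumptions of this example.

```python
from itertools import combinations, product

def product_frame(*frames):
    """Product of frames (W_i, R_i): worlds are tuples, relation i moves coordinate i only."""
    n = len(frames)
    worlds = list(product(*(W for W, _ in frames)))
    rels = [{(u, v) for u in worlds for v in worlds
             if (u[i], v[i]) in frames[i][1]
             and all(u[k] == v[k] for k in range(n) if k != i)}
            for i in range(n)]
    return worlds, rels

def left_commutative(W, Ri, Rj):
    # x Rj y and y Ri z  implies  some u with x Ri u and u Rj z
    return all(any((x, u) in Ri and (u, z) in Rj for u in W)
               for (x, y) in Rj for (y2, z) in Ri if y2 == y)

def church_rosser(W, Ri, Rj):
    # x Rj y and x Ri z  implies  some u with y Ri u and z Rj u
    return all(any((y, u) in Ri and (z, u) in Rj for u in W)
               for (x, y) in Rj for (x2, z) in Ri if x2 == x)

def holds(f, w, rels, val):
    """Truth of formula f at world w; rels is the list of relations, val maps variables to sets."""
    op = f[0]
    if op == "var":
        return w in val[f[1]]
    if op == "imp":
        return (not holds(f[1], w, rels, val)) or holds(f[2], w, rels, val)
    if op == "dia":
        return any(holds(f[2], v, rels, val) for (u, v) in rels[f[1]] if u == w)
    if op == "box":
        return all(holds(f[2], v, rels, val) for (u, v) in rels[f[1]] if u == w)
    raise ValueError(op)

def valid(f, W, rels, variables=("p",)):
    """Frame validity: f holds at every world under every valuation of the variables."""
    subsets = [set(c) for r in range(len(W) + 1) for c in combinations(W, r)]
    for choice in product(subsets, repeat=len(variables)):
        val = dict(zip(variables, choice))
        if not all(holds(f, w, rels, val) for w in W):
            return False
    return True

P = ("var", "p")
def com_l(i, j): return ("imp", ("dia", j, ("dia", i, P)), ("dia", i, ("dia", j, P)))
def com_r(i, j): return ("imp", ("dia", i, ("dia", j, P)), ("dia", j, ("dia", i, P)))
def chr_(i, j):  return ("imp", ("dia", i, ("box", j, P)), ("box", j, ("dia", i, P)))

def report(W, rels, i=0, j=1):
    """First-order conditions next to validity of their modal counterparts (0-based i, j)."""
    Ri, Rj = rels[i], rels[j]
    return {
        "left_comm": left_commutative(W, Ri, Rj),
        "right_comm": left_commutative(W, Rj, Ri),
        "church_rosser": church_rosser(W, Ri, Rj),
        "com_l": valid(com_l(i, j), W, rels),
        "com_r": valid(com_r(i, j), W, rels),
        "chr": valid(chr_(i, j), W, rels),
    }

# Constructed sample frames.
F1 = ([0, 1, 2], {(0, 1), (1, 2)})            # a non-transitive K-frame
F2 = (["a", "b"], {("a", "b"), ("b", "b")})
PRODUCT = product_frame(F1, F2)
# Fork: x sees z via the first relation and y via the second; nothing closes the square.
FORK = (["x", "y", "z"], [{("x", "z")}, {("x", "y")}])

if __name__ == "__main__":
    print("product:", report(*PRODUCT))
    print("fork:   ", report(*FORK))
```

On both frames each first-order condition and its modal formula agree, as the correspondence stated above predicts.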
Axiomatising two-dimensional product logics


We begin with a general result of Gabbay and Shehtman [24] stating that certain pairs
of modal logics are always product-matching.
Consider the first-order language with equality and a binary predicate R. A formula
$\psi$ in this language is called positive if it is built up from atoms using only $\wedge$ and $\vee$. A
sentence of the form

$$\forall x \forall y \forall \bar{z}\ (\psi(x,y,\bar{z}) \to R(x,y))$$

is said to be a universal Horn sentence if $\psi(x,y,\bar{z})$ is a positive formula. We call an
$\mathcal{ML}$-formula $\varphi$ a Horn formula, if there is a universal Horn sentence $\chi_\varphi$ such that, for
all frames $\mathfrak{F}$,

$$\mathfrak{F} \models \varphi \quad\text{iff}\quad \mathfrak{F} \models \chi_\varphi.$$


An $\mathcal{ML}$-formula is called variable free if it contains no propositional variables, i.e., all
its atomic subformulas are constants $\bot$ or $\top$.


DEFINITION 20. A modal logic is called Horn axiomatisable if it is axiomatisable by 
only Horn and variable-free formulas. 


It is not hard to see that if L is a Kripke complete and Horn axiomatisable logic then 
FrL is defined by the set 


$$T_L = \{\chi_\varphi \mid \varphi \text{ is a Horn axiom of } L\} \cup \{\varphi^* \mid \varphi \text{ is a variable-free axiom of } L\} \qquad (3)$$

of first-order formulas (here $\varphi^*$ is the standard translation of $\varphi$). Examples of Kripke
complete Horn axiomatisable logics are K, D, K4, S4, KD45, T, S5.


THEOREM 21. Let $L_1$ and $L_2$ be Kripke complete and Horn axiomatisable modal logics.
Then

$$L_1 \times L_2 = [L_1, L_2].$$


Proof. The heart of the proof is the following lemma that can be proved by constructing
the necessary p-morphism in a step-by-step manner, see [23, Lemmas 5.2 and 5.8].


LEMMA 22. Let $L_1$ and $L_2$ be Kripke complete and Horn axiomatisable unimodal logics.
Then every countable rooted 2-frame for $[L_1, L_2]$ is a p-morphic image of a product frame
for $L_1 \times L_2$.


Now, by Proposition 19, $[L_1, L_2]$ is determined by the class of commutative and
Church–Rosser frames from $\mathrm{Fr}(L_1 \otimes L_2)$. By (3), this class is first-order definable in
the language with equality and two binary predicate symbols. Let $\varphi \notin [L_1, L_2]$. Then,
using the standard translation $\varphi^*$ of $\varphi$ and the downward Löwenheim–Skolem–Tarski
theorem, it is not hard to see that we can have a countable rooted 2-frame $\mathfrak{F}$ for $[L_1, L_2]$
refuting $\varphi$. Now, using Lemma 22, we can find a product frame $\mathfrak{G}$ for $L_1 \times L_2$ having $\mathfrak{F}$
as its p-morphic image. By Proposition 9, it follows that $\mathfrak{G} \not\models \varphi$, and so $\varphi \notin L_1 \times L_2$.
Therefore, $L_1 \times L_2 \subseteq [L_1, L_2]$. The converse inclusion has already been shown as (2). ∎


As a corollary of Theorem 21 we obtain that finite axiomatisability of two Kripke com- 
plete and Horn axiomatisable logics transfers to their product. An interesting corollary 
of Lemma 22 is the following: 
COROLLARY 23. Let $L_1$, $L_2$ and $L_3$ be Kripke complete and Horn axiomatisable unimodal
logics. Then

$$L_1 \times L_2 \times L_3 = (L_1 \times L_2) \times L_3 = L_1 \times (L_2 \times L_3).$$


Unfortunately, no other general result is known about axiomatisations of two-dimen- 
sional products. In Section 3.4 we shall see several examples of pairs of finitely axioma- 
tisable modal logics whose products are not even recursively enumerable. Such are, for 
instance, Log{ (N, <)} x Log{(N, <)}, K4 x GL.3 and S4 x Grz.3. 

Moreover, Theorem 21 cannot be generalised even to logics whose classes of frames are 
definable by universal first-order formulas. As the following theorem shows, for many 
transitive logics L, the pairs of ‘K4.3 and L’ and ‘Grz.3 and L’ are not product-matching: 


THEOREM 24. (i) [23] Let L be any Kripke complete logic containing K4 and having
the two-element reflexive chain as its frame. Then $\mathbf{K4.3} \times L \ne [\mathbf{K4.3}, L]$.

(ii) [24] Let $L_1$ be any Kripke complete logic containing Grz and having the two-element
reflexive chain as its frame. Let $L_2$ be any Kripke complete logic containing S4
and having either (a) the two-element reflexive chain or (b) the two-element cluster as
its frame. Then $L_1 \times L_2 \ne [L_1, L_2]$.


There are many open questions in the area. For instance, it is not known whether such 
‘standard’ products like K4.3 x K or K4.3 x S5 or K4.3 x K4.3 are product-matching, or 
even finitely axiomatisable (they are recursively enumerable by Theorem 17). In general, 
no examples for pairs of logics are known that are not product-matching, but whose 
product is finitely axiomatisable. 


Axiomatising higher dimensional product logics


Tuples of more than two modal logics are almost never product-matching. To begin with,
it is straightforward to see that all n-dimensional product frames $(W, R_1,\dots,R_n)$ satisfy
the following ‘cubifying’ properties whenever $n \ge 3$ and $i, j, k = 1,\dots,n$ are distinct:

$$\Phi_{ijk} = \forall x,y,z,v \in W\ \bigl(x R_i v \wedge x R_j y \wedge x R_k z \to \exists a,b,c,d \in W\ (v R_j c \wedge v R_k b \wedge y R_i c \wedge y R_k a \wedge z R_i b \wedge z R_j a \wedge a R_i d \wedge b R_j d \wedge c R_k d)\bigr).$$




It is not hard to see that, say, a 3-frame $\mathfrak{F}$ for [K, K, K] satisfies property $\Phi_{123}$ iff the
following modal formula $cub_{123}$ is valid in $\mathfrak{F}$ (cf. [39, 3.2.67] and [52]):

$$\begin{aligned} cub_{123} = \bigl[&\Diamond_1(\Box_2 p_{12} \wedge \Box_3 p_{13}) \wedge \Diamond_2(\Box_1 p_{21} \wedge \Box_3 p_{23}) \wedge \Diamond_3(\Box_1 p_{31} \wedge \Box_2 p_{32}) \\ &\wedge \Box_1\Box_2(p_{12} \wedge p_{21} \to \Box_3 q_3) \wedge \Box_1\Box_3(p_{13} \wedge p_{31} \to \Box_2 q_2) \\ &\wedge \Box_2\Box_3(p_{23} \wedge p_{32} \to \Box_1 q_1)\bigr] \to \Diamond_1\Diamond_2\Diamond_3(q_1 \wedge q_2 \wedge q_3). \end{aligned}$$

Thus $cub_{123}$ belongs to $\mathbf{K}^3$. On the other hand, Fig. 3 shows a 23-element frame for
[K, K, K] (that is, a 3-frame satisfying $com_{ij}$ and $chr_{ij}$ for $i, j = 1, 2, 3$, $i \ne j$) that
refutes $cub_{123}$ (see again [39, 3.2.67]). So [K, K, K] and $\mathbf{K}^3$ are different.


Figure 3. A frame for [K, K, K] that refutes $cub_{123}$.


Moreover, in many cases the addition of cubifying properties does not help either. As 
is shown by Johnson [44] in the algebraic setting of diagonal-free cylindric algebras, $\mathbf{S5}^n$
is not finitely axiomatisable whenever $n \ge 3$. Generalisations of the cubifying properties
are used in [52] to show that $\mathbf{K}^n$ is not finitely axiomatisable either for $n \ge 3$. Moreover,
the following general result of [42] shows how hopeless the situation really is:


THEOREM 25. Let $n \ge 3$ and let L be any n-modal logic such that $\mathbf{K}^n \subseteq L \subseteq \mathbf{S5}^n$.
Then L is not finitely axiomatisable. Moreover, it is undecidable whether a finite n-frame
is a frame for L.


On the other hand, if frames for the component logics do not allow branching (like in 
the functional frames for Alt), then counterexamples like the above one do not work, and 
in fact the cubifying properties follow from the Church—Rosser properties. The following 
result of [24] says that any tuple of Alt logics is product-matching. It can be proven in 
a way similar to the proof of Theorem 21 above. 


THEOREM 26. For any natural number n > 1, $\mathbf{Alt}^n = [\underbrace{\mathbf{Alt},\dots,\mathbf{Alt}}_{n}]$.


There are several interesting open questions concerning the axiomatisation of higher
($\ge 3$) dimensional product logics. For instance, it is not known whether logics like $\mathbf{K}^n$
or $\mathbf{S5}^n$ are axiomatisable using finitely many propositional variables, or whether $\mathbf{S5}^n$ is
finitely axiomatisable over $\mathbf{K}^n$. Though logics like $\mathbf{K}^n$ or $\mathbf{S5}^n$ are known to be recursively
enumerable by Theorem 17, no intuitive ‘concrete’ axiomatisation is known for most of
them.

3.4 Decision problems and complexity of products

There are three basic approaches to establishing decidability of modal logics:


(1) Given such a logic L, one can try to prove that L has the finite model property 
(fmp). Even without a recursive bound on the size of the models, this can yield 
decidability if L is recursively enumerable, and the class of finite frames for L is 
recursively enumerable as well (up to isomorphism, of course). This is the case for 
instance if L is finitely axiomatisable. 

(2) Even if a logic L does not enjoy the fmp, then one can try to show that it is charac- 
terised by some class of perhaps infinite models having a certain ‘regular structure,’ 
say, constructed from repeating finite pieces, so called ‘blocks’ or ‘mosaics.’ 

(3) The third approach is to try to reduce the decision problem for L to another problem 
that is already known to be decidable (say, to the decision problem for another 
modal logic, or a suitable monadic second-order theory, or some problem about tree 
automata). 


All three approaches have been successfully applied to uni- and multimodal logics; see 
e.g., [22, 12, 90]. As products of modal logics are special multimodal logics, in principle 
the same approaches can be applied to them as well. 

As concerns (1), there is an even more tempting way. One can try to show the finite 
model property w.r.t. the ‘intended’ models, that is, those that are based on product 
frames. (It is important to stress that in general there are frames for product logics 
which are not product frames.) 


DEFINITION 27. A modal logic L has the product fmp if L is characterised by the class 
of its finite product frames. 


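Note that by Proposition 14, for every product frame $\mathfrak{F} = \mathfrak{F}_1 \times \cdots \times \mathfrak{F}_n$ and product
logic $L = L_1 \times \cdots \times L_n$,

$$\mathfrak{F} \models L \quad\text{iff}\quad \mathfrak{F}_i \models L_i, \text{ for all } 1 \le i \le n.$$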


Obviously, the product fmp implies the fmp. As we shall see below, the converse does 
not necessarily hold. 

We can enumerate the formulas that are not in a product logic L (and thereby obtain 
a decision algorithm for L whenever L is recursively enumerable) if 


e L has the product fmp, and 
e finite product frames for L are recursively enumerable (up to isomorphism). 


The latter property clearly holds if L is a product of finitely axiomatisable Kripke com- 
plete logics such as K, K4, K4.3, S5, etc., so this approach looks very promising. 
Unfortunately, it is easy to see that most products of well-known unimodal logics lack 
the product fmp. Here is an example for a simple bimodal formula that ‘forces’ infinite 
product frames even for logics like K4 x K or K4 x S5: 


$$\Box_1^+ \Diamond_2 p \wedge \Box_1^+ \Box_2(p \to \Diamond_1 \Box_1^+ \neg p) \qquad (4)$$

(here $\Box_1^+\psi$ abbreviates $\psi \wedge \Box_1\psi$). However, as we shall see below, two-dimensional
product logics with at least one $\mathbf{S5}_n$- or $\mathbf{K}_n$-component can have the (usual, ‘abstract’)
fmp.

Products with ‘$\mathbf{S5}_n$- and $\mathbf{K}_n$-like’ logics are usually decidable


Filtration. 


Originating in the 1940s, the filtration method is one of the oldest and most well-known 
techniques for finite model property proofs in modal logic. Here we discuss how it can 
be used to show the fmp of two-dimensional product logics where one component is a 
special kind of Horn axiomatisable logic and the other is $\mathbf{S5}_n$ or $\mathbf{K}_n$.

A QTC-logic is a modal logic axiomatised by a finite set of formulas where each axiom
is either variable-free or of the form

$$\Box p \to \Box^j p \ \ (j \ge 0) \qquad\text{or}\qquad \Diamond\Box p \to p.$$

The following theorem is due to Shehtman [76]:

THEOREM 28. Let $L_1$ be a QTC-logic and $L_2$ be either $\mathbf{S5}_n$ or $\mathbf{K}_n$. Then $L_1 \times L_2$ has
the fmp.

As it is easy to see that every QTC-logic is Horn axiomatisable, by Theorem 21 we
obtain:


THEOREM 29. Let $L_1$ be a QTC-logic and $L_2$ be either $\mathbf{S5}_n$ or $\mathbf{K}_n$. Then $L_1 \times L_2$ is
decidable.


Proof. We illustrate the proof of Theorem 28 by showing that K4 × K has the fmp.
Suppose $\varphi \notin \mathbf{K4} \times \mathbf{K}$ for some $\mathcal{ML}_2$-formula $\varphi$. We will construct a model refuting $\varphi$
that is based on a finite frame for [K4, K]. As [K4, K] = K4 × K by Theorem 21, this
would suffice.

As is well-known, every rooted Kripke frame is a p-morphic image of an intransitive
tree. Therefore, by Propositions 9 and 12, we may assume that there exists a model
$\mathfrak{M} = (\mathfrak{F}, \mathfrak{V})$ refuting $\varphi$ and based on the product $\mathfrak{F} = (W, R_1, R_2)$ of a transitive frame
and an intransitive tree of depth $md(\varphi)$. Thus, $(W, R_1)$ is transitive, $(W, R_2)$ is the
disjoint union of intransitive trees of depth $md(\varphi)$, and $R_1$ and $R_2$ have the commutativity
and Church–Rosser properties. For each $x \in W$, let $tree(x) = (W_x, R_{2,x})$ denote the
intransitive tree x belongs to.

We define an equivalence relation $\sim$ on W. For all $x, y \in W$, let $x \sim y$ iff there exists
a relation $E \subseteq W_x \times W_y$ satisfying the following properties:

• $x E y$,
• for every $u \in W_x$ there is $v \in W_y$ such that $u E v$,
• for every $u \in W_y$ there is $v \in W_x$ such that $u E v$,
• for all $u \in W_x$, $v, z \in W_y$,

– if $u E v$ and $v R_{2,y} z$ then there is $z' \in W_x$ such that $u R_{2,x} z'$ and $z' E z$,
– if $u E v$ and $z R_{2,y} v$ then there is $z' \in W_x$ such that $z' R_{2,x} u$ and $z' E z$,

• for all $u \in W_y$, $v, z \in W_x$,

– if $u E v$ and $v R_{2,x} z$ then there is $z' \in W_y$ such that $u R_{2,y} z'$ and $z' E z$,
– if $u E v$ and $z R_{2,x} v$ then there is $z' \in W_y$ such that $z' R_{2,y} u$ and $z' E z$,

• for all $u \in W_x$, $v \in W_y$, and propositional variables $p \in sub\,\varphi$, $u \in \mathfrak{V}(p)$ iff
$v \in \mathfrak{V}(p)$.

(In other words, E should be a bisimulation between $(W_x, R_{2,x}, R_{2,x}^{-1})$ and $(W_y, R_{2,y}, R_{2,y}^{-1})$
w.r.t. $sub\,\varphi$ that connects x and y.)
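Now we define a new model $\mathfrak{M}^\sim = (\mathfrak{F}^\sim, \mathfrak{V}^\sim)$ based on $\mathfrak{F}^\sim = (W^\sim, R_1^\sim, R_2^\sim)$ as follows:


• $W^\sim = \{[x] \mid x \in W\}$, where $[x]$ denotes the $\sim$-equivalence class of $x$;


• for all $x, y \in W$,


$$[x] R_2^\sim [y] \quad\text{iff}\quad \exists x' \exists y'\ (x' \sim x,\ y' \sim y \text{ and } x'R_2y');$$


• $R_1^\sim$ is the transitive closure of the relation that holds between $[x]$ and $[y]$, for $x, y \in W$, iff


$$\exists x' \exists y'\ (x' \sim x,\ y' \sim y \text{ and } x'R_1y');$$


• $\mathfrak{V}^\sim(p) = \{[x] \mid x \in \mathfrak{V}(p)\}$, for all $p \in sub\,\varphi$, and $\mathfrak{V}^\sim(q) = \emptyset$, for all other propositional
variables $q$.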


We claim that

    $\mathfrak{M}^\sim$ refutes $\varphi$, and    (5)
    $(W^\sim, R_1^\sim, R_2^\sim)$ is a finite frame for $[K4, K]$.    (6)


Claim (5) follows from the fact that $\mathfrak{M}^\sim$ is a filtration of $\mathfrak{M}$ in the sense that, for all
$x, y \in W$, $i = 1, 2$, the following two conditions hold:


• if $xR_iy$ then $[x] R_i^\sim [y]$,
• if $[x] R_i^\sim [y]$ then $(\mathfrak{M}, y) \models \psi$ whenever $\Box_i\psi \in sub\,\varphi$ and $(\mathfrak{M}, x) \models \Box_i\psi$.


($R_2^\sim$ and $R_1^\sim$ are known as the least filtration and the Lemmon (or least transitive)
filtration, respectively; see e.g., [12, 31].) By induction on the construction of $\psi$, the
reader can readily check that for every $\psi \in sub\,\varphi$ and every $x \in W$,


$$(\mathfrak{M}, x) \models \psi \quad\text{iff}\quad (\mathfrak{M}^\sim, [x]) \models \psi,$$


which yields (5).

To prove (6), observe first that $R_1^\sim$ is transitive by definition. Using the definition of
$\sim$, it is straightforward to show that $\sim$ commutes with $R_1$. Then this fact can be used
to show that $R_1^\sim$ and $R_2^\sim$ commute and have the Church–Rosser property.

Finally, we show that $W^\sim$ is finite. Observe first that since bisimilar paths are of equal
length, if $x \sim y$ then both the depth and the co-depth of $x$ and $y$ (in the trees $tree(x)$
and $tree(y)$, respectively) are the same. Moreover, for all $x, y, z$, if $[x] R_2^\sim [y]$, $[x] R_2^\sim [z]$ and
$y \not\sim z$ then the submodels generated by $[y]$ and $[z]$ in $\mathfrak{M}^\sim$ are not isomorphic (as far as
propositional variables occurring in $\varphi$ are concerned). So we have


$$|W^\sim| \le \sum_{k=0}^{md(\varphi)} n_k(\varphi), \qquad (7)$$


where $n_0(\varphi) = 2^{|sub\,\varphi|}$ and $n_{k+1}(\varphi) = 2^{|sub\,\varphi|} \cdot 2^{n_k(\varphi)}$. ∎
Observe that the bound in (7) is non-elementary in the size of $\varphi$. In fact, it is not
known whether there exists an elementary decision algorithm for $K \times K$ or $K4 \times K$. Note
however that products of $K$ with ‘richer’ dynamic and temporal logics, such as $PDL \times K$
and $PTL \times K$ are known to be non-elementary; see [23]. The same applies to products
with $S5_n$, whenever $n \ge 2$.

On the other hand, if one component-logic is not K but (unimodal) S5, then one can
do better. As is shown by Gabbay and Shehtman [24], in these cases the equivalence
relation $\sim$ on worlds becomes more easily ‘characterisable’. Namely, for each world $x$ in
$W$, let


$$\Sigma(x) = \{\psi \in sub\,\varphi \mid (\mathfrak{M}, x) \models \psi\},$$


and for $x, y \in W$, put

$$x \sim y \quad\text{iff}\quad \Sigma(x) = \Sigma(y) \text{ and } \{\Sigma(z) \mid xR_2z\} = \{\Sigma(z) \mid yR_2z\}.$$


As now each world $[x]$ in $\mathfrak{M}^\sim$ is uniquely determined by the pair $(\Sigma(x), \{\Sigma(z) \mid xR_2z\})$
of sets, we have the better, double-exponential bound


mapa ole ge 


on the size of the filtrated model. So the filtration method yields a coN2EXPTIME
decision algorithm for products of QTC-logics with S5.


Quasimodels. 


If $L$ is Kripke complete but not a QTC-logic then $L \times K_n$ and $L \times S5_n$ are out of
the scope of Theorem 28. Yet, many of these products can be shown to be decidable
by the quasimodel method. This method was first developed in the series of papers
[84, 85, 86, 88] on description logics with various modal and temporal operators, and
then extended to products in [83, 23] and to fragments of first-order modal and temporal
logics in [87, 43, 89].

The idea is to finitise the ‘$K_n$- (or $S5_n$-)bit’ of the models first, then build some kind of
structure that manages to keep enough information about its ‘two-dimensional’ character
on the one hand, and can be used to prove decidability (even if it is not necessarily finite)
on the other.

We fix a Kripke complete modal logic $L$ and an $\mathcal{ML}_2$-formula $\varphi$, and define the notion
of an $L \times K$-quasimodel for $\varphi$ as follows. By a type for $\varphi$ we mean any subset $t$ of $sub\,\varphi$
which is Boolean-saturated (in the sense that, for instance,


• $\psi \wedge \chi \in t$ iff $\psi \in t$ and $\chi \in t$, for every $\psi \wedge \chi \in sub\,\varphi$,
• $\neg\psi \in t$ iff $\psi \notin t$, for every $\neg\psi \in sub\,\varphi$,


and so on for the other Boolean connectives). A quasistate candidate for $\varphi$ is a pair
$((T, <), t)$, where $(T, <)$ is a finite intransitive tree of depth $\le md(\varphi)$ and $t$ a labeling
function associating with each $x \in T$ a type $t(x)$ for $\varphi$. (So we can think of a quasistate
candidate as a tree of types.) Two quasistate candidates $((T, <), t)$ and $((T', <'), t')$
are called isomorphic if there is an isomorphism $f$ between the trees $(T, <)$ and $(T', <')$
such that $t(x) = t'(f(x))$, for all $x \in T$. A quasistate candidate $((T, <), t)$ is called a
quasistate for $\varphi$ if the following conditions hold:
(qm1) (2-saturation) For all $x \in T$ and $\Diamond_2\psi \in sub\,\varphi$,


$$\Diamond_2\psi \in t(x) \quad\text{iff}\quad \exists y \in T\ (x < y \wedge \psi \in t(y)).$$


(qm1’) (smallness) For all $x, x_1, x_2 \in T$ such that $x < x_1$, $x < x_2$ and $x_1 \ne x_2$, the
structures $((T^{x_1}, <^{x_1}), t^{x_1})$ and $((T^{x_2}, <^{x_2}), t^{x_2})$ are not isomorphic,


where $(T^{x_i}, <^{x_i})$ is the subtree of $(T, <)$ generated by $x_i$, and $t^{x_i}$ is the restriction of $t$
to $T^{x_i}$, $i = 1, 2$. Clearly,


$$\flat(\varphi) = \sum_{k=0}^{md(\varphi)} n_k(\varphi) \qquad (8)$$


is an upper bound for the number of different quasistates for $\varphi$ (cf. (7)). The number of
points in any quasistate for $\varphi$ is bounded by


md(¢) 


k 
no(~) + X [Inmas < oy)". 


k=1 j=l 


In what follows, we assume that nonisomorphic quasistates are disjoint and that isomor- 
phic quasistates actually coincide. 

A basic structure of depth $m$ for $\varphi$ is a pair $(\mathfrak{F}, q)$ such that $\mathfrak{F} = (W, R)$ is a frame for
$L$ and $q$ a function associating with each $w \in W$ a quasistate $q(w) = ((T_w, <_w), t_w)$ for
$\varphi$ such that the depth of each $(T_w, <_w)$ is $m$.

Let $(\mathfrak{F}, q)$ be a basic structure for $\varphi$ of depth $m$ and let $k \le m$. A $k$-run through $(\mathfrak{F}, q)$
is a function $r$ giving for each $w \in W$ a point $r(w) \in T_w$ of depth $k$. (That is, a run
‘goes along’ the frame $\mathfrak{F}$ and chooses a (location of a) type of the same depth from each
type-tree $(T_w, <_w)$.) Given a set $\mathfrak{R}$ of runs, we denote by $\mathfrak{R}_k$ the set of all $k$-runs from
$\mathfrak{R}$. Clearly, if $\mathfrak{R}_0$ is not empty, then it is a singleton set, with its only member $r_0$ being
the run through the roots of the quasistates.

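A run $r$ is called coherent if


$$\forall w \in W\ \forall \Diamond_1\psi \in sub\,\varphi\ \bigl(\exists v \in W\ (wRv \wedge \psi \in t_v(r(v))) \to \Diamond_1\psi \in t_w(r(w))\bigr),$$


and saturated if


$$\forall w \in W\ \forall \Diamond_1\psi \in sub\,\varphi\ \bigl(\Diamond_1\psi \in t_w(r(w)) \to \exists v \in W\ (wRv \wedge \psi \in t_v(r(v)))\bigr).$$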


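Finally, we say that a quadruple $\mathfrak{Q} = (\mathfrak{F}, q, \mathfrak{R}, \lhd)$ is an $L \times K$-quasimodel for $\varphi$ (based
on $\mathfrak{F}$) if $\mathfrak{F}$ is a frame for $L$, $(\mathfrak{F}, q)$ is a basic structure for $\varphi$ of depth $m \le md(\varphi)$ such
that


(qm2) $\exists w_0 \in W\ \varphi \in t_{w_0}(x_0)$, where $x_0$ is the root of $(T_{w_0}, <_{w_0})$;


$\mathfrak{R}$ is a set of coherent and saturated runs through $(\mathfrak{F}, q)$, and $\lhd$ is a binary relation on $\mathfrak{R}$
satisfying the following conditions:


(qm3) for all $r, r' \in \mathfrak{R}$, if $r \lhd r'$ then $r(w) <_w r'(w)$ for all $w \in W$;


(qm4) $\mathfrak{R}_0 \ne \emptyset$, and for all $k < m$, $r \in \mathfrak{R}_k$, $w \in W$ and $x \in T_w$, if $r(w) <_w x$ then
there is $r' \in \mathfrak{R}_{k+1}$ such that $r'(w) = x$ and $r \lhd r'$.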
Now that the notion of a quasimodel has been defined, what we need is the ‘quasimodel
truth-lemma’:


LEMMA 30. Given a Kripke complete modal logic $L$, an $\mathcal{ML}_2$-formula $\varphi$ is satisfiable
in a product frame $\mathfrak{F} \times \mathfrak{G}$ for $L \times K$ iff there is an $L \times K$-quasimodel for $\varphi$ based on $\mathfrak{F}$.


Proof. ($\Leftarrow$) Suppose $(\mathfrak{F}, q, \mathfrak{R}, \lhd)$ is an $L \times K$-quasimodel for $\varphi$. Take the product frame
$\mathfrak{F} \times (\mathfrak{R}, \lhd)$ and define a valuation $\mathfrak{V}$ in it as follows:


$$\mathfrak{V}(p) = \{(w, r) \mid p \in t_w(r(w))\}$$


for every propositional variable $p$. Let $\mathfrak{M} = (\mathfrak{F} \times (\mathfrak{R}, \lhd), \mathfrak{V})$. One can show by an easy
induction on the construction of $\psi \in sub\,\varphi$ that for every $(w, r)$ in $\mathfrak{M}$ we have


$$(\mathfrak{M}, (w, r)) \models \psi \quad\text{iff}\quad \psi \in t_w(r(w)).$$

In view of (qm2) and $\mathfrak{R}_0 \ne \emptyset$ (which we have by (qm4)), it follows that $\varphi$ is satisfied
in $\mathfrak{M}$.

($\Rightarrow$) Suppose that $\varphi$ is satisfied in a model $\mathfrak{M}$ based on the product $\mathfrak{F} \times \mathfrak{G}$ of frames $\mathfrak{F} =
(W, R)$ and $\mathfrak{G} = (\Delta, <)$. By Proposition 9 (i), we may assume that $\mathfrak{G}$ is an intransitive
tree of depth $m \le md(\varphi)$ and $(\mathfrak{M}, (w_0, x_0)) \models \varphi$ for some $w_0 \in W$, with $x_0$ being the
root of $\mathfrak{G}$. With every pair $(w, x) \in W \times \Delta$ we associate the type


$$t(w, x) = \{\psi \in sub\,\varphi \mid (\mathfrak{M}, (w, x)) \models \psi\}.$$


Now we have to construct a quasistate $((T_w, <_w), t_w)$ for each $w \in W$. The obvious
choice of $T_w = \Delta$, $<_w = <$ and $t_w(x) = t(w, x)$ does not work, because $\Delta$ can be infinite.
So let us make it finite in such a way that the resulting structure still satisfies (qm1) and
also complies with the smallness condition (qm1’). Fix a $w \in W$ and define a binary
relation $\sim_w$ on $\Delta$ as follows. If $x, y \in \Delta$ are of co-depth 0 (i.e., they are leaves of $\mathfrak{G}$) then


$$x \sim_w y \quad\text{iff}\quad t(w, x) = t(w, y).$$

For $x, y \in \Delta$ of co-depth $k$ ($0 < k \le md(\varphi)$), let


$$x \sim_w y \quad\text{iff}\quad t(w, x) = t(w, y) \text{ and } \forall z \in \Delta\ (x < z \to \exists z' \in \Delta\ (y < z' \wedge z \sim_w z'))$$
$$\text{and } \forall z \in \Delta\ (y < z \to \exists z' \in \Delta\ (x < z' \wedge z \sim_w z')).$$


Clearly $\sim_w$ is an equivalence relation on $\Delta$. Denote by $[x]_w$ the $\sim_w$-equivalence class of
$x$ and put

$$\Delta_w = \{[x]_w \mid x \in \Delta\},$$
$$[x]_w R_w [y]_w \quad\text{iff}\quad \exists y' \in [y]_w\ x < y',$$
$$l_w([x]_w) = t(w, x).$$


The structure $((\Delta_w, R_w), l_w)$ is almost a quasistate, just $(\Delta_w, R_w)$ is not necessarily a
tree. The tree $(T_w, <_w)$ we need can be obtained by unraveling $(\Delta_w, R_w)$:


$$T_w = \{([x_0]_w, \dots, [x_k]_w) \mid k \le m,\ [x_0]_w R_w [x_1]_w R_w \dots R_w [x_k]_w\};$$


$$u <_w v \quad\text{iff}\quad u = ([x_0]_w, \dots, [x_k]_w),\ v = ([x_0]_w, \dots, [x_k]_w, [x_{k+1}]_w)$$
$$\text{and } [x_k]_w R_w [x_{k+1}]_w.$$

Finally, let $t_w(([x_0]_w, \dots, [x_k]_w)) = l_w([x_k]_w) = t(w, x_k)$. It is not hard to see that,
for any $w \in W$, $((T_w, <_w), t_w)$ is a quasistate for $\varphi$. Moreover, by taking $q(w) =
((T_w, <_w), t_w)$ for each $w \in W$, we obtain a basic structure $(\mathfrak{F}, q)$ for $\varphi$ satisfying (qm2).

It remains to define appropriate runs through $(\mathfrak{F}, q)$. To this end, for each $k \le m$ and
each sequence $(x_0, \dots, x_k)$ of points in $\Delta$ such that $x_0 < \dots < x_k$, take the map


$$r : w \mapsto ([x_0]_w, \dots, [x_k]_w);$$


and let $\mathfrak{R}$ be the set of all such maps. For $r, r' \in \mathfrak{R}$, let $r \lhd r'$ iff $r(w) <_w r'(w)$ for all
$w \in W$. It is straightforward to check that $(\mathfrak{F}, q, \mathfrak{R}, \lhd)$ is an $L \times K$-quasimodel for $\varphi$. ∎
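The quotient-and-unravel step of the ($\Rightarrow$) direction can be run on a small finite tree. The following is an added example, not part of the handbook text: it fixes one $w$, assumes a finite tree as input (in the proof $\Delta$ may be infinite), and uses a constructed valuation for $\varphi = \Diamond_2\Diamond_2 p$; the function names and the string encoding of formulas are assumptions of the example.

```python
# Constructed sample: subformulas of phi = <2><2>p, encoded as strings.
DIAMOND = {"<2>p": "p", "<2><2>p": "<2>p"}          # <2>psi -> psi
CHILDREN = {0: [1, 2, 3], 1: [4, 5], 2: [6], 3: [7, 8]}  # intransitive tree, root 0
VAL_P = {4, 5, 6, 7}                                 # leaves where p holds

def compute_types(children, val_p, root):
    """t(w, x) for one fixed w: the subformulas of phi true at each tree node x."""
    types = {}
    def visit(x):
        kids = children.get(x, ())
        for c in kids:
            visit(c)
        t = {"p"} if x in val_p else set()
        t |= {dia for dia, arg in DIAMOND.items() if any(arg in types[c] for c in kids)}
        types[x] = frozenset(t)
    visit(root)
    return types

def quotient(children, types, root):
    """~_w-classes (as integers), the relation R_w on classes, and the labelling l_w.
    Two nodes are equivalent iff they have the same type and the same set of
    classes among their children, which is the definition by co-depth."""
    ids, class_of, succ, label = {}, {}, {}, {}
    def visit(x):
        kids = frozenset(visit(c) for c in children.get(x, ()))
        cid = ids.setdefault((types[x], kids), len(ids))
        class_of[x], succ[cid], label[cid] = cid, kids, types[x]
        return cid
    visit(root)
    return class_of, succ, label

def unravel(root_cls, succ, label):
    """T_w: all paths ([x0], ..., [xk]) through (Delta_w, R_w) from the root class."""
    T, t, todo = {}, {}, [(root_cls,)]
    while todo:
        path = todo.pop()
        t[path] = label[path[-1]]
        T[path] = [path + (c,) for c in sorted(succ[path[-1]])]
        todo.extend(T[path])
    return T, t

def iso_form(children, types, x):
    """Isomorphism invariant of the type-labelled subtree generated by x."""
    subs = sorted(iso_form(children, types, c) for c in children.get(x, ()))
    return (tuple(sorted(types[x])), tuple(subs))

def is_small(children, types):
    """(qm1'): distinct children of a node generate non-isomorphic subtrees."""
    for kids in children.values():
        forms = [iso_form(children, types, c) for c in kids]
        if len(forms) != len(set(forms)):
            return False
    return True

def is_saturated(children, types):
    """(qm1): <2>psi in t(x) iff psi in t(y) for some child y of x."""
    return all((dia in types[x]) == any(arg in types[c] for c in children.get(x, ()))
               for x in types for dia, arg in DIAMOND.items())

def build():
    types = compute_types(CHILDREN, VAL_P, 0)
    class_of, succ, label = quotient(CHILDREN, types, 0)
    T, t = unravel(class_of[0], succ, label)
    return types, class_of, T, t
```

On this sample the nine-node tree, which violates smallness, collapses to five classes and unravels to a six-node quasistate.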


Note that L x S5-quasimodels are considerably simpler than L x K-quasimodels: in- 
stead of trees of types it is enough to consider sets of types only as quasistates. Similarly 
to the filtration case, this results in better upper bounds on the size of the constructed 
structures. On the other hand, $L \times K_n$- and $L \times S5_n$-quasimodels (for $n \ge 2$) are similar
to the above complex ones, and one even has to take into account the several different
accessibility relations when defining quasistates.

Although quasistates in quasimodels are always finite, quasimodels themselves are
usually infinite (since the frame $\mathfrak{F}$ can be infinite). Depending on the component logics
in question, there can be several ways of using them to prove decidability of products:


• In the simplest cases one can manage to find a finite quasimodel for $\varphi$ and then to
construct a finite product model out of it, thereby showing that the logic has the
product fmp. This can be done in the case of $K \times K$. Moreover, for $S5 \times S5$ and
$K \times S5$ the resulting product model is of exponential size (see Chapter 3 of this
handbook), so these logics are decidable in coNEXPTIME.


• In some cases, it can be shown that there is a quasimodel for $\varphi$ iff there exists
a finite set $S$ of finite ‘partial’ quasimodels (called blocks or mosaics) satisfying
some effectively checkable conditions and that the cardinality of $S$ as well as the
size of each block in it do not exceed a number effectively computable from $\varphi$. The
‘effectively checkable conditions’ are supposed to guarantee that blocks can be used
as ‘small mosaic pieces’ to construct the quasimodel we need.


• In some cases, the statement that a quasimodel exists can be translated into
monadic second-order logic or reduced to other known decidable problems.


Here we illustrate the second and the third techniques by showing—in two different
ways—that $K4.3 \times K$ is decidable. Note that the formula (4) shows that this logic lacks
the product fmp, and it is not known whether it has the fmp.


Quasimodels and mosaics. 


Throughout, we fix an $\mathcal{ML}_2$-formula $\varphi$. A block for $\varphi$ is a quadruple

$$\mathfrak{B}^{uv} = (\mathfrak{F}^{uv}, q^{uv}, \mathfrak{R}^{uv}, \lhd^{uv})$$

such that

• $\mathfrak{F}^{uv} = (\{u, v\}, <)$ is a 2-element strict linear order with $u < v$,


• $(\mathfrak{F}^{uv}, q^{uv})$ is a basic structure for $\varphi$ of depth $m$, for some $m \le md(\varphi)$,

• $\mathfrak{R}^{uv}$ is a set of runs through $(\mathfrak{F}^{uv}, q^{uv})$ such that, for all $r \in \mathfrak{R}^{uv}$ and $\Diamond_1\psi \in sub\,\varphi$,


if $\psi \in t_v(r(v))$ or $\Diamond_1\psi \in t_v(r(v))$ then $\Diamond_1\psi \in t_u(r(u))$,


• $\lhd^{uv}$ is a binary relation on $\mathfrak{R}^{uv}$ satisfying (qm3) and (qm4).

We remind the reader that quasistates occurring in such a block are denoted by
$q^{uv}(u) = ((T_u, <_u), t_u)$ and $q^{uv}(v) = ((T_v, <_v), t_v)$.


Observe that a block is almost a $K4.3 \times K$-quasimodel. The only thing missing is
that its runs are (though coherent) not necessarily saturated. That is why we need an
appropriate collection of blocks: By sticking them properly together, we can ‘fix the
defects’ and converge to a real quasimodel.

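To this end, we call a set $S$ of blocks for $\varphi$ satisfying if the following properties hold:


(ssb1) all blocks in $S$ are of the same depth $m$, for some $m \le md(\varphi)$;
(ssb2) $S$ contains a block satisfying (qm2);


(ssb3) for every $\mathfrak{B}^{uv}$ in $S$, if $\Diamond_1\psi \in t_v(r(v))$ for some run $r \in \mathfrak{R}^{uv}$ then there exist a
block $\mathfrak{B}^{vw}$ in $S$ and a sequence $(x_s \in T_w \mid s \in \mathfrak{R}^{uv})$ of points in $T_w$ such that


• $q^{uv}(v) = q^{vw}(v)$,


• for every $s \in \mathfrak{R}^{uv}$, the function $\rho$ defined by $\rho(v) = s(v)$, $\rho(w) = x_s$ is a
run in $\mathfrak{R}^{vw}$,


• for all $s, s' \in \mathfrak{R}^{uv}$, if $s \lhd^{uv} s'$ then $x_s <_w x_{s'}$,


• $\psi \in t_w(x_r)$;


(ssb4) for every block $\mathfrak{B}^{uv}$ in $S$, if $\Diamond_1\psi \in t_u(r(u))$, $\psi \notin t_v(r(v))$ and $\Diamond_1\psi \notin t_v(r(v))$
for some run $r \in \mathfrak{R}^{uv}$ then there are blocks $\mathfrak{B}^{uw}$ and $\mathfrak{B}^{wv}$ in $S$ and a sequence
$(x_s \in T_w \mid s \in \mathfrak{R}^{uv})$ of points in $T_w$ such that


• $q^{uv}(u) = q^{uw}(u)$, $q^{uw}(w) = q^{wv}(w)$, $q^{uv}(v) = q^{wv}(v)$,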


is a run in R”, 
• for all $s, s' \in \mathfrak{R}^{uv}$, if $s \lhd^{uv} s'$ then $x_s <_w x_{s'}$,
• $\psi \in t_w(x_r)$.


On the one hand, it is straightforward to see that one can effectively check whether 
there exists a satisfying set of blocks for y. On the other hand, it is well-known that 
every rooted frame for K4.3 is a p-morphic image of a sufficiently large strict linear 
order, so by Propositions 9 and 12, K4.3 x K is determined by product frames whose 
first component is a strict linear order. As satisfiability in a single element strict linear 
order is trivially decidable, to establish the decidability of K4.3 x K, it is enough to 
prove the following ‘block lemma:’ 
LEMMA 31. There is a $K4.3 \times K$-quasimodel for $\varphi$ based on a strict linear order with
$\ge 2$ elements iff there is a satisfying set of blocks for $\varphi$.


Proof. The construction of a satisfying set from a quasimodel is easy. Suppose that
$\mathfrak{Q} = (\mathfrak{F}, q, \mathfrak{R}, \lhd)$ is a quasimodel for $\varphi$, with $\mathfrak{F} = (W, R)$ being a strict linear order with
$\ge 2$ elements. For all $u, v \in W$ such that $uRv$, define the restriction $\mathfrak{Q}^{uv}$ of $\mathfrak{Q}$ to the
2-element strict linear order on $\{u, v\}$ in the natural way. It is straightforward to check
that these $\mathfrak{Q}^{uv}$ are blocks and that the collection $S$ of them is a satisfying set.

Now we show how a quasimodel for $\varphi$ can be constructed from a satisfying set $S$ of
blocks for $\varphi$. Starting from a block satisfying (qm2), we will build a series of larger and
larger quasimodel-like structures having not necessarily saturated runs. The ‘defects’
of these runs are ‘corrected’ one by one in such a way that the sequence of structures
‘converges’ to a quasimodel.

To begin with, we call a quadruple $\mathfrak{Q} = (\mathfrak{F}, q, \mathfrak{R}, \lhd)$ a weak quasimodel for $\varphi$ if the
following conditions hold:


(wq1) $\mathfrak{F} = (W, R)$ is a finite strict linear order, $W = \{w_0, w_1, \dots, w_m\}$ for some $m > 0$,
$w_0Rw_1R \dots Rw_m$, and $(\mathfrak{F}, q)$ is a basic structure for $\varphi$ satisfying (qm2);


(wq2) $\mathfrak{R}$ is a set of runs through $(\mathfrak{F}, q)$ such that for all $i < j \le m$, $r \in \mathfrak{R}$ and
$\Diamond_1\psi \in sub\,\varphi$,


if $\psi \in t_{w_j}(r(w_j))$ or $\Diamond_1\psi \in t_{w_j}(r(w_j))$ then $\Diamond_1\psi \in t_{w_i}(r(w_i))$,


(wq2’) $\lhd$ is a binary relation on $\mathfrak{R}$ satisfying (qm4) and such that, for all $r, s \in \mathfrak{R}$,


$r \lhd s$ iff $r(w_i) <_{w_i} s(w_i)$ for all $i \le m$,


(wq3) for every $i < m$, the restriction of $\mathfrak{Q}$ to the two-element strict linear order on
$\{w_i, w_{i+1}\}$ is a block in $S$.

(Note that property (wq2’) is a bit stronger than (qm3).) Now take a triple $(i, r, \Diamond_1\psi)$
such that $i \le m$, $r \in \mathfrak{R}$ and $\Diamond_1\psi \in sub\,\varphi$. Such a triple is called a defect in $\mathfrak{Q}$ if $\Diamond_1\psi \in
t_{w_i}(r(w_i))$ and for all $j$ such that $i < j \le m$, $\psi \notin t_{w_j}(r(w_j))$ and $\Diamond_1\psi \notin t_{w_j}(r(w_j))$. If
$i = m$ then such a defect is called an end-defect, otherwise it is a middle-defect.

We construct a sequence $(\mathfrak{Q}_n \mid n < \omega)$ of weak quasimodels which ‘converges’ to a
real quasimodel for $\varphi$. Take a block $\mathfrak{Q}_0 = (\mathfrak{F}_0, q_0, \mathfrak{R}_0, \lhd_0)$ in $S$ satisfying (qm2).
Clearly, it is a weak quasimodel for $\varphi$ as well. Suppose now that we have already
constructed $\mathfrak{Q}_n = (\mathfrak{F}_n, q_n, \mathfrak{R}_n, \lhd_n)$ such that $\mathfrak{F}_n = (W_n, R_n)$, $W_n = \{w_0, w_1, \dots, w_m\}$
and $w_0R_nw_1R_n \dots R_nw_m$. If the set $D_n$ of all defects in $\mathfrak{Q}_n$ is empty then we are done:
$\mathfrak{Q}_n$ is obviously a quasimodel for $\varphi$. Otherwise, we take some $d = (i, r, \Diamond_1\psi)$ from $D_n$.

Case 1: $d$ is a middle-defect, that is, $i < m$. By (wq3), the restriction $\mathfrak{Q}_n^{w_iw_{i+1}}$ of $\mathfrak{Q}_n$
to the two-element strict linear order on $\{w_i, w_{i+1}\}$ is a block in $S$. Choose two blocks
$\mathfrak{B}^{w_iw}$ and $\mathfrak{B}^{ww_{i+1}}$ according to (ssb4) (with $u = w_i$ and $v = w_{i+1}$). We may assume
that $w \notin W_n$. Define a basic structure $(\mathfrak{F}_n^d, q_n^d)$ by taking


$$R_n^d = R_n \cup \{(w_j, w) \mid j \le i,\ w_j \in W_n\} \cup \{(w, w_j) \mid i < j \le m,\ w_j \in W_n\},$$
ypg n a if v=w, 
For all runs $s, p \in \mathfrak{R}_n$, $s' \in \mathfrak{R}^{w_iw}$, $s'' \in \mathfrak{R}^{ww_{i+1}}$, such that $s(w_i) = s'(w_i)$, $s'(w) = s''(w)$,
$s''(w_{i+1}) = p(w_{i+1})$, define the function $s \cup s' \cup s'' \cup p$ on $W_n^d$ by taking, for all $v \in W_n^d$,


(sUs’ Us" Up)(v) = ¢ 8'( 


Let $\mathfrak{R}_n^d$ be the set of all such functions. Elements in $\mathfrak{R}_n^d$ of the form $s \cup s' \cup s'' \cup s$, for
some $s \in \mathfrak{R}_n$, are called extensions of $s$. We call an extension $s \cup s' \cup s'' \cup s$ good, if
$s'(w) = s''(w) = x_s$; cf. (ssb4). Observe that every $s \in \mathfrak{R}_n$ has a unique good extension
in $\mathfrak{R}_n^d$.

For all $s, s' \in \mathfrak{R}_n^d$, define


$$s \lhd_n^d s' \quad\text{iff}\quad s(v) <_v s'(v) \text{ for all } v \in W_n^d.$$


In other words, we ‘glue together’ the blocks $\mathfrak{B}^{w_iw}$ and $\mathfrak{B}^{ww_{i+1}}$ at $w$, and then ‘insert’
the resulting piece into $\mathfrak{Q}_n$ between $w_i$ and $w_{i+1}$. It can be readily checked that $\mathfrak{Q}_n^d =
(\mathfrak{F}_n^d, q_n^d, \mathfrak{R}_n^d, \lhd_n^d)$ is a weak quasimodel. Moreover, the defect $d$ in $\mathfrak{Q}_n^d$ is ‘cured’ in the
sense that (by (ssb4)) the good extension $r^+$ of $r$ is such that $\psi \in t_w(r^+(w))$.

Case 2: $d$ is an end-defect. This case is analogous to Case 1, but we have to use (ssb3)
instead of (ssb4) for ‘gluing together’ $\mathfrak{Q}_n$ and a block $\mathfrak{B}^{w_mw}$ at $w_m$.

Next we turn the remaining defects in $\mathfrak{Q}_n$ to a subset $D_n^d$ of the set of defects in $\mathfrak{Q}_n^d$
as follows. Suppose $(j, s, \Diamond_1\chi)$ is a defect in $D_n$ different from $d$. Let $s^+$ be the good
extension of $s$ and let $k = j$ if $j \le i$ and $k = j + 1$ otherwise. If $(k, s^+, \Diamond_1\chi)$ is a defect
in $\mathfrak{Q}_n^d$ then we put it into $D_n^d$. Clearly, $|D_n^d| \le |D_n| - 1$. If $D_n^d \ne \emptyset$ then we take a defect
$d' \in D_n^d$, construct $(\mathfrak{Q}_n^d)^{d'}$, and so on. When all the finitely many defects in $D_n$ are cured,
we obtain a weak quasimodel $\mathfrak{Q}_{n+1}$. Note that every run $r_n \in \mathfrak{R}_n$ has a unique extension
$r_{n+1} \in \mathfrak{R}_{n+1}$ obtained by taking at every step the good extension of the previous run.
We call this $r_{n+1}$ the good extension of $r_n$ in $\mathfrak{Q}_{n+1}$.

The limit quasimodel is defined by taking $\mathfrak{F} = (W, R)$, where $W = \bigcup_{n<\omega} W_n$, $R =
\bigcup_{n<\omega} R_n$ and $q = \bigcup_{n<\omega} q_n$. Then clearly $\mathfrak{F}$ is a strict linear order and $(\mathfrak{F}, q)$ is a basic
structure for $\varphi$.

For every $i < \omega$ and every sequence of runs $(r_n \in \mathfrak{R}_n \mid n \ge i)$ such that $r_{n+1}$ is the
good extension of $r_n$ in $\mathfrak{Q}_{n+1}$ for all $n \ge i$, take $r = \bigcup\{r_n \mid n \ge i\}$. Let $\mathfrak{R}$ be the set of
such runs. For $r = \bigcup\{r_n \mid n \ge i\}$ and $r' = \bigcup\{r'_n \mid n \ge j\}$ in $\mathfrak{R}$, define


$$r \lhd r' \quad\text{iff}\quad r_n \lhd_n r'_n, \text{ for all } n \ge \max(i, j).$$


We show that $\mathfrak{R}$ and $\lhd$ satisfy (qm3) and (qm4). Indeed, suppose that $r$ and $r'$ are of
the above form and $r \lhd r'$. Take a $w \in W$. There is an $n \ge \max(i, j)$ such that $w \in W_n$.
Then $r(w) = r_n(w)$, $r'(w) = r'_n(w)$ and $r_n \lhd_n r'_n$, which implies $r(w) <_w r'(w)$ by (wq2’).
For (qm4), suppose that $r = \bigcup\{r_n \mid n \ge i\}$ and $r(w) <_w x$ for some $x \in T_w$. Then
there is an $n \ge i$ such that $w \in W_n$, and so $r(w) = r_n(w)$. Since $\mathfrak{Q}_n$ satisfies (qm4),
there is an $s_n \in \mathfrak{R}_n$ such that $s_n(w) = x$ and $r_n \lhd_n s_n$. Let $s = \bigcup\{s_m \mid m \ge n\}$, where
$s_{m+1}$ is the good extension of $s_m$ in $\mathfrak{Q}_{m+1}$ for all $m \ge n$. Then $s(w) = s_n(w) = x$, and
it is not hard to see that, by (ssb3), (ssb4) and (wq2’), $r_m \lhd_m s_m$ hold for all $m \ge n$,
from which $r \lhd s$.

Finally, we show that all the runs in $\mathfrak{R}$ are coherent and saturated. Indeed, suppose
that $r = \bigcup\{r_n \mid n \ge i\}$ and $\Diamond_1\psi \in t_w(r(w))$ for some $w \in W$. Then there is an $n \ge i$ such
that $w \in W_n$, and so $r(w) = r_n(w)$. If $(w, r_n, \Diamond_1\psi)$ is not a defect in $\mathfrak{Q}_n$ then there is a
$v \in W_n$ such that $wR_nv$, $r_n(v) = r(v)$ and $\psi \in t_v(r_n(v))$. And if $(w, r_n, \Diamond_1\psi)$ is a defect
in $\mathfrak{Q}_n$ then it is cured in its good extension $r_{n+1}$ in $\mathfrak{Q}_{n+1}$: there is $v \in W_{n+1}$ such that
$wRv$, $r_{n+1}(v) = r(v)$ and $\psi \in t_v(r_{n+1}(v))$. Conversely, assume that $\psi \in t_w(r(w))$ and
let $vRw$. Then there is an $n \ge i$ such that $v, w \in W_n$. Thus $r(w) = r_n(w)$, $r(v) = r_n(v)$
and $vR_nw$, and so $\Diamond_1\psi \in t_v(r(v))$ follows by (wq2).

Therefore, $\mathfrak{Q} = (\mathfrak{F}, q, \mathfrak{R}, \lhd)$ is a $K4.3 \times K$-quasimodel for $\varphi$, as required. ∎


Observe that the decision procedure given above is again non-elementary. In fact,
no elementary decision procedure is known for $K4.3 \times K$. However, as quasistates in
$K4.3 \times S5$-quasimodels are of double-exponential size, one can obtain a 2EXPTIME
decision algorithm for $K4.3 \times S5$ as follows. Take the set of all blocks for $\varphi$ (a straightforward
computation shows that the cardinality of this set is also at most double-exponential
in the size of $\varphi$). Eliminate iteratively those blocks for which there are no ‘noneliminated’
blocks satisfying (ssb3) and (ssb4). This elimination procedure stops after at most
double-exponentially many steps. Now it is not hard to show that $\varphi$ is satisfiable iff the
set $S$ of remaining blocks contains a block satisfying (qm2).


Quasimodels and reductions to monadic second-order theories. 


Here we give a second proof for the decidability of $K4.3 \times K$ by showing that one can
translate the statement “there exists a $K4.3 \times K$-quasimodel for $\varphi$ based on some strict
linear order $\mathfrak{F}$” into monadic second-order logic.

Fix some $\mathcal{ML}_2$-formula $\varphi$. For every $m \le md(\varphi)$, below we will define a monadic
second-order formula $qm^m_\varphi$ (in the language having a binary predicate constant $<$) in
such a way that the following holds:

LEMMA 32. For any strict linear order $\mathfrak{F}$, $\mathfrak{F} \models qm^m_\varphi$ for some $m \le md(\varphi)$ iff there
exists a $K4.3 \times K$-quasimodel for $\varphi$ based on $\mathfrak{F}$.


Though the monadic second-order theory of all strict linear orders is undecidable, we
can still use this lemma to deduce decidability of $K4.3 \times K$ as follows. It is not hard
to see, using Theorem 16, that it is enough to consider quasimodels that are based on
countable strict linear orders. Now for every monadic second-order formula $\psi$ and a
monadic predicate variable $P$ not occurring in $\psi$, define the relativisation $\psi^P$ of $\psi$ to
$P$ inductively by taking $\psi^P = \psi$ for atomic $\psi$, $(\neg\psi)^P = \neg\psi^P$, $(\psi_1 \wedge \psi_2)^P = \psi_1^P \wedge \psi_2^P$,
$(\forall x\,\psi)^P = \forall x\,(P(x) \to \psi^P)$, and $(\forall Q\,\psi)^P = \forall Q\,\psi^P$. Obviously, for any sentence $\psi$ and
any strict linear order $\mathfrak{F}$, we have $\mathfrak{F} \models \exists P\,(\exists x\,P(x) \wedge \psi^P)$ iff $\mathfrak{F}' \models \psi$ for some (nonempty)
suborder $\mathfrak{F}'$ of $\mathfrak{F}$—the intended interpretation of $P$ is the domain of $\mathfrak{F}'$. As is well-known,
any countable strict linear order is a suborder of $(\mathbb{Q}, <)$. Let $A$ be the first-order sentence
defining the class of all strict linear orders. Then $qm^m_\varphi$ (assumed not to involve $P$) is
satisfiable in some countable strict linear order $\mathfrak{F}$ iff the monadic second-order formula


$$\exists P\,\bigl(\exists x\,P(x) \wedge (A \wedge qm^m_\varphi)^P\bigr)$$


holds in $(\mathbb{Q}, <)$. As the monadic second-order theory of $(\mathbb{Q}, <)$ is known to be decidable
(see [67]), this proves the decidability of $K4.3 \times K$.
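The relativisation $\psi^P$ and the suborder equivalence stated above can be checked by brute force on small finite strict linear orders. This is an added example, not part of the handbook text: the tuple encoding of formulas, the helper names and the sample sentence `PSI` are assumptions of the example, and finite orders stand in for suborders of $(\mathbb{Q}, <)$.

```python
from itertools import combinations

# Formulas as nested tuples (an encoding assumed for this example):
#   ("lt", x, y)   x < y            ("in", Q, x)   Q(x)
#   ("not", f)     ("and", f, g)
#   ("all", x, f)  first-order forall   ("ALL", Q, f)  monadic second-order forall

def ex(x, f):
    return ("not", ("all", x, ("not", f)))

def EX(Q, f):
    return ("not", ("ALL", Q, ("not", f)))

def relativise(f, P):
    """psi^P, following the inductive clauses of the text."""
    op = f[0]
    if op in ("lt", "in"):
        return f
    if op == "not":
        return ("not", relativise(f[1], P))
    if op == "and":
        return ("and", relativise(f[1], P), relativise(f[2], P))
    if op == "all":   # forall x (P(x) -> psi^P), written with not/and
        return ("all", f[1], ("not", ("and", ("in", P, f[1]),
                                      ("not", relativise(f[2], P)))))
    if op == "ALL":
        return ("ALL", f[1], relativise(f[2], P))
    raise ValueError(op)

def subsets(dom):
    dom = sorted(dom)
    return [frozenset(c) for n in range(len(dom) + 1) for c in combinations(dom, n)]

def holds(f, dom, env):
    """Truth of f in the strict linear order (dom, <) under the assignment env."""
    op = f[0]
    if op == "lt":
        return env[f[1]] < env[f[2]]
    if op == "in":
        return env[f[2]] in env[f[1]]
    if op == "not":
        return not holds(f[1], dom, env)
    if op == "and":
        return holds(f[1], dom, env) and holds(f[2], dom, env)
    if op == "all":
        return all(holds(f[2], dom, {**env, f[1]: a}) for a in dom)
    if op == "ALL":
        return all(holds(f[2], dom, {**env, f[1]: s}) for s in subsets(dom))
    raise ValueError(op)

# Constructed sample sentence: "some nonempty proper subset Q is an initial
# segment", which is true exactly in orders with at least two elements.
Qx, Qy = ("in", "Q", "x"), ("in", "Q", "y")
INITIAL = ("all", "x", ("all", "y",
           ("not", ("and", Qx, ("and", ("not", Qy), ("not", ("lt", "x", "y")))))))
PSI = EX("Q", ("and", ex("x", Qx), ("and", ex("x", ("not", Qx)), INITIAL)))

def sat_relativised(psi, dom):
    """(dom, <) |= exists P (exists x P(x) and psi^P)."""
    sentence = EX("P", ("and", ex("x", ("in", "P", "x")), relativise(psi, "P")))
    return holds(sentence, dom, {})

def sat_in_some_suborder(psi, dom):
    """psi holds in some nonempty suborder of (dom, <)."""
    return any(holds(psi, sub, {}) for sub in subsets(dom) if sub)
```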


In order to define the necessary monadic second-order formulas $qm^m_\varphi$ for each $m \le
md(\varphi)$, we require a number of auxiliary formulas. Denote by $\Sigma_m$ the set of all quasistates
for $\varphi$ of depth $m$. Given a quasistate $q = ((T_q, <_q), t_q)$ from $\Sigma_m$ and a point $a$ in $T_q$,
we denote the depth of $a$ by $d_q(a)$.

Introduce a unary predicate variable $P_q$ for each $q \in \Sigma_m$ and a unary predicate variable
$R^k_\psi$ for each $\psi \in sub\,\varphi$ and each $k \le m$. Given a type $t$ for $\varphi$ and $k \le m$, let


saying that the type $t$ at point $x$ of depth $k$ is defined with the help of
$R^k(x) = (R^k_\psi(x) \mid \psi \in sub\,\varphi)$.


For each $k \le m$, let


runo(P, R¥) = Va \ (Pq(z) > 


qeXm 
VV xe,(a)(R*(x))) A Va A [RS ye) > yle < yA RE (y))]. 
a€Ty OıpEsub p 

dg(a)=k 


This is intended to say that $R^k$ defines a coherent and saturated $k$-run through a sequence
of quasistates defined with the help of $P = (P_q \mid q \in \Sigma_m)$.

However, we have to refine this definition in order to ensure that condition (qm4)
holds. To this end, we define, by ‘backwards’ induction on $k$, another formula $run(P, R^k)$
as follows. If $k = m$ (that is, we are at the ‘leaf-level’) then take $run(P, R^m) =
run_0(P, R^m)$.

Suppose, inductively, that for $k \le m$ we have already defined $run(P, R^k)$. Then let
$run(P, R^{k-1})$ be the following formula:


runo(P, RE-!) A 


va N VAN [Pal £) A Xt,(a)( (RF-1 >A) = Ri (run(P, RE) A Xt, (b p) (RE(x)) A 


qcLm ac, DET, PEsuby 
dask] a<q b 
wA A BONeoETO > V xeca(B*e))))]. 
SEEm c€T, dETs 
ds(c)=k—1 c<sd 


Finally, we define a monadic second-order sentence $qm^m_\varphi$ by taking


qeXm qEEm qd'EEm 
a#q 
y RLA I R9, (run(P, R?) A xt, )(R%(x))))] 
sem, aeTs wEesubyp 
d;(a)=0 
pets (a) 


Evaluated in a strict linear order $\mathfrak{F} = (W, <)$, the first line of $qm^m_\varphi$ says that the sets
$P_q \subseteq W$ ($q \in \Sigma_m$) form a partition of $W$. By defining the map $q : W \to \Sigma_m$ as


$$q(w) = q \quad\text{iff}\quad w \in P_q$$

and a relation $\lhd$ on the runs by taking $r \lhd r'$ iff $r$ is defined by $R^{k-1}$ and $r'$ is defined by $R^k$
for some $k \le m$, we obtain a quasimodel $\mathfrak{Q} = (\mathfrak{F}, q, \mathfrak{R}, \lhd)$ for $\varphi$: the second line of $qm^m_\varphi$
states condition (qm2); conditions (qm3) and (qm4) are satisfied by the definitions of
$\lhd$ and the formulas $run(P, R^k)$, respectively.


Lower complexity bounds. 


The following general result was obtained by Marx [59]. It is proved by reducing the
NEXPTIME-complete “$n \times n$ bounded tiling problem” to the satisfiability problem of
the logics in question, see Chapter 3 of this handbook:


THEOREM 33. Let $L$ be a Kripke complete bimodal logic between $K \times K$ and $S5 \times S5$.
Then $L$ is coNEXPTIME-hard.


For products of ‘linear’ logics with S5 (such as $Log\{(\mathbb{N}, <)\} \times S5$, $Log\{(\mathbb{Q}, <)\} \times S5$,
$K4.3 \times S5$) one can obtain an EXPSPACE lower bound by reducing the “$2^n$ corridor
tiling problem” to their satisfiability problem, see [23, Theorem 6.64].


Products of ‘transitive’ modal logics are usually undecidable 


None of the techniques for proving decidability discussed above work if we consider two- 
dimensional products where both component logics are determined by transitive frames 
of unbounded ‘cluster-depth’ (such as K4 x K4). As we shall see below, these product 
logics are in fact undecidable, and often lack the ‘abstract’ fmp. 

Given a transitive frame $\mathfrak{F} = (W, R)$, a point $x \in W$ is said to be of cluster-depth
$n < \omega$ in $\mathfrak{F}$ if there is a path $x = x_0Rx_1R \dots Rx_n$ of points from distinct clusters in $\mathfrak{F}$
(that is, $x_{i+1}Rx_i$ does not hold for any $i < n$) and there is no such path of greater length.
If for every $n < \omega$ there is a path of $n$ points from distinct clusters starting from $x$, then
we say that $x$ is of infinite cluster-depth, or $x$ is of cluster-depth $\infty$. The cluster-depth of
$\mathfrak{F}$ is defined to be the supremum of the cluster-depths of its points (with $n < \infty$ for all
$n < \omega$). For instance, $\mathfrak{F}$ is of infinite cluster-depth if it contains points of arbitrary finite
cluster-depth. By the cluster-depth of a bimodal frame $(W, R_1, R_2)$ with transitive $R_1$,
$R_2$ we understand the minimal cluster-depth of $(W, R_1)$ and $(W, R_2)$.

We remind the reader that a frame $(W, R)$ is called Noetherian if there is no infinite
strictly ascending chain $x_0Rx_1Rx_2R \dots$ of points from $W$ (i.e., no $R$-chain such that
$x_i \ne x_{i+1}$, for all $i < \omega$).

THEOREM 34. (i) [28] Let $L_1$ and $L_2$ be Kripke complete unimodal logics containing
K4 and such that both $L_1$ and $L_2$ have among their frames a rooted Noetherian linear
order with an infinite descending chain of distinct points. Then all bimodal logics $L$ in
the interval

$$[L_1, L_2] \subseteq L \subseteq L_1 \times L_2$$


lack the fmp.
(ii) [26] If $L$ is any Kripke complete bimodal logic containing $K4 \times K4$ and having
product frames of arbitrarily large finite or infinite cluster-depth, then $L$ is undecidable.


Note that as (by Theorem 21) $K4 \times K4 = [K4, K4]$, it is a simple and natural example
for a finitely axiomatisable but undecidable modal logic.


Below we discuss the main points of the proof of Theorem 34. For more details, consult 
[26]. 
Lack of finite model property.


We will define a bimodal formula ‘forcing’ infinite $[K4, K4]$-frames. We want to ‘get
rid of’ the clusters first: take two fresh propositional variables $h$ and $v$, and define new
modal operators by setting, for every bimodal formula $\psi$,


$$\blacklozenge_1\psi = [h \to \Diamond_1(\neg h \wedge (\psi \vee \Diamond_1\psi))] \wedge [\neg h \to \Diamond_1(h \wedge (\psi \vee \Diamond_1\psi))],$$
$$\blacklozenge_2\psi = [v \to \Diamond_2(\neg v \wedge (\psi \vee \Diamond_2\psi))] \wedge [\neg v \to \Diamond_2(v \wedge (\psi \vee \Diamond_2\psi))],$$
$$\blacksquare_1\psi = \neg\blacklozenge_1\neg\psi, \quad\text{and}\quad \blacksquare_2\psi = \neg\blacklozenge_2\neg\psi.$$


(Similar operators were used by Spaan [77] and by Reynolds and Zakharyaschev [70].)
Now define $\varphi_\infty$ to be the conjunction of the following formulas:

102((h V Ogh > Ozh) A (ARV O:7h > Oy7Ah)), (9) 
1Da((vV O10 > Dye) A (WV O1-w > D1), (10) 
355; (By L Ay 1), (11) 
I, Op (O2 L A 0,1 = d), (12) 
35 (ad. AE d), (13) 
“I, Sa (d A Oe 7d), (14) 
Jı Op (d > D; Od), (15) 
5, Oy (nd > Bly Sy =). (16) 


On the one hand, it is easy to see that $\varphi_\infty$ is satisfiable in a product of two rooted
Noetherian linear orders each of which contains an infinite descending chain of distinct
points, see Fig. 4. Note that such a frame is infinite.

On the other hand, we show that $\varphi_\infty$ cannot be satisfied in a finite frame for $[K4, K4]$.
The idea behind the proof is that, though the points ‘generated by’ $\varphi_\infty$ do not necessarily
form a nice ‘backward looking $\omega \times \omega$-grid’ like on Fig. 4, yet each of them can be
‘characterised’ by a unique pair $(n, m)$ of natural numbers.

To this end, suppose that $\varphi_\infty$ is satisfied at the root $r$ of a model $\mathfrak{M}$ based on a (not
necessarily product) frame $\mathfrak{F} = (W, R_1, R_2)$ for $[K4, K4]$. Then both $R_1$ and $R_2$ are
transitive, they commute and satisfy the Church–Rosser property.

We define new ($\mathfrak{M}$-dependent) binary relations $\bar R_1$ and $\bar R_2$ on $W$ by taking, for all
$x, y \in W$,


$$x\bar R_1y \quad\text{iff}\quad \exists z \in W\ [xR_1z \text{ and } ((\mathfrak{M}, x) \models h \iff (\mathfrak{M}, z) \models \neg h) \text{ and (either } z = y \text{ or } zR_1y)],$$

$$x\bar R_2y \quad\text{iff}\quad \exists z \in W\ [xR_2z \text{ and } ((\mathfrak{M}, x) \models v \iff (\mathfrak{M}, z) \models \neg v) \text{ and (either } z = y \text{ or } zR_2y)].$$

In other words, $x\bar R_1y$ iff $xR_1y$ and either $x, y$ are of different ‘horizontal colours’ in the
sense that $h$ is true in precisely one of them, or $x, y$ are of the same $h$-colour (i.e., $x \models h$
iff $y \models h$), but there is a point $z$ of different $h$-colour such that $xR_1zR_1y$. Clearly, we
always have $\bar R_i \subseteq R_i$ ($i = 1, 2$). It is not hard to see that, by (9)–(10), $(W, \bar R_1, \bar R_2)$ is a
(not necessarily rooted) frame for $[K4, K4]$, that is,


both $\bar R_1$ and $\bar R_2$ are transitive,
$\bar R_1$ and $\bar R_2$ commute, and
$\bar R_1$ and $\bar R_2$ are Church–Rosser.


Figure 4. Satisfying $\varphi_\infty$ in an infinite product frame.


Moreover, for all $x \in W$,


$$(\mathfrak{M}, x) \models \blacklozenge_1\psi \quad\text{iff}\quad \exists y \in W\ (x\bar R_1y \text{ and } (\mathfrak{M}, y) \models \psi),$$
$$(\mathfrak{M}, x) \models \blacklozenge_2\psi \quad\text{iff}\quad \exists y \in W\ (x\bar R_2y \text{ and } (\mathfrak{M}, y) \models \psi).$$


We define inductively four infinite sequences


$$x_0, x_1, x_2, \dots; \quad y_0, y_1, y_2, \dots; \quad u_0, u_1, u_2, \dots \quad\text{and}\quad v_0, v_1, v_2, \dots$$


of points from $W$ such that, for every $i < \omega$,


(gen1) $(\mathfrak{M}, x_i) \models d \wedge \blacksquare_2\neg d$,
(gen2) $(\mathfrak{M}, y_i) \models \neg d \wedge \blacksquare_1 d$,


(gen3) $r\bar R_2u_i$, $u_i\bar R_1x_i$ and $u_i\bar R_1y_i$,
(gen4) if $i > 0$ then $r\bar R_1v_i$, $v_i\bar R_2x_i$ and $v_i\bar R_2y_{i-1}$,


see Fig. 5. (We do not claim at this point that, say, all the $x_i$ are distinct.)


To begin with, by (11), there are $u_0, x_0$ such that $r\bar R_2u_0\bar R_1x_0$ and


$$(\mathfrak{M}, x_0) \models \blacksquare_1\bot \wedge \blacksquare_2\bot.$$

By (12), $(\mathfrak{M}, x_0) \models d$. By (13), there is $y_0$ such that $u_0\bar R_1y_0$ and $(\mathfrak{M}, y_0) \models \neg d \wedge \blacksquare_1 d$.
So (gen1)–(gen3) hold for $i = 0$.


Now suppose that, for some $n < \omega$, $x_i$ and $y_i$ with (gen1)–(gen4) have already
been defined for all $i \le n$. By (gen3) for $i = n$ and by (com), there is $v_{n+1}$ such
that $r\bar R_1v_{n+1}\bar R_2y_n$. So by (14), there is $x_{n+1}$ such that $(\mathfrak{M}, x_{n+1}) \models d \wedge \blacksquare_2\neg d$ and
$v_{n+1}\bar R_2x_{n+1}$. Now again by (com), there is $u_{n+1}$ such that $r\bar R_2u_{n+1}\bar R_1x_{n+1}$. So, by
(13), there is $y_{n+1}$ such that $u_{n+1}\bar R_1y_{n+1}$ and $(\mathfrak{M}, y_{n+1}) \models \neg d \wedge \blacksquare_1 d$, as required (see
Fig. 5).


Figure 5. Generating the points $x_i$, $y_i$, $u_i$ and $v_i$.


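The following lemma is our basic tool in showing that all the $x_n$ are different:


LEMMA 35. For all $i, n < \omega$,

(i) $(\mathfrak{M}, x_i) \models \blacklozenge_1^n \top \leftrightarrow \blacklozenge_2^n \top$,

(ii) $(\mathfrak{M}, y_i) \models \blacklozenge_1^{n+1} \top \leftrightarrow \blacklozenge_2^n \top$.


Proof. First, it is a straightforward consequence of (12), (16) and (com) that

    $\Box_1^+ \Box_2^+ (\neg d \to \blacklozenge_1 \top)$    (18)

holds in $\mathfrak{M}$. Further, it is not hard to show by induction on n that for all $n < \omega$,

    $\Box_1^+ \Box_2^+ (d \to \blacksquare_1^n \blacklozenge_2^n d)$,    (19)
    $\Box_1^+ \Box_2^+ (\neg d \to \blacksquare_2^n \blacklozenge_1^n \neg d)$    (20)

are also true in $\mathfrak{M}$. Now to prove (i), suppose first that we have $(\mathfrak{M}, x_i) \models \blacklozenge_1^n \top$. Then
there is a point z such that $x_i \bar R_1^n z$. By (gen1), $(\mathfrak{M}, x_i) \models d$. So, $(\mathfrak{M}, z) \models \blacklozenge_2^n d$, by
(19). Using (com), we find a point v such that $x_i \bar R_2^n v$ and $v \bar R_1^n u$, so $(\mathfrak{M}, x_i) \models \blacklozenge_2^n \top$
follows. Conversely, suppose $(\mathfrak{M}, x_i) \models \blacklozenge_2^n \top$, that is, there are points $z_1, \dots, z_n$ such
that $x_i \bar R_2 z_1 \bar R_2 \dots \bar R_2 z_n$. By (gen1), $(\mathfrak{M}, x_i) \models \blacksquare_2 \neg d$, and so $(\mathfrak{M}, z_1) \models \neg d$. Therefore,
by (20) and (18), we have $(\mathfrak{M}, z_n) \models \blacklozenge_1^n \top$, and then obtain $(\mathfrak{M}, x_i) \models \blacklozenge_1^n \top$ using (com).

To show (ii), assume first that we have $(\mathfrak{M}, y_i) \models \blacklozenge_2^n \top$. Then there is a point z
such that $y_i \bar R_2^n z$. By (gen2), $(\mathfrak{M}, y_i) \models \neg d$. So, by (20), $(\mathfrak{M}, z) \models \blacklozenge_1^n \neg d$, and by
(18), $(\mathfrak{M}, z) \models \blacklozenge_1^{n+1} \top$. Now $(\mathfrak{M}, y_i) \models \blacklozenge_1^{n+1} \top$ follows by (com). Conversely, suppose
$(\mathfrak{M}, y_i) \models \blacklozenge_1^{n+1} \top$, that is, there are points $z_1, \dots, z_n, z_{n+1}$ such that

    $y_i \bar R_1 z_1 \bar R_1 \dots \bar R_1 z_n \bar R_1 z_{n+1}$.

By (gen2), $(\mathfrak{M}, y_i) \models \blacksquare_1 d$, and so $(\mathfrak{M}, z_1) \models d$. Therefore, by (19), $(\mathfrak{M}, z_{n+1}) \models \blacklozenge_2^n \top$.
Finally, using (com) we obtain $(\mathfrak{M}, y_i) \models \blacklozenge_2^n \top$. ❑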


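Now we can show that all the $x_n$ are distinct as follows. For every formula $\psi$ and
$\blacklozenge \in \{\blacklozenge_1, \blacklozenge_2\}$, we introduce

    $\blacklozenge^{=n} \psi = \blacklozenge^n \psi \wedge \neg \blacklozenge^{n+1} \psi$,

meaning ‘see $\psi$ in n steps but not in n+1 steps.’ Define the horizontal and vertical ranks
hr(x) and vr(x) of a point x (in model $\mathfrak{M}$) by taking

    hr(x) = n, if $n < \omega$ and $(\mathfrak{M}, x) \models \blacklozenge_1^{=n} \top$;   hr(x) = $\infty$, otherwise,

    vr(x) = n, if $n < \omega$ and $(\mathfrak{M}, x) \models \blacklozenge_2^{=n} \top$;   vr(x) = $\infty$, otherwise.

The reader can readily check, using (com) and (chro), that if $x \bar R_1 y$ then vr(x) = vr(y),
and if $x \bar R_2 y$ then hr(x) = hr(y).
We claim that, for all $n < \omega$,

    $vr(u_n) = n$,    (21)
    $hr(v_n) = n$,    (22)
    $hr(x_n) = vr(x_n) = n$.    (23)

First we prove (21) by induction on n. For n = 0, it follows from the definition of $x_0$ (see
(17)) and (gen3). Suppose that (21) holds for some $n < \omega$. Then

    $vr(u_{n+1}) \overset{(gen3)}{=} vr(x_{n+1}) \overset{L.35(i)}{=} hr(x_{n+1}) \overset{(gen4)}{=} hr(y_n) \overset{L.35(ii)}{=} vr(y_n) + 1 \overset{(gen3)}{=} vr(u_n) + 1 \overset{(IH)}{=} n + 1$.

Now (22) and (23) follow from (21) and

    $hr(v_n) \overset{(gen4)}{=} hr(x_n) \overset{L.35(i)}{=} vr(x_n) \overset{(gen3)}{=} vr(u_n)$.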


Undecidability. 


We discuss first how the ‘diagonal points’ $x_n$ (with finite rank $hr(x_n) = vr(x_n) = n$)
can be used not only to show the lack of fmp, but also to encode arbitrarily large finite
parts of the ‘$\omega \times \omega$-grid’ in frames for [K4, K4]. The enumeration of the points of $\omega \times \omega$
we use below has been introduced in several papers dealing with undecidable multimodal
logics; see, e.g., [36, 60, 70]. (Note that in all these cases either the language had next-time
operators or all the frames were linear, neither is the case now.)

Figure 6. The enumeration pair.

Let pair: $\omega \to \omega \times \omega$ be the function defined recursively by taking:

• pair(0) = (0, 0),
• if pair(n) = (0, j) then pair(n + 1) = (j + 1, 0),
• otherwise, if pair(n) = (i + 1, j) then pair(n + 1) = (i, j + 1);

see Fig. 6. It is easy to see that pair is one-one and onto. Let $\sharp: \omega \times \omega \to \omega$ denote the
inverse of the function pair. If pair(n) is not on the wall (that is, the first coordinate of
pair(n) is different from 0) then define $left_n$ to be the $\sharp$ of the left neighbour of pair(n).
The reader can readily check the following important properties of these functions, for
all n > 0:

(t1) If neither pair(n) nor pair(n − 1) are on the wall then $left_n = left_{n-1} + 1$.

(t2) If n > 1 and pair(n) is not on the wall, but pair(n − 1) is on the wall, then n > 2,
pair(n − 2) is not on the wall, and $left_n = left_{n-2} + 1$.

(t3) pair(n) is on the wall iff pair($left_{n-1}$) is on the wall.

(t4) Either pair(n) or pair(n − 1) is not on the wall.
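
The enumeration and the properties (t1)–(t4) can be checked mechanically. The following Python sketch is an added example, not part of the handbook text; the function names and the closed form used for the inverse of pair are assumptions of the example, and (t3) is read only for those n where pair(n − 1) is off the wall, so that the pointer it mentions is defined.

```python
from itertools import islice


def pair_seq():
    """Yield pair(0), pair(1), ... by following the recursive definition."""
    i, j = 0, 0
    while True:
        yield (i, j)
        if i == 0:
            i, j = j + 1, 0      # pair(n) = (0, j)    ->  pair(n+1) = (j+1, 0)
        else:
            i, j = i - 1, j + 1  # pair(n) = (i+1, j)  ->  pair(n+1) = (i, j+1)


def sharp(i, j):
    """Inverse of pair in closed form (an assumption of this example, verified in check())."""
    s = i + j                    # index of the anti-diagonal containing (i, j)
    return s * (s + 1) // 2 + j


def on_wall(p):
    """A pair is on the wall when its first coordinate is 0."""
    return p[0] == 0


def left_pointers(limit):
    """Return (pairs, left): left[n] = left_n, defined only when pair(n) is off the wall."""
    pairs = list(islice(pair_seq(), limit))
    left = {n: sharp(i - 1, j) for n, (i, j) in enumerate(pairs) if i > 0}
    return pairs, left


def check(limit):
    """Return the violations of (t1)-(t4) among pair(0..limit-1); [] means none."""
    pairs, left = left_pointers(limit)
    bad = []
    # sharp(pair(n)) == n for every n also shows that pair is one-one on this prefix.
    if any(sharp(*p) != n for n, p in enumerate(pairs)):
        bad.append("sharp is not the inverse of pair")
    for n in range(1, limit):
        cur, prev = on_wall(pairs[n]), on_wall(pairs[n - 1])
        if not cur and not prev and left[n] != left[n - 1] + 1:
            bad.append(("t1", n))
        if n > 1 and not cur and prev:
            if not (n > 2 and not on_wall(pairs[n - 2])
                    and left[n] == left[n - 2] + 1):
                bad.append(("t2", n))
        # (t3), checked where left_{n-1} is defined (pair(n-1) off the wall).
        if not prev and cur != on_wall(pairs[left[n - 1]]):
            bad.append(("t3", n))
        if cur and prev:
            bad.append(("t4", n))
    return bad
```
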
We will require the following propositional variables:

• grid (marking the points of the grid),
• left (a pointer from n to $left_n$ when pair(n) is not on the wall),
• wall (marking the wall, i.e., the pairs of the form (0, n)).

Let $\varphi_{grid}$ be the conjunction of (9), (10) and the following formulas:


2 (Gi L > (grid + O21), 


1 L A grid — wall), 


N 


( 
J; Os (wall > grid), 


ae 
J> (© T > (grid > 3! OF 1 grid)), 
Ty (grid A OT = (wall = 2 (07? left A ©; wall))), 


wall > O; (grid > wall), 


5, |left > (G (Sgt TAG. 1L)V (So (Sz? left A 5 wall) A 552 57? left) 
V (So (SF left A +5; wall) A S51 S74 left) )| 
The following lemma, showing that $\varphi_{grid}$ ‘forces’ the $\omega \times \omega$-grid onto ‘diagonal points of
finite rank’, is proved in [26]:


LEMMA 36. Suppose that $\mathfrak{M}$ is a model based on a rooted frame $\mathfrak{F} = (W, R_1, R_2)$ for
[K4, K4]. If $(\mathfrak{M}, r) \models \varphi_{grid}$ then the following hold, for all $n, m < \omega$ and all $x \in W$ such
that hr(x) = n and vr(x) = m:

(i) $(\mathfrak{M}, x) \models grid$ iff n = m,

(ii) $(\mathfrak{M}, x) \models \blacklozenge_1^{=1} left$ iff n > 0, pair(n − 1) is not on the wall and $m = left_{n-1}$,

(iii) $(\mathfrak{M}, x) \models wall$ iff n = m and pair(n) is on the wall,

(iv) $(\mathfrak{M}, x) \models left$ iff pair(n) is not on the wall and $m = left_n$.

Various undecidable problems can be ‘represented’ on the $\omega \times \omega$-grid, say, versions of
the halting problems for Turing machines, register machines, etc., Post’s correspondence
problem, as well as infinite tiling problems.

Here we show, as an example, how to reduce an undecidable tiling problem to the
satisfiability problem for logics that (i) contain [K4, K4] and (ii) have among their frames
a product of two rooted Noetherian linear orders each of which contains an infinite
descending chain of distinct points. (For other similar logics slight modifications of the
proof might be necessary, see [26] for a general argument.)

A tile type is a 4-tuple of colours

    $t = (left(t), right(t), up(t), down(t))$.

For a finite set T of tile types and a subset $X \subseteq \omega \times \omega$, we say that T tiles X if there
exists a function (called a tiling) $\tau$ from X to T such that, for all $(i, j) \in X$,

• if $(i, j + 1) \in X$ then $up(\tau(i, j)) = down(\tau(i, j + 1))$ and
• if $(i + 1, j) \in X$ then $right(\tau(i, j)) = left(\tau(i + 1, j))$.

The following ‘$\omega \times \omega$-tiling problem’ is undecidable (see [81, 9]): given a finite set T of
tile types, decide whether T can tile $\omega \times \omega$.

Given a finite set T of tile types, we introduce a propositional variable t, for every
$t \in T$. Let $\varphi_T$ be the conjunction of the following formulas:


1 als (grid a VV t), 
teT 
nO, A otat), 
t#t' ET 
Fi ry \ (t = Jy (Oz? left — 30, t')), 
tt'ET 
up(t’)Adown(t) 
Tı Oy \ (t> D (left > 40,1’). 
t,t'ET 


right(t’)Aleft(t) 


For every $n < \omega$, let

    $plane_n = \{(i, j) \mid \sharp(i, j) < n\}$.

If formulas (9) and (10) are satisfied in a model $\mathfrak{M}$ based on a frame for [K4, K4],
then for all numbers $a, b < \omega$ and $x \in W$ with hr(x) = a and vr(x) = b, there exists what
we call a perfect $a \times b$-rectangle starting at x, that is, there are points $x_{i,j}$ (for $i \le a$,
$j \le b$) such that

• $x = x_{a,b}$,
• $hr(x_{i,j}) = i$ and $vr(x_{i,j}) = j$,
• $x_{i,j} \bar R_1 x_{k,j}$ for i > k, and $x_{i,j} \bar R_2 x_{i,k}$ for j > k.

(Indeed, given x, take an a-long $\bar R_1$-path and a b-long $\bar R_2$-path starting from x, and then
‘close them’ under the Church–Rosser property.)
Now a straightforward induction on n shows the following:


LEMMA 37. Let $\mathfrak{M}$ be a model that is based on a frame for [K4, K4] with root r and
suppose that $(\mathfrak{M}, r) \models \varphi_{grid} \wedge \varphi_T$. Then, for every $n < \omega$, every $x \in W$ such that
hr(x) = vr(x) = n, and every perfect $n \times n$-rectangle $x_{i,j}$ ($i \le n$, $j \le n$) starting at x,
the function $\tau: plane_n \to T$ defined by

    $\tau(i, j) = t$  iff  $(\mathfrak{M}, x_{\sharp(i,j), \sharp(i,j)}) \models t$

is a tiling of $plane_n$.

Now, using Lemma 37, it is straightforward to show that if $\varphi_\infty \wedge \varphi_{grid} \wedge \varphi_T$ is satisfiable
in a frame for [K4, K4] then T tiles $plane_n$ for all $n < \omega$. A standard compactness
argument (or König’s lemma) shows that if a given finite set T of tile types tiles $plane_n$
for every $n < \omega$, then it actually tiles the whole $\omega \times \omega$-grid. On the other hand, it is easy
to see that if T tiles $\omega \times \omega$ then $\varphi_\infty \wedge \varphi_{grid} \wedge \varphi_T$ is satisfiable in a product of two rooted
Noetherian linear orders each of which contains an infinite descending chain of distinct
points.
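
The definitions of a tiling and of $plane_n$ translate directly into a search. The following Python sketch is an added example, not part of the handbook text; the function names and both tile sets are constructed for illustration. It fills $plane_n$ in the order pair(0), ..., pair(n − 1), where the left and lower neighbours of each new cell are already placed, and shows a tile set that tiles $plane_6$ but not $plane_7$.

```python
LEFT, RIGHT, UP, DOWN = range(4)   # positions of the colours in a tile type


def plane(n):
    """Cells of plane_n, listed in the order pair(0), ..., pair(n-1)."""
    cells, (i, j) = [], (0, 0)
    for _ in range(n):
        cells.append((i, j))
        i, j = (j + 1, 0) if i == 0 else (i - 1, j + 1)
    return cells


def tile_plane(tiles, n):
    """Return a tiling of plane_n as {cell: tile}, or None if the set does not tile it."""
    cells, tau = plane(n), {}

    def fits(t, i, j):
        # Both neighbours lie on the previous anti-diagonal, so they are already tiled.
        if i > 0 and tau[(i - 1, j)][RIGHT] != t[LEFT]:
            return False
        if j > 0 and tau[(i, j - 1)][UP] != t[DOWN]:
            return False
        return True

    def extend(k):
        if k == n:
            return True
        i, j = cells[k]
        for t in tiles:
            if fits(t, i, j):
                tau[(i, j)] = t
                if extend(k + 1):
                    return True
                del tau[(i, j)]        # backtrack
        return False

    return dict(tau) if extend(0) else None


def is_tiling(tau, tiles):
    """Check the two matching conditions of the definition on a finite domain."""
    for (i, j), t in tau.items():
        if t not in tiles:
            return False
        if (i, j + 1) in tau and t[UP] != tau[(i, j + 1)][DOWN]:
            return False
        if (i + 1, j) in tau and t[RIGHT] != tau[(i + 1, j)][LEFT]:
            return False
    return True


def largest_plane(tiles, bound):
    """Largest n <= bound such that the tile set tiles plane_n."""
    n = 0
    while n < bound and tile_plane(tiles, n + 1) is not None:
        n += 1
    return n


# Constructed tile sets, written as (left, right, up, down).
STRIPES = [(0, 1, "a", "a"), (1, 0, "a", "a")]          # alternating columns
COUNTER = [(k, k + 1, "a", "a") for k in range(3)]      # rows of length at most 3
```

A finite search of this kind only ever decides the approximations $plane_n$; the undecidable question is whether they succeed for every n.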

With the help of some additional ‘machinery’, one can even reduce ‘stronger’ undecidable
statements (like recurrent Turing machine and tiling problems) to the satisfiability
problem for certain products of ‘transitive’ logics. For instance, the following is shown
in [26]:


THEOREM 38. Let $L_1$ be any logic from the list

    K4, K4.1, K4.2, K4.3, S4, S4.1, S4.2, S4.3,
    GL, GL.3, Grz, Grz.3, Log{($\omega$, <)}, Log{($\omega$, $\le$)},

and $L_2$ be any of

    Log{($\omega$, <)}, Log{($\omega$, $\le$)}, GL.3, Grz.3.

Then any Kripke complete bimodal logic L in the interval

    $[L_1, L_2] \subseteq L \subseteq L_1 \times L_2$

is $\Pi^1_1$-hard.

We also obtain the following interesting corollary. As the commutator of two recursively
axiomatisable logics is recursively axiomatisable by definition, Theorem 38 yields a
number of Kripke incomplete commutators of Kripke complete and finitely axiomatisable
logics:

COROLLARY 39. Let $L_1$ and $L_2$ be like in Theorem 38. Then the commutator $[L_1, L_2]$
is Kripke incomplete.


Higher dimensional decidable and undecidable products 


Products of more than two modal logics are often undecidable and lack the fmp. Let us 
first discuss some exceptions. 

It is not hard to see that any product $L_1 \times \dots \times L_n$ of Alt and K logics has the finite
depth property, that is, it is determined by some class of frames of finite depth. Indeed,
suppose $\varphi \notin L_1 \times \dots \times L_n$ for some $\mathcal{ML}_n$-formula $\varphi$. Then there are rooted frames $\mathfrak{F}_i$,
i = 1, ..., n, such that $\mathfrak{F}_i \models L_i$ and $\varphi$ is refuted at the root of $\mathfrak{F}_1 \times \dots \times \mathfrak{F}_n$. By a
standard unravelling argument, for each i = 1, ..., n, there is an intransitive tree $\mathfrak{T}_i$ and
a p-morphism $h_i$ from $\mathfrak{T}_i$ onto $\mathfrak{F}_i$. So we always have $\mathfrak{T}_i \models L_i$. Note that if $L_i$ = Alt
then the unravelling $\mathfrak{T}_i$ of $\mathfrak{F}_i$ is just a chain of irreflexive points. It is straightforward to
check that the function h defined by

    $h(x_1, \dots, x_n) = (h_1(x_1), \dots, h_n(x_n))$

is a p-morphism from $\mathfrak{T}_1 \times \dots \times \mathfrak{T}_n$ onto $\mathfrak{F}_1 \times \dots \times \mathfrak{F}_n$ (cf. Proposition 9). Now we prune all
the trees $\mathfrak{T}_i$ down to the modal depth $md(\varphi)$ of $\varphi$. Clearly, the resulting product frame
$\mathfrak{T}_1 \times \dots \times \mathfrak{T}_n$ is of depth $n \cdot md(\varphi)$ and it is a frame for $L_1 \times \dots \times L_n$. A straightforward
induction on the structure of $\varphi$ shows that it refutes $\varphi$ at its root.

As one can prove by a standard filtration argument that if an n-modal logic L has
the finite depth property, then it has the fmp as well, we obtain the following theorem
of Gabbay and Shehtman [24]:


THEOREM 40. Any product of Alt and K logics has the fmp. In particular, $\mathbf{K}^n$ and
$\mathbf{Alt}^n$ have the fmp, for any natural number $n \ge 2$.


As a consequence of this theorem and Theorem 26 we have:

THEOREM 41. $\mathbf{Alt}^n$ is decidable, for any natural number $n \ge 2$.


In fact, it can be shown that $\mathbf{Alt}^n$ has the polynomial product fmp and it is coNP-complete.

On the other hand, the logic $\mathbf{K}^n$ is not so simple. Though it has the fmp, one cannot
use it for a decision algorithm, as $\mathbf{K}^n$ is not only not finitely axiomatisable, but it is
undecidable whether a finite n-frame is a frame for it (cf. Theorem 25). In fact, the
following general result is shown in [42]:


THEOREM 42. Let $n \ge 3$ and let L be any n-modal logic such that $\mathbf{K}^n \subseteq L \subseteq \mathbf{S5}^n$.
Then L is undecidable and lacks the product fmp.


The proof of this theorem (and that of Theorem 25) uses a reduction of a deep result of
Hirsch and Hodkinson [40] saying that representability is undecidable for finite relation
algebras.

Note that, unlike $\mathbf{K}^n$, logics like $\mathbf{K4}^n$ and $\mathbf{S5}^n$ do not even have the fmp (for $\mathbf{K4}^n$
this follows from Theorem 34, and for $\mathbf{S5}^n$ this was shown in [53]). The undecidability of
$\mathbf{S5}^n$ was first shown by Maddux [58] in the algebraic framework of diagonal-free cylindric
algebras. He used a reduction of the word problem of semigroups to prove the following
general result:


THEOREM 43. Any n-modal logic L in the interval

    $[\mathbf{S5}, \mathbf{S5}, \dots, \mathbf{S5}] \subseteq L \subseteq \mathbf{S5}^n$

is undecidable whenever $n \ge 3$.


Another proof via the connection with first-order logic (see Section 3.2) that uses a
reduction of the $\omega \times \omega$ tiling problem can be found in [23] (see also [47] for possible
generalisations).


4 BETWEEN FUSIONS AND PRODUCTS 


A natural idea for reducing the strong interaction between modal operators of product 
logics is to consider logics determined by (not necessarily generated) subframes of product 
frames. Worlds are still tuples, the relations still act coordinate-wise, but not all tuples 
of the Cartesian product are present, and so the commutativity and Church-Rosser 
properties do not necessarily hold. This kind of restriction on the ‘domains’ of modal 
operators is similar to ‘relativisations’ of the quantifiers in first-order logic and algebraic 
logic, where it indeed results in improving the bad algorithmic behaviour, cf. [63, 61]. 

This idea gives rise to the following combinations of logics. First, we choose a class 
of ‘desirable’ subframes of product frames. This can be any class: the class of all such 
subframes, the so-called ‘locally cubic’ frames, frames that ‘expand’ along one of the 
coordinates (see below for precise definitions), a class of frames satisfying some (modal 
or first-order) formulas, etc. Having chosen such a class K, we then take the logic 
determined by those subframes of the appropriate product frames that belong to K. 
Thus, each choice of K defines a new combination operator on logics: 


DEFINITION 44. Let n > 1 be a natural number and $\mathcal{K}$ a class of subframes of n-ary
product frames. Given Kripke complete (uni)modal logics $L_1, \dots, L_n$ formulated in the
language having $\Diamond_i$ (i = 1, ..., n), the $\mathcal{K}$-relativised product $(L_1 \times \dots \times L_n)^{\mathcal{K}}$ of $L_1, \dots, L_n$
is defined by taking

    $(L_1 \times \dots \times L_n)^{\mathcal{K}} = Log\{\mathfrak{G} \in \mathcal{K} \mid \mathfrak{G} \subseteq \mathfrak{F}_1 \times \dots \times \mathfrak{F}_n$ for some $\mathfrak{F}_i \in Fr\,L_i$, $i = 1, \dots, n\}$.


Observe that if we choose $\mathcal{K}$ to be the class of all product frames $\mathfrak{F}_1 \times \dots \times \mathfrak{F}_n$ such
that $\mathfrak{F}_i \in Fr\,L_i$, then the $\mathcal{K}$-relativised product of the $L_i$ is just their usual product.

We discuss here in detail two kinds of ‘relativised product’ operators: arbitrary and 
expanding relativisations. 


Arbitrary relativisations. 


We begin by considering the combination operator determined by the class $SF_n$ of all
subframes of n-ary product frames. $SF_n$-relativised products of logics will be called
arbitrarily relativised products. Since $SF_n$ contains frames that do not satisfy commutativity
and/or Church–Rosser properties,

    $(L_1 \times \dots \times L_n)^{SF_n} \subseteq L_1 \times \dots \times L_n$.

On the other hand, unlike product logics, arbitrarily relativised products do not necessarily
contain the fusion of their components. For example, consider the minimal deontic
logic D, which is known to be determined by the class of serial frames. The formula $\Diamond_2 \top$
clearly belongs to K $\otimes$ D, but is refuted in any finite subframe of, say, $(\omega, <) \times (\omega, <)$,
and so $\Diamond_2 \top \notin (K \times D)^{SF_2}$.

However, for a large class of natural logics, arbitrarily relativised products do contain 
the fusions. A Kripke complete modal logic L is called a subframe logic if the class 
of Kripke frames for L is closed under taking (not necessarily generated) subframes (see 
Chapter 7 of this handbook). Typical examples of subframe logics are modal logics whose 
classes of Kripke frames are definable by universal first-order formulas, such as K, Alt, 
T, K4, S4, S5, K5, K45, S4.3, and K4.3. Note, however, that subframe logics like 
GL, GL.3, Grz are not first-order definable. It is not hard to see the following: 


PROPOSITION 45. If $L_1, \dots, L_n$ are subframe logics, then

    $L_1 \otimes \dots \otimes L_n \subseteq (L_1 \times \dots \times L_n)^{SF_n}$.


As the following result of [54] shows, for many standard subframe logics the converse
inclusion holds as well. Thus in several cases ‘arbitrary relativisation’ can be regarded
as a ‘many-dimensional’ semantical characterisation of fusions of these logics.


THEOREM 46. Let $L_i \in$ {K, T, K4, S4, S5, S4.3}, for i = 1, ..., n. Then

    $(L_1 \times \dots \times L_n)^{SF_n} = L_1 \otimes \dots \otimes L_n$.


The proof is based on the following lemma that can be proved by constructing the
necessary p-morphism in a step-by-step manner, see [54]:

LEMMA 47. Suppose that $L_i \in$ {K, T, K4, S4, S5, S4.3}, i = 1, ..., n, and let $\mathfrak{G}$ =
$(W, S_1, \dots, S_n)$ be a countable rooted n-frame such that $(W, S_i) \models L_i$ for all i = 1, ..., n.
Then $\mathfrak{G}$ is a p-morphic image of a subframe of some product frame for $L_1 \times \dots \times L_n$.


It is not clear how far Theorem 46 can be generalised. It definitely does not hold
for all subframe logics, not even for those of them that are characterised by universally
definable classes of frames. Take, for instance, the logic K5 that is characterised by the
class of Euclidean frames, i.e., frames (W, R) satisfying the universal (Horn) sentence

    $\forall x \forall y \forall u\, (R(u, x) \wedge R(u, y) \to R(x, y))$.

In particular, frames for K5 have the property

    $\forall x \forall u\, (R(u, x) \to R(x, x))$.

Now consider the formula 


p = O1(pA O2(q¢A7p)) A 0102(q4 > 719). 
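It is clearly satisfiable in the following frame for K5 $\otimes$ K:

[Frame diagram: arrows labelled $R_1$ and $R_2$; points labelled p and q.]

On the other hand, it is not hard to see that $\varphi$ is not satisfiable in any subframe of a
product frame for K5 $\times$ K. Therefore,

    K5 $\otimes$ K $\subsetneq$ (K5 $\times$ K)$^{SF_2}$ $\subsetneq$ K5 $\times$ K.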


Other kinds of logics for which Theorem 46 does not hold are those having frames with 
a finite bound on their branching like Alt. The formula 


Y = prif ap A Coq) A a(7p A Qir) A D102(q > =r) 


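is clearly satisfiable in the Alt $\otimes$ Alt-frame

[Frame diagram: arrows labelled $R_1$ and $R_2$; points labelled p, q and r.]

On the other hand, it should be clear that $\psi$ is not satisfiable in any subframe of a frame
for Alt $\times$ Alt. Thus,

    Alt $\otimes$ Alt $\subsetneq$ (Alt $\times$ Alt)$^{SF_2}$ $\subsetneq$ Alt $\times$ Alt.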


Expanding relativisations. 


First-order modal and intuitionistic logics motivate our next combination operator. 
(To keep the notation simple, we concentrate on the n = 2 case only.) 


DEFINITION 48. A 2-frame $\mathfrak{G} = (W, S_1, S_2)$ is called an expanding relativised product
frame if there exist frames $\mathfrak{F}_1 = (U_1, R_1)$ and $\mathfrak{F}_2 = (U_2, R_2)$ such that

• $\mathfrak{G}$ is a subframe of $\mathfrak{F}_1 \times \mathfrak{F}_2$, and

• for all $(w_1, w_2) \in W$ and $u \in U_1$, if $w_1 R_1 u$ then $(u, w_2) \in W$.

Define EX to be the class of all expanding relativised product frames. Given Kripke complete
unimodal logics $L_1$ and $L_2$, the logic $(L_1 \times L_2)^{EX}$ is called the expanding relativised
product of $L_1$ and $L_2$.


Similarly to Proposition 45, if both $L_1$ and $L_2$ are subframe logics then $(L_1 \times L_2)^{EX}$
is a (conservative) extension of both $L_1$ and $L_2$. Moreover, it is easy to see that every
expanding relativised product frame satisfies the left commutativity and Church–Rosser
properties (but not necessarily right commutativity). Now define the e-commutator

    $[L_1, L_2]^{EX}$


of Ly and Lə as the smallest bimodal logic containing Lı, L and the axioms com, 


and chrj 2. Then clearly we have 
    $[L_1, L_2]^{EX} \subseteq (L_1 \times L_2)^{EX}$.


Similarly to Theorem 21, it can be shown that for some cases the e-commutator and the 
expanding relativised product coincide: 


THEOREM 49. Suppose $L_1$ and $L_2$ are Kripke complete unimodal logics such that $L_1$ is
one of K, T, K4, S4, S5 and $L_2$ is Horn axiomatisable. Then

    $(L_1 \times L_2)^{EX} = [L_1, L_2]^{EX}$.


No other general axiomatisation result for expanding relativised products is known. 

As concerns decision problems, it is not hard to see that expanding relativised products
are reducible to products. Indeed, let $\varphi$ be an $\mathcal{ML}_2$-formula and e a propositional variable
which does not occur in $\varphi$. Define by induction on the construction of $\varphi$ an $\mathcal{ML}_2$-formula
$\varphi^e$ as follows:


e 


p p (pa propositional variable), 
(AXE = YPX, (y) = 5, 
(iy)? = Oy’, (024)? = Ole p*). 


By a structural induction on y, one can easily prove the following: 


PROPOSITION 50. For all Kripke complete unimodal logics $L_1$ and $L_2$ and all $\mathcal{ML}_2$-formulas
$\varphi$,


ype (Li x tigi iff (en Smale) smd) (6 — 1e)) — p? E€ Ly x Lz. 


As a consequence of this and the results in Section 3.4, we obtain that expanding 
relativised products are usually decidable if one of their components is an S5- or K-like 
logic. 

On the other hand, as we saw in Section 3.4, products of ‘transitive’ logics with frames 
of arbitrarily large finite or infinite cluster-depth are undecidable. The following result of 
[27] shows that expanding relativised product logics with components having transitive 
frames of arbitrarily large finite cluster-depths can be decidable: 


THEOREM 51. If $L_1, L_2 \in$ {GL, Grz, GL.3, Grz.3} then $(L_1 \times L_2)^{EX}$ is decidable.

Here we discuss the main points of the proof for the case of (GL $\times$ GL)$^{EX}$ only. For
the other cases, as well as for more general results, consult [27].

We remind the reader that Fr GL consists of all the irreflexive, transitive and Noetherian
frames. Recall that the depth $d^{\mathfrak{F}}(x)$ of a point x in an irreflexive tree $\mathfrak{F} = (W, R)$
is defined to be the R-distance of x from the root. More precisely, the depth of the root
is 0, and the depth of immediate R-successors of a point of depth n is n + 1. If for no
$n < \omega$ the point x is of depth n, then we say that x is of infinite depth.

The first important step in the proof is to show that (GL $\times$ GL)$^{EX}$ has the ‘expanding’
version of the product fmp:


LEMMA 52. Given some $\mathcal{ML}_2$-formula $\varphi$, if $\varphi$ is satisfiable in a frame for (GL $\times$ GL)$^{EX}$
then $\varphi$ is satisfiable in an expanding relativised product frame $\mathfrak{H}$ that is a subframe of a
product of two finite trees $\mathfrak{G}_1$ and $\mathfrak{G}_2$. Moreover, $\mathfrak{G}_1 = (U_1, S_1)$ can be chosen such that,
for every $x \in U_1$,

• $|\{y \mid (x, y) \text{ in } \mathfrak{H}\}| \le (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{G}_1}(x)+1}$, and

• x has at most $|sub\,\varphi| \cdot (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{G}_1}(x)+1}$ immediate $S_1$-successors.


Proof. By a standard unravelling argument one can show that every rooted frame
for GL is a p-morphic image of a Noetherian tree-like frame. Moreover, similarly to
Proposition 9, one can show that (GL $\times$ GL)$^{EX}$ is determined by expanding relativised
product frames that are subframes of products of two Noetherian tree-like frames. So we
may assume that our formula $\varphi$ is satisfied at the root $(r_1, r_2)$ of some model $\mathfrak{M} = (\mathfrak{F}, \mathfrak{V})$
that is based on an expanding relativised subframe $\mathfrak{F} = (W, R_1', R_2')$ of the product of
two (possibly infinite) Noetherian tree-like frames $\mathfrak{F}_1 = (W_1, R_1)$ and $\mathfrak{F}_2 = (W_2, R_2)$.

For i = 1, 2, call a point x in $W_i$ $R_i$-maximal in a set $X \subseteq W_i$, if $x \in X$ and there
is no $x' \in X$ with $x R_i x'$. Now we take the closure U of the set $\{(r_1, r_2)\}$ under the
following three rules:

• $\Diamond_1$-rule: if $(x, y) \in U$, $(\mathfrak{M}, (x, y)) \models \Diamond_1 \psi$, for some $\Diamond_1 \psi \in sub\,\varphi$, and there is no
$(x', y) \in U$ such that $x R_1 x'$ and $(\mathfrak{M}, (x', y)) \models \psi$, then choose a point $x' \in W_1$ that
is $R_1$-maximal in the set $\{z \mid x R_1 z, (z, y) \in W$ and $(\mathfrak{M}, (z, y)) \models \psi\}$ (such a point
exists because $\mathfrak{F}_1$ is Noetherian), and set $U := U \cup \{(x', y)\}$.

• $\Diamond_2$-rule: if $(x, y) \in U$, $(\mathfrak{M}, (x, y)) \models \Diamond_2 \psi$, for some $\Diamond_2 \psi \in sub\,\varphi$, and there is no
$(x, y') \in U$ such that $y R_2 y'$ and $(\mathfrak{M}, (x, y')) \models \psi$, then choose a point $y' \in W_2$ that
is $R_2$-maximal in the set $\{z \mid y R_2 z, (x, z) \in W$ and $(\mathfrak{M}, (x, z)) \models \psi\}$ (such a point
exists because $\mathfrak{F}_2$ is Noetherian), and set $U := U \cup \{(x, y')\}$.

• Square-rule: if $(x, y) \in U$, $x R_1 x'$ and $(x', y') \in U$, then set $U := U \cup \{(x', y)\}$.

Now let $S_i' = R_i' \cap (U \times U)$ (i = 1, 2) and $\mathfrak{H} = (U, S_1', S_2')$. Take also $\mathfrak{G}_1 = (U_1, S_1)$ and
$\mathfrak{G}_2 = (U_2, S_2)$, where $U_1 = \{x \in W_1 \mid (x, r_2) \in U\}$, $U_2 = \{y \in W_2 \mid \exists x \in U_1\, (x, y) \in U\}$,
and $S_i = R_i \cap (U_i \times U_i)$ (i = 1, 2). Then clearly, $\mathfrak{H}$ is an expanding relativised subframe
of the product of Noetherian tree-like frames $\mathfrak{G}_1$ and $\mathfrak{G}_2$.

We show that $\mathfrak{G}_1$ and $\mathfrak{G}_2$ are in fact finite trees with the required bounds. First, we
claim that

    if x is of finite depth in $\mathfrak{G}_1$, then $|\{y \mid (x, y) \in U\}| \le (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{G}_1}(x)+1}$.    (24)

Indeed, we can proceed by induction on the depth n of x. If n = 0, then by applying the $\Diamond_2$-rule
to the root $(r_1, r_2)$ of $\mathfrak{H}$, we can obtain $\le |sub\,\varphi|$ immediate $S_2'$-successors of the form
$(r_1, y)$. In view of maximality, at each of these points the number of formulas of the form
$\Diamond_2 \psi \in sub\,\varphi$ to which the $\Diamond_2$-rule still applies is $\le |sub\,\varphi| - 1$. We proceed with the
same kind of argument and finally get

    $|\{y \mid (x, y) \in U\}| \le 1 + |sub\,\varphi| + |sub\,\varphi| \cdot (|sub\,\varphi| - 1) + \dots + |sub\,\varphi|! \le (|sub\,\varphi| + 1)!$.

The induction step for x of depth n + 1 is considered analogously. The only difference is
that instead of one ‘starting’ point we should start applying the $\Diamond_2$-rule to all points of
the form (x, y) such that $(z, y) \in U$ for the unique point z with d(z) = n and $z S_1 x$, that
is to $|\{y \mid (z, y) \in U\}| \le (|sub\,\varphi| + 1)!^{\,n+1}$ many points.

Next, we claim that every point x of finite depth in $\mathfrak{G}_1$ has $\le |sub\,\varphi| \cdot (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{G}_1}(x)+1}$
immediate $S_1$-successors. Indeed, it follows from (24) and the fact that the $\Diamond_1$-rule can
be applied at most $|sub\,\varphi|$ times to a point (x, y).

Finally, we claim that every point in $\mathfrak{G}_1$ is of finite depth, that is, $\mathfrak{G}_1$ is a tree. Indeed,
since $\mathfrak{G}_1$ is Noetherian, we cannot have infinite ascending chains of distinct points in it.
Suppose $\mathfrak{G}_1$ still contains a point x of infinite depth. This means that there is an infinite
descending chain $\dots S_1 x_2 S_1 x_1 S_1 x$. Let z be an $S_1$-maximal point of finite depth such
that $z S_1 x$. By (24), $|\{y \mid (z, y) \in U\}|$ is finite. Therefore, we may apply the $\Diamond_1$-rule
to points of the form (z, y) finitely many times only, and so there exists an immediate
$S_1$-successor z' of z located properly between z and x. But then d(z') = d(z) + 1, and so
the depth of z' is finite, which is a contradiction.

Therefore, $\mathfrak{G}_1$ is a Noetherian tree with finite branching. Therefore, by König’s lemma,
it must be finite. So $\mathfrak{G}_2$ is finite as well. This completes the proof of Lemma 52. ❑


We are now in a position to prove that (GL $\times$ GL)$^{EX}$ is decidable. It is to be noted
that the ‘expanding product fmp’ does not give decidability automatically because (i)
Lemma 52 does not provide us with an effective upper bound for the size of a model
refuting a given formula, nor (ii) do we know that (GL $\times$ GL)$^{EX}$ is finitely axiomatisable.

Instead, we will use a version of Kruskal’s tree theorem [50]. Given a finite set $\Sigma$, a
labelled $\Sigma$-tree is a pair $\mathfrak{T} = ((T, <), l)$, where (T, <) is a (transitive, irreflexive) tree and
l is a function from T to $\Sigma$. Given two finite labelled $\Sigma$-trees $\mathfrak{T}_i = ((T_i, <_i), l_i)$, i = 1, 2,
we say that $\mathfrak{T}_1$ is embeddable into $\mathfrak{T}_2$ if there exists an injective map $\iota: T_1 \to T_2$ such
that, for all $u, v \in T_1$,

• $u <_1 v$ iff $\iota(u) <_2 \iota(v)$,

• $l_2(\iota(u)) = l_1(u)$.

Now Kruskal’s tree theorem says that for every infinite sequence $\mathfrak{T}_1, \mathfrak{T}_2, \dots$ of finite
labelled $\Sigma$-trees, there exist $i < j < \omega$ such that $\mathfrak{T}_i$ is embeddable into $\mathfrak{T}_j$.

In order to use this theorem, we again turn our models to quasimodels. The quasimodels
used here are similar to the L $\times$ K-quasimodels of Section 3.4, but they do differ from
them in two important aspects: (i) quasistates are now not intransitive, but transitive
and irreflexive trees; (ii) runs are not total, but only partial functions over the underlying
frame.

To be precise, given an $\mathcal{ML}_2$-formula $\varphi$, a quasistate for $\varphi$ is a finite labelled (transitive,
irreflexive) tree ((T, <), t) where the label t(x) of each $x \in T$ is a type for $\varphi$, and
((T, <), t) satisfies the $\Diamond_2$-saturation condition (qm1) of Section 3.4.
A basic structure for $\varphi$ is a pair $(\mathfrak{F}, q)$ such that $\mathfrak{F} = (W, R)$ is a finite (transitive,
irreflexive) tree and q a function associating with each $w \in W$ a quasistate q(w) =
$((T_w, <_w), t_w)$ for $\varphi$. We call such a basic structure small if, for all $x, y \in W$,

(sm1) $|T_x| \le (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{F}}(x)+1}$,
(sm2) x has at most $|sub\,\varphi| \cdot (|sub\,\varphi| + 1)!^{\,d^{\mathfrak{F}}(x)+1}$ immediate R-successors in $\mathfrak{F}$, and
(sm3) if xRy and $x \ne y$ then q(x) is not embeddable into q(y).


For every $n < \omega$, let $\mathcal{Q}_n$ be the set of all small basic structures $(\mathfrak{F}, q)$ such that $\mathfrak{F}$ is a
finite (transitive, irreflexive) tree of depth n.


LEMMA 53. There is an $n < \omega$ such that $\mathcal{Q}_n = \emptyset$, and so the set of small basic structures
for $\varphi$ is finite and can be constructed effectively from $\varphi$.


Proof. Suppose otherwise. Define a relation E on the set $\mathcal{Q}$ of all small basic structures
as follows. For $Q = (\mathfrak{F}, q)$, $Q' = (\mathfrak{F}', q')$ in $\mathcal{Q}$, set $Q E Q'$ iff $\mathfrak{F}$ is an ‘initial subtree’ of
$\mathfrak{F}'$ and q coincides with q' on the points of $\mathfrak{F}$. Clearly, for every $Q' \in \mathcal{Q}_{n+1}$, there is
some $Q \in \mathcal{Q}_n$ such that $Q E Q'$. Therefore, by König’s infinity lemma, there is an infinite
E-chain $Q_0 E Q_1 E \dots E Q_n E \dots$ in $\mathcal{Q}$ such that $Q_n \in \mathcal{Q}_n$ for $n < \omega$. Since $Q_{n+1}$ is always
an extension of $Q_n$, their union $Q = \bigcup_{n<\omega} Q_n$ is also a basic structure. Let $Q = (\mathfrak{F}, q)$
and $\mathfrak{F} = (W, R)$. Then $\mathfrak{F}$ is an infinite tree with finite branching. By König’s lemma,
it must have an infinite branch $x_0 R x_1 R \dots$. Then, by Kruskal’s theorem, there exist
$i < j < \omega$ such that $q(x_i)$ is embeddable into $q(x_j)$. But $x_i$ and $x_j$ already belonged to
the underlying tree of $Q_j$, contrary to $Q_j$ being in $\mathcal{Q}_j$. ❑


A run through a basic structure $(\mathfrak{F}, q)$ is a partial function r from W giving for each
$w \in dom\,r$ a point $r(w) \in T_w$ such that, for all $x \in W$, if $x \in dom\,r$ and xRy then
$y \in dom\,r$. Coherent and saturated runs are defined as in Section 3.4. Finally, we call a
triple $(\mathfrak{F}, q, \mathfrak{R})$ a (GL $\times$ GL)$^{EX}$-quasimodel (for $\varphi$) if $(\mathfrak{F}, q)$ is a basic structure and $\mathfrak{R}$ is
a set of coherent and saturated runs through it, satisfying the following conditions (cf.
(qm2)–(qm4) of Section 3.4):

(eqm2) $\varphi \in t_{w_0}(x_0)$, where $w_0$ and $x_0$ are the roots of $\mathfrak{F}$ and $(T_{w_0}, <_{w_0})$, respectively;

(eqm3) for all $r, r' \in \mathfrak{R}$ and for all $x, y \in dom\,r \cap dom\,r'$, $r(x) <_x r'(x)$ iff $r(y) <_y r'(y)$;

(eqm4) for all $x \in W$ and $w \in T_x$ there is $r \in \mathfrak{R}$ such that r(x) = w.

We call a quasimodel small if the underlying basic structure is small.


LEMMA 54. $\varphi$ is satisfiable in a frame for (GL $\times$ GL)$^{EX}$ iff there is a small (GL $\times$ GL)$^{EX}$-quasimodel
for $\varphi$.


Proof. Turning a quasimodel to a ‘real’ model is easy, so let us concentrate on the
opposite direction. We may assume that $\varphi$ is satisfied in a model $\mathfrak{M} = (\mathfrak{H}, \mathfrak{V})$ based on
an expanding relativised subframe $\mathfrak{H}$ of a product $\mathfrak{G}_1 \times \mathfrak{G}_2$ satisfying the conditions of
Lemma 52. We can turn $\mathfrak{M}$ to a (GL $\times$ GL)$^{EX}$-quasimodel $(\mathfrak{G}_1, q, \mathfrak{R})$ as follows. Suppose
that $\mathfrak{G}_i = (U_i, S_i)$, for i = 1, 2. For every $x \in U_1$, let $q(x) = ((T_x, <_x), t_x)$, where

    $T_x = \{y \in U_2 \mid (x, y) \text{ in } \mathfrak{H}\}$,   $<_x = S_2 \cap (T_x \times T_x)$,
    $t_x(y) = \{\psi \in sub\,\varphi \mid (\mathfrak{M}, (x, y)) \models \psi\}$.

Finally, for every $y \in U_2$ define a run $r_y$ through $(\mathfrak{G}_1, q)$ by taking

    $dom\,r_y = \{x \in U_1 \mid (x, y) \text{ in } \mathfrak{H}\}$

and then $r_y(x) = y$, for every $x \in dom\,r_y$. Put $\mathfrak{R} = \{r_y \mid y \in U_2\}$. It is straightforward
to check that $(\mathfrak{G}_1, q, \mathfrak{R})$ is indeed a (GL $\times$ GL)$^{EX}$-quasimodel for $\varphi$. Moreover, by the
assumption on $\mathfrak{M}$, the basic structure $(\mathfrak{G}_1, q)$ is finite. To show that we can turn it to
a basic structure satisfying (sm3), suppose that there are $x, y \in U_1$ such that $x S_1 y$ and
q(x) is embeddable into q(y) by an embedding $\iota$. Then we replace in $\mathfrak{G}_1$ the subtree
generated by x with the subtree generated by y, thus obtaining some tree $\mathfrak{G}' = (U', S')$.
Let q' be the restriction of q to U'. We define new runs through $(\mathfrak{G}', q')$ by taking, for all
$r, r' \in \mathfrak{R}$ such that $x \in dom\,r$, $y \in dom\,r'$, $\iota(r(x)) = r'(y)$, and for all $z \in U'$, $z \in dom\,r$,


, = r(z), if zS\a, 
CGO a OO o S 


Let $\mathfrak{R}'$ be the collection of these new runs together with those runs from $\mathfrak{R}$ that ‘start at’
a point z with $y S_1 z$. It is straightforward to check that $(\mathfrak{G}', q', \mathfrak{R}')$ is a (GL $\times$ GL)$^{EX}$-quasimodel
for $\varphi$. Since $\mathfrak{G}_1$ is finite, after finitely many repetitions of this procedure the
underlying basic structure will satisfy (sm3). To comply with the cardinality conditions
(sm1) and (sm2), we can use the construction from the proof of Lemma 52. Then,
again we can get rid of the embeddable pairs as above, and so on. As at each step the
underlying tree can get only smaller, we end up with a small (GL $\times$ GL)$^{EX}$-quasimodel
for $\varphi$. ❑


Now we can describe the decision algorithm for $(GL \times GL)^{EX}$ as follows. Given a 
formula $\varphi$, by Lemma 53, we can effectively construct the set of all small basic structures 
for $\varphi$. Then for each such small basic structure, we check whether it is a $(GL \times GL)^{EX}$-
quasimodel for $\varphi$. By Lemma 54, this way we find a quasimodel for $\varphi$ iff $\varphi$ is satisfiable 
in a frame for $(GL \times GL)^{EX}$. 

Observe that this decision procedure does not give an even primitive recursive com- 
plexity bound. In fact, using a reduction of the reachability problem for lossy channel 
systems (known to be non-primitive recursive by Schnoebelen [73]), it is shown in [27] 
that there is no primitive recursive decision algorithm for $(GL \times GL)^{EX}$. 

Other expanding relativised products can even be more complex. The results in [46] 
suggest that logics like $(\mathrm{Log}\{\langle\mathbb{N}, <\rangle\} \times \mathrm{Log}\{\langle\mathbb{N}, <\rangle\})^{EX}$ or $(\mathrm{Log}\{\langle\mathbb{N}, <\rangle\} \times S4)^{EX}$ are 
undecidable. However, nothing is known about the decision problem of products ‘expanding 
along’ branching transitive frames with infinite ascending chains, such as $(K4 \times K4)^{EX}$ 
or $(S4 \times S4.3)^{EX}$. Note that these logics do not have the ‘expanding product fmp’. 

Another open direction of research is to study the decision problem for the finitely 
axiomatisable logics obtained by adding either only one of the commutativity axioms or 
the Church—Rosser axioms to decidable fusions. 


5 OTHER COMBINATIONS 


Of course, even within the constraints of the combination principles (C1)—(C3) for- 
mulated in the introduction, there are infinitely many ways of combining modal logics. 
Though much research has been done on multimodal logics, very little of it can be 
regarded as systematic investigation into properties of some combination method. 
Moreover, the ‘global analysis’—as explained in Chapter 7 of this handbook for the unimodal 
case—of multimodal logics is still in its infancy. (In fact, most of the investigations into 
fusions and products can be considered as the first detailed case studies.) The translation 
of [49] of multimodal logics into unimodal ones is not helpful either in the combination 
context, as it makes the information about the ‘components’ virtually disappear. 

Releasing (parts of) the criteria (C2) and (C3) allows us to treat more ‘multi-aspect’ 
approaches to modal logic as combinations. The possibilities are again endless; below 
we discuss a rather ad hoc list of examples. Many more ideas that are relevant to 
combining modal logics can be found in the ‘combining systems’ literature, see e.g. the 
series ‘Frontiers of Combining Systems (FroCoS)’ [8, 14, 45, 2]. 


Interaction operators. Interaction between the components can be handled not only 
by adding interaction axioms, but also by enriching the language with ‘dimension- 
connecting’ connectives. 

Perhaps the simplest and most natural operations of this sort are the diagonal 
constants $d_{ij}$. Given two natural numbers $i$ and $j$ with $1 \le i, j \le n$, the truth-relation for 
the constant $d_{ij}$ in models over (subframes of) $n$-ary product frames is defined as follows: 


$(\mathfrak{M}, (u_1,\dots,u_n)) \models d_{ij}$ iff $u_i = u_j$. 


The set of $n$-tuples satisfying $d_{ij}$ is usually called the $(i, j)$-diagonal element. The main 
reason for introducing such constants has been to give a ‘modal treatment’ of equality 
of classical first-order logic, see Section 3.2 above. Modal algebras for the product logic 
$S5^n$ extended with diagonal elements are called representable cylindric algebras and are 
extensively studied in the algebraic logic literature; see e.g. [39, 41] and the references 
therein. 

Another natural way of connecting dimensions is via so-called ‘jump’ modalities. Given 
a function $m : \{1,\dots,n\} \to \{1,\dots,n\}$ (such a map can be called a jump), define the 
truth-relation for the unary modal operator $s_m$ in models over (subframes of) product 
frames as follows: 


$(\mathfrak{M}, (u_1,\dots,u_n)) \models s_m\varphi$ iff $(\mathfrak{M}, (u_{m(1)},\dots,u_{m(n)})) \models \varphi$. 


These modal operators are often called (generalised) substitutions, since by taking 
Pei tok trm) SSP Ei bn) (P an atomic formula) 


one can extend the translation ° of Section 3.2 above from formulas with a fixed order of 
the variables to arbitrary first-order formulas. Note that in cubic universal product $S5^n$-frames 
certain substitutions are expressible with the help of the boxes and the diagonal 
constants [39]. Various versions of modal algebras corresponding to products of S5 logics 
with substitutions and with or without diagonal constants (e.g., polyadic and substitution 
algebras) are introduced by Halmos [33, 34] and Pinter [64, 65] and have been studied in 
the algebraic logic literature ever since. 


Valuation restrictions. One may try to loosen the strong interaction between the 
components of product logics by imposing restrictions on possible valuations in models 
over (subframes of) product frames. In general, the resulting formalisms will not be 
closed under the rule of Substitution, and so do not satisfy (C2). 
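DEFINITION 55. Let $\mathfrak{M}_1 = \langle\mathfrak{F}_1, \mathfrak{V}_1\rangle$ and $\mathfrak{M}_2 = \langle\mathfrak{F}_2, \mathfrak{V}_2\rangle$ be Kripke models that are 
based on respective frames $\mathfrak{F}_1 = \langle W_1, R_1\rangle$ and $\mathfrak{F}_2 = \langle W_2, R_2\rangle$, and let $\Phi(x_1, x_2)$ be a 
formula in the first-order language $\mathcal{L}$ having two unary predicate symbols $V_1$, $V_2$ and two 
binary predicate symbols. Then a model 


$\mathfrak{M}^\Phi = \langle\mathfrak{F}_1 \times \mathfrak{F}_2, \mathfrak{V}^\Phi\rangle$ 


is said to be a $\Phi$-flat product of $\mathfrak{M}_1$ and $\mathfrak{M}_2$ if, for all propositional variables $p$ and all 
$u_1 \in W_1$, $u_2 \in W_2$, 

$(u_1, u_2) \in \mathfrak{V}^\Phi(p)$ iff $I_p \models \Phi[u_1, u_2]$, 


where $I_p$ is the first-order $\mathcal{L}$-structure $I_p = \langle W_1 \cup W_2, \mathfrak{V}_1(p), \mathfrak{V}_2(p), R_1, R_2\rangle$. The 
valuations in flat-product models are called flat valuations. 

If $\Phi$ is a Boolean combination of $V_1(x_1)$ and $V_2(x_2)$ then we say that $\mathfrak{M}^\Phi$ is a Boolean-
flat model. 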


Boolean-flat models are introduced and studied in [21, 37]. Various special cases of flat 
valuations are discussed for many-dimensional temporal logics in [21, 22] and for temporal 
arrow logics in [61]. Satisfiability in Boolean-flat models can be reduced to satisfiability in 
the component models, as the following ‘flat product decomposition theorem’ of Gabbay 
and Shehtman [25, 23] shows: 


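THEOREM 56. Let $\mathfrak{M}^\Phi$ be a Boolean-flat product of models $\mathfrak{M}_1$ and $\mathfrak{M}_2$. Then for 
every $\mathcal{ML}_2$-formula $\varphi$, there are a finite set $I_\varphi$ and unimodal formulas $\varphi^1_i$ (with $\Box_1$) and 
$\varphi^2_i$ (with $\Box_2$), $i \in I_\varphi$, such that, for all worlds $(u_1, u_2)$ in $\mathfrak{M}^\Phi$, 


$(\mathfrak{M}^\Phi, (u_1, u_2)) \models \varphi$ iff $\exists i \in I_\varphi\,\bigl((\mathfrak{M}_1, u_1) \models \varphi^1_i$ and $(\mathfrak{M}_2, u_2) \models \varphi^2_i\bigr)$. 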


Modalising one logic with another. Another possibility is to take some combination 
method satisfying (C1)—(C3) and then consider a fragment of the full modal language 
only. The general methodology of ‘temporalising’ a logic, introduced by Finger and 
Gabbay [17], results in such a combination when applied to two modal logics: 
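DEFINITION 57. The set of modalised formulas is the smallest set $\Gamma$ of $\mathcal{ML}_2$-formulas 
such that: 


• if $\varphi$ is an $\mathcal{ML}_1$-formula then $\varphi \in \Gamma$, 


• $\Gamma$ is closed under Boolean combinations, 


• if $\varphi \in \Gamma$ then $\Diamond_2\varphi \in \Gamma$ and $\Box_2\varphi \in \Gamma$. 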


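We will evaluate modalised formulas in modalised models. These are structures of the 
form $\mathfrak{M} = \langle\mathfrak{F}, f\rangle$, where $\mathfrak{F} = \langle W, R\rangle$ is a frame and $f$ is a function mapping each $w \in W$ to 
a pair $f(w) = \langle\mathfrak{M}_w, x_w\rangle$ with $\mathfrak{M}_w$ being a Kripke model and $x_w$ a world in it. The 
truth-relation ‘$\mathfrak{M}, w \models \varphi$’ for modalised formulas $\varphi$ and worlds $w$ in $\mathfrak{F}$ is defined inductively 
as follows: 


• $\mathfrak{M}, w \models \psi$ iff $(\mathfrak{M}_w, x_w) \models \psi$, whenever $\psi$ is an $\mathcal{ML}_1$-formula, 


• $\mathfrak{M}, w \models \neg\psi$ iff $\mathfrak{M}, w \not\models \psi$, 


• $\mathfrak{M}, w \models \psi \wedge \chi$ iff $\mathfrak{M}, w \models \psi$ and $\mathfrak{M}, w \models \chi$, 

• $\mathfrak{M}, w \models \Diamond_2\psi$ iff there is $v \in W$ such that $wRv$ and $\mathfrak{M}, v \models \psi$. 


We say that $\varphi$ is true in $\mathfrak{M}$ if $\mathfrak{M}, w \models \varphi$ for all $w \in W$. 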

Now let $L_1$ and $L_2$ be two Kripke complete unimodal logics formulated in the language 
$\mathcal{ML}$, in such a way that they have different modal operators (say, $\Diamond_1, \Box_1$ and $\Diamond_2, \Box_2$, 
respectively). The modalisation of $L_1$ with $L_2$ is the set $L_2[L_1]$ of modalised formulas 
that are true in all modalised models $\mathfrak{M} = \langle\mathfrak{F}, f\rangle$ where 


• $\mathfrak{F}$ is a frame for $L_2$, and 


• for all $w$ in $\mathfrak{F}$, the underlying frame of $\mathfrak{M}_w$ is a frame for $L_1$. 


It is not hard to see that $L_2[L_1]$ is a decidable subset of all $\mathcal{ML}_2$-formulas, whenever 
$L_1$ and $L_2$ are both decidable. In fact, this is a consequence of Theorem 5, as $L_2[L_1]$ is 
a fragment of the fusion of $L_1$ and $L_2$ in the sense that $L_2[L_1]$ is the set of all modalised 
formulas in $L_1 \otimes L_2$ (cf. the proof of Theorem 3). 


$\mathcal{E}$-connections. This combination method is introduced by Kutz et al. [56, 55] in the 
more general setting of ‘abstract description systems.’ When applied to modal logics, 
this method takes disjoint Kripke models for each component and connects their domains 
via ‘link relations.’ These ‘connections’ then also appear explicitly in the language. 


DEFINITION 58. Suppose that we have $n$ ‘copies’ of the unimodal language $\mathcal{ML}$, in 
such a way that their sets of propositional variables are disjoint (say, $p^i_0, p^i_1, \dots$ for the 
$i$th copy) and their modal operators are disjoint as well (say, $\Box_i$ and $\Diamond_i$ for the $i$th 
copy). Let $J$ be a non-empty set and take an $(n-1)$-ary new connective $\langle E_j\rangle^i$, for each 
$j \in J$, $i = 1,\dots,n$. Then the $n$-ary $\mathcal{E}$-connection language $\mathcal{EL}^J$ is defined as follows. 
$\mathcal{EL}^J$-formulas are partitioned into $n$ sets, each one containing the so-called $i$-formulas for 
some $i = 1,\dots,n$. For all $i = 1,\dots,n$, the sets of $i$-formulas are defined by simultaneous 
induction: 


• the propositional variables $p^i_0, p^i_1, \dots$ are $i$-formulas, 


• the set of $i$-formulas is closed under the Boolean connectives and the modal 
operators $\Box_i$ and $\Diamond_i$, 


• if $\varphi_k$ is a $k$-formula, for each $k = 1,\dots,i-1,i+1,\dots,n$, then 


$\langle E_j\rangle^i(\varphi_1,\dots,\varphi_{i-1},\varphi_{i+1},\dots,\varphi_n)$ 
is an $i$-formula, for every $j \in J$. 


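$\mathcal{EL}^J$-formulas are evaluated in $\mathcal{EL}^J$-models. These are structures of the form 


$\mathfrak{M} = \langle\mathfrak{M}_1,\dots,\mathfrak{M}_n, (E^{\mathfrak{M}}_j)_{j \in J}\rangle$ 

where the $\mathfrak{M}_i = \langle\langle W_i, R_i\rangle, \mathfrak{V}_i\rangle$ are (unimodal) Kripke models and $E^{\mathfrak{M}}_j \subseteq W_1 \times \dots \times W_n$, 
for each $j \in J$. The truth-relation ‘$\mathfrak{M}, w \models \varphi$’ for $i$-formulas $\varphi$ and worlds $w$ in $W_i$ is 
defined inductively as follows, simultaneously for $i = 1,\dots,n$: 


• $\mathfrak{M}, w \models p^i_\ell$ iff $w \in \mathfrak{V}_i(p^i_\ell)$, 


• $\mathfrak{M}, w \models \neg\psi$ iff $\mathfrak{M}, w \not\models \psi$, 

• $\mathfrak{M}, w \models \psi \wedge \chi$ iff $\mathfrak{M}, w \models \psi$ and $\mathfrak{M}, w \models \chi$, 


• $\mathfrak{M}, w \models \Diamond_i\psi$ iff there is $v \in W_i$ such that $wR_iv$ and $\mathfrak{M}, v \models \psi$, 


• $\mathfrak{M}, w \models \langle E_j\rangle^i(\psi_1,\dots,\psi_{i-1},\psi_{i+1},\dots,\psi_n)$ iff for all $k = 1,\dots,i-1,i+1,\dots,n$ 
there are $v_k \in W_k$ such that $\mathfrak{M}, v_k \models \psi_k$ and $(v_1,\dots,v_{i-1}, w, v_{i+1},\dots,v_n) \in E^{\mathfrak{M}}_j$. 


We say that an $i$-formula $\varphi$ is true in $\mathfrak{M}$ if $\mathfrak{M}, w \models \varphi$ for all $w \in W_i$. 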
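Now let $L_1,\dots,L_n$ be unimodal logics formulated in $n$ ‘almost disjoint’ copies of $\mathcal{ML}$, 
as described above, and let $J$ be a non-empty set. The basic $\mathcal{E}$-connection 


$\mathcal{EC}^J(L_1,\dots,L_n)$ 


of $L_1,\dots,L_n$ is the set of all $\mathcal{EL}^J$-formulas that are true in all $\mathcal{EL}^J$-models 
$\mathfrak{M} = \langle\mathfrak{M}_1,\dots,\mathfrak{M}_n, (E^{\mathfrak{M}}_j)_{j \in J}\rangle$ where $\mathfrak{M}_i$ is a model for $L_i$, for $i = 1,\dots,n$. 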


The following theorem on the transfer of decidability is proved in [55] in the more 
general setting of ‘abstract description systems’: 


THEOREM 59. If $L_1,\dots,L_n$ are all decidable unimodal modal logics, then the basic 
$\mathcal{E}$-connection $\mathcal{EC}^J(L_1,\dots,L_n)$ is decidable. 


Intuitively, the decision procedure for, say, $\mathcal{EC}^J(L_1, L_2)$ works as follows. As usual, 
we can consider satisfiability instead of validity. To check whether there exists a model 
$\mathfrak{M} = \langle\mathfrak{M}_1, \mathfrak{M}_2, E^{\mathfrak{M}}\rangle$ and a world $w$ in $\mathfrak{M}_i$ such that $\mathfrak{M}, w \models \varphi$ for a given $i$-formula $\varphi$, 
the algorithm non-deterministically ‘guesses’ 


• the 1-types that are realised in $\mathfrak{M}_1$ and the 2-types that are realised in $\mathfrak{M}_2$ (where 
a $k$-type is a set of $k$-formulas that are true at a world of $\mathfrak{M}_k$), and 


• a binary relation $e$ between the guessed sets of 1-types and 2-types. 


Then it checks whether the guessed sets satisfy a collection of ‘integrity conditions.’ 
This check involves satisfiability tests of certain sets of $k$-formulas constructed from $\varphi$, 
for $k = 1, 2$; here we exploit that $L_1$ and $L_2$ are decidable. If the integrity conditions 
are satisfied, then it is possible to construct a model satisfying $\varphi$ using models of the 
constructed sets of $k$-formulas. If the integrity conditions are not satisfied then $\varphi$ is not 
satisfiable. This algorithm also provides an upper bound for the satisfiability problem 
for $\mathcal{EC}^J(L_1,\dots,L_n)$: the time complexity is non-deterministic and one exponent higher 
than the maximal time complexity of the component procedures. 

1 INTRODUCTION 


Formal modal logic is mostly mathematical in its methods, regardless of area of appli- 
cation. This Handbook presents a wide variety of mathematical techniques developed 
over decades of studying the intricate details of modal logic. Also included among rela- 
tively recent general purpose sources on the mathematics of modal logic are monographs 
[57, 75, 99, 114, 153] and a survey paper [115]. For that matter, the applications of 
mathematics in modal logic are overwhelming, while those in the dual category, the uses 
of modal logic in mathematics, are less numerous. 

Mathematics normally finds a proper language and level of abstraction for the study 
of its objects. Propositional modal logic offers a new paradigm of applying logical 
methods: instead of using the traditional languages with quantification (first-order or 
higher-order) to describe a structure, look for an appropriate quantifier-free language 
with additional logic operators (modalities) that represent the phenomenon at hand. In 
a number of prominent cases, we end up with a logic-based language which is much richer 
than Boolean logic, and yet, unlike universal languages with quantification, does not fall 
under the scope of classical undecidability limitations. Modal logic often offers better 
decidability and complexity results than the rival first-order logic. 

We adopt a strict approach as to what constitutes an application of modal logic in 
mathematics, i.e., we limit our attention to mathematical objects which existed indepen- 
dently of modal logic, rather than those developed for the needs of modal logic itself. 
This requirement is not by any means sufficient; after all, any class of binary relations 
in mathematics specifies some propositional modal logic which, however, does not auto- 
matically make these connections worthy of study. We consider only the cases in which a 
mathematical modality-like notion was developed and studied by mathematicians to the 
extent that the modal logical language and methods became pertinent. Neither is this 
requirement necessary; for example, elaborate algebraic models originally developed for 
the needs of logic (e.g., modal logic) are now deeply embedded into the corresponding 
field of mathematics and may well be regarded as a contribution of modal logic to math- 
ematics. Fortunately, algebraic models for modal logic have been covered in Chapter 6 of 
this Handbook. Moreover, the present author has not been quite pedantic in carrying out 
even this imperfect approach; such important issues as topos models and the connection 
between modal logic and Grothendieck topology on categories were barely mentioned in 
this survey. Some of these topics were considered in Chapter 9 of this Handbook. 

There are two major ideas that dominate the landscape of modal logic application in 
mathematics: Gödel’s provability semantics and Tarski’s topological semantics. 

Gödel’s use of modal logic to describe provability in the 1930s gave the first exact 
semantics of modality. This approach led to a comprehensive provability semantics for 
a broad class of modal logics, including the major ones: K, T, K4, S4, S5, GL, Grz, and 
others. It also proved vital for such applications as the Brouwer-Heyting-Kolmogorov 
(intended) provability semantics for intuitionistic logic, for introducing justification into 
formal epistemology and tackling its logical omniscience problem, for introducing self- 
reference into combinatory logic and lambda-calculi, etc. 

Another major use of modal logic in mathematics is the topological semantics sug- 
gested by Tarski and developed by Tarski and McKinsey in the 1940s. Here modal logic 
provides a natural high-level language for describing topology in a point-free manner. In 
addition to its natural mathematical appeal, this approach has evolved into an active 
research area with applications in dynamic systems, control systems, spatio-temporal 
reasoning, etc. 

There has also been significant research activity in applying modal logic to set theory, 
which can be traced back to Solovay’s work of the 1970s. We devote Section 7 to this 
issue. 

The reader might perceive a certain bias towards provability logic in this survey. A 
possible explanation is that Gödel’s provability semantics of modal logic is the oldest and 
arguably the most well-established tradition of applying modal logic to mathematics. It 
is perhaps more essential for proof theory and foundations than other applications of 
modal logic for the corresponding object areas of mathematics. This observation is not 
intended to discount other interpretations of modal logic considered here; we hope that 
this survey gives a fair assessment of their beauty and vast potential. 

Among other recent surveys in this area, we recommend the article ‘Provability logic’ 
by Verbrugge in the Stanford Encyclopedia of Philosophy 

http://plato.stanford.edu/entries/logic-provability/, 
the handbook chapter ‘Provability Logic’ [25], and the forthcoming collection ‘The Logic 
of Space’ edited by Aiello, van Benthem, and Pratt-Hartmann. 


2 SOME HISTORY 


In his 1933 paper [109], Gödel chose the language of propositional modal logic to describe 
the basic logical laws of provability. According to his approach, $\Box F$ should be interpreted 
informally as 


F is provable, 


and the classical modal logic S4 provides a system of plausible postulates for provability. 
Gödel’s goal was to provide an exact interpretation of intuitionistic propositional logic 
within a classical modal logic of provability, hence giving classical meaning to the basic 
intuitionistic logical system. 

This line of research attracted a great deal of attention in mathematics and eventually 
led to two distinct models of provability based on modal logics: 


1. the Provability Logic GL, which was shown by Solovay to be the logic of Gödel’s 
formal provability predicate; 


2. Gödel’s original logic S4, which was shown by Artemov to be a forgetful projection 
of the Logic of Proofs LP. 


These two models complement each other and cover a wide range of applications, from 
traditional proof theory to formal verification and epistemology. 

The use of modal logic in topology was initially motivated by Kuratowski’s axioms for 
topological spaces, which were recast in the manner of modal logic by Tarski in the late 
1930s. Under this interpretation, the Boolean components were treated in the usual set 
theoretical way as subsets of a given topological set, whereas $\Box$ was interpreted as 


the interior operator. 
In their seminal paper of 1944 [187], McKinsey and Tarski proved that S4 was the logic 
of any separable dense-in-itself metric space, in particular the real topological space $\mathbb{R}^n$, 
for each $n = 1, 2, 3, \dots$. Among other known topological operators on sets, 


the derived set operator, 


regarded as the modality $\Diamond$, has been given a complete axiomatization in works by 
Esakia and Shehtman. The modal logic of topology developed into an area of research 
that included modal studies of other operators in topological spaces, modal logic of met- 
ric spaces, dynamic topological logic, spatio-temporal reasoning, etc., with applications 
outside the original mathematical core. 

It was perhaps Solovay who initiated research in the application of modal logic to set 
theory in 1976 when he gave a complete axiomatization of such modalities as 


true in all transitive models of ZF 


and 
true in all universes. 


Hamkins and Lowe recently found a complete axiom system of the modality 
true in all forcing extensions. 


Studies of connections between infinitary modal logic and set theory initiated by Barwise 
and Moss in 1996 culminated in Baltag’s Structural Theory of Sets STS, which considered 


the canonical model of infinitary modal logic as the set theoretical universe. 


3 TWO MODELS OF PROVABILITY 


According to Brouwer, truth in intuitionistic mathematics means the existence of a proof. 
An axiom system for intuitionistic logic was suggested by Heyting in 1930; its full 
description may be found in the fundamental monographs [132, 149, 246]. By IPC, we mean 
Heyting’s intuitionistic propositional calculus. In 1931-34, Heyting and Kolmogorov 
gave an informal description of the intended proof-based semantics for intuitionistic logic 
[130, 131, 132, 150], which is now referred to as the Brouwer-Heyting-Kolmogorov (BHK) 
semantics. According to the BHK-conditions, a formula is ‘true’ if it has a proof. Fur- 
thermore, a proof of a compound statement is connected to proofs of its parts in the 
following way: 


• a proof of $A \wedge B$ consists of a proof of proposition $A$ and a proof of proposition $B$, 
• a proof of $A \vee B$ is given by presenting either a proof of $A$ or a proof of $B$, 
• a proof of $A \to B$ is a construction transforming proofs of $A$ into proofs of $B$, 


• falsehood $\bot$ is a proposition which has no proof; $\neg A$ is shorthand for $A \to \bot$. 


From a foundational point of view, it did not make much sense to understand the above 
‘proofs’ as proofs in an intuitionistic system which those conditions were supposed to 
specify. So in 1933 ([109]), Gödel took the first step towards developing an exact 
semantics for intuitionism based on classical provability. Gödel considered the classical 
modal logic S4 to be a calculus describing properties of provability in classical 
mathematics: 


1. Axioms and rules of classical propositional logic, 


2. $\Box(F \to G) \to (\Box F \to \Box G)$, 


3. $\Box F \to F$, 


4. $\Box F \to \Box\Box F$, 


5. Rule of necessitation: $\dfrac{\vdash F}{\vdash \Box F}$. 


Based on Brouwer’s understanding of logical truth as provability, Gödel defined a 
translation tr(F) of the propositional formula F in the intuitionistic language into the 
language of classical modal logic, i.e., tr(F) was obtained by prefixing every subformula 
of F with the provability modality $\Box$. Informally speaking, when the usual procedure of 
determining classical truth of a formula is applied to tr(F), it will test the provability 
(not the truth) of each of F’s subformulas in agreement with Brouwer’s ideas. 


Gödel’s treatment of provability as modality in [109] has an interesting 
prehistory. In his letter to Gödel [263] of January 12, 1931, von Neumann 
actually used formal provability as a modal-like operator B and gave a shorter, 
modal-style derivation of Gödel’s second incompleteness theorem. Von 
Neumann freely used such modal logic features as the transitivity axiom 
$B(a) \to B(B(a))$, equivalent substitution, and the fact that the modality 
commutes with the conjunction ‘$\wedge$.’ Even earlier, in 1928, Orlov published 
the paper [205] in Russian, in which he considered an informal modal-like 
operator of provability, introduced modal postulates (ii)—(v), and described 
the translation tr(F) from propositional formulas to modal formulas. On the 
other hand, Orlov chose to base his modal system on a type of relevance logic; 
his system fell short of S4. 


From Gödel’s results in [109], and the McKinsey-Tarski work on topological semantics 
for modal logic [188], it follows that the translation tr(F) provides a proper embedding of 
the intuitionistic logic IPC into S4, i.e., an embedding of IPC into classical logic extended 
by the provability operator. 


THEOREM 1 (Gödel, McKinsey, Tarski). IPC proves F $\Leftrightarrow$ S4 proves tr(F). 


Still, Gödel’s original goal of defining IPC in terms of classical provability was not 
reached, since the connection of S4 to the usual mathematical notion of provability was 
not established. Moreover, Gödel noticed that the straightforward idea of interpreting 
modality $\Box F$ as F is provable in a given formal system T contradicted Gödel’s second 
incompleteness theorem (cf. [62, 65, 90, 126, 240] for basic information concerning proof 
and provability predicates, as well as Gödel’s incompleteness theorems). 
Indeed, $\Box(\Box F \to F)$ can be derived in S4 by the rule of necessitation from 
the axiom $\Box F \to F$. On the other hand, interpreting modality $\Box$ as the 
predicate $\mathrm{Provable}_T(\cdot)$ of formal provability in theory T and F as contradiction, 
i.e., 0 = 1, converts this formula into a false statement that the consistency 
of T is internally provable in T: 


$\mathrm{Provable}_T(\ulcorner \mathrm{Consis}(T) \urcorner)$. 


To see this, it suffices to notice that the following formulas are provably 
equivalent in T: 


$\mathrm{Provable}_T(\ulcorner 0{=}1 \urcorner) \to (0{=}1)$, $\neg\mathrm{Provable}_T(\ulcorner 0{=}1 \urcorner)$, $\mathrm{Consis}(T)$. 


Here $\ulcorner\varphi\urcorner$ stands for the Gödel number of $\varphi$. Below we will omit Gödel number 
notation whenever it is safe, e.g., we will write $\mathrm{Provable}(\varphi)$ and $\mathrm{Proof}(n, \varphi)$ 
instead of $\mathrm{Provable}(\ulcorner\varphi\urcorner)$ and $\mathrm{Proof}(n, \ulcorner\varphi\urcorner)$. 


The situation after Gödel’s paper [109] can be described by the following figure where 
‘$\hookrightarrow$’ denotes a proper embedding: 


IPC $\hookrightarrow$ S4 $\hookrightarrow$ ? $\hookrightarrow$ CLASSICAL PROOFS . 


In a public lecture in Vienna in 1938 [110], Gödel suggested using the format of explicit 
proofs t is a proof of F for interpreting his provability calculus S4, though he did not give 
a complete set of principles of the resulting logic of proofs. Unfortunately, Gödel’s work 
[110] remained unpublished until 1995, when the Gödelian logic of proofs had already 
been axiomatized and supplied with completeness theorems connecting it to both S4 and 
classical proofs. 

The provability semantics of S4 was discussed in [62, 65, 70, 111, 158, 169, 176, 191, 
197, 199, 200, 221, 222]. These works constitute a remarkable contribution to this area 
(cf. Section 4); however, they neither found the Gödelian logic of proofs nor provided S4 
with a provability interpretation capable of modeling the BHK semantics for intuitionistic 
logic. Comprehensive surveys of work on provability semantics for S4 may be found 
in [16, 21, 25]. 

The Logic of Proofs LP was first reported in 1994 at a seminar in Amsterdam and 
at a conference in Münster. Complete proofs of the main theorems of the realizability 
of S4 in LP, and about the completeness of LP with respect to the standard provability 
semantics were published in the technical report [14] in 1995. The foundational picture 
now is 


IPC $\hookrightarrow$ S4 $\hookrightarrow$ LP $\hookrightarrow$ CLASSICAL PROOFS . 


The correspondence between intuitionistic and modal logics induced by Gödel’s 
translation tr(F) has been studied by Blok, Dummett, Esakia, Flagg, H. Friedman, 
Grzegorczyk, Kuznetsov, Lemmon, Maksimova, McKinsey, Muravitsky, Rybakov, Shavrukov, 
Tarski, and many others. A detailed survey of modal companions of intermediate (or 
superintuitionistic) logics is given in [74]; a brief one is in [75], Sections 9.6 and 9.8. 

Gödel’s 1933 paper [109] on a modal logic of provability left two natural open problems: 

(A) Find a precise provability semantics for the modal logic S4, which appeared to be 
‘a provability calculus without a provability semantics.’ 
(B) Find a modal logic of Gödel’s predicate of formal provability Provable(x), which 
appeared to be ‘a provability semantics without a calculus.’ 

The solution to problem (A) was obtained by Artemov through the Logic of Proofs 
LP (see above and Section 5). 

Problem (B) was solved in 1976 by Solovay, who showed that the modal logic GL (a.k.a. 
G, L, K4.W, PRL) axiomatized all propositional properties of the provability predicate 
Provable(F) ([62, 65, 147, 241, 242]). 

The provability logic GL is given by the following list of postulates: 


1. Axioms and rules of classical propositional logic, 


2. $\Box(F \to G) \to (\Box F \to \Box G)$, 


3. $\Box(\Box F \to F) \to \Box F$, 

4. $\Box F \to \Box\Box F$, 

5. Rule of necessitation: $\dfrac{\vdash F}{\vdash \Box F}$. 

Models (A) and (B) have quite different expressive capabilities. The logic GL formalizes 
Gödel’s second incompleteness theorem $\neg\Box(\neg\Box\bot)$, Löb’s theorem $\Box(\Box F \to F) \to \Box F$, and 
a number of other meaningful provability principles. However, proofs as objects are not 
present in this model. LP naturally contains typed $\lambda$-calculus, modal logic, and modal 
$\lambda$-calculus ([18, 19]). On the other hand, model (A) cannot express Gödel’s incompleteness 
theorem. 

Provability models (A) and (B) complement each other by addressing different areas 
of application. The provability logic GL finds applications in traditional proof theory (cf. 
Subsection 4.11). The Logic of Proofs LP targets areas of typed theories and programming 
languages, foundations of verification, formal epistemology, etc. (cf. Subsection 5.7). 
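
The translation tr(F) and the two postulate lists above (S4 and GL) can be compared mechanically on small Kripke frames. The following Python sketch is an added example, not taken from the handbook: the tuple encoding of formulas, the function names and the two finite frames are assumptions made for illustration. A countermodel on a reflexive transitive frame refutes S4-provability; validity on one frame is only a sanity check, not a proof.

```python
from itertools import product

# Formulas are nested tuples (an encoding assumed for this example):
# ('var', name), ('bot',), ('not', A), ('and', A, B), ('or', A, B),
# ('imp', A, B), ('box', A).
p, q = ('var', 'p'), ('var', 'q')

def box(a): return ('box', a)
def imp(a, b): return ('imp', a, b)
def neg(a): return ('not', a)

def tr(f):
    """Goedel translation: prefix every subformula of f with the box."""
    if f[0] in ('var', 'bot'):
        return box(f)
    return box((f[0],) + tuple(tr(g) for g in f[1:]))

def holds(f, w, R, val):
    """Kripke truth of f at world w; R is a set of pairs, val maps names to sets."""
    op = f[0]
    if op == 'var':
        return w in val[f[1]]
    if op == 'bot':
        return False
    if op == 'not':
        return not holds(f[1], w, R, val)
    if op == 'and':
        return holds(f[1], w, R, val) and holds(f[2], w, R, val)
    if op == 'or':
        return holds(f[1], w, R, val) or holds(f[2], w, R, val)
    if op == 'imp':
        return (not holds(f[1], w, R, val)) or holds(f[2], w, R, val)
    if op == 'box':
        return all(holds(f[1], v, R, val) for (u, v) in R if u == w)
    raise ValueError(f"unknown connective: {op!r}")

def variables(f):
    if f[0] == 'var':
        return {f[1]}
    found = set()
    for g in f[1:]:
        found |= variables(g)
    return found

def countermodel(f, frame):
    """Return (valuation, world) falsifying f on the frame, or None if f is valid on it."""
    W, R = frame
    names = sorted(variables(f))
    for rows in product(product((False, True), repeat=len(W)), repeat=len(names)):
        val = {n: {w for w, bit in zip(W, row) if bit} for n, row in zip(names, rows)}
        for w in W:
            if not holds(f, w, R, val):
                return val, w
    return None

# Constructed frames: a reflexive transitive chain (a frame for S4) and a
# finite strict chain (transitive, irreflexive: a frame for GL).
S4_FRAME = ([0, 1], {(0, 0), (0, 1), (1, 1)})
GL_FRAME = ([0, 1, 2], {(0, 1), (0, 2), (1, 2)})

EXCLUDED_MIDDLE = ('or', p, neg(p))       # not intuitionistically provable
DOUBLE_NEG_ELIM = imp(neg(neg(p)), p)     # not intuitionistically provable
DOUBLE_NEG_INTRO = imp(p, neg(neg(p)))    # intuitionistically provable

POSTULATES = {
    'K': imp(box(imp(p, q)), imp(box(p), box(q))),   # postulate 2 of both lists
    'T': imp(box(p), p),                             # postulate 3 of S4
    '4': imp(box(p), box(box(p))),                   # postulate 4 of both lists
    'Loeb': imp(box(imp(box(p), p)), box(p)),        # postulate 3 of GL
}

def postulate_table():
    """Map each postulate to (valid on S4_FRAME, valid on GL_FRAME)."""
    return {name: (countermodel(f, S4_FRAME) is None,
                   countermodel(f, GL_FRAME) is None)
            for name, f in POSTULATES.items()}

if __name__ == '__main__':
    for name, (s4, gl) in postulate_table().items():
        print(f"{name:5} S4 frame: {s4!s:5}  GL frame: {gl}")
    for label, f in [('p or not p', EXCLUDED_MIDDLE),
                     ('not not p -> p', DOUBLE_NEG_ELIM),
                     ('p -> not not p', DOUBLE_NEG_INTRO)]:
        print(f"tr({label}): countermodel on S4 frame =", countermodel(tr(f), S4_FRAME))
```

The reflexivity postulate fails on the strict chain at its dead-end world, and Löb's postulate fails on the reflexive chain, which is the frame-level reason the two lists cannot be merged.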


4 PROVABILITY LOGIC 


A significant step towards finding a modal logic of formal provability was made by Löb 
who formulated in [180], on the basis of previous work by Hilbert and Bernays from 1939 
(see [133]), a number of natural modal-style properties of the formal provability predicate 
and observed that these properties were sufficient to prove Gödel’s second incompleteness 
theorem. These properties, known as the Hilbert-Bernays-Löb derivability conditions, 
essentially coincide with postulates (2), (4), and (5) of the above formulation of GL, i.e., 
with the modal logic K4. Moreover, Löb found an important strengthening of the Gödel 
theorem. He established the validity of the following Löb Rule about formal provability: 


$\dfrac{\vdash \Box F \to F}{\vdash F}$ 


It was later noticed (cf. [182]) that this rule can be formalized in arithmetic, which 
gave a valid law of formal provability known as Löb’s principle: 
This principle provided the last axiom of the provability logic GL, named after Gödel 
and Löb. Neither Gödel nor Löb formulated the logic explicitly, though they established 
the validity of the underlying arithmetical principles. Presumably, it was Smiley, whose 
work [238] on the foundations of ethics was the first to consider GL a modal logic. 

Significant progress in the general understanding of the formalization of metamathe- 
matics, particularly in [90], inspired Kripke, Boolos, de Jongh, and others to look into 
the problem of modal axiomatization of the logic of provability. More specifically, the 
effort was concentrated on establishing GL’s completeness with respect to the formal 
provability interpretation. Independently, a similar problem in an algebraic context was 
considered by Magari and his school in Italy (see [184]). A comprehensive account of 
these early developments in provability logic can be found in [66]. 

H. Friedman formulated the question of decidability of the letterless fragment of prov- 
ability logic as his Problem 35 in [97]. This question, which happened to be much easier 
than the general case, was immediately answered by a number of people including Boolos 
[60], van Benthem, Bernardi, and Montagna. This result was apparently known to von 
Neumann as early as 1931 [263]. 


4.1  Solovay’s completeness theorem 


The modal logic of Gödel’s predicate of formal provability Provable(x) was found in 1976 
by Solovay. 

Let * be a mapping from the set of propositional letters to the set of arithmetical 
sentences. We call such a mapping an (arithmetical) interpretation. Given a standard 
provability predicate Provable(x) in Peano arithmetic PA, we can extend the 
interpretation * to all modal formulas as follows: 


• $\bot^* = \bot$; $\top^* = \top$; 


• * commutes with all Boolean connectives; 


• $(\Box G)^* = \mathrm{Provable}(G^*)$. 


The Hilbert-Bernays-Löb derivability conditions, together with the validity of Löb's 
principle, essentially mean that GL is sound with respect to the arithmetical interpretation. 


PROPOSITION 2. If $\mathsf{GL} \vdash X$, then for all interpretations $*$, $\mathsf{PA} \vdash X^*$. 


Solovay in [242] established that GL is also complete with respect to the arithmetical 
interpretation. Solovay also showed that the set of modal formulas expressing universally 
true principles of provability was axiomatized by a decidable extension of GL, which is 
usually denoted by S. The system S has the axioms 


• all theorems of GL (a decidable set), 


• $\Box X \to X$, 


and modus ponens as the sole rule of inference. 


THEOREM 3 (Solovay [242]). 
(1) $\mathsf{GL} \vdash X$ iff for all interpretations $*$, $\mathsf{PA} \vdash X^*$; 
(2) $\mathsf{S} \vdash X$ iff for all interpretations $*$, $X^*$ is true. 


For the proof of this theorem in [242], Solovay invented an elegant technique of em- 
bedding Kripke models into arithmetic. Variants and generalizations of this construction 
have been applied to obtain arithmetical completeness results for various logics with prov- 
ability and interpretability semantics. An inspection of Solovay’s construction shows that 
it works for all natural formal theories containing a rather weak elementary arithmetic 
EA (cf. [25], Section 3.1). Such robustness allows us to claim that GL is indeed a universal 
propositional logic of formal provability. 

Whether or not Solovay's theorem can be extended to bounded arithmetic theories 
such as $S^1_2$ or $S_2$ remains an intriguing open question. Interesting partial results here 
were obtained by Berarducci and Verbrugge in [53]. 

Solovay’s results and methods opened a new page in the development of provability 
logic. Several groups of researchers in the USA (Solovay, Boolos, Smoryński), the Netherlands 
(D. de Jongh, Visser), Italy (Magari, Montagna, Sambin, Valentini), and USSR 
(Artemov and his students) started to work intensively in this area. An early 
textbook by Boolos [62], followed by Smoryński's [241], played an important educational 
role. 

The following uniform version of Solovay’s Theorem 3.1 was established independently 
by Artemov, Avron, Boolos, Montagna, and Visser [7, 8, 37, 63, 194, 253]: 


there is an arithmetical interpretation $*$ such that for each modal formula X, $\mathsf{PA} \vdash X^*$ 
iff $\mathsf{GL} \vdash X$. 


The main thrust of the research efforts in the wake of Solovay’s Theorem was in the 
direction of generalizing Solovay’s results to more expressive languages. Some of the 
problems that have received prominent attention are covered below. 


4.2 Fixed point theorem 


As an important early result on the application of modal logic to the study of the concept 
of provability in formal systems, a theorem stands out that was found independently 
by de Jongh and Sambin, who established that GL has the fixed point property (see 
[62, 65, 240, 241]). The de Jongh-Sambin fixed point theorem is a striking reproduction 
of Gödel's fixed point lemma in a propositional language free of coding, self-substitution 
functions, etc. 

A modal formula F(p) is said to be modalized in p if every occurrence of the sentence 
letter p in F(p) is within the scope of 


THEOREM 4 (de Jongh, Sambin). For every modal formula F(p) modalized in the sen- 
tence letter p, there is a modal formula H containing only sentence letters from F, not 
containing p, and such that GL proves 


$H \leftrightarrow F(H)$. 


Moreover, any two solutions to this fixed-point equation with respect to F are provably 
equivalent in GL. 


The uniqueness segment was also established by Bernardi in [54]. 
The proof actually provided an efficient algorithm that, given F, calculates its fixed 
point H. Here are some examples of F's and their fixed points H. 

Modal formula F(p)        Its fixed point H 
$\Box p$                  $\top$ 
$\Box\neg p$              $\Box\bot$ 
$\neg\Box p$              $\neg\Box\bot$ 
$\neg\Box\neg p$          $\bot$ 
$q \wedge \Box p$         $q \wedge \Box q$ 


Perhaps the most famous fixed point of the above sort is given by the second Gödel incompleteness 
theorem. Indeed, consider $\neg\Box p$ as F(p). By the above table, the corresponding 
fixed point H is $\neg\Box\bot$. Hence GL proves 


(1) $\neg\Box\bot \leftrightarrow \neg\Box(\neg\Box\bot)$. 


Since the arithmetical interpretation of $\neg\Box\bot$ for a given theory T is the consistency 
formula Consis(T), this yields that (1) represents the formalized second Gödel incompleteness 
theorem: 


if T is consistent, then T does not prove its consistency 


and that this theorem is provable in T. 
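
A sanity check of the fixed points in the table, added here and not part of the handbook text: it evaluates $H \leftrightarrow F(H)$ for the five rows on every transitive irreflexive Kripke frame with at most three worlds, frames on which every theorem of GL is valid. The tuple encoding of formulas and all function names are assumptions of this example; passing the check is a necessary condition for GL-provability, not a proof of it.

```python
from itertools import product

# Formulas as nested tuples (this encoding is an assumption of the example).
TOP, BOT = ('top',), ('bot',)
P, Q = ('var', 'p'), ('var', 'q')

def Not(f): return ('not', f)
def Box(f): return ('box', f)
def And(f, g): return ('and', f, g)
def Iff(f, g): return ('iff', f, g)

# The five rows (F(p), H) of the fixed-point table.
TABLE = [
    (Box(P), TOP),
    (Box(Not(P)), Box(BOT)),
    (Not(Box(P)), Not(Box(BOT))),
    (Not(Box(Not(P))), BOT),
    (And(Q, Box(P)), And(Q, Box(Q))),
]

def substitute(f, h):
    """Return f with every occurrence of the letter p replaced by h."""
    if f == P:
        return h
    return (f[0],) + tuple(substitute(a, h) if isinstance(a, tuple) else a
                           for a in f[1:])

def holds(f, w, succ, val):
    """Truth of f at world w; succ[w] lists the worlds accessible from w."""
    op = f[0]
    if op == 'top':
        return True
    if op == 'bot':
        return False
    if op == 'var':
        return val[f[1]][w]
    if op == 'not':
        return not holds(f[1], w, succ, val)
    if op == 'and':
        return holds(f[1], w, succ, val) and holds(f[2], w, succ, val)
    if op == 'iff':
        return holds(f[1], w, succ, val) == holds(f[2], w, succ, val)
    if op == 'box':
        return all(holds(f[1], v, succ, val) for v in succ[w])
    raise ValueError(op)

def gl_frames(n):
    """Yield every transitive irreflexive relation on worlds 0..n-1."""
    pairs = [(i, j) for i in range(n) for j in range(n) if i != j]
    for bits in product([0, 1], repeat=len(pairs)):
        rel = {pq for pq, bit in zip(pairs, bits) if bit}
        # (u, u) is never in rel, so any cycle fails this transitivity test.
        if all((u, w) in rel for (u, v) in rel for (v2, w) in rel if v == v2):
            yield [[w for w in range(n) if (u, w) in rel] for u in range(n)]

def valid_on_small_frames(f, max_worlds=3):
    """True iff f holds at every world, frame and valuation up to max_worlds."""
    for n in range(1, max_worlds + 1):
        for succ in gl_frames(n):
            for bits in product([False, True], repeat=2 * n):
                val = {'p': bits[:n], 'q': bits[n:]}
                if not all(holds(f, w, succ, val) for w in range(n)):
                    return False
    return True

def passes_fixed_point_check(F, H, max_worlds=3):
    """Check H <-> F(H) on all small GL frames."""
    return valid_on_small_frames(Iff(H, substitute(F, H)), max_worlds)

if __name__ == "__main__":
    for F, H in TABLE:
        print(F, '->', H, passes_fixed_point_check(F, H))
    # A wrong candidate for F(p) = not Box p is rejected:
    print(passes_fixed_point_check(Not(Box(P)), TOP))
```
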

The fixed point theorem for GL allowed van Benthem [248] and then Visser [262] to 
interpret the modal $\mu$-calculus in GL. Together with van Benthem's observation that GL 
is faithfully interpretable in $\mu$-calculus [248], this relates two originally disjoint research 
areas. 


4.3 First-order provability logics 


The natural problem of axiomatizing first-order provability logic was first introduced by 
Boolos in [62, 64] as the major open question in this area. A straightforward conjecture 
that the first-order version of GL axiomatizes first-order provability logic was shown to 
be false by Montagna [196]. A final negative solution was given in papers by Artemov 
[9] and Vardanyan [252]. 


THEOREM 5 (Artemov, Vardanyan). First-order provability logic is not recursively ax- 
iomatizable. 


In particular, Artemov showed that the set of the first-order modal formulas that are 
true under any arithmetical interpretation is not arithmetical. This proof used Ten- 
nenbaum’s well-known theorem about the uniqueness of the recursive model of Peano 
arithmetic. Vardanyan showed that the set of first-order modal formulas that are provable 
in PA under any interpretation is $\Pi^0_2$-complete, thus not effectively axiomatizable. 
Independently but somewhat later, similar results were obtained by McGee in his Ph.D. 
thesis; they were never published. 

Even more dramatically, [11] showed that first-order provability logics are sensitive to 
a particular formalization of the provability predicate and thus are not robustly defined. 

The material on first-order provability logic is extensively covered in a textbook [65] 
and in a survey [147]. 


4.4 Intuitionistic provability logic 


The question of generalizing Solovay’s results from classical theories to intuitionistic ones, 
such as Heyting arithmetic HA, proved to be remarkably difficult. Visser in [253] found 
a number of nontrivial principles of the provability logic of HA. Similar observations 
were independently made by Gargov and Gavrilenko. In [255], a characterization and a 
decision algorithm for the letterless fragment of the provability logic of HA were obtained, 
thus solving an intuitionistic analog of Friedman’s 35th problem. 


THEOREM 6 (Visser [255]). The letterless fragment of the provability logic of HA is 
decidable. 


Some significant further results were obtained in [79, 135, 136, 137, 255, 258, 260, 261], 
but the general problem of axiomatizing the provability logic of HA remains a major open 
question. 


4.5 Classification of provability logics 


Solovay’s theorems naturally led to the notion of provability logic for a given theory T 
relative to a metatheory U, which was suggested by Artemov in [7, 8] and Visser in 
[253]. This logic, denoted $PL_T(U)$, is defined as the set of all propositional principles of 
provability in T that can be established by means of U. In particular, GL is the provability 
logic $PL_T(U)$ with U = T = PA, and Solovay's provability logic S from Theorem 3.2 
corresponds to T = PA and U's being the set of all true sentences of arithmetic. The 
problem of describing all provability logics for a given theory T relative to a metatheory 
U, where T and U range over extensions of Peano arithmetic, has become known as 
the classification problem for provability logics. Each of these logics extends GL, hence 
can be represented in the form GLX, which is GL with additional axioms X and modus 
ponens as the sole rule of inference. Within this notational convention, $S = GL\{\Box p \to p\}$. 
Consider sentences $F_n = \Box^{n+1}\bot \to \Box^{n}\bot$, for $n \in \omega$. In [8, 10, 254], the following three 
families of provability logics were found: 


$GL_\alpha = GL\{F_n \mid n \in \alpha\}$, where $\alpha \subseteq \omega$; 


$GL^-_\beta = GL\{\bigvee_{n \notin \beta} \neg F_n\}$, where $\beta$ is a cofinite subset of $\omega$; 


$S_\beta = S \cap GL^-_\beta$, where $\beta$ is a cofinite subset of $\omega$. 


The families $GL_\alpha$, $GL^-_\beta$ and $S_\beta$ are ordered by inclusion of their indices, and $GL_\beta \subset S_\beta \subset GL^-_\beta$, 
for cofinite $\beta$. 

In [10], the classification problem was reduced to finding all provability logics in the 
interval between $GL_\omega$ and S. In [143], Japaridze found a new provability logic Dzh in this 
interval, 


$Dzh = GL\{\neg\Box\bot,\ \Box(\Box p \vee \Box q) \to (\Box p \vee \Box q)\}$. 


He showed that Dzh is the provability logic of PA relative to PA + formalized $\omega$-consistency 
of PA. This discovery produced one more provability logic series, 


$Dzh_\beta = Dzh \cap GL^-_\beta$, where $\beta$ is a cofinite subset of $\omega$, 


with $GL_\beta \subset Dzh_\beta \subset S_\beta \subset GL^-_\beta$, for cofinite $\beta$. 
The classification was completed by Beklemishev who showed in [42] that no more 
provability logics exist. 

THEOREM 7 (Beklemishev [42]). All provability logics occur in $GL_\alpha$, $GL^-_\beta$, $S_\beta$, and 
$Dzh_\beta$, for $\alpha, \beta \subseteq \omega$, and $\beta$ cofinite. 


The proof of Theorem 7 produced yet another provability interpretation of Dzh which 
was shown to be the provability logic of any $\Sigma_1$-sound but not sound theory relative to 
the set of all true sentences of arithmetic. For more details, see [25, 42, 50]. 


4.6 Provability logics with additional operators 


Solovay’s theorems have been generalized to various extensions of the propositional lan- 
guage by additional operators having arithmetical interpretations. 

The most straightforward generalization is obtained by simultaneously considering 
several provability operators corresponding to different theories. Already in the simplest 
case of bimodal provability logic, the axiomatization of such logics turns out to be very 
difficult. The bimodal logics for many natural pairs of theories have been characterized in 
[43, 44, 73, 143, 241]. However, the general classification problem for bimodal provability 
logics for pairs of recursively enumerable extensions of PA remains a major open question. 

Bimodal logic has been used to study relationships between provability and interest- 
ing related concepts such as the Mostowski operator, and Rosser, Feferman, and Parikh 
provabilities (see [179, 225, 226, 241, 256]). In a number of cases, Solovay-style arith- 
metical completeness theorems have been obtained. These results have their origin in an 
important paper by Guaspari and Solovay [123] (see also [241]). They consider an exten- 
sion of the propositional modal language by a witness comparison operator allowing the 
formalization of Rosser-style arguments from his well-known proof of the incompleteness 
theorem [218]. Similar logics have since been used in [71, 72, 78], e.g., in the study of 
the speed-up of proofs. 


4.7 Generalized provability predicates 


A natural generalization of the provability predicate is given by the notion of n-provability 
which is, by definition, a provability predicate in the set of all true arithmetical 
$\Pi_n$-sentences. For n = 0, this concept coincides with the usual notion of provability. As 
was observed in [241], the logic of each individual n-provability predicate coincides with 
GL. A joint logic of n-provability predicates for n = 0,1,2,... contains the modalities [0], 
[1], [2], etc. The arithmetical interpretation of a formula in this language is defined as 
usual, except that now we require, for each $n \in \omega$, that [n] be interpreted as n-provability. 

The system GLP introduced by Japaridze [143, 144] is given by the following axioms 
and rules of inference. 


1. Axioms of GL for each operator [n], 


2. $[m]\varphi \to [n]\varphi$, for $m < n$, 


3. $\langle m\rangle\varphi \to [n]\langle m\rangle\varphi$, for $m < n$, 


4. Rule modus ponens, 


5. Rule $\varphi \vdash [n]\varphi$. 

THEOREM 8 (Japaridze). GLP is sound and complete with respect to the n-provability 
interpretation. 


Originally, Japaridze established in [143, 144] the completeness of GLP for an inter- 
pretation of modalities [n] as the provability in arithmetic using not more than n nested 
applications of the $\omega$-rule. Later, Ignatiev in [141] observed that Japaridze's theorem 
holds for the n-provability interpretation. Ignatiev also found normal forms for letterless 
formulas in GLP which play a significant role in Section 4.11 (where only the soundness 
of GLP is essential). 


4.8 Interpretability and conservativity logics 


Interpretability is one of the central concepts of mathematics and logic. A theory X is 
interpretable in Y iff the language of X can be translated into the language of Y in 
such a way that Y proves the translation of every theorem of X. For example, Peano 
arithmetic PA is interpretable in Zermelo-Fraenkel set theory ZF. The importance of 
this concept lies in its ability to compare theories of different mathematical character 
in different languages, e.g., set theory and arithmetic. The notion of interpretability 
was given a mathematical shape by Tarski in 1953 in [245]. There is not much known 
about interpretability in general. The modal logic approach provides insights into the 
structure of interpretability in special situations when X and Y are finite propositional- 
style extensions of a base theory containing a certain sufficient amount of arithmetic. 

Visser, following Švejdar [243], introduced a binary modality $A \rhd B$ to stand for the 
arithmetization of the statement 


the theory T + A interprets T + B. 


Interpretations here are understood in the standard sense of Tarski, and are limited to 
theories T containing a sufficient amount of arithmetic, and to propositional A’s and B’s. 
This new modality emulates provability $\Box F$ by $\neg F \rhd \bot$, and thus is more expressive than 
the ordinary O. The resulting interpretability logic substantially depends on the basis 
theory T. 

The following logic IL is the collection of some basic interpretability principles valid in 
all reasonable theories: axioms and rules of GL plus 


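• $\Box(A \to B) \to A \rhd B$, 

• $(A \rhd B \wedge B \rhd C) \to A \rhd C$, 

• $(A \rhd C \wedge B \rhd C) \to (A \vee B) \rhd C$, 

• $A \rhd B \to (\Diamond A \to \Diamond B)$, 

• $\Diamond A \rhd A$. 


(We assume here that the interpretability modality ‘$\rhd$’ binds stronger than the Boolean 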
connectives.) 

For two important classes of theories T, the interpretability logic has been character- 
ized axiomatically. 


940 Sergei Artemov 


Let ILP be IL augmented by the principle 


$A \rhd B \to \Box(A \rhd B)$. 


THEOREM 9 (Visser [257]). The interpretability logic of a finitely axiomatizable theory 
satisfying some natural conditions is ILP. 


In particular, the class of theories covered by this theorem includes the arithmetical 
theories $I\Sigma_n$ for all n = 1,2,3,..., the second-order arithmetic $ACA_0$, and the von 
Neumann-Gödel-Bernays theory GB of sets and classes. 

Let ILM be IL augmented by Montagna’s principle 


$A \rhd B \to (A \wedge \Box C) \rhd (B \wedge \Box C)$. 


The following theorem was established independently in [224] and [52]. 


THEOREM 10 (Shavrukov, Berarducci). The interpretability logic of essentially reflexive 
theories satisfying some natural conditions is ILM. 


In particular, this theorem states that ILM is the interpretability logic for Peano arith- 
metic PA and Zermelo-Fraenkel set theory ZF. 

An axiomatization of the minimal interpretability logic, i.e., of the set of interpretabil- 
ity principles that hold over all reasonable arithmetical theories, is not known. Important 
progress in this area has been made by Goris and Joosten, who have found new universal 
interpretability principles (cf. [120, 148]). Yet more new interpretability principles have 
been found recently by Goris; they were discovered using the Kripke semantics and later 
shown sound for arithmetic. 

The $\rhd$ modality has a related conservativity interpretation, which leads to the conservativity 
logics studied in [124, 125, 140]. Logics of interpolability and of tolerance, 
introduced by Ignatiev and Japaridze [80, 81, 142], have a related arithmetical interpre- 
tation, but a format which is different from that of interpretability logics; see [147] for 
an overview. 

An excellent survey of interpretability logic is given in [259]; see also [147]. 


4.9 Magari algebras and propositional second-order provability logic 


An algebraic approach to provability logic was initiated by Magari and his students [183, 
184, 194, 195]. The provability algebra of a theory T, also called the Magari algebra 
of T, is defined as the set of T-sentences factorized modulo provable equivalence in T 
and equipped with the usual Boolean operations together with the provability operator 
mapping a sentence F to $\mathrm{Provable}_T(F)$. 

Using the notion of provability algebra, one can impart a provability semantics to a 
representative subclass of propositional second-order modal formulas, i.e., modal formulas 
with quantifiers over arithmetical sentences. These are just first-order formulas over the 
provability algebra. For several years, the questions of decidability of the propositional 
second-order provability logic and of the first-order theory of the provability algebra of 
PA remained open (cf. [24]). Shavrukov in [227] provided a negative solution to both of 
these questions. 
THEOREM 11 (Shavrukov [227]). The first-order theory of the provability algebra of PA 
is mutually interpretable with the set of all true arithmetical formulas. 


This result was proved by one of the most ingenious extensions of Solovay’s techniques. 


4.10 ‘True and Provable’ modality 


A gap between the provability logic GL and S4 can be bridged to some extent by using 
the strong provability modality $\boxdot F$ which is interpreted as 


$(\boxdot F)^* = F^* \wedge \mathrm{Provable}(F^*)$. 


The reflexivity principle 


$\boxdot F \to F$ 


is then vacuously provable, hence the strong provability modality is S4-compliant. 

This approach has been explored in [61, 111, 170], where it was shown independently 
that the arithmetically complete modal logic of strong provability coincides with Grze- 
gorczyk’s logic Grz, which is the extension of S4 by the axiom 


The modality of strong provability has been further studied in [202, 203]; it played a 
significant role in introducing justification into formal epistemology (cf. [30, 31, 32]), as 
well as in the topological semantics for modal logic (cf. surveys [86, 100]). 

Strong provability plays a certain foundational role: it provides an exact provability- 
based model for intuitionistic logic IPC. Indeed, by Grzegorczyk’s result from [122], 
Gödel's translation tr specifies an exact embedding of IPC into Grz (cf. Theorem 1): 


IPC proves F $\Leftrightarrow$ Grz proves tr(F). 


However, the foundational significance of this reduction for intuitionistic logic is some- 
what limited by a nonconstructive meaning of strong provability as ‘classically true and 
formally provable,’ which seems incompatible with the intended intuitionistic semantics. 
The aforementioned embedding does not bring us closer to the BHK semantics for IPC 
either. For more discussion on these matters, see [12, 16, 171]. 


4.11 Applications 


The methods of modal provability logic are applicable to the study of fragments of Peano 
arithmetic. 

Using provability logic methods, Beklemishev in [45] answered a well-known question: 
what kind of computable functions could be proved to be total in the fragment of PA 
where induction is restricted to $\Pi_2$-formulas without parameters? He showed that these 
functions coincide with those that are primitive recursive. In general, provability logic 
analysis substantially clarified the behavior of parameter-free induction schemata. 

Later results [46, 48] revealed a deeper connection between provability logic and tra- 
ditional proof-theoretic questions, such as consistency proofs, ordinal analysis, and in- 
dependent combinatorial principles. In [48], Beklemishev gave an alternative proof of 
Gentzen's famous theorem on the proof of the consistency of PA by transfinite induction 
up to the ordinal $\varepsilon_0$. 

In [47] (cf. also surveys [25, 49]), Beklemishev suggested a simple PA-independent 
combinatorial principle called the Worm Principle, which is derived from Japaridze’s 
polymodal extension GLP of provability logic (cf. Section 4.7). Finite words in the 
alphabet of natural numbers will be called worms. The Worm Principle asserts the 
termination of any sequence $w_0, w_1, w_2, \ldots$ of worms inductively constructed according 
to the following two rules. Suppose $w_m = x_0 \ldots x_n$, then 


1. if $x_n = 0$, then $w_{m+1} := x_0 \ldots x_{n-1}$ (the head of the worm is cut away); 


2. if $x_n > 0$, set $k := \max\{i < n : x_i < x_n\}$ and let 
$w_{m+1} := x_0 \ldots x_k (x_{k+1} \ldots x_{n-1}(x_n - 1))^{m+1}$ (the head of the worm decreases by 
one, and the part after position k is appended to the worm m times). 


Clearly, the emerging sequence of worms is fully determined by the initial worm $w_0$. For 
example, consider a worm $w_0 = 2031$. Then the sequence looks as follows: 

$w_0 = 2031$ 

$w_1 = 203030$ 

$w_2 = 20303$ 

$w_3 = 20302222$ 

$w_4 = 203022212221222122212221$ 

$w_5 = 2030(22212221222122212220)^6$ 


THEOREM 12 (Beklemishev [47]). 

(1) For any initial worm $w_0$, there is an m such that $w_m$ is empty. 

(2) The previous statement is unprovable in Peano arithmetic PA. In fact, Statement 
1 is equivalent to the 1-consistency of PA. 
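
The two rules can be run directly; the following Python sketch is an added example, not code from the handbook or from [47]. It assumes that the block after position k is written m+2 times at the step from $w_m$ to $w_{m+1}$, the count that reproduces the worms $w_1$ to $w_4$ listed above, and that k = -1 (the whole worm is the repeated block) when no earlier entry is smaller than the head; both conventions and all function names are assumptions of the example.

```python
def next_worm(worm, m):
    """One step w_m -> w_{m+1}. A worm is a list of naturals; its head is the last entry."""
    if not worm:
        return []
    head = worm[-1]
    if head == 0:
        # Rule 1: the head of the worm is cut away.
        return worm[:-1]
    n = len(worm) - 1
    # Rule 2: k is the last position before the head holding a smaller entry
    # (assumption: k = -1 when there is none).
    k = max((i for i in range(n) if worm[i] < head), default=-1)
    block = worm[k + 1:n] + [head - 1]
    # Assumption: m + 2 copies, which matches the sample sequence for w0 = 2031.
    return worm[:k + 1] + block * (m + 2)


def worm_sequence(start, steps):
    """Return [w_0, ..., w_steps] for the initial worm `start`."""
    seq = [list(start)]
    for m in range(steps):
        seq.append(next_worm(seq[-1], m))
    return seq


def steps_to_empty(start, max_steps=10**6, max_len=10**6):
    """Least m with w_m empty, or None if a resource bound is hit first.

    Termination always holds (Theorem 12), but the number of steps grows far
    beyond anything computable for all but the smallest worms, hence the bounds.
    """
    worm, m = list(start), 0
    while worm:
        if m >= max_steps or len(worm) > max_len:
            return None
        worm = next_worm(worm, m)
        m += 1
    return m


def as_digits(worm):
    """Render a worm over the digits 0-9 as a string, as in the text."""
    return ''.join(str(x) for x in worm)


if __name__ == "__main__":
    for i, w in enumerate(worm_sequence([2, 0, 3, 1], 4)):
        print(f"w{i} = {as_digits(w)}")
    print("length of w5:", len(worm_sequence([2, 0, 3, 1], 5)[5]))
    print("worm 1 is empty after", steps_to_empty([1]), "steps")
    print("worm 2 is empty after", steps_to_empty([2]), "steps")
```
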


For other PA-independent principles, cf. [244]. 

Japaridze used a technique from the area of Provability Logic to investigate funda- 
mental connections between provability, computability, and truth in his work on Com- 
putability Logic [145, 146]. 

The Logic of Proofs (Section 5) with its applications also emerged from studies in 
Provability Logic. 


5 LOGIC OF PROOFS 


The source of difficulties in provability interpretation of modality lies in the implicit 
nature of the existential quantifier $\exists$. Consider, for instance, the reflection principle 
in PA, i.e., all formulas of type $\mathrm{Provable}(F) \to F$. By Gödel's second incompleteness 
theorem, this principle is not provable in PA, since the consistency formula Con(PA) 
coincides with a special case of the reflection principle, namely $\mathrm{Provable}(\bot) \to \bot$. The 
formula Provable(F) is $\exists x\,\mathrm{Proof}(x, F)$ where Proof(x, y) is Gödel's proof predicate 


x is (a code of) a proof of a formula (having code) y. 


Assuming Provable(F) does not point to any specific proof of F, since this x 
may be a nonstandard natural number which is not a code of any actual derivation in 
PA. 
For proofs represented by explicit terms, the picture is very different. The principle 
of explicit reflection $\mathrm{Proof}(p, F) \to F$ is provable in PA for each specific derivation p. 
Indeed, if Proof(p, F) holds, then F is evidently provable in PA, and so is the formula 
$\mathrm{Proof}(p, F) \to F$. Otherwise, if Proof(p, F) does not hold, then $\neg\mathrm{Proof}(p, F)$ is true and 
provable, therefore $\mathrm{Proof}(p, F) \to F$ is also provable. 

This observation suggests a remedy: representing proofs by terms t in the proof formula 
Proof(t, F) instead of implicit representation of proofs by existential quantifiers in 
the provability formula $\exists x\,\mathrm{Proof}(x, F)$. As we have already mentioned, Gödel suggested 
using the format of explicit proof terms for the interpretation of S4 as early as 1938, but 
that paper remained unpublished until 1995 ([110]). Independently, the study of explicit 
modal logics was initiated in [14, 33, 34, 35, 247]. The Logic of Proofs may be regarded 
as an instance of Gabbay's Labelled Deductive Systems (cf. [98]). 

Proof polynomials are terms built from proof variables x,y,z,... and proof constants 
a, b, c, ... by means of three operations: application ‘$\cdot$’ (binary), union ‘+’ (binary), and 
proof checker ‘!’ (unary). The language of Logic of Proofs LP is the language of classical 
propositional logic supplemented by a new rule for building formulas, namely for each 
proof polynomial p and formula F, there is a new formula p:F denoting ‘p is a proof of 
F.’ It is also possible to read this language type-theoretically: formulas become types, 
and p:F denotes ‘term p has type F.’ We assume also that ‘t:’ and ‘$\neg$’ bind stronger than 
‘$\wedge$, $\vee$’ which, in turn, bind stronger than ‘$\to$.’ 

Axioms and inference rules of LP: 


1. Axioms of classical propositional logic 

2. $t:(F \to G) \to (s:F \to (t \cdot s):G)$ (application) 

3. $t:F \to F$ (reflection) 

4. $t:F \to\ !t:(t:F)$ (proof checker) 

5. $s:F \to (s+t):F$, $t:F \to (s+t):F$ (sum) 

6. Rule modus ponens 

7. $\vdash c:A$, where A is from 1-5, and c is a proof constant (constant specification) 


As one can see from the principles of LP, constants denote proofs of axioms. The 
application operation corresponds to the internalized modus ponens rule: for each s and 
t, a proof $s \cdot t$ is a proof of all formulas G such that s is a proof of $F \to G$ and t is a proof 
of F for some F. The sum ‘s + t’ of proofs s and t is a proof which proves everything 
that either s or t does. Finally, ‘!’ is interpreted as a universal program for checking the 
correctness of proofs, which given a proof t, produces a proof that t proves F ([14, 16]). 
In [17], it was noted that proof polynomials represent the whole set of possible operations 
on proofs for a propositional language. It was shown that any operation on proofs which 
is invariant with respect to a choice of a normal proof system and which can be specified 
in a propositional language can be realized by a proof polynomial. 

In what follows, ‘$\vdash$’ denotes derivability in LP unless stated otherwise. By a constant 
specification CS, we mean a set of formulas $\{c_1:A_1, c_2:A_2, \ldots\}$ where each $A_i$ is an axiom 
from 1-5 of LP, and each $c_i$ is a proof constant. By default, with each derivation in LP, 
we associate a constant specification CS introduced in this derivation by the use of the 
rule of constant specification. 

One of the basic properties of LP is its capability of internalizing its own derivations. 
The weak form of this property yields the following admissible rule for LP ([14, 16]): 


if $\vdash F$, then $\vdash p:F$ for some proof polynomial p. 

This rule is a translation of the well-known necessitation rule of modal logic 


$$\frac{\vdash F}{\vdash \Box F}$$


into the language of explicit proofs. The following more general internalization rule holds 
for LP: if 
$A_1, \ldots, A_n \vdash B$, 


then it is possible to construct a proof polynomial $t(x_1, \ldots, x_n)$ such that 
$x_1:A_1, \ldots, x_n:A_n \vdash t(x_1, \ldots, x_n):B$. 


One might notice that the Curry-Howard isomorphism covers only a simple instance of 
the proof internalization property where all of A1,..., An, B are purely propositional 
formulas containing no proof terms. For the Curry-Howard isomorphism basics, see, e.g., 
[108]. 

The decidability of LP was established by Mkrtychev in [193]. Kuznets in [168] obtained 
an upper bound $\Sigma^p_2$ on the satisfiability problem for LP-formulas in Mkrtychev 
models (cf. Section 5.3). This bound was lower than the known upper bound PSPACE 
on the satisfiability problem in S4 (under the assumption that $\Sigma^p_2 \neq$ PSPACE). A possible 
explanation of why LP wins in complexity over S4 is that the satisfiability test for 
LP is somewhat similar to type checking, i.e., checking the correctness of assigning types 
(formulas) to terms (proofs), which is known to be relatively easy in classical cases. 
Milnikel in [190] established $\Pi^p_2$-completeness of LP for some natural classes of constant 
specifications, including so-called injective ones, when each constant denotes a proof of 
not more than one axiom. $\Pi^p_2$-hardness for the whole LP remains an open problem. 

N. Krupski in [159] established the disjunctive property for LP: 


if $\mathsf{LP} \vdash s:F \vee t:G$, then $\mathsf{LP} \vdash s:F$ or $\mathsf{LP} \vdash t:G$. 


5.1 Arithmetical completeness 


The Logic of Proofs LP is sound and complete with respect to the natural provability 
semantics. By a proof system we mean a provably in PA decidable predicate Proof (x, y) 
that enumerates all theorems of PA, i.e., 


$\mathsf{PA} \vdash \varphi$ iff $\mathrm{Proof}(n, \varphi)$ holds for some n, 


together with computable functions m(x, y), a(x, y) and c(x) which satisfy identities for 
‘$\cdot$’, ‘+’, and ‘!’ respectively, i.e., for all arithmetical formulas $\varphi$, $\psi$ and all natural numbers 
k, n the following holds: 


$\mathrm{Proof}(k, \varphi \to \psi) \wedge \mathrm{Proof}(n, \varphi) \to \mathrm{Proof}(m(k, n), \psi)$ 
$\mathrm{Proof}(k, \varphi) \to \mathrm{Proof}(a(k, n), \varphi)$, $\mathrm{Proof}(n, \varphi) \to \mathrm{Proof}(a(k, n), \varphi)$ 
$\mathrm{Proof}(k, \varphi) \to \mathrm{Proof}(c(k), \mathrm{Proof}(k, \varphi))$. 


The class of proof systems includes the Gödelian proof predicate in PA 
x is a Gödel number of a derivation in PA containing a formula with a Gödel number y 


with obvious choice of operations m(x, y), a(x, y) and c(x). In particular, a(n, m) is the 
concatenation of proofs n and m, and c is a computable function that given a Gödel 
number of a proof n, returns the Gödel number c(n) of a proof, containing formulas 
$\mathrm{Proof}(n, \varphi)$ for all $\varphi$'s such that $\mathrm{Proof}(n, \varphi)$ holds. 

An arithmetical interpretation $*$ is determined by a choice of proof system as well as 
an interpretation of proof variables and constants by numerals (denoting proofs), and 
propositional variables by arithmetical sentences. Boolean connectives are understood in 
the same way in LP and PA, and a formula p:F is interpreted as an arithmetical formula 
Proof(p*, F*). 


This kind of provability semantics is referred to as call-by-value semantics; it 
was introduced in [15] and used in [16, 18, 29, 119, 270]. A more sophisticated 
call-by-name semantics of the language of LP was introduced in [14] and used 
in [160, 161, 235, 269]. Under the call-by-name semantics, proof polynomials 
are interpreted as Gödel numbers of definable provably recursive arithmetical 
terms. Call-by-value interpretations may be regarded as a special case of 
call-by-name interpretations since numerals are definable provably recursive 
arithmetical terms. 


For a given constant specification CS, an interpretation * is called a CS-interpretation if 
all formulas from CS are true under a given *. The following arithmetical completeness 
theorem has been established in [14] for the call-by-name semantics and in [15] for the 
call-by-value semantics (see also articles [16, 18]): 


THEOREM 13 (Artemov [14, 15]). A formula F is derivable in LP with a given constant 
specification CS iff $\mathsf{PA} \vdash F^*$, for any CS-interpretation $*$. 


This theorem stands if one replaces ‘$\mathsf{PA} \vdash F^*$’ by ‘$F^*$ holds in the standard model of 
arithmetic.’ 

In his recent paper [119], Goris showed that LP is sound and complete with respect 
to the call-by-value semantics of proofs in Buss's weak arithmetic $S^1_2$, thus showing that 
proof polynomials can be realized by PTIME-computable operations on proofs. Note that 
the corresponding question for the Provability Logic GL remains a major open problem. 

The logic of single-conclusion proofs was described by V. Krupski in [160, 161]. This 
system does not correspond to any normal modal logic. 


5.2 Realization Theorem 


Another major feature of the Logic of Proofs is its ability to realize all S4-derivable 
formulas by restoring corresponding proof polynomials inside all occurrences of modality. 
This fact may be expressed by the following realization theorem ([14, 16]). By a forgetful 
projection of an LP-formula F, we understand a modal formula obtained by replacing all 
assertions $t:(\cdot)$ in F by $\Box(\cdot)$. 

THEOREM 14 (Artemov [14]). S4 is the forgetful projection of LP. 


That the forgetful projection of LP is S4-compliant is a straightforward observation. 
The converse has been established in [14, 16] by presenting an algorithm which substitutes 
proof polynomials for all occurrences of modalities in a given cut-free Gentzen-style 
S4-derivation of a formula F, thereby producing a formula $F^r$ derivable in LP. The original 
realization algorithms from [14, 16] were exponential. Brezhnev and Kuznets in [69] 
offered a realization algorithm of S4 into LP which is polynomial in the size of a cut-free 
derivation in S4. The lengths of realizing proof polynomials can be kept quadratic in the 
length of the original cut-free S4-derivation. 

Here is an example of an S4-derivation realized as an LP-derivation in the style of 
Theorem 14. There are two columns in the table below. The first is a Hilbert-style 
S4-derivation of a modal formula □A ∨ □B → □(□A ∨ B). The second column displays 
corresponding steps of an LP-derivation resulting in an LP-proof of a formula 


x:A ∨ y:B → (a·!x + b·y):(x:A ∨ B) 

with constant specification 


{ a:(x:A → x:A ∨ B), b:(B → x:A ∨ B) }. 


     Derivation in S4               Derivation in LP 
1.   □A → □A ∨ B                    x:A → x:A ∨ B 
2.   □(□A → □A ∨ B)                 a:(x:A → x:A ∨ B) 
3.   □□A → □(□A ∨ B)                !x:x:A → (a·!x):(x:A ∨ B) 
4.   □A → □□A                       x:A → !x:x:A 
5.   □A → □(□A ∨ B)                 x:A → (a·!x):(x:A ∨ B) 
5′.                                 (a·!x):(x:A ∨ B) → (a·!x + b·y):(x:A ∨ B) 
5″.                                 x:A → (a·!x + b·y):(x:A ∨ B) 
6.   B → □A ∨ B                     B → x:A ∨ B 
7.   □(B → □A ∨ B)                  b:(B → x:A ∨ B) 
8.   □B → □(□A ∨ B)                 y:B → (b·y):(x:A ∨ B) 
8′.                                 (b·y):(x:A ∨ B) → (a·!x + b·y):(x:A ∨ B) 
8″.                                 y:B → (a·!x + b·y):(x:A ∨ B) 
9.   □A ∨ □B → □(□A ∨ B)            x:A ∨ y:B → (a·!x + b·y):(x:A ∨ B) 


Extra steps 5′, 5″, 8′, and 8″ are needed in the LP case to reconcile different internalized 
proofs of the same formula: (a·!x):(x:A ∨ B) and (b·y):(x:A ∨ B). The resulting realization 
respects Skolem’s idea that negative occurrences of existential quantifiers (here over proofs 
hidden in the modality of provability) are realized by free variables whereas positive 
occurrences are realized by functions of those variables. 

Switching from the provability format to the language of specific witnesses reveals 
hidden self-referentiality of modal logic, i.e., the necessity of using proof assertions of the 
form t:F(t), where t occurs in the very formula F(t) of which it is a proof. A recent 
result by Kuznets in [69] shows that self-referentiality is an intrinsic feature of the modal 
logic approach to provability in general. 


THEOREM 15 (Kuznets [69]). Self-referential constant specifications of the sort c:A(c) 
are necessary for realization of the modal logic S4 in the Logic of Proofs LP. 

In particular, the S4-theorem 


¬□¬(S → □S) 


cannot be realized in LP without self-referential constant specifications of the sort c:A(c). 

Systems of proof polynomials for other classical modal logics K, K4, D, D4, T were 
described in [67, 68]. The case of S5 = S4 + (¬□F → □¬□F) was special because of the 
presence of negative information about proofs and its connections to formal epistemology. 
The paper by Artemov, Kazakov, and Shapiro [29] introduced a system of proof terms 
for S5, and established realizability of the logic S5 by these terms, decidability, and 
completeness of the resulting logic of proofs. 


5.3 Fitting Models 


The main idea of epistemic semantics for LP can be traced back to Mkrtychev and 
Fitting. It consists of augmenting Boolean or Kripke models with an evidence function, 
which assigns ‘admissible evidence’ terms to a statement before deciding its truth value. 

Fitting models are defined as follows. A frame is a structure (W, R), where W is 
a non-empty set of possible worlds and R is a binary reflexive and transitive evidence 
accessibility relation on W. Given a frame (W, R), a possible evidence function ℰ is a 
mapping from worlds and proof polynomials to sets of formulas. We can read F ∈ ℰ(u, t) 
as 


‘F is one of the formulas for which t serves as possible evidence in world u.’ 


An evidence function is a possible evidence function which respects the intended meanings 
of the operations on proof polynomials, i.e., for all proof polynomials s and t, for all 
formulas F and G, and for all u, v ∈ W, each of the following hold: 


1. Monotonicity: uRv implies ℰ(u, t) ⊆ ℰ(v, t); 

2. Closure: 
• Application: F → G ∈ ℰ(u, s) and F ∈ ℰ(u, t) implies G ∈ ℰ(u, s·t); 
• Inspection: F ∈ ℰ(u, t) implies t:F ∈ ℰ(u, !t); 
• Sum: ℰ(u, s) ∪ ℰ(u, t) ⊆ ℰ(u, s + t). 


A model is a structure M = (W, R, ℰ, ⊩) where (W, R) is a frame, ℰ is an evidence 
function on (W, R), and ⊩ is an arbitrary mapping from sentence variables to subsets of 
W. Given a model M = (W, R, ℰ, ⊩), the forcing relation ⊩ is extended from sentence 
variables to all formulas by the following rules. For each u ∈ W: 


1. ⊩ respects connectives (u ⊩ F ∧ G iff u ⊩ F and u ⊩ G, u ⊩ ¬F iff u ⊮ F, etc.); 
2. u ⊩ t:F iff F ∈ ℰ(u, t) and v ⊩ F for every v ∈ W with uRv. 


We consider the modality □ associated with the evidence accessibility relation R. In 
these terms, the last item of the above definition can be recast as 


2′. u ⊩ t:F iff u ⊩ □F and t is an admissible evidence for F at u. 


Mkrtychev models are Fitting models with singleton W’s. LP was shown to be sound and 
complete with respect to both Mkrtychev models ([193]) and Fitting models ([91, 93]). 
Fitting models were adapted for multi-agent epistemic setting in [20, 30, 32, 92] and 
became the standard semantics for justification logics. 
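
The definition of Fitting models can be run directly on a finite frame. The following is an added example, not code from the Handbook or the cited papers: it assumes the least evidence function generated by a finite base assignment of formulas to atomic proof terms, and a hypothetical tuple encoding of terms and formulas. The two-world model is constructed here to check the realized formula x:A ∨ y:B → (a·!x + b·y):(x:A ∨ B) from Section 5.2 under its constant specification.

```python
# Terms (proof polynomials) and formulas are nested tuples; all names are hypothetical.
def atom(n): return ("atom", n)        # proof variable or constant
def app(s, t): return ("app", s, t)    # s·t
def bang(t): return ("bang", t)        # !t
def plus(s, t): return ("sum", s, t)   # s + t
def var(p): return ("var", p)          # sentence variable
def neg(f): return ("not", f)
def lor(f, g): return ("or", f, g)
def imp(f, g): return ("imp", f, g)
def ev(t, f): return ("ev", t, f)      # t:F


class FittingModel:
    def __init__(self, worlds, R, base, valuation):
        self.worlds, self.R = frozenset(worlds), frozenset(R)
        if not all((u, u) in self.R for u in self.worlds):
            raise ValueError("R must be reflexive")
        if not all((u, w) in self.R for (u, v) in self.R for (x, w) in self.R if v == x):
            raise ValueError("R must be transitive")
        self.base = base            # {(world, atom name): set of formulas}
        self.valuation = valuation  # {sentence variable: set of worlds}

    def evidence(self, u, t):
        """E(u, t) for the least evidence function generated by `base`."""
        kind = t[0]
        if kind == "atom":
            # Evidence given at v is inherited by every u with vRu (Monotonicity).
            return {f for (v, name), fs in self.base.items()
                    if name == t[1] and (v, u) in self.R for f in fs}
        if kind == "app":    # Application: F -> G in E(u,s), F in E(u,t) gives G
            left, right = self.evidence(u, t[1]), self.evidence(u, t[2])
            return {f[2] for f in left if f[0] == "imp" and f[1] in right}
        if kind == "bang":   # Inspection: F in E(u,t) gives t:F in E(u,!t)
            return {ev(t[1], f) for f in self.evidence(u, t[1])}
        if kind == "sum":    # Sum: E(u,s) and E(u,t) are both inside E(u,s+t)
            return self.evidence(u, t[1]) | self.evidence(u, t[2])
        raise ValueError(f"unknown term {t!r}")

    def forces(self, u, f):
        kind = f[0]
        if kind == "var":
            return u in self.valuation.get(f[1], set())
        if kind == "not":
            return not self.forces(u, f[1])
        if kind == "or":
            return self.forces(u, f[1]) or self.forces(u, f[2])
        if kind == "imp":
            return (not self.forces(u, f[1])) or self.forces(u, f[2])
        if kind == "ev":     # t:F needs admissible evidence AND truth at all R-successors
            admissible = f[2] in self.evidence(u, f[1])
            boxed = all(self.forces(v, f[2]) for (w, v) in self.R if w == u)
            return admissible and boxed
        raise ValueError(f"unknown formula {f!r}")

    def valid(self, f):
        return all(self.forces(u, f) for u in self.worlds)


def page_example():
    """Constructed two-world model for the realization example of Section 5.2."""
    A, B = var("A"), var("B")
    x, y, a, b = atom("x"), atom("y"), atom("a"), atom("b")
    goal = lor(ev(x, A), B)                  # x:A v B
    cs_a = imp(ev(x, A), goal)               # a:(x:A -> x:A v B)
    cs_b = imp(B, goal)                      # b:(B -> x:A v B)
    t = plus(app(a, bang(x)), app(b, y))     # a·!x + b·y
    realized = imp(lor(ev(x, A), ev(y, B)), ev(t, goal))
    worlds = {0, 1}
    R = {(0, 0), (0, 1), (1, 1)}
    base = {(0, "x"): {A}, (1, "y"): {B}}    # x is evidence for A from world 0 on
    for w in worlds:                         # constants justify their axioms everywhere
        base[(w, "a")] = {cs_a}
        base[(w, "b")] = {cs_b}
    model = FittingModel(worlds, R, base, {"A": {0, 1}, "B": {1}})
    return model, {"goal": goal, "cs_a": cs_a, "cs_b": cs_b, "t": t, "realized": realized}


if __name__ == "__main__":
    m, fm = page_example()
    print("realized formula valid:", m.valid(fm["realized"]))
    print("y:A at world 1:", m.forces(1, ev(atom("y"), var("A"))))
```

At world 1 the formula A holds at every accessible world, yet y:A is not forced because A is not among the formulas for which y is admissible evidence, which is exactly the second conjunct of clause 2′.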


5.4 Joint logics of proofs and provability 


The problem of finding a joint logic of proofs and provability has been a natural next 
step, since there are principles that can only be formulated in a mixed language of formal 
provability and explicit proofs. For example, the modal principle of negative introspection 
¬□F → □¬□F is not valid in the provability semantics; neither is a purely explicit version 
of negative introspection ¬(x:F) → t(x):¬(x:F). However, a mixed explicit-implicit 
principle ¬(t:F) → □¬(t:F) is valid in the standard provability semantics. 

The complete joint system of provability and explicit proofs without operations on 
proof terms, system B, was found in [13]. This system describes those principles that 
have a pure logical character and do not depend on any specific operations of proofs. 

The postulates of B consist of those of GL together with the following new principles: 


• A1. t:F → F, 
• A2. t:F → □F, 
• A3. ¬t:F → □¬t:F, 
• RR. Rule of reflection: ⊢ □F / ⊢ F. 


THEOREM 16 (Artemov [13]). B is sound and complete with respect to the semantics 
of proofs and provability in Peano arithmetic. 


The problem of joining two models of provability, GL and LP, into one model can be 
specified as that of finding an arithmetically complete logic containing postulates of both 
GL and LP and closed under internalization. 

The first solution to this problem was offered by Yavorskaya (Sidon) who found an 
arithmetically complete system of provability and explicit proofs, LPP, containing both 
GL and LP (cf. [235, 269]). Along with natural extensions of principles and operations 
from GL and LP, LPP contains additional operations ‘⇑’ and ‘⇓’ which were used to secure 
the internalization property of LPP. The operation ‘⇑’, given a proof t of F, returns a 
proof ⇑t of Provable(F). The operation ‘⇓’ takes a proof t of Provable(F) and returns a 
proof ⇓t of F. The set of postulates of LPP consists of those of GL and LP together with 
A2, A3, and RR from B, plus two new principles: 


• A4. t:F → (⇑t):□F, 
• A5. t:□F → (⇓t):F. 


Finally, Nogina in [30, 201] noticed that operations ‘⇑’ and ‘⇓’ along with A4 and A5 
are in a certain sense redundant and offered a simpler system, GLA, which is an arithmetically 
complete logic in a joint language of GL and LP, containing postulates of both GL 
and LP, and closed under internalization. The system GLA is presented in [30, 201] by 
the set of postulates of GL and LP augmented by the principles: 


• t:F → □F, 
• ¬t:F → □¬t:F, 
• t:□F → F, 


and Rule of reflection RR. 


THEOREM 17. 

(1) (Yavorskaya (Sidon) [235, 269]). LPP is sound and complete with respect to the 
semantics of proofs and provability in Peano arithmetic. 

(2) (Nogina [30, 201]). GLA is sound and complete with respect to the semantics of 
proofs and provability in Peano arithmetic. 


It was the system GLA, which served in [30, 32] as a prototype of justification logics (cf. 
Subsection 5.7). 


5.5 Quantified logics of proofs 


The arithmetical provability semantics for the logic of proofs may be naturally generalized 
to first-order language and to the language of LP with quantifiers over proofs. Both 
possibilities of enhancing the expressive power of LP were investigated and in both cases, 
axiomatizability questions have been answered negatively. 


THEOREM 18. 

(1) (Artemov, Yavorskaya (Sidon) [36]). The first-order logic of proofs is not recur- 
sively enumerable. 

(2) (Yavorsky [271]). The logic of proofs with quantifiers over proofs is not recursively 
enumerable. 


An interesting decidable fragment of the first-order logic of the standard proof predi- 
cate was found in [270]. 


5.6 Intuitionistic logic of proofs 


The problem of building the intuitionistic logic of proofs has two distinct parts. Firstly, 
one has to answer the question about the propositional logical principles that axiomatize 
HA-tautologies in the propositional language enriched by atoms ‘u is a proof of F’ without 
operations on proof terms, i.e., when u is a variable. The resulting basic logic of proofs 
reflects purely logical principles of the chosen format. Secondly, one has to pick systems 
of operations on proofs and study the corresponding intuitionistic logics of proofs. The 
first of the above problems was solved by Artemov and Iemhoff in [27] where the Basic 
Intuitionistic Logic of Proofs, iBLP, was introduced and found to be arithmetically complete 
with respect to the semantics of proofs in HA. The paper essentially uses techniques 
and results by de Jongh [77], Smoryński [239], de Jongh and Visser’s work on a basis 
for admissible rules in IPC (circa 1991, cf. [137]), Artemov & Strassen [33] and Artemov 
[13], Ghilardi [106, 107], Iemhoff [136, 138, 139]. 

The completeness proof presented in [27] is also interesting because it is the first result 
in this area for constructive theories; the corresponding problem for the provability logic 
of Heyting arithmetic HA is still open (Section 4.4). 


5.7 Applications 


Here we will list some conceptual applications of the Logic of Proofs. 

1. Existential semantics for modal logic. Proof polynomials and LP represent an 
exact existential semantics for mainstream modal logic. Initially, Gödel regarded the 
modality □F as the provability assertion, i.e., 


there exists a proof for F. 


Thus, according to Gödel, modality is an informal Σ₁-sentence, i.e., the one which consists 
of an existential quantifier (here over proofs) followed by a decidable condition. Such an 
understanding of modality is typical of ‘naive’ semantics for a wide range of epistemic 
and provability logics. Nonetheless, before LP was discovered, major modal logics lacked 
a mathematical semantics of an existential character. The exception to the rule is the 
arithmetical provability interpretation for the Provability Logic GL, which still cannot be 
extended to the major modal logics S4 and S5. 

Almost 30 years after the first work by Gödel on the subject, a semantics of a universal 
character was discovered for modal logic, namely Kripke semantics. Modality in that 
semantics is read informally as the sentence: 


in each possible situation, F holds. 


Such a reading of modality naturally appears in dynamic and temporal logics aimed 
at describing computational processes, states of which usually form a (possibly branch- 
ing) Kripke structure. Universal semantics has been playing a prominent role in modal 
logic. However, it is not the only possible semantical tool in the study and application of 
modality. The existential semantics of realizability by proof polynomials can also be use- 
ful for foundations and application of modal logic. For more discussion on the existential 
semantics for modal logic, see [22]. 

2. Justification Logic. A major area of application of the Logic of Proofs is epistemol- 
ogy. The books [89, 189] serve as an excellent introduction to the mathematical logic of 
knowledge. 

Plato’s celebrated tripartite definition of knowledge as justified true belief is generally 
regarded in mainstream epistemology as a set of necessary conditions for the possession 
of knowledge. Due to Hintikka, the ‘true belief’ components have been fairly formalized 
by means of modal logic and its possible worlds semantics. The remaining ‘justification’ 
condition has received much attention in epistemology (cf., for example, [59, 105, 116, 
129, 174, 177, 178, 204]), but lacked formal representation. The issue of finding a formal 
epistemic logic with justification has also been discussed in [247]. Such a logic contains 
assertions of the form □F (F is known), along with those of the form t:F (t is a 
justification for F). Justification was introduced into formal epistemology in [20, 30, 31, 
32] by combining Hintikka-style epistemic modal logic with justification calculi arising 
from the Logic of Proofs LP. The generic name for this kind of systems is Justification 
Logic. 

3. Logical omniscience problem. The traditional Hintikka-style modal logic approach 
to knowledge has the well-known defect of logical omniscience, which is an unrealistic 
feature that an agent knows all logical consequences of his/her assumptions ([87, 88, 134, 
198, 206, 207]). Justification Logic addresses the issue of logical omniscience in a natural 
way. The paper [28] suggests looking at the logical omniscience as a complexity issue 
and offers the following Logical Omniscience Test (LOT): an epistemic system E is not 
logically omniscient if for any knowledge assertion A of type ‘F is known’ that is valid 
in E, there is a proof of F in E, the complexity of which is bounded by some polynomial in 
the length of A. The usual epistemic modal logics are logically omniscient (modulo some 
common complexity assumptions). On the other hand, Justification Logic is logically 
omniscient w.r.t. the usual (implicit) knowledge and is not logically omniscient w.r.t. 
the evidence-based knowledge. 

4. Justified Knowledge. Justification Logic was used in [20, 23] to offer a new approach 
to common knowledge. A modal operator Jφ for justified knowledge introduced in [20, 23] 
is defined as a forgetful projection of justification assertions t:φ. Hence the intended 
meaning of Jφ is 


there is an access to an explicit evidence for φ. 


In particular, justified knowledge J was shown in [5, 20, 23] to provide a lighter, construc- 
tive version of common knowledge and can be used as such in solving specific problems. 


6 MODAL LOGIC OF SPACE 


The application of modal logic to topology has a rather long history. The idea of a 
simple ‘algebraic calculus’ suitable for proving some topological theorems dates back 
to Kuratowski [163]. A somewhat similar idea was proposed earlier by Riesz in [216]. 
A. Robinson in [217] put the problem of developing a topological model theory in the 
same manner as the classical first-order model theory. Classical first-order logic is in- 
sufficient for topology because here one usually deals both with points and sets, hence 
some fragments of second-order logic should be involved. Topological model theory in 
this style was developed in [95, 96]. 

The modal logic approach to topology lies within the same mathematical tradition. 
Modal calculi can also be interpreted in certain weak fragments of second-order logic. 
However, modal logics of interest are usually decidable and have a good mathematical 
structure with respect to both model theory and proof theory. All these features bring 
into topology some specific logical tools and results. 

The use of modal logic in topology was initially motivated by Kuratowski’s axioms. Let 
T = (X, I) be a topological space, where X is a set of points and I the interior operation. 
In terms of the interior (I) and Boolean operations, modal topological principles look as 
follows: 

A1. I(Y ∩ Z) = IY ∩ IZ; 
A2. IIY = IY; 
A3. IY ⊆ Y; 
A4. IX = X. 


Here Y, Z are subsets of X. These axioms can be viewed as identities in the language of 
Boolean algebras with an extra functional symbol I. They define the variety of so-called 
topo-Boolean algebras (a.k.a. interior algebras or closure algebras, the latter used by 
McKinsey and Tarski), and in an obvious way every topological space T corresponds to 
a topo-Boolean algebra, which is the powerset of T with the interior (or closure) operation 
acting on the subsets of T. The above axioms can also be written as propositional modal 
formulas: Boolean operations should be replaced by the corresponding propositional 
connectives, and I with the modal connective □. Thus we obtain the following modal 
axiom schemes: 


A1. □(A ∧ B) = □A ∧ □B, 
A2. □A → □□A, 
A3. □A → A, 
A4. □⊤, 


which are the well-known postulates of S4. This property, noticed in the late 1930s by 
Tarski, and independently by Stone and Tang, is rather surprising because Lewis’ original 
motivation of S4 was purely logical, and Gödel’s provability interpretation of S4 was also 
of a logical character. 

The topological interpretation can be modified to fit other modal logics, namely, one 
can consider neighborhood frames. By definition, such a frame F = (X, I) is a set X 
together with an operation I on its subsets. Then U is called a neighborhood of x if 
x ∈ IU. Given a valuation φ which sends proposition letters to subsets of X, we can 
extend it to all modal formulas as follows: 

φ(¬A) = X \ φ(A), 
φ(A ∧ B) = φ(A) ∩ φ(B), 
φ(A ∨ B) = φ(A) ∪ φ(B), 
φ(□A) = Iφ(A). 

The same definition can be given in terms of a forcing relation (or the truth at a point): 
a formula A is called true at w under interpretation φ if w ∈ φ(A); this is also denoted 
by w ⊩ A. Now the above conditions for extending φ can be written as follows: 

w ⊩ ¬A iff w ⊮ A, 
w ⊩ A ∧ B iff (w ⊩ A and w ⊩ B), 
w ⊩ A ∨ B iff (w ⊩ A or w ⊩ B), 
w ⊩ □A iff {y | y ⊩ A} is a neighborhood of w. 

So □A can be read as ‘A is locally true’ [220]. A formula A is called valid in F (notation: 
F ⊩ A) if φ(A) = X for any valuation φ. 

The set L(F) := {A | F ⊩ A} is called the modal logic of F. Logics of this form 
are called neighborhood (N-) complete. All well-known modal logics are N-complete. 
Moreover, they can be presented as logics of familiar topological spaces. 

The following theorem is a classical result in this area: 


THEOREM 19 (McKinsey, Tarski [187]). Let M be a separable dense-in-itself metric 
space. Then L(M) = S4. 


In particular, L(Rⁿ) = S4, for each n = 1, 2, 3, .... 

A simplified proof of topological completeness of S4 with respect to the Cantor space 
was obtained in [192]. Simplified proofs of completeness of S4 with respect to the real 
line R were given in [56, 237]. 

However, there exist N-incomplete modal logics, even among the extensions of S4. Such 
examples can be found in [103, 104, 228, 233]. This fact is perhaps counter to the naive 
intuition: it turns out that there exist systems of topo-Boolean identities that do not 
correspond to any particular topo-Boolean algebra of a topological space — every such 
algebra satisfies some other identities that are non-derivable from the original system. 
This is indeed an incompleteness phenomenon at the level of propositional modal logic 
akin to those in arithmetical theories. 


Kripke semantics can be regarded as a particular case of neighborhood semantics. In 
fact, given a Kripke frame (W, R), one can build the neighborhood frame N(W, R) = 
(W, I) where IU := {x | R(x) ⊆ U}, so that validities in these two frames are the same. 
Hence, Kripke-completeness implies N-completeness. The converse is not true; there 
exist topological spaces with Kripke-incomplete modal logics [103, 104, 228, 233]. 

For topological semantics of first-order modal logic, see Chapter 9 of this Handbook. 
Modal logics of product topologies were studied in [181, 219, 251]. Gabelaia’s master’s 
thesis [100] is a very informative source on modal logic and topology. 


6.1 Other operators in topological spaces 


The modality □ can be interpreted in topological spaces not only as the interior, but in 
some other natural ways. There are other known topological operators on sets that are 
not expressible in terms of Boolean operation and interior, e.g., taking the derived set 
d(X) which is the set of all limit points of X [164]. It turns out that the corresponding 
‘derivational modal logics’ of natural classes of topological spaces are not among the 
most popular modal logics, with one noticeable exception: the derivational modal logic 
of Cantor’s scattered topological spaces turned out to be the Provability Logic GL. 


DEFINITION 20. Let C be a class of topological spaces. We understand by Ld(C) the 
derivational modal logic of C, i.e., the set of propositional formulas with the modality ◇ 
interpreted as the derived set operator d that hold in all T’s from C. By wK4 (‘weak 
K4’) we understand the modal logic K + (p ∧ □p) → □□p, and by D4 the logic K4 + ◇⊤. 
By the modality □⁺F, we mean F ∧ □F. 


THEOREM 21. 
(1) (Esakia [83, 85, 86]). wK4 is the derivational logic of the class of all topological 
spaces. 
(2) (Shehtman [230]). For n > 1, Ld(Rⁿ) = D4 + □[(p ∧ □p) ∨ (¬p ∧ □¬p)] → □p ∨ □¬p. 
(3) (Shehtman [232]). Ld(R) = D4 + □(□⁺F₁ ∨ □⁺F₂ ∨ □⁺F₃) → (□¬F₁ ∨ □¬F₂ ∨ □¬F₃), 
where 


Fᵢ = pᵢ ∧ ⋀_{j≠i} ¬pⱼ. 


Note that the derivational modal logics of R and Rⁿ for n > 1 are different. Shehtman 
in [230] also found that derivational modal logics of Q, Cantor’s discontinuum C, as well 
as any 0-dimensional separable dense-in-itself metric space are all equal to D4. Further 
results on axiomatization and definability of derivational logics can be found in [55]. 

A topological space is called scattered if it has no dense-in-itself non-empty subsets. 
Let α be an ordinal. We view α as a topological space with its interval topology. Then 
it is known that every ordinal α is a scattered space ([186]). 


THEOREM 22. 
(1) (Esakia [84, 86]). GL is the derivational logic of the class of all scattered spaces. 
(2) (Abashidze [1], Blass [58]). GL is the derivational logic of α, for any specific ordinal 
α ≥ ω^ω. 


These theorems demonstrate that Gödel’s consistency operator Con(F), stating that 


F is consistent with Peano arithmetic, 


and Cantor’s topological derived set operator d on scattered spaces have the same set of 
propositional identities. 


6.2 Adding the universal modality 


Topological spaces may be considered Boolean algebras with several extra operations, 
and this leads to different polymodal logics. The basic modal language can be expanded 
by other modal connectives. For example, one can add the universal modality [∀], with 
the following interpretation: 


w ⊩ [∀]A if x ⊩ A holds for any x ∈ X. 


The new language is more expressive: in fact, the formula 


(AC) := [∀](□p ∨ □¬p) → [∀]p ∨ [∀]¬p 


is valid exactly in connected spaces, but connectedness cannot be expressed in the basic 
language. Moreover, the following analogs of the classical McKinsey-Tarski Theorem 19 
hold. Let 

S4U = S4 (for □) + S5 (for [∀]) + [∀]p → □p, 
S4UC = S4U + (AC). 

Let also LU(C) denote the logic of a class C in the expanded language with □ and [∀]. 

THEOREM 23. 
(1) (Goranko, Passy [117]). S4U = LU(all topological spaces). 
(2) (Shehtman [231]). If X is a separable dense-in-itself metric space, then 


LU(X) = S4UC. 


Some refinement of Shehtman’s result (2) can be found in [250] and Chapter 9 of this 
Handbook. It was shown in [117, 231] that S4U and S4UC have the finite model property, 
and so they are decidable. As for complexity, S4U is known to be PSPACE-complete [6]. 

An interesting feature is that many mereotopological relations between spatial regions 
(such as ‘X is disconnected from Y’ or ‘X is a (non)tangential proper part of Y’) arising 
in geographical information systems and qualitative spatial representation and reasoning 
can be expressed within S4U. For example, spatial regions of the region connection calculus 
RCC-8 [51, 82, 211, 212] are interpreted as regular closed subsets of a topological space, 
and hence can be represented by S4U-formulas of the form ◇□X. The binary relations 
of RCC-8 can be captured using the universal modality, for instance, [∀](◇□X → ◇□Y) 
says that region X is a part of region Y. RCC-8 is NP-complete whereas the satisfiability 
problem for BRCC-8 (RCC-8 with Boolean operations on regions) in the Euclidean spaces 
is PSPACE-complete, that is, of the same complexity as S4U itself ([101, 266]). 


6.3 Modal logic of metric spaces 


The first paper on modal logic for metric spaces was, perhaps, the McKinsey and Tarski 
paper [187], though there were no special modalities for distances there. First-order 
modal logics for metric spaces were considered in [121]. Modal logics containing specific 
metric modalities 


• ∃^{<a} (or ∃^{≤a}) for ‘somewhere in the sphere of radius a excluding (or including) the 
boundary,’ where a is a positive rational number; 

• ∃^{<a}_{>b} for ‘somewhere at distance d with b < d < a,’ where b < a are positive rational 
numbers, 


were introduced and studied in [166, 267, 268]. In particular, Wolter and Zakharyaschev 
in [268] introduced the modal logic of metric and topology, MT, in the language containing 
□ and [∀], along with the metric modalities ∃^{<a} and ∃^{≤a}. 


THEOREM 24 (Wolter, Zakharyaschev [268]). 
(1) MT is decidable and EXPTIME-complete over arbitrary metric spaces. 
(2) MT is decidable over the one-dimensional Euclidean space R. 
(3) MT over R² with the Euclidean metric is undecidable. 


For a survey of other results and further research directions cf. [165]. 


6.4 Modal logic of dynamic topology 


One more class of natural mathematical objects, the topological dynamic systems, became 
a subject of modal logic studies. Two independently working groups can be credited for 
its origin in 1997: one at Stanford (Kremer, Mints, and Rybakov), and one at Cornell 
(Artemov, Davoren, and Nerode). We will start by observing the results of the latter, 
since their approach was more general. 

The basic model under consideration is a topological dynamic system (T, f) consisting 
of a topological space T = (X, I) and a total function f mapping X to X. The corresponding 
bimodal logic consists of good old S4 with its standard topological interpretation in 
(X, I), together with a unary modality ○ similar to the one called the next or tomorrow 
in temporal logic. A temporal logic was first introduced in [208, 209, 210, 264, 265]. 

The interpretation of the Boolean connectives is set theoretical in X, □ is interpreted 
as the interior operation I on T, and ○Y is interpreted as f⁻¹Y, i.e., the inverse image 
of Y with respect to f. Hence, the interpretation of ○ reflects the idea of the ‘next’ 
temporal operator: ○Y is the set of points of X which will land in Y ‘tomorrow,’ after 
f acts on them once. 


DEFINITION 25. The basic system S4F of the dynamic topological logic is S4 together 
with two temporal principles: 


○(A → B) → (○A → ○B), 
○(¬A) = ¬○A, 

and the Rule of necessitation for ○: ⊢ A / ⊢ ○A. 


The expressive power of S4F suffices to capture the Hoare implication A → ○B, stating 
that with a precondition A after action f, the condition B will hold. One of the main 
motivations for the authors of [26] to introduce and study dynamic topological logic 
was to devise a logic tool for analysis of classical and hybrid control systems, where the 
control function is not necessarily continuous. This line of work has been pursued by 
Davoren in her dissertation [76], and in subsequent works. 

Dynamic systems with continuous function f have been given special treatment. The 
bimodal language of dynamic topological logic naturally expresses continuity via the 
principle 


Cont: ○□A → □○A, 


reflecting the definition of a continuous mapping as one where an inverse image of an 
open set is open. Consider the logic 


S4C = S4F + Cont. 


THEOREM 26 (Artemov, Davoren, Nerode [26]). 
(1) S4F is sound and complete with respect to the class of all dynamic systems (T, f), 
(2) S4C is sound and complete with respect to the class of all dynamic systems (T, f) 
where f is continuous on T. 


In addition, S4F and S4C enjoy cut-elimination and the finite model property w.r.t. 
the corresponding class of Kripke models. 

It follows from the proof that S4C is also sound and complete w.r.t. continuous 
dynamic systems with Alexandrov spaces (the topological equivalents of Kripke frames). 
Slavnov in [236] and independently Kremer and van Benthem (cf. [156, 237]) showed 
that the analog of the McKinsey-Tarski completeness theorem does not hold here: S4C 
is not complete with respect to the real topology over R. In [237], the following weaker 
form of the McKinsey-Tarski theorem for S4C was established by Slavnov: 


if F is not provable in S4C, then F has a countermodel in Rⁿ for an appropriate n. 


There is no complete axiomatization known for continuous dynamic systems over Rⁿ for 
any specific n. 

Dynamic systems (T, f) with continuous f became a starting point for [154, 155, 157]. 
Consider the logic 


S4○ = S4C + □○A → ○□A. 


THEOREM 27 (Kremer, Mints, Rybakov [156, 157]). S4○ is sound and complete w.r.t. 
the following classes of dynamic systems (T, f): 

(a) f is a homeomorphism; 

(b) T is an Alexandrov space, f is a homeomorphism; 

(c) T is a real topology Rⁿ, f is a homeomorphism; 

(d) T is a unit ball Bⁿ, f is a measure preserving homeomorphism. 


As was shown in [156], S4○ has the finite model property, hence it is decidable. 
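
The interior semantics of Section 6 and the dynamic principles of this subsection can be checked exhaustively on a finite Alexandrov space. The following is an added example, not code from the Handbook or the cited papers: the class and method names are hypothetical, the space is the one built from a Kripke preorder via IU = {x | R(x) ⊆ U}, and the three maps on the two-point Sierpiński space are constructed for illustration. An implication is valid in the system exactly when the set denoted by its antecedent is included in the set denoted by its consequent for every choice of A.

```python
from itertools import combinations


def subsets(points):
    """All subsets of a finite set, as frozensets."""
    pts = sorted(points)
    return [frozenset(c) for r in range(len(pts) + 1) for c in combinations(pts, r)]


class DynamicSystem:
    """Finite dynamic system (T, f); T is the Alexandrov space of a preorder on X."""

    def __init__(self, points, R, f):
        self.X = frozenset(points)
        R = set(R) | {(x, x) for x in self.X}           # reflexive closure
        while True:                                      # transitive closure
            extra = {(a, d) for (a, b) in R for (c, d) in R if b == c} - R
            if not extra:
                break
            R |= extra
        self.succ = {x: frozenset(y for (a, y) in R if a == x) for x in self.X}
        if set(f) != set(self.X) or not set(f.values()) <= self.X:
            raise ValueError("f must be a total function from X to X")
        self.f = dict(f)
        self.sets = subsets(self.X)

    def interior(self, U):
        """Box: IU = {x | R(x) is a subset of U}."""
        return frozenset(x for x in self.X if self.succ[x] <= U)

    def next(self, Y):
        """Next-time modality: the inverse image of Y under f."""
        return frozenset(x for x in self.X if self.f[x] in Y)

    def is_open(self, U):
        return self.interior(U) == U

    def kuratowski_axioms_hold(self):
        I, P = self.interior, self.sets
        return (all(I(Y & Z) == I(Y) & I(Z) for Y in P for Z in P)
                and all(I(I(Y)) == I(Y) and I(Y) <= Y for Y in P)
                and I(self.X) == self.X)

    def temporal_axioms_valid(self):
        """The two temporal principles of S4F, checked for all A, B."""
        nxt, X, P = self.next, self.X, self.sets
        k = all(nxt((X - A) | B) <= (X - nxt(A)) | nxt(B) for A in P for B in P)
        neg = all(nxt(X - A) == X - nxt(A) for A in P)
        return k and neg

    def is_continuous(self):
        """Inverse image of every open set is open."""
        return all(self.is_open(self.next(U)) for U in self.sets if self.is_open(U))

    def is_homeomorphism(self):
        # A continuous bijection of a finite space onto itself has finite order,
        # so its inverse is a power of f and is continuous as well.
        return set(self.f.values()) == set(self.X) and self.is_continuous()

    def cont_valid(self):
        """Cont: next(box A) -> box(next A), for all A."""
        return all(self.next(self.interior(A)) <= self.interior(self.next(A))
                   for A in self.sets)

    def converse_cont_valid(self):
        """Extra principle of Theorem 27's logic: box(next A) -> next(box A)."""
        return all(self.interior(self.next(A)) <= self.next(self.interior(A))
                   for A in self.sets)


def sierpinski(f):
    """Two-point space with preorder 0 <= 1; its open sets are {}, {1}, {0, 1}."""
    return DynamicSystem({0, 1}, {(0, 1)}, f)


if __name__ == "__main__":
    for name, f in [("identity", {0: 0, 1: 1}), ("swap", {0: 1, 1: 0}),
                    ("constant 0", {0: 0, 1: 0})]:
        s = sierpinski(f)
        print(name, s.is_continuous(), s.cont_valid(), s.converse_cont_valid())
```

The swap map is not continuous and falsifies Cont at A = {1}, while the two S4F temporal principles still hold for it; the constant map is continuous but not a homeomorphism and falsifies the converse principle at A = {0}.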

The systems S4F, S4C, and S4○ (along with the so-called temporal-over-topological fragment 
of the dynamic topological logic from [156]) basically exhaust the list of known 
axiomatizability results in dynamic topology. The papers [76, 155, 157], in addition to 
□ and ○, consider the S4-type modality henceforth, ∗, borrowed from temporal 
logic, with an apparent goal of capturing some asymptotic behavior of the function f in 
a dynamic system (T, f). The formal topological interpretation φ of ∗B is 


φ(∗B) = ⋂_{n≥0} f⁻ⁿφ(B), 


which specifies the set of points x ∈ φ(B) that never leave φ(B) under f, f², f³, etc. 
The dual of ∗ is the modality #, such that #B is interpreted as 


φ(#B) = ⋃_{n≥0} f⁻ⁿφ(B), 


which gives the set of points x that are either in φ(B), or reach φ(B) under at least 
one of the iterations f, f², f³, etc. This third modality ∗ considerably extends the 
expressive power of the dynamic topological logic, making it closer to applications in 
dynamic systems and control theory. However, this expressive power seems to ruin good 
algorithmic behavior of dynamic topological logic, as is shown in the following theorem. 


THEOREM 28 (Konev, Kontchakov, Wolter, Zakharyaschev [151]). Let M be one of the 
following classes of dynamic systems (T, f): 

(a) f is a homeomorphism; 

(b) T is the class of all Alexandrov spaces, f is a homeomorphism; 

(c) T is a real topology Rⁿ, f is a homeomorphism; 

(d) T is a unit ball Bⁿ, f is a measure preserving homeomorphism. 

Then the set of formulas in the language with {□, ○, ∗} that are valid in M is not 
recursively enumerable. All these logics are different. 


The proof is by reduction of the Post correspondence problem. 

In addition, [151] considers logics for dynamic systems (T, f), where T is a metric 
space and f an isometric function. The modal operator for topological interior □ is 
replaced by distance operators of the form ∃^{≤a}, ‘somewhere in the ball of radius a,’ for 
a positive rational a. In contrast to the topological case, the resulting logic turns out to 
be decidable, but not bounded in time by any elementary function. 

A follow-up paper [102] showed (using more general results on products of modal logics 
with expanding domains) that the dynamic topological logic interpreted in topological 
spaces with continuous functions was decidable if the number of function iterations was 
assumed to be finite, however, not in primitive recursive time. The decidability proof 
was based on Kruskal’s tree theorem, and the proof of non-primitive recursiveness was 
established by reduction of the reachability problem for lossy channel systems. Note that 
the dynamic topological logics interpreted in topological spaces with finite iterations of 
homeomorphisms are not recursively enumerable. 

Quite recently, by encoding the w-reachability problem for lossy channel systems it 
was shown in [152] that the dynamic topological logic over some natural spaces with 
continuous functions is undecidable. 


THEOREM 29 (Konev, Kontchakov, Wolter, Zakharyaschev [152]). The set of formulas
in the language with $\{\Box, \bigcirc, *\}$ that are valid in any of the following classes:

(a) all continuous dynamic systems $\langle T, f \rangle$,

(b) continuous dynamic systems $\langle T, f \rangle$ where $T$ is the class of all Alexandrov spaces,

(c) continuous dynamic systems $\langle T, f \rangle$ where $T$ is a real topology $\mathbb{R}^n$,

is undecidable. All these logics are different.


This gives a solution to one of the major open problems in the area. 

The remaining challenging open questions here are: 

1. the decidability and axiomatizability of the dynamic topological logic in the language
with $\{\Box, \bigcirc\}$ for the class of continuous dynamic systems over real topological
spaces $\mathbb{R}^n$ for fixed $n = 1, 2, 3, \ldots$;

2. the axiomatizability of the dynamic topological logic in the language with $\{\Box, \bigcirc, *\}$
for the class of all continuous dynamic systems.


6.5 Other geometric notions 


A number of other fundamental geometrical notions have been connected to correspond- 
ing extensions of modal logic in [2, 3, 4]. The paper [3] considered different topological 
and geometric structures such as connectedness, affine structure, convexity, etc., and 
proposed a number of languages extending the usual modal language in order to describe 
these structures. Some authors studied modal logics of such geometric notions as in- 
cidence, parallelism, orthogonality, and such structures as projective and affine planes. 
Precise references and details can be found, e.g., in [38]. 

The logic of comparative similarity, CSL, with the sole metric operator $\leftleftarrows$ for 'closer'
was introduced and investigated in [234]: $X \leftleftarrows Y$ is the set of all points of a given
metric space that are closer to set $X$ than to set $Y$. Despite its apparent simplicity, this
language is quite impressive. In particular, the topological interior and closure operators
as well as the universal modality can be expressed in terms of $\leftleftarrows$.

In all, the above papers contributed to making spatial and spatio-temporal reasoning a 
lively and actively developing area. Once again, we will refer the reader to the forthcom- 
ing collection ‘The Logic of Space,’ edited by Aiello, van Benthem, and Pratt-Hartmann. 


6.6 Modal logic of spacetime 


The Minkowski spacetime, together with the causal (<) and chronological (<) accessibility
relations, constitutes Kripke-style frames which naturally have corresponding modal
logics. Knowing such modal logics provides additional understanding of Minkowski's
spacetime that forms the basis of Einstein's special theory of relativity. The mathematical
problem of finding modal logics for chronological future modality was solved
by Goldblatt [112] and Shehtman [229]; the modal logic of the chronological relation <
turned out to be $\mathbf{S4.2} = \mathbf{S4} + \Diamond\Box F \to \Box\Diamond F$. A similar problem for causal future modality
was solved by Shapirovsky and Shehtman in [223].


6.7 Topoi


Yet another incarnation of the topological semantics is given by interpreting intuitionistic 
modality in Grothendieck topology on a category and sheaf theory. Such an interpre- 
tation was suggested by Lawvere [173]; a relevant axiomatic system was suggested by 
Goldblatt in [113]. See the survey [115] and Chapter 9 of this Handbook for exact formu- 
lations and discussion. For a different connection between modalities and topos theory 
relying on geometric morphisms, also see Chapter 9 of this Handbook. An interest- 
ing topos-theoretic approach to modality can be found in the works of Reyes and his 
collaborators [172, 185, 213, 214, 215]. 


6.8 Universal algebra 


A new research thrust in which using modal logic on classical mathematical structures
makes good sense was suggested by Goranko and Vakarelov in [118]. They have developed
a uniform approach to axiomatizing various classes of traditional algebraic structures
in modal logic, using the fact that difference modality is naturally definable there.


7 MODALITIES IN SET THEORY 


We start with two theorems by Solovay, both published in [65], Chapter 13. These
theorems gave a modal characterization of the notions of truth in all transitive models
of ZF and truth in all models $V_\kappa$, where $\kappa$ is inaccessible.

Let $\varphi$ be a function that assigns to each propositional letter a sentence of the language
of set theory. For each modal formula $A$, we define its interpretation, $\varphi(A)$, as follows:
$\varphi$ commutes with Boolean connectives, and $\varphi(\Box A)$ is the sentence of ZF that translates
'$\varphi(A)$ holds in all transitive models of ZF.'

Let I be the system of modal logic that results when the principle

$$(\Box A \to \Box B) \vee \Box(\Box B \to (A \wedge \Box A))$$

is added to GL as a new axiom schema.

A universe is a set $V_\kappa$, where $\kappa$ is inaccessible. All such $V_\kappa$'s are models of ZF (cf.
[162]). Let $\psi$ be defined as $\varphi$ before, except that we now define $\psi(\Box A)$ as the sentence
of ZF that translates '$\psi(A)$ holds in all universes.' Let J be GL plus the principle

$$(\Box A \to B) \vee \Box((B \wedge \Box B) \to A).$$


THEOREM 30 (Solovay, cf. [65]).
(1) I $\vdash A$ iff ZF $\vdash \varphi(A)$, for all $\varphi$ that translate $\Box A$ as 'A holds in all transitive
models of ZF.'
(2) J $\vdash A$ iff ZF $\vdash \psi(A)$, for all $\psi$ that translate $\Box A$ as 'A holds in all universes.'


A strong connection between modal logic and non-well-founded sets has been pro- 
vided by Barwise and Moss in [41] and Baltag in [39, 40]. Suppose one takes ordinary 
modal logic over some fixed set of atomic sentences and then considers the full infinitary 
propositional language generated by this. The resulting language has conjunctions and 
disjunctions of all sets of sentences, and this itself is a proper class of sentences. In
addition to this, one can also consider the language with Boolean combinations of at most
$\kappa$ sentences, where $\kappa$ is a cardinal number. A pointed model is a Kripke model with a
distinguished point. Bisimulations between pointed models are ordinary bisimulations
which relate the distinguished points. Barwise and Moss proved that for every pointed
graph $(X, x)$, there is a single sentence $\varphi_{X,x}$ which characterizes $(X, x)$ in the sense that
for all $(Y, y)$, $(Y, y) \models \varphi_{X,x}$ iff $(Y, y)$ is bisimilar to $(X, x)$. The countable case of the
Barwise-Moss result had been proved earlier in [249]. It also has roots in infinitary model
theory: the Scott sentences there are essentially the same as the characterizing sentences 
for modal logic. The reason why these results are of interest in non-well-founded set 
theory is that one way to think about non-well-founded sets is as equivalence classes of 
pointed models, where the equivalence relation is just the maximum bisimulation. Inci- 
dentally, the presence of atomic sentences in the various modal logics then corresponds 
to the presence of urelements in the various set theories. 

Viewing the canonical model as a structure for set theory will not give anything like 
a model of standard ZF because it would have a universal set. However, one can use the 
model to obtain a new set theory. This is what Baltag did in [39, 40]. His system STS
(Structural Theory of Sets) contains a strengthening of Aczel’s AFA axiom, expressed in 
terms of modal descriptions. Baltag’s axiom SAFA, Super-Antifoundation, implies that 
every maximally consistent class in the infinitary modal logic characterizes some set. STS 
also has applications to paradoxes and to the ‘large/small’ distinction in set theory. 

Fitting and Smullyan’s book [94] is a development of forcing used in independence 
results, presented in the language of modal logic. The authors use modal terms to 
explicate many of the combinatorial issues in forcing. Forcing is not usually presented in 
this way, although it seems quite natural to do so, and they explore a number of affinities 
between modal logic and forcing. 

The paper [58] by Blass presents a set theoretical interpretation of possibility and 
necessity, based on infinite combinatorics. This is set theoretically meaty, and the focus 
is on consistency results for infinite combinatorics. 

Hamkins’ paper [127] introduces the forcing interpretation of modal logic. The focus 
of the paper, however, is on the Maximality Principle, and it does not use much modal 
logic beyond observing that the Maximality Principle is equivalent to S5 under the forcing 
interpretation. The Ph.D. dissertation of Hamkins’ student Leibman [175] explores the 
forcing interpretation of modal logic a bit further. In a recent paper [128] by Hamkins
and Löwe, it was proved that the ZFC-provable modal validities for this interpretation
are exactly S4.2. There are a large number of open questions in this area.


1 INTRODUCTION


This chapter describes an automata-theoretic approach to temporal reasoning. The basic 
idea underlying this approach is that for any temporal formula we can construct a finite- 
state automaton that accepts the computations that satisfy the formula. For linear 
temporal logics the automaton runs on infinite words while for branching temporal logics 
the automaton runs on infinite trees. The simple combinatorial structures that emerge 
from the automata-theoretic approach decouple the logical and algorithmic components 
of temporal reasoning and yield clear and asymptotically optimal algorithms. 

Temporal logics, which are modal logics geared towards the description of the temporal
ordering of events, have been adopted as a powerful tool for specifying the behavior of
concurrent programs and for verifying that such programs meet their specifications [47, 57].
One of the most significant developments in this area is the discovery of algorithmic
methods for verifying temporal logic properties of finite-state programs [15, 44, 60, 81].
(A state of a program is a complete description of its status, including the assignment
of values to variables, the value of the program counter, which points to the instruction 
currently being executed, and the like. Finite-state programs have finitely many pos- 
sible states, which means that the variables range over finite domains and recursion, if 
allowed, is bounded in depth.) This derives its significance from the fact that many syn- 
chronization, coordination and communication protocols can be modeled as finite-state 
programs [46, 63]. Finite-state programs can be modeled by transition systems where 
each state has a bounded description, and hence can be characterized by a fixed number 
of Boolean atomic propositions. This means that a finite-state program can be viewed 
as a finite propositional Kripke structure and that its properties can be specified using 
propositional temporal logic. Thus, to verify the correctness of the program with respect 
to a desired behavior, one only has to check that the program, modeled as a finite Kripke 
structure, is a model of (satisfies) the propositional temporal logic formula that specifies 
that behavior. Hence the name model checking for the verification methods derived from 
this viewpoint. An extensive survey of model checking can be found in [16, 37]. Model 
checking is an algorithmic approach to program verification. It is different from the
deductive approach, in which a person, perhaps aided by computers, uses deductive
techniques to prove that a program satisfies its specification [48].

We distinguish between two types of temporal logics: linear and branching (see [43] 
and general discussion of temporal structures in Chapter 11 of this handbook). In linear 
temporal logics, each moment in time has a unique possible future, while in branching 
temporal logics, each moment in time may split into several possible futures. (For an 
extensive discussion of various temporal logics, see [22].) For both types of temporal 
logics, a close and fruitful connection with the theory of automata on infinite structures 
has been developed. The basic idea is to associate with each temporal logic formula a 
finite automaton on infinite structures that accepts the computations that satisfy the 
formula. For linear temporal logic the structures are infinite words [66, 45, 68, 83], 
while for branching temporal logic the structures are infinite trees [30, 69, 21, 26, 82]. 
This enables the reduction of temporal logic decision problems, such as satisfiability and 
model checking, to known automata-theoretic problems, such as nonemptiness, yielding 
clean and asymptotically optimal algorithms. This reduction is the subject matter of 
this chapter. (See also Chapter 11 for a general discussion of temporal reasoning and 
Chapters 4 and 7 for discussions of modal reasoning.) 

Initially, the translations in the literature from temporal logic formulas to automata 
used nondeterministic automata (cf. [34, 82, 83]). These translations have two
disadvantages. First, the translation itself is rather nontrivial; for example, in [82, 83] the
translations go through a series of ad-hoc intermediate representations in an attempt to 
simplify the translation. Second, for both linear and branching temporal logics there 
is an exponential blow-up involved in going from formulas to automata. This suggests 
that any algorithm that uses these translations as one of its steps is going to be an 
exponential-time algorithm. Thus, the automata-theoretic approach did not seem to be 
applicable to branching-time model checking, which in many cases can be done in linear 
execution time [15, 17, 60]. 

In the mid 1990s, it was shown that if one uses alternating automata rather than 
nondeterministic automata, then these problems can be addressed [42, 74]. Alternating 
automata generalize the standard notion of nondeterministic automata by allowing sev- 
eral successor states to go down along the same word or the same branch of the tree. In 
this chapter we argue that alternating automata offer the key to a comprehensive and
satisfactory automata-theoretic framework for temporal logics. We demonstrate this claim
by showing how alternating automata can be used to derive model-checking and satis- 
fiability algorithms for both linear and branching temporal logics. The key observation 
is that while the translation from temporal logic formulas to nondeterministic automata 
is exponential [82, 83], the translation to alternating automata is linear [27, 42, 53, 74]. 
Thus, the advantage of alternating automata is that they enable one to decouple the 
logic from the combinatorics. The translations from formulas to automata handle the 
logic, and the algorithms that handle the automata handle the combinatorics.


Historical Note: The connection between logic and automata goes back to work in the 
early 1960s [6, 20, 73] on monadic second-order logic and automata over finite words. 
This was extended in [7] to infinite words, in [19, 72] to finite trees, and in [61] to 
infinite trees. As temporal logics can be expressed in first-order or monadic second-order 
logic [38, 35], the connection between monadic second-order logic and automata yields a 
connection between temporal logics and automata. Developing decision procedures that 
go via monadic second-order logic was a standard approach in the 1970s, see [33]. A 
direct translation to automata was proposed first in [70] in the context of propositional 
dynamic logic. A direct translation from temporal logic to automata was first given in 
[85] (see also [83] for linear time and in [80] for branching time). The translation to 
alternating automata was first proposed in [53] and pursued further in [42, 74, 75]. 


2 AUTOMATA THEORY 


2.1 Words and Trees 


We are given a finite nonempty alphabet $\Sigma$. A finite word is an element of $\Sigma^*$, i.e., a
finite sequence $a_0, \ldots, a_n$ of symbols from $\Sigma$. An infinite word is an element of $\Sigma^\omega$, i.e.,
an infinite sequence $a_0, a_1, \ldots$ of symbols from $\Sigma$.


A tree is a (finite or infinite) connected directed graph, with one node designated as
the root and denoted by $\varepsilon$, and in which every non-root node has a unique parent ($s$ is
the parent of $t$ and $t$ is a child of $s$ if there is an edge from $s$ to $t$) and the root $\varepsilon$ has no
parent. The arity of a node $x$ in a tree $\tau$, denoted $arity(x)$, is the number of children
of $x$ in $\tau$. The level of a node $x$, denoted $|x|$, is its distance from the root; in particular,
$|\varepsilon| = 0$. Let $N$ denote the set of positive integers. A tree $\tau$ over $N$ is a subset of $N^*$, such
that if $x \cdot i \in \tau$, where $x \in N^*$ and $i \in N$, then $x \in \tau$, there is an edge from $x$ to $x \cdot i$, and
if $i > 1$ then also $x \cdot (i - 1) \in \tau$. By definition, the empty sequence $\varepsilon$ is the root of such a
tree. Let $D \subset N$. We say that a tree $\tau$ is a $D$-tree if $\tau$ is a tree over $N$ and $arity(x) \in D$
for all $x \in \tau$. A tree is called leafless if every node has at least one child.


A branch $\beta = x_0, x_1, \ldots$ of a tree is a maximal sequence of nodes such that $x_0$ is the
root and $x_i$ is the parent of $x_{i+1}$ for all $i \ge 0$. Note that $\beta$ can be finite or infinite; if it
is finite, then the last node of the branch has no children. A $\Sigma$-labeled tree, for a finite
alphabet $\Sigma$, is a pair $(\tau, T)$, where $\tau$ is a tree and $T$ is a mapping $T : nodes(\tau) \to \Sigma$
that assigns to every node a label. We often refer to $T$ as the labeled tree, leaving its
domain implicit. A branch $\beta = x_0, x_1, \ldots$ of $T$ defines a word $T(\beta) = T(x_0), T(x_1), \ldots$
consisting of the sequence of labels along the branch.


2.2 Nondeterministic Automata on Infinite Words


A nondeterministic Büchi automaton $A$ on words is a tuple $(\Sigma, S, S^0, \rho, F)$, where $\Sigma$ is
a finite nonempty alphabet, $S$ is a finite nonempty set of states, $S^0 \subseteq S$ is the set of
initial states, $F \subseteq S$ is the set of accepting states, and $\rho : S \times \Sigma \to 2^S$ is a transition
function. Intuitively, $\rho(s, a)$ is the set of states that $A$ can move into when it is in state
$s$ and it reads the symbol $a$. Note that the automaton may be nondeterministic, since
it may have many initial states and the transition function may specify many possible
transitions for each state and symbol.

A run $r$ of $A$ on an infinite word $w = a_0, a_1, \ldots$ over $\Sigma$ is a sequence $s_0, s_1, \ldots$,
where $s_0 \in S^0$ and $s_{i+1} \in \rho(s_i, a_i)$, for all $i \ge 0$. We define $lim(r)$ to be the set
$\{s \mid s = s_i \text{ for infinitely many } i\text{'s}\}$, i.e., the set of states that occur in $r$ infinitely often.
Since $S$ is finite, $lim(r)$ is necessarily nonempty. The run $r$ is accepting if there is some
accepting state that repeats in $r$ infinitely often, i.e., $lim(r) \cap F \ne \emptyset$. The infinite word $w$
is accepted by $A$ if there is an accepting run of $A$ on $w$. The set of infinite words accepted
by $A$ is denoted $L_\omega(A)$.

An important feature of nondeterministic Büchi automata is their closure under
intersection.


PROPOSITION 1. [12] Let $A_1$ and $A_2$ be nondeterministic Büchi automata with $n_1$ and
$n_2$ states, respectively. Then there is a Büchi automaton $A$ with $O(n_1 n_2)$ states such that
$L_\omega(A) = L_\omega(A_1) \cap L_\omega(A_2)$.


One of the most fundamental algorithmic issues in automata theory is testing whether a
given automaton is "interesting", i.e., whether it accepts some input. A Büchi automaton
$A$ is nonempty if $L_\omega(A) \ne \emptyset$. The nonemptiness problem for automata is to decide, given
an automaton $A$, whether $A$ is nonempty. It turns out that testing nonemptiness for
Büchi automata is easy: $A$ accepts some word iff in the graph $G_A = (S, E_A)$, where
$E_A = \{(s, t) \mid t \in \rho(s, a) \text{ for some } a \in \Sigma\}$, there is a path from $S^0$ that reaches some state
$f \in F$ and then cycles back to $f$. This can be checked using depth-first search [71] or
space-efficient search [65].


PROPOSITION 2. 


1. [29, 28] The nonemptiness problem for nondeterministic Büchi automata is decid- 
able in linear time. 


2. [83] The nonemptiness problem for nondeterministic Büchi automata of size $n$ is
decidable in space $O(\log^2 n)$.
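
The graph test described before Proposition 2, as an added example (not code from the handbook): it looks for an accepting state on a cycle reachable from the initial states with one strongly-connected-component pass, linear in the size of the graph, and returns a lasso witness. The dictionary encoding of the transition function, the function names and the sample automata are constructed for illustration.

```python
from collections import deque

def edges(rho):
    """G_A as adjacency lists: s -> [(letter, t), ...] for every t in rho[(s, letter)]."""
    graph = {}
    for (s, a), targets in sorted(rho.items()):
        graph.setdefault(s, []).extend((a, t) for t in sorted(targets))
    return graph

def sccs(graph, roots):
    """Iterative Tarjan: strongly connected components of the part reachable from roots."""
    index, low, stack, on_stack, out, work = {}, {}, [], set(), [], []

    def open_node(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        work.append((v, iter(graph.get(v, ()))))

    for root in roots:
        if root in index:
            continue
        open_node(root)
        while work:
            v, it = work[-1]
            for _, w in it:
                if w not in index:          # tree edge: descend into w
                    open_node(w)
                    break
                if w in on_stack:           # edge back into the current DFS stack
                    low[v] = min(low[v], index[w])
            else:                           # every edge of v explored: close v
                work.pop()
                if work:
                    parent = work[-1][0]
                    low[parent] = min(low[parent], low[v])
                if low[v] == index[v]:      # v is the root of a component
                    comp = set()
                    while True:
                        w = stack.pop()
                        on_stack.discard(w)
                        comp.add(w)
                        if w == v:
                            break
                    out.append(comp)
    return out

def shortest_word(graph, sources, target, nonempty=False):
    """Letters along a shortest path from a source to target, or None.
    With nonempty=True the path must use at least one edge (a real cycle)."""
    queue, seen = deque((s, ()) for s in sorted(sources)), set()
    while queue:
        s, word = queue.popleft()
        if s == target and (word or not nonempty):
            return list(word)
        if s in seen:
            continue
        seen.add(s)
        queue.extend((t, word + (a,)) for a, t in graph.get(s, ()))
    return None

def nonempty_witness(init, rho, accepting):
    """Return (prefix, cycle) such that prefix . cycle^omega is accepted, or None if empty."""
    graph = edges(rho)
    for comp in sccs(graph, sorted(init)):
        hits = sorted(comp & set(accepting))
        has_cycle = any(t in comp for s in comp for _, t in graph.get(s, ()))
        if hits and has_cycle:              # an accepting state lying on a reachable cycle
            f = hits[0]
            return (shortest_word(graph, init, f),
                    shortest_word(graph, [f], f, nonempty=True))
    return None

# Constructed sample: "some request is never acknowledged" (state "pending" is accepting).
INIT, ACCEPTING = {"wait"}, {"pending"}
RHO_STARVE = {("wait", "req"): {"wait", "pending"}, ("wait", "ack"): {"wait"},
              ("wait", "idle"): {"wait"},
              ("pending", "req"): {"pending"}, ("pending", "idle"): {"pending"}}
# Constructed sample with a reachable accepting state that lies on no cycle.
RHO_SERVED = {("wait", "req"): {"pending"}, ("pending", "ack"): {"done"},
              ("done", "idle"): {"done"}}

if __name__ == "__main__":
    print(nonempty_witness(INIT, RHO_STARVE, ACCEPTING))
    print(nonempty_witness(INIT, RHO_SERVED, ACCEPTING))
```

In a model-checking setting the automaton would be the product of the system with the automaton for the negated specification, so the returned lasso is a counterexample trace.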


2.3 Alternating Automata on Infinite Words


Nondeterminism gives a computing device the power of existential choice. Its dual gives 
a computing device the power of universal choice. It is therefore natural to consider 
computing devices that have the power of both existential choice and universal choice. 
Such devices are called alternating. Alternation was studied in [11] in the context of 
Turing machines and in [5, 11] for finite automata. The alternation formalisms in [5] 
and [11] are different, though equivalent. We follow here the formalism of [5], which was 
extended in [55] to automata on infinite structures. 
For a given set $X$, let $B^+(X)$ be the set of positive Boolean formulas over $X$ (i.e.,
Boolean formulas built from elements in $X$ using $\wedge$ and $\vee$), where we also allow the
formulas true and false. Let $Y \subseteq X$. We say that $Y$ satisfies a formula $\theta \in B^+(X)$
if the truth assignment that assigns true to the members of $Y$ and assigns false to the
members of $X - Y$ satisfies $\theta$. For example, the sets $\{s_1, s_3\}$ and $\{s_1, s_4\}$ both satisfy the
formula $(s_1 \vee s_2) \wedge (s_3 \vee s_4)$, while the set $\{s_1, s_2\}$ does not satisfy this formula.

Consider a nondeterministic automaton $A = (\Sigma, S, S^0, \rho, F)$. The transition function $\rho$
maps a state $s \in S$ and an input symbol $a \in \Sigma$ to a set of states. Each element in this set
is a possible nondeterministic choice for the automaton's next state. We can represent $\rho$
using $B^+(S)$; for example, $\rho(s, a) = \{s_1, s_2, s_3\}$ can be written as $\rho(s, a) = s_1 \vee s_2 \vee s_3$.
In alternating automata, $\rho(s, a)$ can be an arbitrary formula from $B^+(S)$. We can have,
for instance, a transition

$$\rho(s, a) = (s_1 \wedge s_2) \vee (s_3 \wedge s_4),$$

meaning that the automaton accepts the word $aw$, where $a$ is a symbol and $w$ is a word,
when it is in the state $s$ if it accepts the word $w$ from both $s_1$ and $s_2$ or from both $s_3$ and
$s_4$. Thus, such a transition combines the features of existential choice (the disjunction
in the formula) and universal choice (the conjunctions in the formula).

Formally, an alternating Büchi automaton is a tuple $A = (\Sigma, S, s^0, \rho, F)$, where $\Sigma$ is a
finite nonempty alphabet, $S$ is a finite nonempty set of states, $s^0 \in S$ is an initial state,
$F$ is a set of accepting states, and $\rho : S \times \Sigma \to B^+(S)$ is a transition function. As a
convention, if $\rho(s, a)$ is not specified, we assume that it is false.

Because of the universal choice in alternating transitions, a run of an alternating
automaton is a tree rather than a sequence. A run of $A$ on an infinite word $w = a_0 a_1 \ldots$
is an $S$-labeled tree $r$ such that $r(\varepsilon) = s^0$ and the following holds:


if $|x| = i$, $r(x) = s$, and $\rho(s, a_i) = \theta$, then $x$ has $k$ children $x_1, \ldots, x_k$, for
some $k \le |S|$, and $\{r(x_1), \ldots, r(x_k)\}$ satisfies $\theta$.


For example, if $\rho(s^0, a_0)$ is $(s_1 \vee s_2) \wedge (s_3 \vee s_4)$, then the nodes of the run tree at level 1
include the label $s_1$ or the label $s_2$ and also include the label $s_3$ or the label $s_4$. Note that
the run can also have finite branches; if $|x| = i$, $r(x) = s$, and $\rho(s, a_i) =$ true, then $x$
does not need to have any children. On the other hand, we cannot have $\rho(s, a_i) =$ false,
since false is not satisfiable. The run is accepting if $lim(r(\beta)) \cap F \ne \emptyset$ for every branch
$\beta = x_0, x_1, \ldots$ of the run; that is, for every infinite branch $\beta = x_0, x_1, \ldots$, we have that
$r(x_i) \in F$ for infinitely many $i$'s. A word $w$ is accepted by $A$ if $A$ has an accepting run
on $w$.

What is the relationship between alternating Büchi automata and nondeterministic
Büchi automata? It is easy to see that alternating Büchi automata generalize
nondeterministic Büchi automata; nondeterministic automata correspond to alternating automata
where the transitions are pure disjunctions. It turns out that they have the same
expressive power (although alternating Büchi automata are more succinct than nondeterministic
Büchi automata).


PROPOSITION 3. [51] Let $A$ be an alternating Büchi automaton with $n$ states. Then
there is a nondeterministic Büchi automaton $A_{nd}$ with $3^n$ states such that $L_\omega(A_{nd}) =
L_\omega(A)$.

By combining Propositions 2 and 3 (with its exponential blowup), we can obtain a
nonemptiness test for alternating Büchi automata.
PROPOSITION 4.


1. The nonemptiness problem for alternating Büchi automata is decidable in exponential
time.


2. The nonemptiness problem for alternating Büchi automata is decidable in quadratic
space.
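
The satisfaction relation for positive Boolean formulas and the translation behind Propositions 3 and 4, as an added example (not code from the handbook). The translation used is the standard breakpoint (Miyano-Hayashi) subset construction, assumed here as a representative of the construction Proposition 3 refers to; the nested-tuple encoding of formulas, the function names and the sample automaton are constructed for illustration.

```python
from itertools import product

def satisfies(Y, theta):
    """Does the set Y satisfy the positive Boolean formula theta (members of Y are true)?"""
    if isinstance(theta, bool):
        return theta
    if isinstance(theta, str):
        return theta in Y
    op, left, right = theta
    a, b = satisfies(Y, left), satisfies(Y, right)
    return (a or b) if op == "or" else (a and b)

def models(theta):
    """Minimal satisfying sets of theta, as a sorted list of frozensets."""
    if isinstance(theta, bool):
        return [frozenset()] if theta else []
    if isinstance(theta, str):
        return [frozenset([theta])]
    op, left, right = theta
    l, r = models(left), models(right)
    cand = set(l + r) if op == "or" else {x | y for x in l for y in r}
    return sorted((m for m in cand if not any(o < m for o in cand)), key=sorted)

def to_nondeterministic(alphabet, init, rho, accepting):
    """Breakpoint construction. A state (U, O) records one level U of the run tree and
    the copies O (a subset of U) that still owe a visit to F; it is accepting when O
    is empty. Each state of the alternating automaton is outside U, in U but not O,
    or in O, which gives the 3^n bound. Only minimal choices are explored."""
    F = frozenset(accepting)
    start = (frozenset([init]), frozenset())
    delta, todo, seen = {}, [start], {start}
    while todo:
        U, O = state = todo.pop()
        order = sorted(U)
        for a in alphabet:
            # Unspecified transitions count as false, following the text's convention.
            choices = [models(rho.get((s, a), False)) for s in order]
            targets = set()
            for pick in product(*choices):      # one minimal model per copy in U
                chosen = dict(zip(order, pick))
                U2 = frozenset().union(*pick)
                # After a breakpoint (O empty) every copy owes a fresh visit to F.
                owed = frozenset().union(*(chosen[s] for s in O)) if O else U2
                targets.add((U2, owed - F))
            if targets:
                delta[(state, a)] = targets
            for t in targets - seen:
                seen.add(t)
                todo.append(t)
    return seen, start, delta, {s for s in seen if not s[1]}

# The formula (s1 or s2) and (s3 or s4) from the text.
THETA = ("and", ("or", "s1", "s2"), ("or", "s3", "s4"))

# Constructed alternating automaton for "infinitely many a's": on every b the accepting
# state g spawns a copy f that must eventually read an a (rho(f, a) = true).
ALPHABET = ["a", "b"]
RHO_GFA = {("g", "a"): "g", ("g", "b"): ("and", "g", "f"),
           ("f", "a"): True, ("f", "b"): "f"}

if __name__ == "__main__":
    print(models(THETA))
    states, start, delta, acc = to_nondeterministic(ALPHABET, "g", RHO_GFA, {"g"})
    for (src, letter), dsts in sorted(delta.items(), key=repr):
        print(src, letter, dsts)
```

The result is an ordinary nondeterministic Büchi automaton with a single initial state, so a graph-based nonemptiness test of the kind described before Proposition 2 applies to it directly.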


2.4 Nondeterministic Automata on Infinite Trees 


We now consider automata on labeled leafless $D$-trees. A nondeterministic Büchi tree
automaton $A$ is a tuple $(\Sigma, D, S, S^0, \rho, F)$. Here $\Sigma$ is a finite alphabet, $D \subset N$ is a
finite set of arities, $S$ is a finite set of states, $S^0 \subseteq S$ is the set of initial states, $F \subseteq S$
is a set of accepting states, and $\rho : S \times \Sigma \times D \to 2^{S^*}$ is a transition function, where
$\rho(s, a, k) \subseteq S^k$ for each $s \in S$, $a \in \Sigma$, and $k \in D$. Thus, $\rho(s, a, k)$ is a set of $k$-tuples of
states. Intuitively, when the automaton is in state $s$ and it is reading a $k$-ary node $x$ of a
tree $T$, it nondeterministically chooses a $k$-tuple $(s_1, \ldots, s_k)$ in $\rho(s, T(x))$, makes $k$ copies
of itself, and then moves to the node $x \cdot i$ in the state $s_i$ for $i = 1, \ldots, k$. A run $r : \tau \to S$
of $A$ on a $\Sigma$-labeled $D$-tree $T$ is an $S$-labeled $D$-tree such that the root is labeled by an
initial state and the transitions obey the transition function $\rho$; that is, $r(\varepsilon) \in S^0$, and
for each node $x$ such that $arity(x) = k$, we have $(r(x \cdot 1), \ldots, r(x \cdot k)) \in \rho(r(x), T(x), k)$.
The run is accepting if $lim(r(\beta)) \cap F \ne \emptyset$ for every branch $\beta = x_0, x_1, \ldots$ of $T$; that is,
for every branch $\beta = x_0, x_1, \ldots$, we have that $r(x_i) \in F$ for infinitely many $i$'s. The set
of trees accepted by $A$ is denoted $T_\omega(A)$. It is easy to see that nondeterministic Büchi
automata on infinite words are essentially Büchi automata on $\{1\}$-trees.
Again, a key issue is testing emptiness.


PROPOSITION 5. [62, 82] The nonemptiness problem for nondeterministic Büchi tree 
automata is decidable in quadratic time. 


2.5 Alternating Automata on Infinite Trees 


An alternating Büchi tree automaton $A$ is a tuple $(\Sigma, D, S, s^0, \rho, F)$. Here $\Sigma$ is a finite
alphabet, $D \subset N$ is a finite set of arities, $S$ is a finite set of states, $s^0 \in S$ is an initial state,
$F \subseteq S$ is a set of accepting states, and $\rho : S \times \Sigma \times D \to B^+(N \times S)$ is a partial transition
function, where $\rho(s, a, k) \in B^+(\{1, \ldots, k\} \times S)$ for each $s \in S$, $a \in \Sigma$, and $k \in D$ such
that $\rho(s, a, k)$ is defined. For example, $\rho(s, a, 2) = ((1, s_1) \vee (2, s_2)) \wedge ((1, s_3) \vee (2, s_1))$
means that the automaton can choose between four splitting possibilities. In the first
possibility, one copy proceeds in direction 1 in the state $s_1$ and one copy proceeds in
direction 1 in the state $s_3$. In the second possibility, one copy proceeds in direction 1 in
the state $s_1$ and one copy proceeds in direction 2 in the state $s_1$. In the third possibility,
one copy proceeds in direction 2 in the state $s_2$ and one copy proceeds in direction 1 in
the state $s_3$. Finally, in the fourth possibility, one copy proceeds in direction 2 in the
state $s_2$ and one copy proceeds in direction 2 in the state $s_1$. Note that it is possible for
more than one copy to proceed in the same direction.

A run $r$ of an alternating Büchi tree automaton $A$ on a $\Sigma$-labeled leafless $D$-tree $\langle \tau, T \rangle$
is a $(\tau \times S)$-labeled tree. Each node of $r$ corresponds to a node of $\tau$. A node in $r$, labeled
by $(x, s)$, describes a copy of the automaton that reads the node $x$ of $\tau$ in the state $s$.


Automata-Theoretic Techniques for Temporal Reasoning 977 


Note that many nodes of $r$ can correspond to the same node of $\tau$; in contrast, in a run
of a nondeterministic automaton on $\langle \tau, T \rangle$ there is a one-to-one correspondence between
the nodes of the run and the nodes of the tree. The labels of a node and its children
have to satisfy the transition function. Formally, $r$ is a $\Sigma_r$-labeled tree $\langle \tau_r, T_r \rangle$ where
$\Sigma_r = \tau \times S$ and $\langle \tau_r, T_r \rangle$ satisfies the following:


1. $T_r(\varepsilon) = (\varepsilon, s^0)$.


2. Let $y \in \tau_r$, $T_r(y) = (x, s)$, $arity(x) = k$, and $\rho(s, T(x), k) = \theta$. Then there is a set
$Q = \{(c_1, s_1), \ldots, (c_n, s_n)\} \subseteq \{1, \ldots, k\} \times S$ such that


- $Q$ satisfies $\theta$, and
- for all $1 \le i \le n$, we have $y \cdot i \in \tau_r$ and $T_r(y \cdot i) = (x \cdot c_i, s_i)$.


For example, if $(\tau, T)$ is a tree with $arity(\varepsilon) = 2$, $T(\varepsilon) = a$ and $\rho(s^0, a) = ((1, s_1) \vee
(1, s_2)) \wedge ((1, s_3) \vee (1, s_1))$, then the nodes of $\langle \tau_r, T_r \rangle$ at level 1 include the label $(1, s_1)$
or $(1, s_2)$, and include the label $(1, s_3)$ or $(1, s_1)$.

As with alternating Büchi automata on words, alternating Büchi tree automata are as
expressive as nondeterministic Büchi tree automata.


PROPOSITION 6. [52, 56] Let $A$ be an alternating Büchi tree automaton with $n$ states.
Then there is a nondeterministic Büchi tree automaton $A_{nd}$ with $3^n$ states such that
$T_\omega(A_{nd}) = T_\omega(A)$.


By combining Propositions 5 and 6 (with its exponential blowup), we can obtain a
nonemptiness test for alternating Büchi tree automata.


PROPOSITION 7. The nonemptiness problem for alternating Büchi tree automata is
decidable in exponential time.


Does the size of the alphabet affect the complexity of the nonemptiness problem? For
nondeterministic tree automata, the nonemptiness problem is reducible to the 1-letter
nonemptiness problem, that is, to the nonemptiness problem for nondeterministic tree
automata over 1-letter alphabets (i.e., $|\Sigma| = 1$). Indeed, instead of checking the nonemptiness
of an automaton $A = (\Sigma, D, S, S^0, \rho, F)$, one can check the nonemptiness of the automaton
$A' = (\{a\}, D, S, S^0, \rho', F)$ where for all $s \in S$, we have $\rho'(s, a, k) = \bigcup_{a \in \Sigma} \rho(s, a, k)$.
It is easy to see that $A$ accepts some tree iff $A'$ accepts some $a$-labeled tree. This can be
viewed as if $A'$ first guesses a $\Sigma$-labeling for the input tree and then proceeds like $A$ on
this $\Sigma$-labeled tree.

This reduction is not valid for alternating tree automata. Suppose that we defined
$A'$ by taking $\rho'(s, a, k) = \bigvee_{a \in \Sigma} \rho(s, a, k)$. Then, if $A'$ accepts some $a$-labeled tree, it
still does not guarantee that $A$ accepts some tree. A necessary condition for the validity
of the reduction is that different copies of $A'$ that run on the same subtree guess the
same $\Sigma$-labeling for this subtree. Nothing, however, prevents one copy of $A'$ from proceeding
according to one labeling and another copy from proceeding according to a different labeling.
This problem does not occur when $A$ is defined over a singleton alphabet. There, it is
guaranteed that all copies proceed according to the same (single) labeling.

As we see later, in our applications we sometimes do have 1-letter alphabets, which
makes the 1-letter nonemptiness problem for alternating automata of interest. It turns
out that this problem is easier than the general nonemptiness problem. Actually, it is
as easy as the nonemptiness problem for nondeterministic Büchi tree automata
(Proposition 5). This result requires also uniformity, i.e., $|D| = 1$.


PROPOSITION 8. [42] The 1-letter nonemptiness problem for uniform alternating Büchi 
tree automata is decidable in quadratic time. 


As we shall see later, the alternating automata in our applications have a special
structure, studied first in [54]. A weak alternating tree automaton (WAA) is an alternating
Büchi tree automaton in which there exists a partition of the state set $S$ into disjoint
sets $S_1, \ldots, S_n$ such that for each set $S_i$, either $S_i \subseteq F$, in which case $S_i$ is an
accepting set, or $S_i \cap F = \emptyset$, in which case $S_i$ is a rejecting set. In addition, there
exists a partial order $\le$ on the collection of the $S_i$'s such that for every $s \in S_i$ and
$s' \in S_j$ for which $s'$ occurs in $\rho(s, a, k)$, for some $a \in \Sigma$ and $k \in D$, we have
$S_j \le S_i$. Thus, transitions from a state in $S_i$ lead to states in either the same $S_i$ or a
lower one. It follows that every infinite path of a run of a WAA ultimately gets “trapped”
within some $S_i$. The path then satisfies the acceptance condition if and only if $S_i$ is an
accepting set. That is, a run visits infinitely many states in $F$ if and only if it gets trapped
in an accepting set. The number of sets in the partition of $S$ is defined as the depth of the
automaton.

It turns out that the nonemptiness problem for WAA on 1-letter alphabets is easier
than the nonemptiness problem for alternating Büchi automata on 1-letter alphabets.


PROPOSITION 9. [42] The 1-letter nonemptiness problem for uniform weak alternating 
tree automata is decidable in linear time. 


As we shall see, the WAA that we use have an even more special structure. In these
WAA, each set $S_i$ can be classified as either transient, existential, or universal, such that
for each set $S_i$ and for all $s \in S_i$, $a \in \Sigma$, and $k \in D$, the following hold:

1. If $S_i$ is transient, then $\rho(s, a, k)$ contains no elements of $S_i$.

2. If $S_i$ is existential, then $\rho(s, a, k)$ only contains disjunctively related elements of $S_i$
(i.e. if the transition is rewritten in disjunctive normal form, there is at most one
element of $S_i$ in each disjunct).

3. If $S_i$ is universal, then $\rho(s, a, k)$ only contains conjunctively related elements of $S_i$
(i.e. if the transition is rewritten in conjunctive normal form, there is at most one
element of $S_i$ in each conjunct).


This means that it is only when moving from one $S_i$ to the next, that alternation
actually occurs (alternation is moving from a state that is conjunctively related to states
in its set to a state that is disjunctively related to states in its set, or vice-versa). In other
words, when a copy of the automaton visits a state in some existential set $S_i$, then as
long as it stays in this set, it proceeds in an “existential mode”; namely, it imposes only
existential requirements on its successors in $S_i$. Similarly, when a copy of the automaton
visits a state in some universal set $S_i$, then as long as it stays in this set, it proceeds in
a “universal mode”. Thus, whenever a copy alternates modes, it must be that it moves
from one $S_i$ to the next. We call a WAA that satisfies this property a limited-alternation¹
WAA.


PROPOSITION 10. [42] The 1-letter nonemptiness problem for uniform limited-alternation
WAA of size $n$ and depth $m$ can be solved in space $O(m \log^2 n)$.


¹ The term used in [42] is hesitant.


3 TEMPORAL LOGICS AND ALTERNATING AUTOMATA


3.1 Linear Temporal Logic 


Formulas of linear temporal logic (LTL) are built from a set $Prop$ of atomic propositions
and are closed under the application of Boolean connectives, the unary temporal
connective $X$ (next), and the binary temporal connectives $U$ (until) and $R$ (release) [22].
LTL is interpreted over computations. A computation is a function $\pi : \omega \to 2^{Prop}$, which
assigns truth values to the elements of $Prop$ at each time instant (natural number).
(This corresponds to using the ordered natural numbers as the frame; see Chapter 11).
A computation $\pi$ and a point $i \in \omega$ satisfies an LTL formula $\varphi$, denoted
$\pi, i \models \varphi$, under the following conditions:

• $\pi, i \models p$ for $p \in Prop$ iff $p \in \pi(i)$.

• $\pi, i \models \xi \wedge \psi$ iff $\pi, i \models \xi$ and $\pi, i \models \psi$.

• $\pi, i \models \neg\varphi$ iff not $\pi, i \models \varphi$.

• $\pi, i \models X\varphi$ iff $\pi, i+1 \models \varphi$.

• $\pi, i \models \xi U \psi$ iff for some $j \ge i$, we have $\pi, j \models \psi$ and for all $k$,
$i \le k < j$, we have $\pi, k \models \xi$.

• $\pi, i \models \xi R \psi$ iff for all $j \ge i$, if $\pi, j \not\models \psi$, then for some $k$,
$i \le k < j$, we have $\pi, k \models \xi$.


Note that $\neg(X\varphi)$ is equivalent to $X(\neg\varphi)$ and $\neg(\xi U \psi)$ is equivalent to
$(\neg\xi) R (\neg\psi)$. This implies that we can assume that formulas are in positive normal
form, in which negations are applied only to atomic propositions. This normal form is obtained
by pushing negations inward as far as possible, using De Morgan’s laws and dualities as above.
For example, the formula $G(\neg request \vee (request\ U\ grant))$ says that whenever a request
is made it holds continuously until it is eventually granted. We say that $\pi$ satisfies a formula
$\varphi$, denoted $\pi \models \varphi$, iff $\pi, 0 \models \varphi$.

Computations can also be viewed as infinite words over the alphabet $2^{Prop}$. It turns
out that the computations satisfying a given formula are exactly those accepted by some
finite automaton on infinite words. The following theorem establishes a very simple
translation between LTL and alternating Büchi automata on infinite words.


THEOREM 11. [53, 74] Given an LTL formula $\varphi$, one can build an alternating Büchi
automaton $A_\varphi = (\Sigma, S, s^0, \rho, F)$, where $\Sigma = 2^{Prop}$ and $|S|$ is in $O(|\varphi|)$,
such that $L_\omega(A_\varphi)$ is exactly the set of computations satisfying the formula $\varphi$.


Proof. The set $S$ of states consists of all subformulas of $\varphi$. The initial state $s^0$ is
$\varphi$ itself. The set $F$ of accepting states consists of all formulas in $S$ of the form
$\xi R \psi$. It remains to define the transition function $\rho$.

• $\rho(p, a) = true$ if $p \in a$,

• $\rho(\neg p, a) = true$ if $p \notin a$,

• $\rho(p, a) = false$ if $p \notin a$,

• $\rho(\neg p, a) = false$ if $p \in a$,

• $\rho(\xi \wedge \psi, a) = \rho(\xi, a) \wedge \rho(\psi, a)$,

• $\rho(\xi \vee \psi, a) = \rho(\xi, a) \vee \rho(\psi, a)$,

• $\rho(X\psi, a) = \psi$,

• $\rho(\xi U \psi, a) = \rho(\psi, a) \vee (\rho(\xi, a) \wedge \xi U \psi)$,

• $\rho(\xi R \psi, a) = \rho(\psi, a) \wedge (\rho(\xi, a) \vee \xi R \psi)$.


² Note that our U operator is not strict; cf. Chapter 11.
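The positive normal form and the transition function of Theorem 11 can be made concrete as follows. This is an added Python example, not code from the chapter; the tuple encoding of formulas, the constants `true`/`false` (used to write $G\psi$ as $false\ R\ \psi$) and the DNF representation of positive Boolean formulas are assumptions of the example.

```python
# Formulas are nested tuples (assumed encoding): ("ap", name), ("not", f), ("and", f, g),
# ("or", f, g), ("X", f), ("U", f, g), ("R", f, g), plus the constants TRUE and FALSE.
TRUE, FALSE = ("true",), ("false",)
DUAL = {"and": "or", "or": "and", "U": "R", "R": "U"}


def pnf(f, neg=False):
    """Positive normal form: push negations inward (De Morgan, X and U/R dualities)."""
    op = f[0]
    if op == "ap":
        return ("not", f) if neg else f
    if op in ("true", "false"):
        return (FALSE if f == TRUE else TRUE) if neg else f
    if op == "not":
        return pnf(f[1], not neg)
    if op == "X":
        return ("X", pnf(f[1], neg))
    return (DUAL[op] if neg else op, pnf(f[1], neg), pnf(f[2], neg))


# A positive Boolean formula over states is kept in DNF: a set of conjuncts, each a
# set of states that must all accept the rest of the word.
DNF_TRUE = frozenset([frozenset()])
DNF_FALSE = frozenset()


def _minimal(dnf):
    """Drop conjuncts that are implied by a smaller conjunct."""
    return frozenset(c for c in dnf if not any(o < c for o in dnf))


def disj(x, y):
    return _minimal(x | y)


def conj(x, y):
    return _minimal(frozenset(a | b for a in x for b in y))


def rho(f, letter):
    """Transition function of the alternating automaton for a formula in PNF."""
    op = f[0]
    if op in ("true", "false"):
        return DNF_TRUE if op == "true" else DNF_FALSE
    if op == "ap":
        return DNF_TRUE if f[1] in letter else DNF_FALSE
    if op == "not":                       # negation occurs only on atoms
        return DNF_FALSE if f[1][1] in letter else DNF_TRUE
    if op == "and":
        return conj(rho(f[1], letter), rho(f[2], letter))
    if op == "or":
        return disj(rho(f[1], letter), rho(f[2], letter))
    if op == "X":
        return frozenset([frozenset([f[1]])])
    stay = frozenset([frozenset([f])])    # the state xi U psi (or xi R psi) itself
    xi, psi = rho(f[1], letter), rho(f[2], letter)
    if op == "U":
        return disj(psi, conj(xi, stay))
    return conj(psi, disj(xi, stay))      # op == "R"


def accepting(phi):
    """The set F: all subformulas of the form xi R psi."""
    found = set()

    def visit(g):
        if g[0] == "R":
            found.add(g)
        for child in g[1:]:
            if isinstance(child, tuple):
                visit(child)

    visit(phi)
    return found


# Constructed sample: G(not request or (request U grant)), with G psi = false R psi.
REQ, GRANT = ("ap", "request"), ("ap", "grant")
UNTIL = ("U", REQ, GRANT)
PHI = pnf(("R", FALSE, ("or", ("not", REQ), UNTIL)))

if __name__ == "__main__":
    for letter in (set(), {"request"}, {"request", "grant"}):
        print(sorted(letter), [sorted(map(str, c)) for c in rho(PHI, letter)])
```

On the letter `{request}` the transition is the single conjunct containing both `UNTIL` and `PHI`: the automaton spawns one copy that waits for the grant and one that keeps monitoring, which is where alternation shows up.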


By applying Proposition 3, we now get:

COROLLARY 12. [83] Given an LTL formula $\varphi$, one can build a nondeterministic Büchi
automaton $A_\varphi = (\Sigma, S, s^0, \rho, F)$, where $\Sigma = 2^{Prop}$ and $|S|$ is in
$2^{O(|\varphi|)}$, such that $L_\omega(A_\varphi)$ is exactly the set of computations satisfying the
formula $\varphi$.


For a description of optimized translations from LTL to automata, see, for example,
[32]. While our focus here is on LTL, the automata-theoretic approach applies also to
more expressive, recent industrial specification languages such as ForSpec [2]; see [1, 10].


3.2 Branching Temporal Logic 


The branching temporal logic CTL (Computation Tree Logic) provides temporal
connectives that are composed of a path quantifier immediately followed by a single linear
temporal connective [22]. The path quantifiers are $A$ (“for all paths”) and $E$ (“for some
path”). The linear-time connectives are $X$, $U$, and $R$. Thus, given a set $Prop$ of atomic
propositions, a CTL formula in positive normal form is one of the following:

• $p$ or $\neg p$, for all $p \in AP$,

• $\xi \wedge \psi$ or $\xi \vee \psi$, where $\xi$ and $\psi$ are CTL formulas.

• $EX\xi$, $AX\xi$, $E(\xi U \psi)$, $A(\xi U \psi)$, $E(\xi R \psi)$, or $A(\xi R \psi)$, where $\xi$ and
$\psi$ are CTL formulas.


The semantics of CTL is defined with respect to programs. A program over a set $Prop$
of atomic propositions is a structure of the form $P = (W, w^0, R, V)$, where $W$ is a set of
states, $w^0 \in W$ is an initial state, $R \subseteq W^2$ is a total accessibility relation (i.e., every
state can access at least one state), and $V : W \to 2^{Prop}$ assigns truth values to propositions
in $Prop$ for each state in $W$. The intuition is that $W$ describes all the states that the
program could be in (where a state includes the content of the memory, registers, buffers,
program counter, etc.), $R$ describes all the possible transitions between states (allowing
for nondeterminism), and $V$ relates the states to the propositions (e.g., it tells us in what
states the proposition request is true); see [47] for a discussion on modelling programs.
The assumption that $R$ is total (i.e., that every state has an $R$-successor) is for technical
convenience. We can view a terminated execution as repeating forever its last state. We
say that $P$ is a finite-state program if $W$ is finite. A path in $P$ is a sequence of states,
$u = u_0, u_1, \ldots$ such that for every $i \ge 0$, we have that $u_i R u_{i+1}$ holds. Such a path is
called a $u_0$-path.

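A program $P = (W, w^0, R, V)$ and a state $u \in W$ satisfies a CTL formula $\varphi$, denoted
$P, u \models \varphi$, under the following conditions:

• $P, u \models p$ for $p \in Prop$ if $p \in V(u)$.

• $P, u \models \neg p$ for $p \in Prop$ if $p \notin V(u)$.

• $P, u \models \xi \wedge \psi$ iff $P, u \models \xi$ and $P, u \models \psi$.

• $P, u \models \xi \vee \psi$ iff $P, u \models \xi$ or $P, u \models \psi$.

• $P, u \models EX\varphi$ if $P, v \models \varphi$ for some $v$ such that $uRv$ holds.

• $P, u \models AX\varphi$ if $P, v \models \varphi$ for all $v$ such that $uRv$ holds.

• $P, u \models E(\xi U \psi)$ if there exists a $u$-path $\pi$ such that $\pi, 0 \models \xi U \psi$.

• $P, u \models A(\xi U \psi)$ if for every $u$-path $\pi$ we have $\pi, 0 \models \xi U \psi$.

• $P, u \models E(\xi R \psi)$ if there exists a $u$-path $\pi$ such that $\pi, 0 \models \xi R \psi$.

• $P, u \models A(\xi R \psi)$ if for every $u$-path $\pi$ we have $\pi, 0 \models \xi R \psi$.


For example, the formula $AG(request \to EF\ grant)$ says that whenever a request is made
it is soon granted in some possible future. We say that $P$ satisfies $\varphi$, denoted
$P \models \varphi$, if $P, w^0 \models \varphi$.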

A program $P = (W, w^0, R, V)$ is a tree program if $(W, R)$ is a tree and $w^0$ is its
root. Note that in this case $P$ is a leafless $2^{Prop}$-labeled tree (it is leafless, since $R$ is
total). $P$ is a $D$-tree program, for $D \subseteq \mathbb{N}$, if $(W, R)$ is a $D$-tree. It turns out that the
tree programs satisfying a given formula are exactly those accepted by some finite tree
automaton. The following theorem establishes a very simple translation between CTL
and weak alternating Büchi tree automata.


THEOREM 13. [42, 53] Given a CTL formula $\varphi$ and a finite set $D \subseteq \mathbb{N}$, one can build a
limited-alternation WAA $A_\varphi = (\Sigma, D, S, s^0, \rho, F)$, where $\Sigma = 2^{Prop}$ and $|S|$ is in
$O(|\varphi|)$, such that $T_\omega(A_\varphi)$ is exactly the set of $D$-tree programs satisfying $\varphi$.


Proof. The set $S$ of states consists of all subformulas of $\varphi$. The initial state $s^0$ is
$\varphi$ itself. The set $F$ of accepting states consists of all formulas in $S$ of the form
$E(\xi R \psi)$ and $A(\xi R \psi)$. It remains to define the transition function $\rho$. In the
following definition we use the notion of dual, defined in the proof of Theorem 11.

• $\rho(p, a, k) = true$ if $p \in a$.

• $\rho(\neg p, a, k) = true$ if $p \notin a$.

• $\rho(p, a, k) = false$ if $p \notin a$.

• $\rho(\neg p, a, k) = false$ if $p \in a$.

• $\rho(\xi \wedge \psi, a, k) = \rho(\xi, a, k) \wedge \rho(\psi, a, k)$.

• $\rho(\xi \vee \psi, a, k) = \rho(\xi, a, k) \vee \rho(\psi, a, k)$.

• $\rho(EX\psi, a, k) = \bigvee_{c=0}^{k-1} (c, \psi)$.

• $\rho(AX\psi, a, k) = \bigwedge_{c=0}^{k-1} (c, \psi)$.

• $\rho(E(\xi U \psi), a, k) = \rho(\psi, a, k) \vee (\rho(\xi, a, k) \wedge \bigvee_{c=0}^{k-1} (c, E(\xi U \psi)))$.

• $\rho(A(\xi U \psi), a, k) = \rho(\psi, a, k) \vee (\rho(\xi, a, k) \wedge \bigwedge_{c=0}^{k-1} (c, A(\xi U \psi)))$.

• $\rho(E(\xi R \psi), a, k) = \rho(\psi, a, k) \wedge (\rho(\xi, a, k) \vee \bigvee_{c=0}^{k-1} (c, E(\xi R \psi)))$.

• $\rho(A(\xi R \psi), a, k) = \rho(\psi, a, k) \wedge (\rho(\xi, a, k) \vee \bigwedge_{c=0}^{k-1} (c, A(\xi R \psi)))$.


Finally, we define a partition of $S$ into disjoint sets and a partial order over the sets.
Each formula $\psi \in S$ constitutes a (singleton) set $\{\psi\}$ in the partition. The partial order
is then defined by $\{\xi\} \le \{\psi\}$ iff $\xi$ is a subformula of $\psi$. Here, all sets are transient,
except for sets of the form $\{E(\xi U \psi)\}$ and $\{\neg A(\xi U \psi)\}$, which are existential, and
sets of the form $\{A(\xi U \psi)\}$ and $\{\neg E(\xi U \psi)\}$, which are universal. Thus, $A_\varphi$ is a
limited-alternation WAA. □


While temporal logic was introduced in both a branching-time setting and linear-time 
setting [59], its introduction to computer science was in a linear-time setting [57], to 
be followed soon by a branching-time setting [14]. The debate in the computer-science 
literature regarding the relative merits of the linear-time and branching-time goes back 
to the early 1980s [3, 13, 23, 25, 28, 43, 58, 76, 78]. For a description of earlier discussions 
of this distinction in the philosophical-logic literature, see [9]. For a more recent account, 
see [79]. 


4 MODEL CHECKING 


In this section we focus on model checking finite-state programs. Our
computational-complexity results are stated in terms of the size of the programs and the
temporal properties being checked. The size $|\varphi|$ of a temporal formula $\varphi$ is simply its
length (as a character string). The size of a finite-state program $P = (W, w^0, R, V)$ is the size
of its encoding, which is proportional to the number of states in $W$ and the number of
transitions in $R$. Of course, the size of $P$ can be rather large. For example, if $P$ is a
computer circuit with $n$ memory bits, then there are $2^n$ possible states. In general, the
number of states of a program is at least exponential in the size of its description by means
of a programming language or a hardware-description language. This blow-up is referred
to as the state-explosion problem. Much of the research on model checking is focused on
dealing with the state-explosion problem, including on-the-fly search techniques, which
search through the state space in a demand-driven fashion [36], and symbolic techniques,
which represent large state spaces compactly [4]. See [16, 37] for extensive discussions.


4.1 Linear Temporal Logic


We assume that we are given a finite-state program and an LTL formula that specifies the 
legal computations of the program. The problem is to check whether all computations 
of the program are legal. 

Let $u = w_0, w_1, \ldots$ be a $w_0$-path of a finite-state program $P = (W, w^0, R, V)$. The
sequence $V(w_0), V(w_1), \ldots$ is a computation of $P$ (note that such a sequence can indeed
be viewed as a function $\pi_u : \omega \to 2^{Prop}$, which is how we described computations earlier).
We say that $P$ satisfies an LTL formula $\varphi$ if all computations of $P$ satisfy $\varphi$. The LTL
verification problem is to check whether $P$ satisfies $\varphi$.

We now describe the automata-theoretic approach to the LTL verification problem.
A finite-state program $P = (W, w^0, R, V)$ can be viewed as a nondeterministic Büchi
automaton $A_P = (\Sigma, W, \{w^0\}, \rho, W)$, where $\Sigma = 2^{Prop}$ and $v \in \rho(u, a)$ iff $uRv$ holds
and $a = V(u)$. As this automaton has a set of accepting states equal to the whole set
of states, any infinite run of the automaton is accepting. Thus, $L_\omega(A_P)$ is the set of
computations of $P$.

Hence, for a finite-state program $P$ and an LTL formula $\varphi$, the verification problem is
to verify that all infinite words accepted by the automaton $A_P$ satisfy the formula $\varphi$. By
Corollary 12, we know that we can build a nondeterministic Büchi automaton $A_\varphi$ that
accepts exactly the computations satisfying the formula $\varphi$. The verification problem thus
reduces to the automata-theoretic problem of checking that all computations accepted by
the automaton $A_P$ are also accepted by the automaton $A_\varphi$, that is
$L_\omega(A_P) \subseteq L_\omega(A_\varphi)$. Equivalently, we need to check that the automaton that accepts
$L_\omega(A_P) \cap \overline{L_\omega(A_\varphi)}$ is empty, where
$\overline{L_\omega(A_\varphi)} = \Sigma^\omega - L_\omega(A_\varphi)$.

First, note that, by Corollary 12, $\overline{L_\omega(A_\varphi)} = L_\omega(A_{\neg\varphi})$ and the automaton
$A_{\neg\varphi}$ has $2^{O(|\varphi|)}$ states. (A straightforward approach, starting with the automaton
$A_\varphi$ and then complementing it, would result in a doubly exponential blow-up, since
complementation of nondeterministic Büchi automata is exponential [41, 50]). To get the
intersection of the two automata, we use Proposition 1. Consequently, we can build an
automaton for $L_\omega(A_P) \cap L_\omega(A_{\neg\varphi})$ having $|W| \cdot 2^{O(|\varphi|)}$ states. We need to
check this automaton for emptiness. Using Proposition 2, we get the following results.


THEOREM 14. [44, 67, 81] Checking whether a finite-state program $P$ satisfies an LTL
formula $\varphi$ can be done in time $O(|P| \cdot 2^{O(|\varphi|)})$ or in space $O((|\varphi| + \log |P|)^2)$.


We note that a time upper bound that is polynomial in the size of the program and
exponential in the size of the specification is considered here to be reasonable, since the
specification is usually rather short [44]. For practical verification algorithms that are
based on the automata-theoretic approach see [8, 18].


4.2 Branching Temporal Logic


For linear temporal logic, each program may correspond to infinitely many computations. 
Model checking is thus reduced to checking inclusion between the set of computations 
allowed by the program and the language of an automaton describing the formula. For 
branching temporal logic, each program corresponds to a single “computation tree”. On 
that account, model checking is reduced to checking acceptance of this computation tree 
by the automaton describing the formula. 
A program $P = (W, w^0, R, V)$ can be viewed as a $W$-labeled tree $(\tau_P, T_P)$ that
corresponds to the unwinding of $P$ from $w^0$. For every node $w \in W$, let $arity(w)$ denote the
number of $R$-successors of $w$ and let $succ_R(w) = (w_1, \ldots, w_{arity(w)})$ be an ordered list of
$w$’s $R$-successors (we assume that the nodes of $W$ are ordered). $\tau_P$ and $T_P$ are defined
inductively:

1. $\varepsilon \in \tau_P$ and $T_P(\varepsilon) = w^0$.

2. For $y \in \tau_P$ with $succ_R(T_P(y)) = (w_1, \ldots, w_k)$ and for all $1 \le i \le k$, we have
$y \cdot i \in \tau_P$ and $T_P(y \cdot i) = w_i$.


Let $D$ be the set of arities of states of $P$, i.e., $D = \{arity(w) : w \in W\}$. Clearly, $\tau_P$ is
a $D$-tree. If $P$ is finite, then $D$ is finite.

Let $(\tau_P, V \cdot T_P)$ be the $2^{Prop}$-labeled $D$-tree defined by $V \cdot T_P(y) = V(T_P(y))$ for
$y \in \tau_P$. Let $\varphi$ be a CTL formula. Suppose that $A_{D,\varphi}$ is an alternating automaton
that accepts exactly all $D$-tree programs that satisfy $\varphi$. It can easily be shown that
$(\tau_P, V \cdot T_P)$ is accepted by $A_{D,\varphi}$ iff $P \models \varphi$. We now show that by taking the
product of $P$ and $A_{D,\varphi}$ we get an alternating Büchi tree automaton on a 1-letter alphabet
that is empty iff $(\tau_P, V \cdot T_P)$ is accepted by $A_{D,\varphi}$.

Let $A_{D,\varphi} = (2^{Prop}, D, S, \varphi, \rho, F)$ be a limited-alternation WAA that accepts exactly
all $D$-tree programs that satisfy $\varphi$, and let $S_1, \ldots, S_n$ be the partition of $S$. The
product automaton of $P$ and $A_{D,\varphi}$ is the limited-alternation WAA
$A_{P,\varphi} = (\{a\}, D, W \times S, \delta, (w^0, \varphi), G)$, where $\delta$ and $G$ are defined as follows:

• Let $s \in S$, $w \in W$, $succ_R(w) = (w_1, \ldots, w_k)$, and $\rho(s, V(w), k) = \theta$. Then
$\delta((w, s), a, k) = \theta'$, where $\theta'$ is obtained from $\theta$ by replacing each atom $(c, s')$
in $\theta$ by the atom $(c, (w_c, s'))$.

• $G = W \times F$

• $W \times S$ is partitioned to $W \times S_1, W \times S_2, \ldots, W \times S_n$.

• $W \times S_i$ is transient (resp., existential, universal) if $S_i$ is transient (resp., existential,
universal), for $1 \le i \le n$.


Note that if $P$ has $m_1$ states and $A_{D,\varphi}$ has $m_2$ states then $A_{P,\varphi}$ has $O(m_1 m_2)$ states.


PROPOSITION 15. $A_{P,\varphi}$ is nonempty if and only if $P \models \varphi$.


We can now put together Propositions 9, 10, and 15 to get a model-checking algorithm
for CTL.


THEOREM 16. [15, 42] Checking whether a finite-state program $P$ satisfies a CTL formula
$\varphi$ can be done in time $O(|P| \cdot |\varphi|)$ or in space $O(|\varphi| \log^2 |P|)$.


See also [8, 84] for a description of practical algorithms. For an extension of
automata-theoretic branching-time model checking to more expressive branching-time logics,
such as the branching-time logic CTL*, which merges CTL and LTL and is more expressive
than both [25], or the modal fixpoint logic, which is more expressive than CTL* [39], see
[42].
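The product construction of this section, with the transition function of Theorem 13, can be run directly on a small program. The following Python example is added here and is not code from the chapter; it decides 1-letter nonemptiness by plain fixpoint iteration over the partition (start every state of $W \times S_i$ at "accepting" if $S_i \subseteq F$, at "rejecting" otherwise), not by the linear-time algorithm of [42]. The tuple encoding of formulas, the constants `true`/`false`, and the sample request/grant programs are assumptions of the example.

```python
# CTL formulas in positive normal form as nested tuples (assumed encoding):
# ("ap", p), ("not", ("ap", p)), ("and", f, g), ("or", f, g), ("EX", f), ("AX", f),
# ("EU", f, g), ("AU", f, g), ("ER", f, g), ("AR", f, g), plus TRUE and FALSE.
TRUE, FALSE = ("true",), ("false",)


def subformulas(phi):
    """The state set S, listed so that every subformula precedes the formulas above it."""
    order = []

    def visit(g):
        for child in g[1:]:
            if isinstance(child, tuple):
                visit(child)
        if g not in order:
            order.append(g)

    visit(phi)
    return order


def rho(s, label):
    """Transition function of Theorem 13. ("some", t) abbreviates the disjunction of
    the atoms (c, t) over all directions c, and ("all", t) their conjunction."""
    op = s[0]
    if op in ("true", "false"):
        return op == "true"
    if op == "ap":
        return s[1] in label
    if op == "not":                               # negation occurs only on atoms
        return s[1][1] not in label
    if op in ("and", "or"):
        return (op, rho(s[1], label), rho(s[2], label))
    if op in ("EX", "AX"):
        return ("some" if op == "EX" else "all", s[1])
    again = ("some" if op[0] == "E" else "all", s)
    xi, psi = rho(s[1], label), rho(s[2], label)
    if op[1] == "U":
        return ("or", psi, ("and", xi, again))
    return ("and", psi, ("or", xi, again))        # release


def holds(theta, w, succ, val):
    """Evaluate delta((w, s)): theta with each atom (c, t) read as (c, (w_c, t))."""
    if isinstance(theta, bool):
        return theta
    if theta[0] == "and":
        return holds(theta[1], w, succ, val) and holds(theta[2], w, succ, val)
    if theta[0] == "or":
        return holds(theta[1], w, succ, val) or holds(theta[2], w, succ, val)
    quantifier = any if theta[0] == "some" else all
    return quantifier(val[(v, theta[1])] for v in succ[w])


def model_check(W, succ, V, w0, phi):
    """True iff the product automaton is nonempty from (w0, phi), i.e. P satisfies phi."""
    val = {}
    for s in subformulas(phi):                    # lower sets of the partition first
        in_F = s[0] in ("ER", "AR")               # G = W x F
        for w in W:
            val[(w, s)] = in_F
        changed = True
        while changed:                            # least fixpoint if rejecting, greatest if accepting
            changed = False
            for w in W:
                new = holds(rho(s, V[w]), w, succ, val)
                if new != val[(w, s)]:
                    val[(w, s)], changed = new, True
    return val[(w0, phi)]


# Constructed sample programs: 0 = idle, 1 = request pending, 2 = granted,
# and in the second program 3 = a request that is stuck forever.
REQ, GRANT = ("ap", "request"), ("ap", "grant")
W1, SUCC1 = [0, 1, 2], {0: [0, 1], 1: [1, 2], 2: [0]}
V1 = {0: set(), 1: {"request"}, 2: {"grant"}}
W2, SUCC2 = [0, 1, 2, 3], {0: [0, 1, 3], 1: [1, 2], 2: [0], 3: [3]}
V2 = {0: set(), 1: {"request"}, 2: {"grant"}, 3: {"request"}}

# AG(request -> EF grant) and AG(request -> AF grant), with AG f = A(false R f),
# EF f = E(true U f), AF f = A(true U f).
AG_EF = ("AR", FALSE, ("or", ("not", REQ), ("EU", TRUE, GRANT)))
AG_AF = ("AR", FALSE, ("or", ("not", REQ), ("AU", TRUE, GRANT)))

if __name__ == "__main__":
    print(model_check(W1, SUCC1, V1, 0, AG_EF), model_check(W1, SUCC1, V1, 0, AG_AF),
          model_check(W2, SUCC2, V2, 0, AG_EF))
```

The first program satisfies `AG_EF` but not `AG_AF`, because the pending request may loop in state 1 forever; the second program violates `AG_EF` through the stuck state 3.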




5 VALIDITY CHECKING 


5.1 Linear Temporal Logic 


We are given an LTL formula $\varphi$. We say that $\varphi$ is valid iff it is true in all
computations. By Corollary 12, we know that we can build a nondeterministic Büchi automaton
$A_\varphi$ that accepts exactly the computations in which $\varphi$ is true. In other words, $\varphi$ is
valid iff $L_\omega(A_\varphi) = \Sigma^\omega$, where $\Sigma = 2^{Prop}$, which holds iff
$\Sigma^\omega - L_\omega(A_\varphi) = \emptyset$. Since $\Sigma^\omega - L_\omega(A_\varphi) = L_\omega(A_{\neg\varphi})$, we
have that $\varphi$ is valid iff $L_\omega(A_{\neg\varphi}) = \emptyset$. Thus, validity checking has been
reduced to emptiness checking. We can now combine Proposition 2 with Corollary 12:


THEOREM 17. [67] Checking whether an LTL formula $\varphi$ is valid can be done in time
$O(2^{O(|\varphi|)})$ or in space $O((|\varphi|)^2)$.


We note that the upper space bound of Theorem 17 is essentially optimal, since the 
validity problem for LTL is PSPACE-hard [67]. 


5.2 Branching Temporal Logic 


We are given a CTL formula $\varphi$. We say that $\varphi$ is valid iff it is true in all programs. For
LTL, Theorems 11 and 12 provided automata-theoretic characterizations of all models
of the formula. This is not the case for CTL, as Theorem 13 provides only a
characterization of tree models. Fortunately, this suffices for validity checking due to the
following proposition.


PROPOSITION 18. [22] Let $\varphi$ be a CTL formula. Then $\varphi$ is valid iff $\varphi$ is true in all
$|\varphi|$-tree programs.


Let $A_\varphi$ be the automaton of Theorem 13, with $D = \{|\varphi|\}$. It follows from
Proposition 18 that a CTL formula $\varphi$ is valid iff $T_\omega(A_{\neg\varphi}) = \emptyset$.
Combining this with Proposition 7, we get:


THEOREM 19. [24] Checking whether a CTL formula $\varphi$ is valid can be done in time
$O(2^{O(|\varphi|)})$.


We note that the upper time bound of Theorem 19 is essentially optimal, since the
validity problem for CTL is EXPTIME-hard [31]. For a practical algorithm to decide
CTL validity, see [49]. For an extension of automata-theoretic validity checking to expressive
modal logics, see [40, 64, 77].


1 INTRODUCTION


Modal logic plays an important role in the field of artificial intelligence (AI). This can 
be understood from the fact that AI tries to capture aspects of human intelligence by 
formalizing these in such a way that they can be implemented in an artificial system, 
particularly a computer-based system. This entails the need for formalization of mental 
attitudes such as beliefs and desires. In philosophical logic one has studied many of 
these attitudes using modal logic. Therefore it is only natural that AI researchers have 
resorted to modal logic for the formal description of the mental attitudes of their intended 
artifacts. (This is not to say that modal logic is the only way to represent these mental 
attitudes, since some choose to stick to classical predicate logic as closely as possible. Still, 
it is recognized widely within the AI community that modal logic presents a valuable 
tool!) 

So, in this chapter we will be concerned with the use of modal logic techniques to 
formally describe mental attitudes of intelligent systems. We have chosen to split our 
treatment into two parts. The first part deals with the use of modal logic for the
description of so-called intelligent agents, an area of AI that emerged at the end of the
80s, dealing with the theory and practice of the construction of autonomous software 
or hardware entities that act intelligently (rationally). Typical issues are how to deal 
with motivational attitudes such as intentions and with informational attitudes such as 
beliefs. Special attention is paid to ‘social’ attitudes within a ‘multi-agent system’. In 
such an ‘agent society’ it becomes important to analyze multi-agent informational and 
motivational attitudes such as common knowledge and collective intention. 

The second part is related to this, but the topics discussed are older. An important 
problem in AI concerns the question as to how to formalize commonsense reasoning, the 
way humans reason ‘in daily life’, so to speak, as opposed to reasoning in formal sciences 
such as mathematics and logic. For example, here one is interested in reasoning patterns 
connected with defaults (rules of thumb) and counterfactuals (‘if ...had been the case, 
then ... would have been the case’). The study of these reasoning mechanisms appeared 
to be much more difficult than originally anticipated, and has become a major subject 
of study within AI since the beginning of the 80s. It includes so-called non-monotonic 
reasoning (reasoning in which earlier conclusions can get lost when more premises become 
available) and belief revision (dealing with how the beliefs of a reasoner change when new 
information becomes available and is incorporated). 

Of course, since also in commonsense reasoning notions such as knowledge and belief 
play an important role, there is a natural relation with the field of intelligent agents, 
but the emphasis is different. However, as artificial agents become more intelligent and 
will invade daily life (such as e.g. the application in so-called companion robots that are 
supposed to assist and entertain elderly people), undoubtedly there will be a moment 
where these agents should also employ some (possibly restricted) form of commonsense 
reasoning! 


2 INTELLIGENT AGENTS 


Intelligent agents have become a major field of research in AI. Although there is little 
consensus about the precise definition of an intelligent agent, it is generally held that 
agents are autonomous pieces of hardware/software, able to take initiative on behalf of 
a user or, more generally, to satisfy some goal. Agents are often held to possess mental 
attitudes; they are supposed to deal with information, and act upon this, based on mo- 
tivation. This calls for a description in terms of the agent’s beliefs/knowledge, desires, 
goals, intentions, commitments, obligations, etc. To describe these mental or cognitive 
attitudes one may fruitfully employ modal logic. Typically for the description of agents 
one needs an amalgam of modal operators/logics to cater for several of the mental atti- 
tudes as mentioned above. Moreover, since agents by definition act and display behavior, 
it is important to include the dynamics of these mental attitudes in the description. One 
might even maintain that the logics of some of these attitudes, such as goal directedness 
and a fortiori desire, have little interest per se: they are rather weak logics without excit- 
ing properties. What makes them interesting is their dynamics: their change over time 
in connection with each other! So, although (modal) logics for e.g. knowledge, belief,
desires etc. certainly play a role, it is also imperative to be able to specify the agent’s
behavior / attitudes over time. Therefore, generally also a (modal) logic of time or action
plays a role in agent specification logics. In this section we will first spend some time
on modal logics for some of the mental attitudes in isolation, after which we will turn to
agent logics proper that are proposed in the literature, which typically are mixtures of
these ‘single-attitude’ logics and contain an element of time and/or action. Our emphasis
in this part lies on the presentation of the logical languages and their semantics, and less
on axiomatics and metatheory.


¹ The first part (sections 2-8) was written by John-Jules Meyer. Frank Veltman is responsible for
part 2 (sections 9-11).


3 EPISTEMIC AND DOXASTIC LOGIC 


Epistemic logic deals with the mental attitude of knowledge while doxastic logic treats
belief. These logics have become quite popular in both computer science and artificial
intelligence to describe the knowledge/belief involved in (particularly distributed) computation
processes and in agents. As to the former, the work of Halpern et al. [31] must be
mentioned. In this chapter we concentrate on the role of epistemic/doxastic logic in AI, and
on the description of intelligent agents in particular. The modal approach to
knowledge/belief is built on the observation that if an agent is not sure about the truth of a
certain proposition $p$ (say that it rains outside), it must reckon both with the possibility
that $p$ holds and with the possibility that $p$ does not hold. Formally this is captured by
a Kripke model in which in the actual world, the agent considers several possible
alternatives (captured by the accessibility relation), some of which satisfy $p$ while other ones
do not satisfy $p$. So we have a very intuitive use of modal semantics here: a formula $\varphi$ is
known / believed by the agent if all alternatives deemed possible by the agent (formally,
all worlds accessible for the agent from the actual world) satisfy $\varphi$.

Thus, we have the following formal definitions. The language is obtained by taking 
classical (propositional) logic augmented by a clause for the knowledge or belief operator. 
We assume a set P of atomic formulas. 


DEFINITION 1. (Language of epistemic/doxastic logic)

• Every atomic formula in $P$ is an epistemic (doxastic) formula;

• if $\varphi_1$ and $\varphi_2$ are epistemic (doxastic) formulas, then $\neg\varphi_1$, $\varphi_1 \vee \varphi_2$ are
epistemic (doxastic) formulas;

• if $\varphi$ is an epistemic (doxastic) formula, then $K\varphi$ ($B\varphi$) is an epistemic (doxastic)
formula.


Other propositional connectives (such as $\wedge$, $\to$, $\leftrightarrow$) are introduced as (the usual)
abbreviations.


DEFINITION 2. (Kripke models for epistemic/doxastic languages)
A model for an epistemic/doxastic language is a triple

$M = \langle W, V, R \rangle$,

where:

• $W$ is a non-empty set of states (or worlds);

• $V$ is a truth assignment function per state;

• $R$ is an accessibility relation on $W$ for interpreting the modal operator $K$ or $B$. In
the former case $R$ is assumed to be an equivalence relation, while for the latter $R$
is assumed to be euclidean, transitive and serial.


The set of worlds that are accessible from a certain world must be viewed as epistemic
alternatives for this world: if the agent is in this world he is not able to distinguish
between these accessible worlds due to his (lack of) knowledge/belief; as far as he is concerned
he could be in any of the alternatives.

The reason that for modelling knowledge the accessibility relation is taken to be an 
equivalence relation, can be understood as follows: the agent, being in a certain state, 
considers a set of alternatives which are all alternatives of each other and one of which 
is the actual state (so the agent considers his true state as an alternative). 

For belief this would be too strong: in particular, for belief it is not reasonable to 
assume that the agent always considers his true state as an alternative, since he may be 
mistaken. So, for belief, weaker assumptions are assumed, which nevertheless result in a 
number of interesting validities. 


DEFINITION 3. (Interpretation of epistemic / doxastic formulas.)
In order to determine whether an epistemic (doxastic) formula is true in a model/state
pair $M, w$ (if so, we write $M, w \models \varphi$), we stipulate:

• $M, w \models p$ iff $V(w)(p) = true$, for $p \in P$;

• the logical connectives are interpreted as usual;

• $M, w \models K\varphi$ ($B\varphi$) iff $M, w' \models \varphi$ for all $w'$ with $R(w, w')$.


The last clause can be understood as follows: an agent knows (believes) a formula to
be true if the formula is true in all the epistemic alternatives that the agent considers at
the state he is in (represented by the accessibility relation).


DEFINITION 4. (Validity)

• A formula $\varphi$ is verified by a model $M = \langle W, V, R \rangle$ iff it is true in all worlds of $M$:
$M \models \varphi \Leftrightarrow M, w \models \varphi$ for all $w \in W$.

• A formula $\varphi$ is valid iff it is verified by all models of a given form:
$\models \varphi \Leftrightarrow M \models \varphi$ for all models $M$ of the form considered.


Validities in epistemic logic with respect to the given models (which we will refer to
as the ‘axioms’ of knowledge) are:


PROPOSITION 5.

• $\models K(\varphi \to \psi) \to (K\varphi \to K\psi)$

• $\models K\varphi \to \varphi$

• $\models K\varphi \to KK\varphi$

• $\models \neg K\varphi \to K\neg K\varphi$


The first validity says that knowledge is closed under implication: if both the impli- 
cation y — Ņ and the antecedent y is known then also the conclusion w is known. This 
is of course a very ‘idealized’ property of knowledge, but its validity is at the very heart 
of using so-called normal modal logic as we do here. 

The second validity expresses that knowledge is true. (One cannot honestly, truthfully 
and justifiably state to know something that is false.) The third and fourth validities 
express a form of introspection: the agent knows what it knows, in the sense that it 
knows that it knows something (the second axiom), and, moreover, it knows what it 
does not know (the third axiom). Of course, this may be very unrealistic to assume for 
some intelligent agents, such as humans, but often it makes sense to assume it in the case 
of artificial agents, either by virtue of their finitary nature or by way of some idealization. 
In any case it makes life easier, since the resulting logic, called S5, is very elegant (has 
relatively simple models) and enjoys several pleasant properties ([56]). The logic can be 
axiomatized by taking the four above validities as axioms, together with an axiomatization 
of classical propositional logic and the rules of Modus Ponens and Necessitation ($\varphi / K\varphi$). 

With respect to doxastic logic we obtain the following validities: 


PROPOSITION 6. 
• $\models B(\varphi \to \psi) \to (B\varphi \to B\psi)$ 

• $\models \neg B\bot$ 

• $\models B\varphi \to BB\varphi$ 

• $\models \neg B\varphi \to B\neg B\varphi$ 


Again we observe the introspection properties, but the second validity now states that 
an agent’s belief is not inconsistent, which is weaker than the property that belief should 
be true. If one takes these properties as axioms completed by modus ponens, necessitation 
for B and (sufficient) classical propositional validities, one obtains the system known as 
KD45. 
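
The following Python sketch is an added example, not part of the original chapter. It implements the truth clause of Definition 3 and tests the schemas of Propositions 5 and 6 (instantiated with atoms p and q) against every valuation on two small constructed frames; the frames and all function names are assumptions made for illustration.

```python
from itertools import product

# Formulas are nested tuples. "box" is read as K on the S5 frame and as B on
# the KD45 frame, since Definition 3 gives both operators the same clause.
P, Q, BOT = ("atom", "p"), ("atom", "q"), ("bot",)

def Not(f): return ("not", f)
def Imp(f, g): return ("imp", f, g)
def Box(f): return ("box", f)

def holds(W, V, R, w, f):
    """Definition 3: truth of formula f at world w of the model (W, V, R)."""
    op = f[0]
    if op == "atom":
        return V[w][f[1]]
    if op == "bot":
        return False
    if op == "not":
        return not holds(W, V, R, w, f[1])
    if op == "imp":
        return (not holds(W, V, R, w, f[1])) or holds(W, V, R, w, f[2])
    if op == "box":  # true in every alternative w' with R(w, w')
        return all(holds(W, V, R, v, f[1]) for v in W if (w, v) in R)
    raise ValueError(f"unknown connective {op!r}")

def valuations(W, atoms=("p", "q")):
    """Enumerate every truth assignment V for the given atoms over W."""
    slots = [(w, a) for w in W for a in atoms]
    for bits in product([False, True], repeat=len(slots)):
        V = {w: {} for w in W}
        for (w, a), b in zip(slots, bits):
            V[w][a] = b
        yield V

def counterexample(W, R, f):
    """Return a pair (V, w) falsifying f on the frame (W, R), or None."""
    for V in valuations(W):
        for w in W:
            if not holds(W, V, R, w, f):
                return V, w
    return None

# Atomic instances of the schemas. Checking them under all valuations settles
# the schema on the frame, because the truth set of any formula substituted
# for p or q is some subset of W, and every subset is covered by a valuation.
AXIOMS = {
    "K": Imp(Box(Imp(P, Q)), Imp(Box(P), Box(Q))),   # closure under implication
    "T": Imp(Box(P), P),                             # knowledge is true
    "D": Not(Box(BOT)),                              # belief is not inconsistent
    "4": Imp(Box(P), Box(Box(P))),                   # positive introspection
    "5": Imp(Not(Box(P)), Box(Not(Box(P)))),         # negative introspection
}

def frame_report(W, R):
    """Map each axiom name to True iff no valuation on (W, R) falsifies it."""
    return {name: counterexample(W, R, f) is None for name, f in AXIOMS.items()}

# Constructed frame 1: an equivalence relation with classes {0, 1} and {2}.
S5_W = [0, 1, 2]
S5_R = {(0, 0), (0, 1), (1, 0), (1, 1), (2, 2)}

# Constructed frame 2: serial, transitive and euclidean, but world 0 does not
# see itself, so what is believed at 0 need not be true at 0.
KD45_W = [0, 1]
KD45_R = {(0, 1), (1, 1)}

if __name__ == "__main__":
    print("S5 frame:  ", frame_report(S5_W, S5_R))
    print("KD45 frame:", frame_report(KD45_W, KD45_R))
    print("T fails at:", counterexample(KD45_W, KD45_R, AXIOMS["T"]))
```

On the second frame only the truth axiom fails, which is the formal counterpart of the remark that belief, unlike knowledge, may be mistaken.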

A natural question is whether the knowledge and belief modalities are interrelated 
in some meaningful way. The answer is more involved than one might suspect. In 
the literature (for example [50, 75, 89, 90]), several interesting possibilities for such an 
interaction have been investigated. In these studies it became clear that one has to be 
careful in putting several plausible properties together, as one might otherwise end up 
with undesirable properties such as the collapse of knowledge and belief! As usual with 
applications of modal logic, one may wonder whether the properties one obtains are all 
desirable and not ‘over-idealizations’. In the realm of epistemic/doxastic logic one may 
dispute the so-called paradoxes of logical omniscience. Most of these are inherent in the 
use of (normal) modal logic using standard Kripke semantics. For example, the basic 
modal property $\models K(\varphi \to \psi) \to (K\varphi \to K\psi)$ gives rise to a Sorites-like paradox: the 
agent knows all consequences of its knowledge, and likewise for belief. For ‘finitary’, 
resource-bounded agents this is unrealistic. One can now either take this for granted and 
view the modal operators for knowledge/belief as idealizations of the real thing, or one 
has to resort to non-standard (‘non-normal’) semantics (such as neighborhood semantics) 
to be able to avoid validities such as the above one. For a fuller treatment of this issue 
we refer to [56, 54]. 


4 DEONTIC LOGIC 


4.1 Standard deontic logic 


One of the first systems for deontic logic that really was a serious attempt to capture 
deontic reasoning was the now so-called “Old System” of Von Wright ([87]), of which a 
modal logic (Kripke-style) version has become known as Standard Deontic Logic (SDL). 
The syntax of SDL is that of a propositional modal logic with a modal operator $O$ for 
obligation. $O\varphi$ is read as ‘$\varphi$ is obligatory / obligated’ or ‘it ought to be the case that 
$\varphi$’. The modalities $F$ and $P$ for ‘it is forbidden’ and ‘it is permitted’, respectively, are 
introduced as abbreviations: $F\varphi = O\neg\varphi$ and $P\varphi = \neg F\varphi$: something is forbidden iff 
its negation is obligatory, and something is permitted iff it is not forbidden. SDL has 
a Kripke-style modal semantics based on a set of possible worlds (with a truth assignment 
function of primitive propositions per possible world) and an accessibility relation 
associated with the $O$-modality. This accessibility relation points to “ideal” or “perfect deontic 
alternatives” of the world under consideration. The crux behind this is that in some 
possible world something (say $\varphi$) is obligated, if $\varphi$ holds in all the perfect alternatives of 
this world, as indicated by the accessibility relation. 

So, formally these models have the following form: $M = (W, V, R_O)$, where $W$ is the 
set of states / worlds, $V$ is a truth assignment function, and $R_O$ is the deontic accessibility 
relation, which is assumed to be serial, i.e. for all $w \in W$ there is a $w' \in W$ such that 
$R_O(w, w')$. 

The operator $O$ is interpreted by means of the relation $R_O$: $M, w \models O\varphi$ iff $M, w' \models \varphi$ 
for all $w'$ with $R_O(w, w')$. Validity is defined as usual for modal logic. We obtain the 
following validities: 


PROPOSITION 7. 
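• $O(\varphi \to \psi) \to (O\varphi \to O\psi)$ 
• $O(\varphi \wedge \psi) \leftrightarrow (O\varphi \wedge O\psi)$ 
• $P(\varphi \wedge \psi) \to (P\varphi \wedge P\psi)$ 
• $(F\varphi \vee F\psi) \to F(\varphi \wedge \psi)$ 
• $(O\varphi \vee O\psi) \to O(\varphi \vee \psi)$ 
• $P(\varphi \vee \psi) \to (P\varphi \vee P\psi)$ 
• $F(\varphi \vee \psi) \leftrightarrow (F\varphi \wedge F\psi)$ 
• $\neg(O\varphi \wedge O\neg\varphi)$ 

The first and the last of these properties together with modus ponens, necessitation 
($\varphi / O\varphi$) and a sufficient number of axioms of propositional logic can be used to axiomatize 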
SDL. (This system coincides with the system KD in the classification of Chellas ([17]).) 

Again the question arises whether the above properties are adequate for deontic rea- 
soning. SDL suffers from a number of paradoxes, again mostly inherent in the (normal) 
modal semantics of the operators. For example, Ross’s paradox: $O\varphi \to O(\varphi \vee \psi)$: if one 
ought to mail the letter then one ought to mail it or burn it. This sounds peculiar, but 
if one interprets O as holding in ideal alternative worlds it is evidently true. What is 
problematic here, is that in natural language an obligation of a disjunction is normally 
held to be an obligation of one of the disjuncts that may be chosen arbitrarily by the 
agent, and this intuition is simply not captured by SDL semantics. There are also more 
serious paradoxes, notably those having to do with contrary-to-duty (CTD) imperatives, 
in which certain obligations are specified in case one is already violating another obliga- 
tion. For example, one ought to refrain from killing animals. But if one kills an animal, 
one ought to do it gently. This kind of CTD obligations cannot be expressed adequately 
in SDL. To reason about CTDs, or more generally about conditional obligations of the 
form $O(\varphi/\psi)$, read as the obligation to $\varphi$ under circumstance $\psi$, so-called dyadic deontic 
logic was introduced, already in the 60s by von Wright [88]. However, in the 90s it 
became apparent that a truly adequate treatment of CTDs seems to force one to enter the 
realm of nonmonotonic / defeasible / preferential reasoning, which is beyond the scope 
of this chapter. More about this can be found in [58] and particularly [60, 15]. 


4.2 Dynamic deontic logic 


Another issue that plays a role in deontic logic is the confusion about the argument of the 
modal operators. In SDL these are propositions (and we may refer to the O-operator as 
being of an ‘ought-to-be’ nature). But many examples in the literature (and indeed also 
the example we gave illustrating Ross’s paradox) actually seem to concern actions rather 
than propositions. (This is already noted by e.g. Castaneda [16].) One may also try 
and capture this notion of ‘ought-to-do’ in a different logic, and this is what we do next. 
DDL, introduced in [59], is a version of dynamic logic especially tuned to use as ought-to- 
do style deontic logic. It is based on the idea of Anderson’s reduction of ought-to-be style 
deontic logic to alethic modal logic ([3]), but instead it reduces ought-to-do deontic logic 
to dynamic logic ([42]). The basic idea is very simple: some action is forbidden if doing 
the action leads to a state of violation. In a formula: $\hat{F}\alpha \leftrightarrow [\alpha]V$, where the dynamic 
logic formula $[\alpha]\varphi$ denotes that execution / performance of the action $\alpha$ leads (necessarily) 
to a state (or states) where $\varphi$ holds, and $V$ is a special atomic formula denoting violation. 
(We write $\hat{F}$ instead of $F$ to indicate that this operator is of a different (viz. ‘to-do’) 
kind than the SDL operator; likewise for the other operators in this section.) Formally, 
we say that the meaning of action $\alpha$ is captured by an accessibility relation $R_\alpha \subseteq W \times W$ 
associated with $\alpha$, where $W$ is the set of possible worlds. This relation $R_\alpha$ describes 
exactly what possible moves (state transitions) are induced by performance of the action 
$\alpha$: $R_\alpha(w, w')$ says that from world $w$ one can get into world $w'$ by performing $\alpha$. (In 
concurrency semantics and process algebra this is often specified by a so-called (labeled) 
transition system which enables one to derive (all) transitions of the kind $w \to_\alpha w'$, which 
in fact defines the relation $R_\alpha$ for all possible actions $\alpha$.) Now the formal meaning of 
the formula $[\alpha]\varphi$ is given by: $[\alpha]\varphi$ is true in a possible world $w$ iff all states $w'$ with 
$R_\alpha(w, w')$ satisfy $\varphi$. This then provides the formal definition of the $\hat{F}$-operator, as given 
above. In the sequel we will also employ the dual $\langle\alpha\rangle$ of $[\alpha]$: $\langle\alpha\rangle\varphi$ is true in $w$ iff there 
is some state $w'$ satisfying $\varphi$ such that $R_\alpha(w, w')$. 

The other deontic modalities are derivatives of $\hat{F}$: permission is not-forbidden 
($\hat{P}\alpha \leftrightarrow \neg\hat{F}\alpha$), and obligation is forbidden-not-to ($\hat{O}\alpha \leftrightarrow \hat{F}\bar{\alpha}$), where $\bar{\alpha}$ has the meaning of 
“not-$\alpha$”. The formal semantics of this negated action is non-trivial, especially in case 
one considers composite actions (cf. [59, 91, 26, 92]). In the cited papers we considered 
connectives for composing non-atomic actions, such as ‘$\cup$’ (choice, the dynamic analogue 
of disjunction in a static setting), ‘&’ (parallel, the analogue of conjunction), ‘$-$’ 
(non-performance, the analogue of negation), and ‘;’ (sequential composition, which has no 
analogue in a static setting). Without giving a formal semantics here (see the papers 
mentioned above for that), the meaning of these are as follows: $\alpha_1 \cup \alpha_2$ expresses a choice 
between $\alpha_1$ and $\alpha_2$ (this, roughly, corresponds to taking $R_{\alpha_1 \cup \alpha_2}$ as the set-theoretic 
union of $R_{\alpha_1}$ and $R_{\alpha_2}$), $\alpha_1 \& \alpha_2$ a parallel performance of $\alpha_1$ and $\alpha_2$ (this amounts to more 
or less taking $R_{\alpha_1 \& \alpha_2}$ to be the intersection of $R_{\alpha_1}$ and $R_{\alpha_2}$), $\bar{\alpha}$ (we will also write $-\alpha$) 
the non-performance of $\alpha$, as stated above (it more or less amounts to taking $R_{\bar{\alpha}}$ to be 
some complement of $R_\alpha$, but see also the discussion below), and $\alpha_1; \alpha_2$ the performance 
of $\alpha_1$ followed by that of $\alpha_2$. For a full account of the semantics of particularly negated 
actions we refer to [59, 26, 23, 25]. 

With this semantics the following formulas are valid: 


PROPOSITION 8. 
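• $[\alpha](\varphi \to \psi) \to ([\alpha]\varphi \to [\alpha]\psi)$ 
• $[\alpha; \beta]\varphi \to [\alpha][\beta]\varphi$ 
• $[\alpha \cup \beta]\varphi \leftrightarrow ([\alpha]\varphi \wedge [\beta]\varphi)$ 
• $[\alpha]\varphi \to [\alpha \& \beta]\varphi$ 
• $[-(\alpha; \beta)]\varphi \to ([-\alpha]\varphi \wedge [\alpha][-\beta]\varphi)$ 
• $[-\alpha]\varphi \to [-(\alpha \cup \beta)]\varphi$ 
• $[-(\alpha \& \beta)]\varphi \leftrightarrow ([-\alpha]\varphi \wedge [-\beta]\varphi)$ 
• $\hat{F}\alpha \leftrightarrow [\alpha]V$ 
• $\hat{P}\alpha \leftrightarrow \neg\hat{F}\alpha\ (\leftrightarrow \langle\alpha\rangle\neg V)$ 
• $(\hat{F}\alpha \vee \hat{F}\beta) \to \hat{F}(\alpha \& \beta)$ 
• $(\hat{O}\alpha \vee \hat{O}\beta) \to \hat{O}(\alpha \cup \beta)$ 
• $\hat{P}(\alpha \cup \beta) \leftrightarrow (\hat{P}\alpha \vee \hat{P}\beta)$ 
• $\hat{F}(\alpha \cup \beta) \leftrightarrow (\hat{F}\alpha \wedge \hat{F}\beta)$ 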


Modal action logics that contain action negation (complement) operators have been 
studied by several authors, for instance [20, 37, 9]. From these studies, in particular [9], 
it has become clear that there are several ways to define action negation, particularly in 
the context of the operators ‘;’ and intersection. The choices made in DDL above were 
motivated mainly by the desirability of the validities concerning the deontic operators 
above. Several dynamic deontic logics have been proposed that could be viewed as 
some kind of refinement of the original logic as presented here. These concern, amongst 
others, issues of context (pertaining to the kind of complement / negation again) [23], 
the exact way actions bring about violations [24], and a more refined view of action 
than just input-output relations [78, 13]. 
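
The reduction of ‘forbidden’ to dynamic logic can be run directly on a labelled transition system. The Python sketch below is an added example, not code from the chapter or the cited papers: it treats formulas as sets of states, takes choice as union and ‘;’ as relational composition, and leaves action negation and ‘&’ out. The letter scenario, its state names and all function names are constructed for illustration.

```python
from itertools import combinations, product

def box(R, X, W):
    """[a]X: states whose every R-successor lies in X (vacuous if none exists)."""
    return {w for w in W if all(v in X for (u, v) in R if u == w)}

def dia(R, X, W):
    """<a>X, the dual of box: states with at least one R-successor in X."""
    return {w for w in W if any(v in X for (u, v) in R if u == w)}

def choice(Ra, Rb):
    """a U b: set-theoretic union of the two transition relations."""
    return Ra | Rb

def seq(Ra, Rb):
    """a ; b: relational composition, first a then b."""
    return {(u, w) for (u, v) in Ra for (v2, w) in Rb if v == v2}

def forbidden(R, V, W):
    """F^a <-> [a]V: every way of doing the action ends in a violation state."""
    return box(R, V, W)

def permitted(R, V, W):
    """P^a <-> not F^a."""
    return W - forbidden(R, V, W)

def subsets(items):
    items = list(items)
    return [set(c) for n in range(len(items) + 1) for c in combinations(items, n)]

def laws_hold(W):
    """Check the ';', choice and permission laws for all relations and sets over W."""
    W = set(W)
    relations, state_sets = subsets(product(W, W)), subsets(W)
    for Ra, Rb in product(relations, repeat=2):
        for X in state_sets:  # X plays the role of phi and of V in turn
            ok = (
                box(seq(Ra, Rb), X, W) == box(Ra, box(Rb, X, W), W)
                and box(choice(Ra, Rb), X, W) == box(Ra, X, W) & box(Rb, X, W)
                and permitted(choice(Ra, Rb), X, W)
                    == permitted(Ra, X, W) | permitted(Rb, X, W)
                and permitted(Ra, X, W) == dia(Ra, W - X, W)
            )
            if not ok:
                return False
    return True

# Constructed scenario after the letter example: burning the letter is the
# only violation, and both actions are executable only while holding it.
STATES = {"holding", "mailed", "burned"}
MAIL = {("holding", "mailed")}
BURN = {("holding", "burned")}
VIOLATION = {"burned"}

def letter_scenario():
    return {
        "F burn": forbidden(BURN, VIOLATION, STATES),
        "F mail": forbidden(MAIL, VIOLATION, STATES),
        "P mail": permitted(MAIL, VIOLATION, STATES),
        "P burn": permitted(BURN, VIOLATION, STATES),
        "P mail U burn": permitted(choice(MAIL, BURN), VIOLATION, STATES),
    }

if __name__ == "__main__":
    print("laws hold on a two-state universe:", laws_hold({0, 1}))
    for name, states in letter_scenario().items():
        print(f"{name:14} {sorted(states)}")
```

Two things show up that the prose does not spell out: an action with no transition from a state is vacuously forbidden there, and the choice between mailing and burning is permitted while holding the letter although burning on its own is not.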


5 BDI LOGIC 


BDI logic as proposed by Rao & Georgeff [62] came about after the ground-breaking work 
of Bratman [8] on the philosophy of intelligent (human) agents. In this work Bratman 
made a case for the notion of intention besides belief and desire, to describe the behavior 
of rational agents. Intentions force the agent to commit to certain desires and to really 
‘go for them’. So focus of attention is an important aspect here, which also enables the 
agent to monitor how s/he is doing and take measures if things go wrong. Rao & Georgeff 
stress that in the case of resource-bounded agents it is imperative to focus on desires / 
goals and make choices. This was also observed by Cohen & Levesque [18], who tried to 
formalize the notion of intention in a linear-time temporal logic in terms of the notion of 
a (persistent) goal. Here we follow Rao & Georgeff who use a branching-time temporal 
logic framework to give a formal-logical account of BDI theory. BDI logic has influenced 
many researchers (including Rao & Georgeff themselves) to think about architectures of 
agent-based systems in order to realize these systems. Rao & Georgeff’s BDI logic is more 
liberal than that of Cohen & Levesque in the sense that they a priori regard each of the 
three attitudes of belief, desire and intention as primitive: they introduce separate modal 
operators for belief, desire and intention, and then study possible relations between them. 

The language of BDI logic is defined as follows. Two types of formulas are distin- 
guished: state formulas and path formulas. We assume some given first-order signature. 
Furthermore, we assume a set E of event types with typical element e. The operators 
BEL, GOAL, INTEND have as obvious intended reading the belief, goal and intention 
of an agent, respectively, while $U$, $\Diamond$, $\bigcirc$ are the usual temporal operators, viz. ‘until’, 
‘eventually’ and ‘next’, respectively. 


DEFINITION 9. (State and path formulas.) 
1. The set of state formulas is the smallest set closed under the following conditions: 

• any first-order formula with respect to the given signature is a state formula; 
• if $\varphi_1$ and $\varphi_2$ are state formulas then also $\neg\varphi_1$, $\varphi_1 \vee \varphi_2$, $\exists x\varphi_1$ are state formulas; 
• if $e$ is an event type, then $\mathit{succeeded}(e)$, $\mathit{failed}(e)$ are state formulas; 
• if $\varphi$ is a state formula, then $BEL(\varphi)$, $GOAL(\varphi)$, $INTEND(\varphi)$ are state formulas; 
• if $\psi$ is a path formula, then $\mathit{optional}(\psi)$ is a state formula. 

2. The set of path formulas is the smallest set closed under: 

• any state formula is a path formula; 
• if $\psi_1$, $\psi_2$ are path formulas, then $\neg\psi_1$, $\psi_1 \vee \psi_2$, $\psi_1 U \psi_2$, $\Diamond\psi_1$, $\bigcirc\psi_1$ are path formulas. 


State formulas are interpreted over a state, that is a (state of the) world at a particular 
point in time, while path formulas are interpreted over a path of a time tree (representing 
the evolution of a world). In the sequel we will see how this will be done formally. Here 
we just give the informal readings of the operators. The operators succeeded and failed 
are used to express that events have (just) succeeded and failed, respectively. As in 
the framework of Cohen & Levesque action-like entities should be given a place in the 
theory by means of additional operators. Here we see that Rao & Georgeff’s approach 
also accounts for the distinction of trying an action / event and succeeding versus failing. 
With the latter one may think of several things: either the agent tried to do some action 
which failed due to circumstances in the environment. For example, for an action ‘grip’ 
to be successful there should be an object to be gripped; for a motor to be started 
there should be fuel, etc.; perhaps there is also some internal capacity missing needed 
for successful performance of an action: again for an action ‘grip’ to be successful the 
robot should have a gripper. This is related to the well-known qualification problem in 
AI, [67]. 

Next there are the modal operators for belief, goal and intend. (In the original version 
of BDI theory [62], desires are represented by goals, or rather a GOAL operator. In 
a later paper [64] the GOAL operator was replaced by DES for desire.) The optional 
operator states that there is a future (represented by a path) where the argument of the 
operator holds. Finally, there are the familiar (linear-time) temporal operators, such as 
the ‘until’, ‘eventually’ and ‘next time’, which are to be interpreted along a linear time 
path. 

Furthermore, the following abbreviations are defined: 


DEFINITION 10. 
1. $\Box\varphi = \neg\Diamond\neg\varphi$ (always); 
2. $\mathit{inevitable}(\psi) = \neg\mathit{optional}(\neg\psi)$; 
3. $\mathit{done}(e) = \mathit{succeeded}(e) \vee \mathit{failed}(e)$; 
4. $\mathit{succeeds}(e) = \mathit{inevitable}\bigcirc(\mathit{succeeded}(e))$; 
5. $\mathit{fails}(e) = \mathit{inevitable}\bigcirc(\mathit{failed}(e))$; 
6. $\mathit{does}(e) = \mathit{inevitable}\bigcirc(\mathit{done}(e))$. 

The ‘always’ operator is the familiar one from (linear-time) temporal logic. The 
‘inevitability’ operator expresses that its argument holds along all possible futures (paths 
from the current time). The ‘done’ operator states that an event occurs (action is done) 
no matter whether it is succeeding or not. The final three operators state that an event 
succeeds, fails, or is done iff it is inevitable (i.e. in any possible future) it is the case that 
at the next instance the event has succeeded, failed, or has been done, respectively. (So, 
this means that an event, succeeding or failing, is supposed to take one unit of time!) 


DEFINITION 11. (Semantics) 
The semantics is given with respect to models of the form $M = (W, E, T, \prec, U, B, G, I, \Phi)$, where 

• $W$ is a set of possible worlds; 
• $E$ is a set of primitive event types; 
• $T$ is a set of time points; 
• $\prec$ is a binary relation on time points, which is serial, transitive and backwards-linear; 
• $U$ is the universe of discourse; 
• $\Phi$ is a mapping of first-order entities to $U$, for any world and time point; 
• $B, G, I \subseteq W \times T \times W$ are accessibility relations for BEL, GOAL, INTEND, respectively. 


The semantics of BDI logic, Rao & Georgeff-style, is rather complicated. Of course, 
we have possible worlds again, but as we will see below, these are not just unstructured 
elements, but they are each time trees, describing possible flows of time. So, we also 
need time points and an ordering on them. As BDI logic is based on branching time, the 
ordering need not be linear in the sense that all time points are related in this ordering. 
However, it is stipulated that the time ordering is serial (every time point has a successor 
in the time ordering), the ordering is transitive and backwards-linear, which means that 
every time point has only one direct predecessor. The accessibility relations for the ‘BDI’- 
modalities are standard apart from the fact that they are also time-related, that is to 
say that worlds are (belief/goal/intend-)accessible with respect to a time point. Another 
way of viewing this is that — for all three modalities — for every time point there is a 
distinct accessibility relation between worlds. 

Next we elaborate on the structure of the possible worlds. 


DEFINITION 12. (Possible worlds) 
Possible worlds in $W$ are assumed to be time trees: an element $w \in W$ has the form 
$w = (T_w, A_w, S_w, F_w)$, where 

• $T_w \subseteq T$ is the set of time points in world $w$; 
• $A_w$ is the restriction of the relation $\prec$ to $T_w$; 
• $S_w : T_w \times T_w \to E$ maps adjacent time points to (successful) events; 
• $F_w : T_w \times T_w \to E$ maps adjacent time points to (failing) events; 
• the domains of the functions $S_w$ and $F_w$ are disjoint. 


As announced before, a possible world itself is a time tree, a temporal structure rep- 
resenting possible flows of time. The definition above is just a technical one stating that 
the time relation within a possible world derives naturally from the a priori given relation 
on time points. Furthermore it is indicated by means of the functions $S_w$ and $F_w$ how 
events are associated with adjacent time points. 

Now we come to the formal interpretation of formulas on the above models. Naturally 
we distinguish state formulas and path formulas, since the former should be interpreted 
on states whereas the latter are interpreted on paths. In the sequel we use the notion of 
a fullpath: a fullpath in a world $w$ is an infinite sequence of time points such that, for all 
$i$, $(t_i, t_{i+1}) \in A_w$. We denote a fullpath in $w$ by $(w_{t_0}, w_{t_1}, \ldots)$, and define $\mathit{fullpaths}(w)$ 
as the set of all fullpaths occurring in world $w$ (i.e. all fullpaths that start somewhere in 
the time tree $w$). 


DEFINITION 13. (Interpretation of formulas) 
The interpretation of formulas with respect to a model 


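$M = (W, E, T, \prec, U, B, G, I, \Phi)$ 
is given by: 

1. (state formulas) 

• $M, v, w_t \models q(y_1, \ldots, y_n) \Leftrightarrow (v(y_1), \ldots, v(y_n)) \in \Phi(q, w, t)$; 
• $M, v, w_t \models \neg\varphi \Leftrightarrow M, v, w_t \not\models \varphi$; 
• $M, v, w_t \models \varphi_1 \vee \varphi_2 \Leftrightarrow M, v, w_t \models \varphi_1$ or $M, v, w_t \models \varphi_2$; 
• $M, v, w_t \models \exists x\varphi \Leftrightarrow M, v\{d/x\}, w_t \models \varphi$ for some $d \in U$; 
• $M, v, w_t \models \mathit{optional}(\psi) \Leftrightarrow$ there exists some fullpath $(w_{t_0}, w_{t_1}, \ldots)$ such that 
$M, v, (w_{t_0}, w_{t_1}, \ldots) \models \psi$; 
• $M, v, w_t \models BEL(\varphi) \Leftrightarrow$ for all $w' \in B(w,t)$: $M, v, w'_t \models \varphi$; 
• $M, v, w_t \models GOAL(\varphi) \Leftrightarrow$ for all $w' \in G(w,t)$: $M, v, w'_t \models \varphi$; 
• $M, v, w_t \models INTEND(\varphi) \Leftrightarrow$ for all $w' \in I(w,t)$: $M, v, w'_t \models \varphi$; 
• $M, v, w_t \models \mathit{succeeded}(e) \Leftrightarrow$ exists $t_0$ such that $S_w(t_0, t) = e$; 
• $M, v, w_t \models \mathit{failed}(e) \Leftrightarrow$ exists $t_0$ such that $F_w(t_0, t) = e$. 

In the above and elsewhere $v\{d/x\}$ denotes the function $v$ modified such that 
$v(x) = d$, and $R(w,t) = \{w' \mid R(w,t,w')\}$ for $R = B, G, I$. 

2. (path formulas) 

• $M, v, (w_{t_0}, w_{t_1}, \ldots) \models \varphi \Leftrightarrow M, v, w_{t_0} \models \varphi$, for $\varphi$ state formula; 
• $M, v, (w_{t_0}, w_{t_1}, \ldots) \models \bigcirc\varphi \Leftrightarrow M, v, (w_{t_1}, w_{t_2}, \ldots) \models \varphi$; 
• $M, v, (w_{t_0}, w_{t_1}, \ldots) \models \Diamond\varphi \Leftrightarrow M, v, (w_{t_k}, \ldots) \models \varphi$ for some $k \geq 0$; 
• $M, v, (w_{t_0}, w_{t_1}, \ldots) \models \psi_1 U \psi_2 \Leftrightarrow$ either (i) there exists $k \geq 0$ such that 
$M, v, (w_{t_k}, \ldots) \models \psi_2$ and for all $0 \leq j < k$: $M, v, (w_{t_j}, \ldots) \models \psi_1$, or (ii) 
for all $j \geq 0$: $M, v, (w_{t_j}, \ldots) \models \psi_1$. 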


Most of the above clauses should be clear, including those concerning the modal op- 
erators for belief, goal and intention. The clause for the ‘optional’ operator expresses 
exactly that optionally $\psi$ is true if $\psi$ is true in one of the possible futures represented by 
fullpaths starting at the present time point. The interpretation of the temporal operators 
is as usual. 

Rao & Georgeff now discuss a number of properties that may be desirable to have as 
axioms. In the following we use $\alpha$ to denote so-called O-formulas, which are formulas 
that contain no positive occurrences of the ‘inevitable’ operator (or negative occurrences 
of ‘optional’) outside the scope of the modal operators BEL, GOAL and INTEND. 


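1. $GOAL(\alpha) \to BEL(\alpha)$ 
2. $INTEND(\alpha) \to GOAL(\alpha)$ 
3. $INTEND(\mathit{does}(e)) \to \mathit{does}(e)$ 
4. $INTEND(\varphi) \to BEL(INTEND(\varphi))$ 
5. $GOAL(\varphi) \to BEL(GOAL(\varphi))$ 
6. $INTEND(\varphi) \to GOAL(INTEND(\varphi))$ 
7. $\mathit{done}(e) \to BEL(\mathit{done}(e))$ 
8. $INTEND(\varphi) \to \mathit{inevitable}\,\Diamond(\neg INTEND(\varphi))$ 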


In order to render these formulas validities further constraints should be imposed on 
the models, since in the general setting above these are not yet valid. For reasons of space 
we only consider the first two. (More can be found in [62, 64, 93].) In order to define 
constraints on the models such that these two become valid, we introduce the relation 
$\lhd$ on worlds, as follows: $w'' \lhd w' \Leftrightarrow \mathit{fullpaths}(w'') \subseteq \mathit{fullpaths}(w')$. So, $w'' \lhd w'$ means 
that the world (time tree) $w''$ represents fewer choices than $w'$. Now we define the 
B-G condition as the property that the following holds: 


$\forall w' \in B(w,t)\ \exists w'' \in G(w,t) : w'' \lhd w'$ 


Informally, this condition says that for any belief accessible world there is a goal accessible 
world that contains fewer choices. It is now easy to prove the following proposition. 


PROPOSITION 14. 
Let BG be the class of models of the above form that satisfy the B-G condition. Then 


$BG \models GOAL(\alpha) \to BEL(\alpha)$ 


for O-formulas $\alpha$. 


Similarly one can define the G-I condition as 


$\forall w' \in G(w,t)\ \exists w'' \in I(w,t) : w'' \lhd w'$ 

and obtain: 


PROPOSITION 15. 
Let GI be the class of models of the above form that satisfy the G-I condition. Then 


$GI \models INTEND(\alpha) \to GOAL(\alpha)$ 


for O-formulas $\alpha$. 


Let us now consider the properties deemed desirable by Rao & Georgeff again. Actu- 
ally, the first one is rather controversial. (Cohen & Levesque had the inverse implication 
in their framework, although admittedly that framework is quite different from Rao & 
Georgeff’s because of the different temporal model — linear time instead of branching 
time, so that it is not completely fair to compare formulas...!) Rao & Georgeff try to 
render the formula concerned (which they call ‘belief-goal compatibility’) plausible by 
considering a typical O-formula $\alpha$ of the form $\mathit{optional}(\psi)$, and then note that if it is 
a goal that something is optional (true in some future) then it should also be believed 
that it is optional (true in some future). This, indeed, sounds plausible in the sense 
that a rational and realistic agent would adhere to it. But also objective (nonmodal) 
formulas are O-formulas, and whether this property is also plausible for these formulas 
is debatable. 

The second formula is similar to the first. This one is called goal-intention compat- 
ibility, and is defended by Rao & Georgeff by stating that if an optionality is intended 
it should also be wished (a goal in their terms). So, Rao & Georgeff have a kind of 
selection filter in mind: intentions (or rather intended options) are filtered / selected 
goals (or rather goal (wished) options), and goal options are selected believed options. 

The third one says that the agent really does the primitive actions that s/he intends 
to do. This means that if one adopts this as an axiom the agent is not allowed to do 
something else (first). 

The fourth, fifth and seventh express that the agent is conscious of its intentions, goals 
and what primitive action he has done in the sense that he believes what he intends, has 
as a goal and what primitive action he has just done. The sixth one says something like 
that intentions are really wished for: if something is an intention then it is a goal that it 
is an intention. 

The eighth formula states that intentions will inevitably (in every possible future) be 
dropped eventually, so there is no infinite deferral of its intentions. This leaves open, 
whether the intention will be fulfilled eventually, or will be given up for other reasons. 
Below we will discuss several possibilities of giving up intentions according to different 
types of commitment an agent may have. 

BDI-logical expressions can be used to characterize different types of agents. Rao & 
Georgeff mention the following possibilities: 


1. (blindly committed agent) $INTEND(\mathit{inevitable}\,\Diamond\varphi) \to 
\mathit{inevitable}(INTEND(\mathit{inevitable}\,\Diamond\varphi)\ U\ BEL(\varphi))$ 


2. (single-minded committed agent) $INTEND(\mathit{inevitable}\,\Diamond\varphi) \to 
\mathit{inevitable}(INTEND(\mathit{inevitable}\,\Diamond\varphi)\ U\ (BEL(\varphi) \vee \neg BEL(\mathit{optional}\,\Diamond\varphi)))$ 


3. (open minded committed agent) $INTEND(\mathit{inevitable}\,\Diamond\varphi) \to 
\mathit{inevitable}(INTEND(\mathit{inevitable}\,\Diamond\varphi)\ U\ (BEL(\varphi) \vee \neg GOAL(\mathit{optional}\,\Diamond\varphi)))$ 

A blindly committed agent maintains his intention to inevitably eventually obtain 
something until he actually believes that that something has been fulfilled. A single- 
minded committed agent is somewhat more flexible: he maintains his intention until he 
believes he has achieved it or he does not believe that it can be reached (it is still an 
option in some future) anymore. Finally, the open minded committed agent is even more 
flexible: he can also drop his intention if it is not a goal (desire) anymore. 

Rao & Georgeff obtain results under which conditions the various types of committed 
agents will reach their intentions. For example, under the assumption of the axioms we 
have discussed earlier it holds for a blindly committed agent that: 


$INTEND(\mathit{inevitable}\,\Diamond\varphi) \to \mathit{inevitable}\,\Diamond BEL(\varphi)$ 


expressing that if the agent intends to eventually obtain $\varphi$ (s)he will inevitably eventually 
believe that it has succeeded in achieving $\varphi$. 


6 KARO LOGIC 


In this section we turn to the KARO formalism, in which action rather than time, together 
with knowledge / belief, is the primary concept, on which other agent notions are built. 
The KARO framework has been developed in a number of papers (e.g. [80, 81, 77, 57]) 
as well as in the thesis of Van Linder ([79]). 

The KARO formalism is an amalgam of dynamic logic and epistemic / doxastic logic, 
augmented with several additional (modal) operators in order to deal with the motiva- 
tional aspects of agents. So, besides operators for knowledge (K), belief (B) and action 
($[\alpha]$, “after performance of $\alpha$ it holds that”), there are additional operators for ability 
(A) and desire (D). 

Assume a set A of atomic actions and a set P of atomic propositions. 


DEFINITION 16. (Language) 
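The language $\mathcal{L}_{KARO}$ of KARO-formulas is given by the BNF grammar: 


$\varphi ::= p\ (\in P) \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \ldots \mid K\varphi \mid B\varphi \mid D\varphi \mid [\alpha]\varphi \mid A\alpha$ 


$\alpha ::= a\ (\in A) \mid \alpha_1; \alpha_2 \mid \varphi? \mid \mathbf{if}\ \varphi\ \mathbf{then}\ \alpha_1\ \mathbf{else}\ \alpha_2\ \mathbf{fi} \mid \mathbf{while}\ \varphi\ \mathbf{do}\ \alpha\ \mathbf{od}$ 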


Thus formulas are built by means of the familiar propositional connectives and the 
modal operators for knowledge, belief, desire, action and ability. The action expressions 
defined in the second ($\alpha$)-clause are familiar from imperative programming: atomic 
actions, tests and sequential composition, conditional and repetition. 

DEFINITION 17. (KARO models) 


1. The semantics of the knowledge, belief and desires operators is given by means of 
Kripke structures of the following form: $M = (W, V, R_K, R_B, R_D)$, where 

• $W$ is a non-empty set of states (or worlds); 
• $V$ is a truth assignment function per state; 
• $R_K$, $R_B$, $R_D$ are accessibility relations for interpreting the modal operators 
$K$, $B$, $D$. The relation $R_K$ is assumed to be an equivalence relation, while the relation 
$R_B$ is assumed to be euclidean, transitive and serial. Furthermore we assume 
that $R_B \subseteq R_K$. (No special constraints are assumed for the relation $R_D$.) 


2. The semantics of actions is given by means of structures of type 
$(\Sigma, \{R_a \mid a \in A\}, C, Ag)$, where 

• $\Sigma$ is the set of possible model/state pairs (i.e. models of the above form, 
together with a state appearing in that model); 
• $R_a$ ($a \in A$) are relations on $\Sigma$ encoding the behavior of atomic actions; 
• $C$ is a function that gives the set of actions that the agent is able to do per 
model/state pair; 
• $Ag$ is a function that yields the set of actions that the agent is committed to 
(the agent’s ‘agenda’) per model/state pair. 


Knowledge, belief, and desire are modeled by accessibility relations on worlds, as usual. 
Actions are modelled as model/state pair transformers to emphasize their influence on 
the mental state (that is, the complex of knowledge, belief and desires) of the agent 
rather than just the state of the world. Both (cap)abilities and commitments are given 
by functions that yield the relevant information per model / state pair. 


DEFINITION 18. (Interpretation of formulas) 
In order to determine whether a formula $\varphi \in \mathcal{L}_{KARO}$ is true in a model/state pair $(M, w)$, we 
stipulate: 

• $M, w \models p$ iff $V(w)(p) = \mathit{true}$, for $p \in P$; 
• the logical connectives are interpreted as usual; 
• $M, w \models K\varphi$ iff $M, w' \models \varphi$ for all $w'$ with $R_K(w, w')$; 
• $M, w \models B\varphi$ iff $M, w' \models \varphi$ for all $w'$ with $R_B(w, w')$; 
• $M, w \models D\varphi$ iff $M, w' \models \varphi$ for all $w'$ with $R_D(w, w')$; 
• $M, w \models [\alpha]\varphi$ iff $M', w' \models \varphi$ for all $M', w'$ with $R_\alpha((M, w), (M', w'))$; 
• $M, w \models A\alpha$ iff $\alpha \in C(M, w)$;² 
• $M, w \models Com(\alpha)$ iff $\alpha \in Ag(M, w)$.³ 

² In [76] we have shown that the ability operator can alternatively be defined by means of a second 
accessibility relation for actions, in a way analogous to the opportunity operator below. 


Here $R_\alpha$ is defined as usual in dynamic logic by induction from the basic case $R_a$ (cf. 
e.g. [43, 79, 77], but now on model/state pairs rather than just states). Likewise the 
function $C$ is lifted to sets of complex actions ([79, 77]). 

Knowledge, belief and desire are interpreted as modal operators, as usual. The action
modality gets a similar interpretation: something (necessarily) holds after the
performance / execution of action $\alpha$ if it holds in all the situations that are accessible from the
current one by doing the action $\alpha$. The only thing which is slightly nonstandard is that a
situation is characterized here as a model / state pair. The interpretations of the ability
and commitment operators are rather trivial in this setting (but see the footnotes): an
action is enabled (or rather: the agent is able to do the action) if it is indicated so by
the function $C$, and, likewise, an agent is committed to an action $\alpha$ if it is recorded so
in the agent’s agenda.

Furthermore, we will make use of the following syntactic abbreviations serving as 
auxiliary operators: 


DEFINITION 19.

• (dual) $\langle\alpha\rangle\varphi = \neg[\alpha]\neg\varphi$, expressing that the agent has the opportunity to perform
$\alpha$ resulting in a state where $\varphi$ holds.

• (opportunity) $\mathbf{O}\alpha = \langle\alpha\rangle\top$, i.e., an agent has the opportunity to do an action iff
there is a successor state with respect to the $R_\alpha$-relation;

• (practical possibility) $\mathbf{P}(\alpha, \varphi) = \mathbf{A}\alpha \wedge \mathbf{O}\alpha \wedge \langle\alpha\rangle\varphi$, i.e., an agent has the practical
possibility to do an action with result $\varphi$ iff it is both able and has the opportunity
to do that action and the result of actually doing that action leads to a state where
$\varphi$ holds;

• (can) $\mathbf{Can}(\alpha, \varphi) = \mathbf{K}\mathbf{P}(\alpha, \varphi)$, i.e., an agent can do an action with a certain result
iff it knows it has the practical possibility to do so;

• (realizability) $\Diamond\varphi = \exists a_1, \ldots, a_n\, \mathbf{P}(a_1; \ldots; a_n, \varphi)$⁴, i.e., a state property $\varphi$ is
realizable iff there is a finite sequence of atomic actions of which the agent has the
practical possibility to perform it with the result $\varphi$;

• (goal) $\mathbf{G}\varphi = \neg\varphi \wedge \mathbf{D}\varphi \wedge \Diamond\varphi$, i.e., a goal is a formula that is not (yet) satisfied, but
desired and realizable.⁵

• (possible intend) $\mathbf{I}(\alpha, \varphi) = \mathbf{Can}(\alpha, \varphi) \wedge \mathbf{K}\mathbf{G}\varphi$, i.e., an agent (possibly) intends an
action with a certain result iff the agent can do the action with that result and it
moreover knows that this result is one of its goals.


³ The agenda is assumed to be closed under certain conditions such as taking ‘prefixes’ of actions
(representing initial computations). Details are omitted here, but can be found in [57].

⁴ We abuse our language here slightly, since strictly speaking we do not have quantification in our
object language. See [57] for a proper definition.

⁵ In fact, here we simplify matters slightly. In [57] we also stipulate that a goal should be explicitly
selected somehow from the desires it has, which is modelled in that paper by means of an additional
modal operator. Here we leave this out for simplicity’s sake.
REMARK


The dual of the (box-type) action modality expresses that there is at least a
resulting state where a formula $\varphi$ holds. It is important to note that in the context of
deterministic actions, i.e. actions that have at most one successor state, this means
that the only state satisfies $\varphi$, and is thus in this particular case a stronger
assertion than its dual formula $[\alpha]\varphi$, which merely states that if there are any successor
states they will (all) satisfy $\varphi$. Note also that if atomic actions are assumed to be
deterministic all actions including the complex ones will be deterministic.


Opportunity to do an action is modelled by having at least one successor state
according to the accessibility relation associated with the action.


Practical possibility to do an action with a certain result is modelled as having both
ability and opportunity to do the action with the appropriate result. Note that $\mathbf{O}\alpha$
in the formula $\mathbf{A}\alpha \wedge \mathbf{O}\alpha \wedge \langle\alpha\rangle\varphi$ is actually redundant since it already follows from
$\langle\alpha\rangle\varphi$. However, to stress the opportunity aspect it is added.


The Can predicate applied to an action and formula expresses that the agent is
‘conscious’ of its practical possibility to do the action resulting in a state where the
formula holds.


A formula $\varphi$ is realizable if there is a ‘plan’ consisting of (a sequence of) atomic
actions of which the agent has the practical possibility to do them with $\varphi$ as a
result.


A formula $\varphi$ is a goal in the KARO framework if it is not true yet, but desired and
realizable in the above meaning, that is, there is a plan of which the agent has the
practical possibility to realize it with $\varphi$ as a result.


An agent is said to (possibly) intend an action $\alpha$ with result $\varphi$ if he Can do this
(knows that he has the practical possibility to do so), and, moreover, knows that
$\varphi$ is a goal.


In order to manipulate both knowledge / belief and motivational matters special
actions revise, commit and uncommit are added to the language. These operators cannot
be nested. So, e.g., commit(uncommit $\alpha$) is not a well-formed action expression. (For
a proper definition of the language the reader is referred to [57].) The semantics of
these actions are again given as model/state transformers. (We only do this here in a
very abstract manner, viewing the accessibility relations associated with these actions as
functions. For further details we refer to e.g. [79, 77, 57].)


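DEFINITION 20. (Accessibility of revise, commit and uncommit actions)

1. $R_{\mathtt{revise}\,\varphi}(\mathcal{M}, w) = \mathit{update\_belief}(\varphi, (\mathcal{M}, w))$.

2. $R_{\mathtt{commit}\,\alpha}(\mathcal{M}, w) = \mathit{update\_agenda}^{+}(\alpha, (\mathcal{M}, w))$, if $\mathcal{M}, w \models \mathbf{I}(\alpha, \varphi)$ for some $\varphi$,
otherwise $R_{\mathtt{commit}\,\alpha}(\mathcal{M}, w) = \emptyset$ (indicating failure of the commit action).

3. $R_{\mathtt{uncommit}\,\alpha}(\mathcal{M}, w) = \mathit{update\_agenda}^{-}(\alpha, (\mathcal{M}, w))$, if $\mathcal{M}, w \models \mathbf{Com}(\alpha)$,
otherwise $R_{\mathtt{uncommit}\,\alpha}(\mathcal{M}, w) = \emptyset$ (indicating failure of the uncommit action).

4. $\mathtt{uncommit}\,\alpha \in C(\mathcal{M}, w)$ iff $\mathcal{M}, w \models \neg\mathbf{I}(\alpha, \varphi)$ for all formulas $\varphi$, that is, an agent is
able to uncommit to an action if it is not intended to do it (any longer) for any
purpose.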


Here $\mathit{update\_belief}$, $\mathit{update\_agenda}^{+}$ and $\mathit{update\_agenda}^{-}$ are functions that update
the agent’s belief and agenda (by adding or removing an action), respectively. Details
are omitted here, but essentially these actions are model/state transformers again,
representing a change of the mental state of the agent (regarding beliefs and commitments,
respectively). The $\mathit{update\_belief}(\varphi, (\mathcal{M}, w))$ function changes the model $\mathcal{M}$ in such a way
that the agent’s belief is updated with the formula $\varphi$, while $\mathit{update\_agenda}^{+}(\alpha, (\mathcal{M}, w))$
changes the model $\mathcal{M}$ such that $\alpha$ is added to the agenda. The same holds for the
$\mathit{update\_agenda}^{-}$ function, but now with respect to removing an action from the agenda.
The formal definitions can be found in [80, 81] and [57]. The revise operator can be
used to cater for revisions due to observations and communication with other agents,
which we will not go into further here (see [81]).

The interpretation of formulas containing revise and (un)commit actions is now done 
using the accessibility relations above. One can now define validity as usual with respect 
to the KARO-models. One then obtains the following validities (of course, in order to 
be able to verify these one should use the proper model and not the abstraction we have 
presented here.) Besides the familiar properties from epistemic / doxastic logic, typical 
properties of this framework, called the KARO logic, include (cf. [80, 57]): 


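PROPOSITION 21.

1. $\models \mathbf{O}(\alpha; \beta) \leftrightarrow \langle\alpha\rangle\mathbf{O}\beta$

2. $\models \mathbf{Can}(\alpha; \beta, \varphi) \leftrightarrow \mathbf{Can}(\alpha, \mathbf{P}(\beta, \varphi))$

3. $\models [\mathtt{revise}\,\varphi]\mathbf{B}\varphi$

4. $\models \mathbf{K}\neg\varphi \leftrightarrow [\mathtt{revise}\,\varphi]\mathbf{B}\bot$

5. $\models \mathbf{K}(\varphi \leftrightarrow \psi) \to ([\mathtt{revise}\,\varphi]\mathbf{B}\chi \leftrightarrow [\mathtt{revise}\,\psi]\mathbf{B}\chi)$

6. $\models \mathbf{I}(\alpha, \varphi) \to \langle\mathtt{commit}\,\alpha\rangle\mathbf{Com}(\alpha)$

7. $\models \mathbf{I}(\alpha, \varphi) \to \neg\mathbf{A}\,\mathtt{uncommit}(\alpha)$

8. $\models \mathbf{Com}(\alpha) \to \langle\mathtt{uncommit}(\alpha)\rangle\neg\mathbf{Com}(\alpha)$

9. $\models \mathbf{Com}(\alpha) \wedge \neg\mathbf{Can}(\alpha, \top) \to \mathbf{Can}(\mathtt{uncommit}(\alpha), \neg\mathbf{Com}(\alpha))$

10. $\models \mathbf{Com}(\alpha) \to \mathbf{K}\mathbf{Com}(\alpha)$

11. $\models \mathbf{Com}(\alpha_1; \alpha_2) \to \mathbf{Com}(\alpha_1) \wedge \mathbf{K}[\alpha_1]\mathbf{Com}(\alpha_2)$

12. $\models \mathbf{Com}(\mathtt{if}\ \varphi\ \mathtt{then}\ \alpha_1\ \mathtt{else}\ \alpha_2\ \mathtt{fi}) \wedge \mathbf{K}\varphi \to \mathbf{Com}(\varphi?; \alpha_1)$

13. $\models \mathbf{Com}(\mathtt{if}\ \varphi\ \mathtt{then}\ \alpha_1\ \mathtt{else}\ \alpha_2\ \mathtt{fi}) \wedge \mathbf{K}\neg\varphi \to \mathbf{Com}(\neg\varphi?; \alpha_2)$

14. $\models \mathbf{Com}(\mathtt{while}\ \varphi\ \mathtt{do}\ \alpha\ \mathtt{od}) \wedge \mathbf{K}\varphi \to \mathbf{Com}((\varphi?; \alpha); \mathtt{while}\ \varphi\ \mathtt{do}\ \alpha\ \mathtt{od})$
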
The first of these properties says that having the opportunity to do a sequential
composition of two actions amounts to having the opportunity of doing the first action first
and then having the opportunity to do the second. The second states that an agent
can do a sequential composition of two actions with result $\varphi$ iff the agent can do the first
action resulting in a state where it has the practical possibility to do the second with
$\varphi$ as result. The third expresses that a revision with $\varphi$ results in a belief of $\varphi$. The fourth
states that the revision with $\varphi$ results in inconsistent belief iff the agent knows $\neg\varphi$ for
certain. The fifth expresses that revisions with formulas that are known to be equivalent
have identical results. The sixth asserts that if an agent possibly intends to do $\alpha$ with
some result $\varphi$, it has the opportunity to commit to $\alpha$ with result that it is committed to
$\alpha$ (i.e. $\alpha$ is put into its agenda). The seventh says that if an agent intends to do $\alpha$ with
a certain purpose, then it is unable to uncommit to it (so, if it is committed to $\alpha$ it has
to persevere in it). The eighth property says that if an agent is committed to an action,
then it has the opportunity to uncommit to it, with as result that indeed the commitment
is removed. The ninth says that whenever an agent is committed to an action that is
no longer known to be practically possible, it knows that it can undo this impossible
commitment. The tenth property states that commitments are known to the agent. The
last four properties have to do with commitments to complex actions. For instance, the
eleventh says that if an agent is committed to a sequential composition of two actions
then it is committed to the first one, and it knows that after doing the first action it will
be committed to the second action.

The KARO framework has been extended in various ways. In [76] we have given an 
account of abilities based on dynamic logic (like we did already for results and oppor- 
tunities). In [46] we considered automated reasoning (viz. resolution) methods for (a 
fragment of) KARO. Furthermore, Dignum and Van Linder [28] have extended it to deal 
with speech acts. Aldewereld et al. [2] have extended KARO with multi-agent notions 
such as joint beliefs, actions, goals and commitments. (We will return to this briefly 
in the next section.) Finally we mention that KARO can also be employed beyond the 
realm of rational agents: in [55] it is indicated how the framework may be used to describe 
emotional aspects of agency. 


7 MULTI-AGENT LOGICS 


In the previous sections we have concentrated mainly on single agents and how to describe 
them. Of course, if multiple agents are around, things become both more complicated as 
well as more interesting. In this section we will look at two generalizations of single-agent 
logics to multi-agent logics, viz. multi-agent epistemic logic and multi-agent BDI logic. 


7.1 Multi-agent epistemic logic 


In a multi-agent setting one can extend a single-agent framework in several ways. To
start with, with respect to the epistemic (doxastic) aspect, one can introduce epistemic
(doxastic) operators for every agent, resulting in a multi-modal logic, called $S5_n$. Models
for this logic are inherently less simple and elegant than those for the single agent case
(cf. [56]). One has indexed operators $K_i$ and $B_i$ for agent $i$’s knowledge and belief,
respectively. But one can go on and define knowledge operators that involve a group of


Intelligent Agents and Common Sense Reasoning 1011 


agents in some way. This gives rise to the notions of common and (distributed) group 
knowledge. 

The simplest notion is that of ‘everybody knows’, often denoted by the operator $E_K$.
But one can also add an operator $C_K$ for ‘common knowledge’, which is much more
powerful. The language is the same as epistemic logic, only now extended with the
clause:


DEFINITION 22. (multi-agent epistemic logic.)

• if $\varphi$ is a multi-agent epistemic formula, then $E_K\varphi$ and $C_K\varphi$ are multi-agent
epistemic formulas.


For the interpretation we use the following models: 


DEFINITION 23.
Models for n-agent epistemic logic are Kripke structures of the form

$\mathcal{M} = \langle W, V, R_1, \ldots, R_n, R_E, R_C \rangle$

where:

• $W$ is a non-empty set of states (or worlds);

• $V$ is a truth assignment function per state;

• The $R_i$ are accessibility relations on $W$ for interpreting the modal operators $K_i$,
assumed to be equivalence relations;

• $R_E = \bigcup_i R_i$;

• $R_C = R_E^{*}$, the reflexive transitive closure of $R_E$.


DEFINITION 24. (Interpretation of multi-agent epistemic formulas)
In order to determine whether a multi-agent epistemic formula is true in a model/state
pair $\mathcal{M}, w$ ($\mathcal{M}, w \models \varphi$), we stipulate:

• $\mathcal{M}, w \models p$ iff $V(w)(p) = \mathit{true}$, for $p \in \mathcal{P}$;

• the logical connectives are interpreted as usual;

• $\mathcal{M}, w \models K_i\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_i(w, w')$;

• $\mathcal{M}, w \models E_K\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_E(w, w')$;

• $\mathcal{M}, w \models C_K\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_C(w, w')$.


Using the analogous notion of validity as for single-agent epistemic logic, we obtain:

PROPOSITION 25.

• $\models E_K\varphi \leftrightarrow K_1\varphi \wedge \ldots \wedge K_n\varphi$

• $\models C_K(\varphi \to \psi) \to (C_K\varphi \to C_K\psi)$

• $\models C_K\varphi \to \varphi$

• $\models C_K\varphi \to C_K C_K\varphi$

• $\models \neg C_K\varphi \to C_K\neg C_K\varphi$

• $\models C_K\varphi \to E_K C_K\varphi$

• $\models C_K(\varphi \to E_K\varphi) \to (\varphi \to C_K\varphi)$


The first statement of this proposition shows that the ‘everybody knows’ modality
is indeed what its name suggests. The next four say that common knowledge has at
least the properties of knowledge: closed under implication, it is true, and enjoys the
introspective properties. The sixth property says that common knowledge is known by
everybody. The last is a kind of induction principle: the premise gives the condition
under which one can ‘upgrade’ the truth of $\varphi$ to common knowledge of $\varphi$; this premise
expresses that it is common knowledge that the truth of $\varphi$ is known by everybody.

As to multi-agent doxastic logic one can look at similar notions of ‘everybody believes’
and common belief. One can introduce operators $E_B$ and $C_B$ for these notions:


DEFINITION 26. (multi-agent doxastic logic)

• if $\varphi$ is a multi-agent doxastic formula, then $E_B\varphi$ and $C_B\varphi$ are multi-agent doxastic
formulas


For the interpretation we use the following models:

DEFINITION 27. Models for n-agent doxastic logic are Kripke structures of the form

$\mathcal{M} = \langle W, V, R_1, \ldots, R_n, R_F, R_D \rangle$

where:

• $W$ is a non-empty set of states (or worlds);

• $V$ is a truth assignment function per state;

• The $R_i$ are accessibility relations on $W$ for interpreting the modal operators $B_i$,
assumed to be serial, transitive and euclidean relations;

• $R_F = \bigcup_i R_i$;

• $R_D = R_F^{+}$, the (nonreflexive) transitive closure of $R_F$.


Note that the accessibility relation for common belief is the nonreflexive closure of
$R_F$, contrary to that for common knowledge. This has to do with the fact that common
belief need not be true!


DEFINITION 28. (Interpretation of multi-agent doxastic formulas.)
In order to determine whether a multi-agent epistemic formula is true in a model/state
pair $\mathcal{M}, w$ ($\mathcal{M}, w \models \varphi$), we stipulate:

• ... (as usual)

• $\mathcal{M}, w \models B_i\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_i(w, w')$;

• $\mathcal{M}, w \models E_B\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_F(w, w')$;

• $\mathcal{M}, w \models C_B\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $R_D(w, w')$.


Now we obtain a similar set of properties for common belief (cf. [50]):

PROPOSITION 29.

• $\models E_B\varphi \leftrightarrow B_1\varphi \wedge \ldots \wedge B_n\varphi$

• $\models C_B(\varphi \to \psi) \to (C_B\varphi \to C_B\psi)$

• $\models C_B\varphi \to E_B\varphi$

• $\models C_B\varphi \to C_B C_B\varphi$

• $\models \neg C_B\varphi \to C_B\neg C_B\varphi$

• $\models C_B\varphi \to E_B C_B\varphi$

• $\models C_B(\varphi \to E_B\varphi) \to (E_B\varphi \to C_B\varphi)$


Note the differences due to the fact that common belief is not based on a reflexive 
accessibility relation. 
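
The contrast between common knowledge and common belief can be checked mechanically on small finite models. The following Python sketch is an added example, not part of the handbook: it builds the 'everybody' relation as the union of the agents' relations, takes the reflexive transitive closure for common knowledge and the nonreflexive transitive closure for common belief, and tests the induction principle over every truth set. Both models and all function names are constructed for illustration.

```python
def union(relations):
    """Union of the agents' accessibility relations (the 'everybody' relation)."""
    merged = set()
    for rel in relations:
        merged |= set(rel)
    return merged


def transitive_closure(rel):
    """Non-reflexive transitive closure, as used for common belief."""
    closure = set(rel)
    while True:
        step = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if step <= closure:
            return closure
        closure |= step


def reflexive_transitive_closure(rel, worlds):
    """Reflexive transitive closure, as used for common knowledge."""
    return transitive_closure(rel) | {(w, w) for w in worlds}


def box(rel, worlds, truth_set):
    """Worlds all of whose rel-successors satisfy the formula (given as a set)."""
    return {w for w in worlds
            if all(v in truth_set for (u, v) in rel if u == w)}


def partition_relation(blocks):
    """Equivalence relation induced by a partition of the worlds."""
    return {(u, v) for block in blocks for u in block for v in block}


def all_subsets(worlds):
    ordered = sorted(worlds)
    for mask in range(1 << len(ordered)):
        yield {w for i, w in enumerate(ordered) if (mask >> i) & 1}


def induction_valid(worlds, r_everybody, r_common, start_from_e):
    """Check C(phi -> E phi) -> (X -> C phi) for every truth set phi,
    where X is phi (knowledge form) or E phi (belief form)."""
    for phi in all_subsets(worlds):
        e_phi = box(r_everybody, worlds, phi)
        c_phi = box(r_common, worlds, phi)
        premise = box(r_common, worlds, (worlds - phi) | e_phi)
        start = e_phi if start_from_e else phi
        if not (premise & start) <= c_phi:
            return False
    return True


def knowledge_model():
    """Constructed 2-agent S5 model: p holds in worlds 0 and 1."""
    worlds, p = {0, 1, 2}, {0, 1}
    r1 = partition_relation([{0, 1}, {2}])   # agent 1 cannot tell 0 from 1
    r2 = partition_relation([{0}, {1, 2}])   # agent 2 cannot tell 1 from 2
    r_e = union([r1, r2])
    return worlds, p, [r1, r2], r_e, reflexive_transitive_closure(r_e, worlds)


def belief_model():
    """Constructed 2-agent doxastic model: in world 0 both agents wrongly
    consider only world 1 possible (serial, transitive, euclidean relations)."""
    worlds, p = {0, 1}, {1}
    r1 = {(0, 1), (1, 1)}
    r2 = {(0, 1), (1, 1)}
    r_f = union([r1, r2])
    return worlds, p, [r1, r2], r_f, transitive_closure(r_f)


def summary():
    kw, kp, krels, k_e, k_c = knowledge_model()
    bw, bp, _, _, b_c = belief_model()
    return {
        "everybody_knows_p": box(k_e, kw, kp),
        "each_agent_knows_p": set.intersection(*(box(r, kw, kp) for r in krels)),
        "common_knowledge_p": box(k_c, kw, kp),
        "common_belief_p": box(b_c, bw, bp),
        "p_true_in_belief_model": bp,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(name, sorted(value))
```

In the knowledge model everybody knows p in world 0 although p is common knowledge nowhere; in the belief model p is commonly believed in world 0 where it is false, and the knowledge form of the induction principle fails there while the belief form holds.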


7.2 Multi-agent BDI logic 


Also with respect to the other modalities one may consider multi-agent aspects. In
this subsection we focus on the notion of collective or joint intentions. We follow ideas
from [29] (but we give a slightly different but equivalent presentation of definitions). We
now assume that we have belief and intention operators $B_i$, $I_i$ for every agent $1 \leq i \leq n$.
First we enrich the language of multi-agent doxastic logic with operators $E_I$ (everybody
intends) and $M_I$ (mutual intention). (We call this a multi-agent BDI logic, although
multi-agent BI logic would be a more adequate name, since we leave out the modality of
desire / goal.)


DEFINITION 30. (multi-agent BDI logic.)
Multi-agent BDI logic is obtained by taking the (analogous clauses of) multi-agent
doxastic logic of the previous subsection extended with the clauses:

• if $\varphi$ is a multi-agent BDI formula, then so is $I_i\varphi$ (for every $1 \leq i \leq n$).

• if $\varphi$ is a multi-agent BDI formula, then $E_I\varphi$ and $M_I\varphi$ are multi-agent BDI formulas.

The language thus obtained is interpreted on slightly enhanced models.


DEFINITION 31.
Models for n-agent BDI logic are Kripke structures of the form

$\mathcal{M} = \langle W, V, R_1, \ldots, R_n, R_F, R_D, S_1, \ldots, S_n, S_F, S_D \rangle$

where:

• $W$ is a non-empty set of states (or worlds);

• $V$ is a truth assignment function per state;

• The $R_i$ are accessibility relations on $W$ for interpreting the modal operators $B_i$,
assumed to be serial, transitive and euclidean relations, while the $S_i$ are
accessibility relations on $W$ for interpreting the modal operators $I_i$, assumed to be serial
relations.

• $R_F = \bigcup_i R_i$ and $S_F = \bigcup_i S_i$;

• $R_D = R_F^{+}$ and $S_D = S_F^{+}$, the (nonreflexive) transitive closure of $R_F$ and $S_F$,
respectively.


DEFINITION 32. (Interpretation of multi-agent BDI formulas.) In order to determine
whether a multi-agent epistemic formula is true in a model/state pair $\mathcal{M}, w$ ($\mathcal{M}, w \models \varphi$),
we stipulate:

• $\mathcal{M}, w \models I_i\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $S_i(w, w')$;

• $\mathcal{M}, w \models E_I\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $S_F(w, w')$;

• $\mathcal{M}, w \models M_I\varphi$ iff $\mathcal{M}, w' \models \varphi$ for all $w'$ with $S_D(w, w')$;


Hence we get similar properties for mutual intention as we had for common belief (but
of course no introspective properties):


PROPOSITION 33.

• $\models E_I\varphi \leftrightarrow I_1\varphi \wedge \ldots \wedge I_n\varphi$;

• $\models M_I(\varphi \to \psi) \to (M_I\varphi \to M_I\psi)$;

• $\models M_I\varphi \to E_I\varphi$;

• $\models M_I\varphi \to E_I M_I\varphi$;

• $\models M_I(\varphi \to E_I\varphi) \to (E_I\varphi \to M_I\varphi)$.


We see that E-intentions (‘everybody intends’) and mutual intentions are defined in 
a way completely analogous with E-beliefs (‘everybody believes’) and common beliefs, 
respectively. 

Next we define the notion of collective intention ($C_I$) as follows:


DEFINITION 34.

$C_I\varphi = M_I\varphi \wedge C_B M_I\varphi$


This definition states that collective intentions are those formulas that are mutually
intended and of which this mutual intention is a common belief amongst all agents in
the system.

Furthermore, we mention here that in the literature there is also other work on BDI-like
logics for multi-agent systems where we encounter such notions as joint intentions, joint 
goals and joint commitments, mostly coined in the setting of how to specify teamwork. 
Seminal work was done by Cohen & Levesque [19]. This work was a major influence 
on our own multi-agent version of KARO [2]. An important complication in a notion of 
joint goal involves that of persistence of the goal: where in the single agent case the agent 
pursues its goal until it believes it has achieved it or believes it can never be achieved, in 
the context of multiple agents, the agent that realizes this, has to inform the others of 
the team about it so that the group / team as a whole will believe that this is the case 
and may drop the goal. Also the work of Singh [71] must be mentioned here, where an 
interesting distinction is made between exodeictic and endodeictic intentions of groups, 
where the former is ‘pointing outward’ (intention of the group as viewed by others) while 
the latter is ‘pointing inward’ (intention as viewed by the group itself). 


8 FURTHER DEVELOPMENTS 


One may wonder where the development of agent logics is heading. Moreover, aren’t these 
logics which are ever increasing in expressive power, becoming much too complex in terms 
of computational complexity to be used in practice? To begin with the latter: yes, one 
may indeed expect higher complexity when stacking modalities (cf. [44]), but whether 
this is considered a bad thing, depends on the application. It is my impression that 
logics for (particularly single) agents have been employed to try and coin philosophical 
concepts more concretely and give them a precise meaning within the logical formalisms 
that have been proposed. They were not meant for practical reasoning about agents 
in the first instance. After having done this work, agent researchers such as Rao & 
Georgeff turned to devising practical implementations of agent systems, employing the 
concepts they studied in the logics in a much more practical way (e.g. databases of 
beliefs and goals instead of modal operators), which begs the very important and not yet 
completely resolved question how the formal and practical notions of e.g. BDI relate to 
each other. Other people tried to render their logical specifications directly executable 
by considering fragments of modal/temporal logics (e.g. the researchers working on the 
METATEM language [33]). On the other hand there is also some positive (or at least not 
too negative) news even for those who are interested in the computational complexity 
of the theoretical BDI-like logics. In [64] it is reported that the complexity of tableau- 
based decision procedures for propositional logic is not higher than the complexity of 
the underlying temporal logic (which is, admittedly, quite hard, viz. exponential in the 
size of the input formula). Furthermore, one may also consider restricting the languages 
of combined modal formalisms to reduce complexity, but, of course, this will generally 
come with a reduction of expressive power as well, and it depends on the applications 
whether this is sensible. We refer to [5] for a discussion of both (positive and negative) 
results on the complexity of combined modal logics and possible ways to respond to 
these results. As said before, concerning logics for specifying the behavior and attitudes 
of single agents one can observe that recent work has turned away from purely logical 
theories towards more implementation-oriented approaches. For example, research on 
agent-oriented programming languages such as Agent0 [70], AgentSpeak(L) [63], and 
3APL [45], and agent-oriented software engineering (AOSE, [94]), more generally. Of 
course, as in software engineering in general, there is a need to verify that the software 


1016 John-Jules Meyer and Frank Veltman 


one has developed is correct in the sense that it behaves as specified a priori. In the field 
of agent-oriented programming this has sparked off research on correctness logics that are 
adequate in this context. Naturally, these logics are very close to the logics we have seen 
in this chapter: if one programs in terms of cognitive notions such as beliefs, desires, goals, 
plans, etc., it is obvious that one also needs to reason about these notions when one tries to 
verify such a program! For example, Bordini et al. [7] work on the use of model-checking 
techniques for a linear-time temporal logic in which properties of programs written in 
AgentSpeak can be specified. We ourselves have initiated work on the correctness of 
(fragments of) 3APL [82]. Time will tell how successful these approaches will be. As 
for logics for multi-agent systems: if one considers ‘societies of agents’ obviously also 
other notions become important besides mere multi-agent extensions of -notions. For 
instance, one can investigate how communication takes place in such a system, and how 
this affects the mental states of the agents in the system. This, in turn, is important for 
synchronization, coordination, and cooperation in the system. Some work has also been
done on this. As mentioned before, Dignum and Van Linder [28] have extended the
KARO framework to deal with speech acts. Moreover, in societies it may be important 
to consider norms, obligations and permissions as a way to control societal behavior. 


In a series of papers [12, 11, 10] Van der Torre et al. have extended the BDI framework 
to what they call the BOID framework dealing with the Beliefs, Obligations, Intentions 
and Desires of agents. Although the language of BOID contains operators for belief (B), 
obligation (O), intention (I) and desire (D), and thus looks like an amalgam of BDI and 
deontic logic, BOID logic is not really a modal logic in the proper sense. The operators 
are not interpreted by means of accessibility relations in Kripke models. Instead, a 
default logic [65] is employed and a BOID agent is specified by a number of default 
rules involving the BOID notions/operators, together with a priority relation on these 
rules. The form of these rules is $X_1 \to X_2$, where $X_1, X_2$ typically are expressions of
the form $B\varphi$, $O\varphi$, $I\varphi$, or $D\varphi$. The main concern is which (consistent) extensions are
yielded representing how the beliefs, obligations, intentions and desires can be combined 
(consistently) taking the priority on rules into account. Another extension with a similar 
philosophy in mind of incorporating social notions into the BDI framework was proposed 
by Dignum et al. [27, 22]. This framework is called B-DOING, and treats Beliefs, Desires, 
Obligations, Intentions, Norms and Goals. This approach is more like a normal modal 
logic, although a number of extra elements is added. As to the deontic aspect, this 
framework is built on dyadic (conditional) obligations. Logically, the most important 
addition is the incorporation of two operators: $N^z(p|q)$ and $O^z_{ab}(p|q)$, with as intended
meanings ‘it is a norm of the society / organization $z$ that $p$ should be true when $q$ is
true’ and ‘when $q$ is true, individual $a$ is obliged to $b$ that $p$ should be true, where $z$ is the
organization/society that is responsible for enforcing the penalty’, respectively. Formally,
to give an interpretation to these operators a possible world semantics is employed that
is rather involved. The upshot of this semantics is that $N^z(p|q)$ ($O^z_{ab}(p|q)$) holds if $p \wedge q$
worlds are preferred to $\neg p \wedge q$ ones and the (maximally) preferred $q$ worlds satisfy
$p$, where the preference relation on worlds is induced by (associated with) the norms
and obligations in organization $z$, respectively. Related to this is a development in the
implementation of multi agent systems where one tries to restrain/constrain individual
agents by means of an (electronic) institution [80]. The idea here is that agents in a
MAS or agent society must obey certain norms and to assist them in doing this certain
protocols are devised that the agents in the system are advised or even enforced to follow
in order to abide by the norms. This calls for questions as to the relation between the
typically abstract norms and the typically very concrete protocols, and how following 
the protocols guarantees non-violation of the norms. These questions are partly of a 
logical nature. For instance, how may a particular step of the protocol count as an 
implementation of an abstract norm [47]? This is of vital importance if one wants to 
verify whether the protocol guarantees norm compliance. Interestingly, also the logic of 
‘counts-as’ can be put into a modal logic setting [39], opening up a new area of modal 
logic applications. In conclusion we can state that the application area of modal logic 
to reason about multi-agent systems is still flourishing, and many interesting problems 
remain to be investigated and solved...! 


9 COUNTERFACTUAL CONDITIONALS 


A chapter on modal logics in Artificial Intelligence should contain a section in which 
conditional logics are discussed, because conditional logics, in particular the logics
developed for counterfactual conditionals, pop up everywhere in AI where non-monotonicity
plays a role. 

Counterfactual conditionals are sentences of the form 


(1) "If it had been the case that $\varphi$, it would have been the case that $\psi$"


They are typically uttered in contexts where the antecedent is false and known to be 
false. Therefore, they cannot be analyzed as material implications, because material 
implications with a false antecedent are true no matter what the consequent says. 

Counterfactuals cannot be analyzed as strict implications either. One cannot equate 
a sentence of the form given in 1 with a formula of the form 


(2) $\Box(\varphi \to \psi)$


where $\Box$ is the necessity operator of any normal system of modal logic, because any
such system validates logical principles that do not hold for counterfactuals. One such
principle is Strengthening the Antecedent. In any extension of K, we have


$\Box(\varphi \to \chi) \vdash \Box((\varphi \wedge \psi) \to \chi)$

However, from 

(3) If I had put sugar in my coffee, it would have tasted better, 

it does not follow that 

(4) If I had put sugar and diesel oil in my coffee, it would have tasted better. 


The starting point for the discussion in the following sections is the analysis of coun- 
terfactuals developed by Robert Stalnaker [72] and David Lewis [52]. Roughly put, they 
proposed the following truth condition for counterfactual conditionals. 


• A sentence of the form "If it had been the case that $\varphi$, it would have been the case
that $\psi$" is true in the actual world $w$ iff the consequent $\psi$ is true in all accessible
worlds in which (a) the antecedent $\varphi$ is true, and which (b) in other respects differ
minimally from $w$.




In other words, the consequent $\psi$ need not be true in all accessible worlds in which the
antecedent $\varphi$ is true, which it would have to be if counterfactuals were strict implications.
What matters is $\psi$’s truth value in a particular subset of this set, the $\varphi$-worlds that are
most similar to the actual world. It is easy to see how this semantics blocks the inference
from 3 to 4. Consider the set $S$ of worlds in which (i) ‘I put sugar in my coffee’ is true
and which (ii) in other respects differ minimally from the actual world. Presumably, ‘I
put diesel oil in my coffee’ is false in all these worlds. Given this, the set $T$ of worlds in
which (i) ‘I put sugar and diesel oil in my coffee’ is true, but which (ii) in other respects
differ minimally from the actual world will not be a subset of $S$. Now, ‘the coffee tastes
fine’ could very well be true in every world in $S$, but false in some of the worlds in $T$.

Let us get more precise. In the sequel we are interested in languages, frames and 
models that are built up as follows. 


• Extend the languages of propositional logic with a new binary operator $\leadsto$. Until
further notice we will read ‘$\varphi \leadsto \psi$’ as ‘If it had been the case that $\varphi$, it would have
been the case that $\psi$’.


• Interpret the resulting languages in frames $\mathcal{F} = \langle W, < \rangle$, where (i) $W \neq \emptyset$ and (ii)
$<$ is a function which assigns to every $w \in W$ a strict partial ordering $<_w$ on
some subset $W_w$ of $W$. The elements of $W$ will play the role of possible worlds.
Until further notice the strict partial ordering $<_w$ is meant to play the role of a
comparative similarity relation; read ‘$u <_w v$’ as ‘$u$ is more similar to $w$ than $v$’.
The field $W_w$ of this relation $<_w$ is the set of worlds that are accessible from $w$.
Inaccessible worlds, i.e. the worlds outside $W_w$, are supposed to be so unlike $w$ that
in $w$ it is absurd to assume that the real world might have been one of those.


• Supply a frame with a valuation $V$ which assigns a truth value to every atomic
sentence in every world to get a model $\mathcal{M} = \langle W, <, V \rangle$. As elsewhere in this book,
‘$\mathcal{M}, w \models \varphi$’ is used to indicate that the formula $\varphi$ is true in the world $w$ (of the
model $\mathcal{M}$). I will write ‘$[\varphi]_{\mathcal{M}}$’ to refer to $\{w \in W \mid \mathcal{M}, w \models \varphi\}$, and call this set the
proposition expressed by $\varphi$ (in $\mathcal{M}$). When it is clear which model $\mathcal{M}$ is at stake the
subscript ‘$\mathcal{M}$’ in $[\varphi]_{\mathcal{M}}$ will be omitted. Worlds in $[\varphi]_{\mathcal{M}}$ will be called $[\varphi]$-worlds.


• Add the following clause to the list of truth conditions for the standard connectives.
$\mathcal{M}, w \models \varphi \leadsto \psi$ iff for every $u \in W_w \cap [\varphi]$ the following holds:
there is some $u' \in [\varphi]$ such that $u' \leq_w u$ and $\mathcal{M}, u'' \models \psi$ for every $u'' \in [\varphi]$ such
that $u'' \leq_w u'$.


Part of the complexity of this truth condition is due to the fact that the partial orders 
introduced above do not have to satisfy the so-called 

Limit Assumption: For every $w \in W$, the relation $\prec_w$ is well-founded.

Call any $u \in U$ a closest $U$-world to $w$ iff $u \in W_w \cap U$ and there is no $v \in U$ such that
$v \prec_w u$. Given the Limit Assumption we can be sure that in every non empty subset $U$
of $W_w$ we can find some worlds that are closest to $w$. This enables us to reformulate the
truth condition in a more perspicuous way.


• Suppose the frame $\mathfrak{F} = \langle W, \prec \rangle$ satisfies the Limit Assumption, and consider the
model $\mathfrak{M} = \langle W, \prec, V \rangle$. The following holds:


$\mathfrak{M}, w \Vdash (\varphi \leadsto \psi)$ iff $\mathfrak{M}, u \Vdash \psi$ for every closest $[\varphi]$-world $u$ to $w$.

Is it reasonable to assume that the comparative similarity relation is well-founded?
Are there propositions $[\varphi]$ such that for every $[\varphi]$-world $u$ some $[\varphi]$-world $v$ exists that
is more similar to $w$ than $u$ is — so that one can get closer and closer to $w$ without ever
getting in a $[\varphi]$-world that is closest to $w$? It is not difficult to think of examples. How
tall would you be in the closest world in which you are taller than you actually are?

The logic generated by the semantics sketched above is given by the following axioms 
and rules: 


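(CI): $\vdash \varphi \leadsto \varphi$
(CC): $\vdash ((\varphi \leadsto \psi) \wedge (\varphi \leadsto \chi)) \to (\varphi \leadsto (\psi \wedge \chi))$
(CW): $\vdash (\varphi \leadsto \psi) \to (\varphi \leadsto (\psi \vee \chi))$
(ASC): $\vdash ((\varphi \leadsto \psi) \wedge (\varphi \leadsto \chi)) \to ((\varphi \wedge \psi) \leadsto \chi)$
(AD): $\vdash ((\varphi \leadsto \chi) \wedge (\psi \leadsto \chi)) \to ((\varphi \vee \psi) \leadsto \chi)$
(MP$\to$): $\varphi \to \psi, \varphi \vdash \psi$
(REA): If $\vdash \varphi \leftrightarrow \psi$, then $\varphi \leadsto \chi \vdash \psi \leadsto \chi$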


Here, (CI) is short for Conditional Identity, (CC) for Conjunction of Consequents, (CW)
for Weakening the Consequent, (ASC) for Strengthening the Antecedent with a Consequent,
(AD) for Disjunction of Antecedents, (MP$\to$) for Modus Ponens for $\to$, and (REA)
for Replacement of Equivalent Antecedents.⁶

This system, called P, is for conditional logic what K is for modal logic: it is the 
minimal system, which you get if you assume that the relations <w are just partial 
orderings⁷ and have no additional properties. That P is (weakly) complete with respect
to the class of partial orders was first proved by Burgess in [14]. This proof has been
simplified by Friedman and Halpern in [41]. An altogether different proof of (strong)
completeness is given in Veltman [84].

If in P the scheme (ASC) is strengthened to 


Strengthening the Antecedent (AS): $(\varphi \leadsto \chi) \to ((\varphi \wedge \psi) \leadsto \chi)$

one gets the system $K^{\leadsto}$, which is just K in disguise.


PROPOSITION 35. 


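1. In the language of modal logic, define $\varphi \leadsto \psi$ by $\Box(\varphi \to \psi)$. Suppose $\Delta \cup \{\varphi\}$
consists of formulas of the language of conditional logic. Then $\Delta \vdash_{K^{\leadsto}} \varphi$ iff $\Delta \vdash_K \varphi$.


2. In the language of conditional logic, define $\Box\varphi$ as $\neg\varphi \leadsto \bot$. Suppose $\Delta \cup \{\varphi\}$ consist
of formulas of the language of modal logic. $\Delta \vdash_K \varphi$ iff $\Delta \vdash_{K^{\leadsto}} \varphi$.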


It is straightforward to prove (i) and (ii) from left to right. To prove (i) from right to 
left use (ii) from left to right, and similarly for (ii) from right to left use (i) from left to 
right. 


⁶ Given CC and CW, one does not need a separate Replacement rule for Equivalent Consequents to
prove the full Replacement Rule: If $\vdash \varphi \leftrightarrow \psi$, then $\chi \vdash \chi'$ where $\chi'$ is the result of substituting $\varphi$ for $\psi$
at one or more places where $\psi$ occurs in $\chi$.

⁷ Actually, the only property that matters is transitivity. Irreflexivity is not expressible.

Does the Limit Assumption make a difference to the logical properties of $\leadsto$? It does,
but only for arguments with infinitely many premises. Under the Limit Assumption
compactness fails:


PROPOSITION 36. 
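Let $p_1, \ldots, p_n, \ldots$ be countably many distinct atomic sentences, and let $\varphi_k$ and $\psi_k$, for
any $k$, be defined as follows:


$\varphi_k = ((p_1 \vee \ldots \vee p_{k+1}) \leadsto \neg(p_1 \vee \ldots \vee p_k))$


$\psi_k = \neg((p_1 \vee \ldots \vee p_{k+1}) \leadsto (p_1 \vee \ldots \vee p_k))$


Consider the set $\Delta$ consisting of all $\varphi_k$’s and $\psi_k$’s. The Limit Assumption holds iff $\Delta$ is
not satisfiable.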


So far no constraints have been imposed on the comparative similarity relation $\prec$ that
distinguish it from any other relation that holds between three objects $u$, $v$ and $w$
when ‘$u$ is more ... to $w$ than $v$’. What extras does the fact that one has to fill the dots with
the word ‘similar’ bring?


Weak Centering: $w \in W_w$ for every $w \in W$, and for no $v \in W$, it holds that $v \prec_w w$.


Imposing this constraint means the next rule gets valid.
Modus Ponens for $\leadsto$ (MP$\leadsto$): $\varphi \leadsto \psi, \varphi \vdash \psi$


Weak centering says that no world can be closer to a world $w$ than $w$ itself. If in
addition you think that no world different from $w$ can be equally close to $w$ as $w$ itself,
you get this.


Strong Centering: $w \in W_w$ for every $w \in W$, and for every $v \in W_w$ such that $v \neq w$,
$w \prec_w v$.


The logical pay off is this:
Conjunctive Sufficiency: $(\varphi \wedge \psi) \to (\varphi \leadsto \psi)$


If in establishing similarities and dissimilarities all characteristics of the worlds are 
taken into consideration, one of the consequences will be that only the world w itself will 
resemble the world w as much as the world w does. But in cases in which only some 
characteristics matter, there will often be more than one world that is just like w in 
all relevant respects. In these cases the structures will satisfy Weak Centering, but not 
Strong Centering.

If you believe that two different worlds cannot be equally close to the actual one, you 
will support the following constraint: 


Connectedness: for any $u, v \in W_w$, either $u = v$, or $u \prec_w v$, or $v \prec_w u$.


In the presence of the Limit Assumption Connectedness implies that there will always
be for any antecedent $\varphi$ at most one $[\varphi]$-world most resembling the actual world. This
uniqueness assumption brings the following principle in its train:


Conditional Excluded Middle (CEM): $(\varphi \leadsto \psi) \vee (\varphi \leadsto \neg\psi)$

Couldn’t there be cases where we have several $[\varphi]$-worlds, all equally close to the actual
world and all closer to the actual world than any other world? In [52] Lewis brings in
the following example, due to W.V.O. Quine, to show that such cases do exist:


(5) If Bizet and Verdi had been compatriots, Bizet would have been Italian. 
(6) If Bizet and Verdi had been compatriots, Verdi would have been French. 


Now, if there is only one world closest to the actual world in which Bizet and Verdi are 
compatriots, it is impossible that both (5) and (6) are false while (7) is true: 


(7) If Bizet and Verdi had been compatriots, either Verdi would have
been French or Bizet would have been Italian. 
According to Lewis one can accept (7) without having to accept (5) or (6), and so he 
rejects the uniqueness assumption. 
Lewis does accept the following constraint: 


Almost-Connectedness: for any u,v,w E€ W,, if u <, w, then either u <, v or v <, w. 


Define $u \sim_w v$ iff neither $u \prec_w v$ nor $v \prec_w u$. The relation $\sim_w$ is reflexive, and
symmetric, but not necessarily transitive. Requiring that the relation $\prec_w$ is almost
connected amounts to requiring that $\sim_w$ is transitive. In that case we can read ‘$u \sim_w v$’
as ‘$u$ and $v$ are equally similar to $w$’, and we can picture the relation $\prec_w$ as a linear order
of equivalence classes of worlds. The corresponding axiom scheme is this:


Strengthening with a Possibility (ASP): $(\neg(\varphi \leadsto \neg\psi) \wedge (\varphi \leadsto \chi)) \to ((\varphi \wedge \psi) \leadsto \chi)$


The axiom ASP says that an antecedent of a counterfactual $\varphi \leadsto \chi$ may be strengthened
with a formula $\psi$ provided that the counterfactual assumption $\varphi$ does not exclude
the possibility that $\psi$. So, given the validity of ASC, this leaves only one case in which it
is not allowed to strengthen the antecedent of a counterfactual $\varphi \leadsto \chi$ with the formula
$\psi$. That’s when $\varphi \leadsto \neg\psi$ is true and $\varphi \leadsto \psi$ is false. In the other three cases:


1. $\varphi \leadsto \psi$ is true, $\varphi \leadsto \neg\psi$ is true
2. $\varphi \leadsto \psi$ is true, $\varphi \leadsto \neg\psi$ is false
3. $\varphi \leadsto \psi$ is false, $\varphi \leadsto \neg\psi$ is false


strengthening the antecedent $\varphi$ with $\psi$ is valid.

Is it reasonable to assume that the comparative similarity relation is almost connected? 
Everybody who has tried to analyze the notion of comparative similarity and to explain 
how it comes about, concluded that it is not.⁸ Still, it is not easy to find a convincing
counterexample to ASP. Ginsberg [38] suggests: 

It’s not the case that if Verdi and Satie had been compatriots, Satie and Bizet would not 
have been compatriots. 

If Verdi and Satie had been compatriots, Bizet would have been French.

If both Verdi and Satie, and Satie and Bizet had been compatriots, Bizet would have been 
French. 


Despite this counterexample and the theoretical arguments underlying it, presently the
most popular system for counterfactuals is given by P + ASP + MP$\leadsto$.


⁸ For a critical analysis of the notion comparative similarity see Fine [32], Veltman [83], [86], Tichy [73],
Pollock [61], Lewis [53], Kratzer [48], Kratzer [49].


10 NON-MONOTONIC CONSEQUENCE RELATIONS


The standard model theoretic notion of logical validity is monotonic: if $\psi$ follows from
$\varphi_1, \ldots, \varphi_n$, then $\psi$ follows from $\varphi_1, \ldots, \varphi_n, \varphi_{n+1}$. This is so, because the standard notion
requires that the conclusion be true in any model in which the premises are true, and,
clearly, if $\psi$ is true in any model in which $\varphi_1, \ldots, \varphi_n$ are true, then certainly so in any
model in which $\varphi_1, \ldots, \varphi_n$ plus $\varphi_{n+1}$ are true.

Non-monotonic logic started when in the late seventies logicians working in Artificial 
Intelligence noticed that in many practical situations when people draw a conclusion, 
they do not reckon with all conceivable possibilities left open by the premises, but only 
with some of these, the most normal ones or the ones most likely to occur. Something 
similar happened in the field of epistemic logic when at some point one got interested in 
arguments in which the premises represent ‘all that is known’. In such cases the question 
is not so much whether the conclusion holds in all situations in which the premises hold, 
but whether it holds in the ‘most ignorant’ situations among these. 

There are more examples in which the phrase ‘any model’ occurring in the definition
of the standard notion of validity is restricted to ‘the most ... models’, where the dots are
to be filled by some adjective. All these alternative notions of validity can be formally
captured by assuming that the models of the language are ordered by a well-founded
partial ordering $\prec$ and stipulating that $\psi$ is a (non-monotonic) consequence of $\varphi_1, \ldots, \varphi_n$
iff $\psi$ is true in all models that are $\prec$-minimal in the class of models in which the premises
$\varphi_1, \ldots, \varphi_n$ are true.


This must remind the reader of the frames and the truth-condition for counterfactuals 
introduced in the preceding section. Indeed, we are dealing here with a special case of 
the framework introduced there. In addition to the Limit Assumption, the following 
constraints are at stake. 


Universality: for every $w \in W$, $W_w = W$.
Absoluteness: for every $u, w \in W$, $\prec_u = \prec_w$.


Absoluteness says that the relation $\prec_w$ is in fact independent of $w$, so that one can omit
the subscript. Universality adds that $\prec$ is an ordering of the set of all possible worlds.
So, the relations $\prec_w$ are all equal to one and the same well-founded partial ordering $\prec$
of the set of all possible worlds.

Secondly, given Universality and Absoluteness, if a sentence of the form $\varphi \leadsto \psi$ is true
in one world of a model $\mathfrak{M}$, it will in fact be true in every world of $\mathfrak{M}$. This means that
the following holds:


$\mathfrak{M} \models \varphi \leadsto \psi$ iff $\mathfrak{M}, w \Vdash \psi$ for every $\prec$-minimal world $w$ in $[\varphi]$.


Finally, let’s write ‘$\varphi_1, \ldots, \varphi_n \leadsto \psi$’ instead of ‘$(\varphi_1 \wedge \ldots \wedge \varphi_n) \leadsto \psi$’, and
‘$\varphi_1, \ldots, \varphi_n \mathrel{|\!\sim}_{\mathfrak{M}} \psi$’ instead of ‘$\mathfrak{M} \models (\varphi_1 \wedge \ldots \wedge \varphi_n) \leadsto \psi$’. In doing so, we arrive at what in Kraus et
al. [51] appears as the definition of ‘the entailment relation $\mathrel{|\!\sim}_{\mathfrak{M}}$ defined by the model
$\mathfrak{M}$’.

(*) $\varphi_1, \ldots, \varphi_n \mathrel{|\!\sim}_{\mathfrak{M}} \psi$ iff $\mathfrak{M}, w \Vdash \psi$ for every $\prec$-minimal world $w$ in $[\varphi_1] \cap \ldots \cap [\varphi_n]$.


The authors of [51] refer to the relation $\prec$ as a preference relation, and to the models
$\mathfrak{M} = \langle W, \prec, V \rangle$ as preferential models. They are interested in the properties of the
preferential consequence relation $\mathrel{|\!\sim}$, formally modeled by (*).
It will come as no surprise that $\mathrel{|\!\sim}$ behaves like a counterfactual implication $\leadsto$.
However, there is an important syntactic difference between $\mathrel{|\!\sim}$ and $\leadsto$. Conditionals
sometimes occur nested in other conditionals — as in $\varphi \leadsto (\psi \leadsto \chi)$ — but
nesting sentences expressing an entailment relation is quite incomprehensible. The entailment
relation belongs to the metalanguage rather than the object language. What
could $\varphi \mathrel{|\!\sim} (\psi \mathrel{|\!\sim} \chi)$ possibly mean?

This, however, does not give rise to important semantic differences between $\mathrel{|\!\sim}$ and
$\leadsto$.


PROPOSITION 37. 
Let A be a set of formulas containing only non-nested conditionals. If A is satisfiable on 
any frame, then it is satisfiable on a frame with a universal and absolute $\prec$ relation.⁹


Given this, one might expect the system P to give a complete characterization of the
properties of $\mathrel{|\!\sim}$. Kraus et al. [51], using the methods of [84], prove that this is indeed
the case. One easily recognizes the axiom schemes introduced in the previous section in 
the next principles of entailment. 


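(CI) becomes Reflexivity: $\varphi \mathrel{|\!\sim} \varphi$
(CC) becomes And: If $\varphi \mathrel{|\!\sim} \psi$ and $\varphi \mathrel{|\!\sim} \chi$, then $\varphi \mathrel{|\!\sim} (\psi \wedge \chi)$
(CW) becomes Right Weakening¹⁰: If $\varphi \mathrel{|\!\sim} \psi$ and $\psi \models \chi$, then $\varphi \mathrel{|\!\sim} \chi$
(ASC) becomes Cautious Monotony: If $\varphi \mathrel{|\!\sim} \psi$ and $\varphi \mathrel{|\!\sim} \chi$, then $\varphi, \psi \mathrel{|\!\sim} \chi$
(AD) becomes Or: If $\varphi \mathrel{|\!\sim} \chi$ and $\psi \mathrel{|\!\sim} \chi$, then $(\varphi \vee \psi) \mathrel{|\!\sim} \chi$
(REA) becomes Left Logical Equivalence: If $\varphi \models \psi$ and $\psi \models \varphi$, then
if $\varphi \mathrel{|\!\sim} \chi$, also $\psi \mathrel{|\!\sim} \chi$


¹⁰ The literal translation of (CW) would be ‘If $\varphi \mathrel{|\!\sim} \psi$, then $\varphi \mathrel{|\!\sim} \psi \vee \chi$’. Right Weakening
is equivalent to this. ($\models$ stands for the classical entailment relation.)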

As a characterization of an entailment relation the system P is a bit odd. One would 
expect only purely structural principles. The principles Or, and And, however, presup- 
pose that the object language has connectives with the properties of conjunction and 
disjunction. Kraus et al.[51] also discuss a weaker system consisting of only structural 
rules. It is called C, where ‘C’ stands for ‘cumulative’, and it was originally proposed by 
Dov Gabbay[34] as a system describing the weakest reasonable consequence relation. It 
is given by: Reflexivity, Right Weakening, Cautious Monotony, Left Logical Equivalence, 
and 


Cut: If $\varphi, \psi \mathrel{|\!\sim} \chi$ and $\varphi \mathrel{|\!\sim} \psi$, then $\varphi \mathrel{|\!\sim} \chi$

It is left to the reader to show that Cut is a derived rule of P.
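The definition (*) and the rules listed above can be checked mechanically on a finite preferential model. The following is an added example, not taken from the handbook or from Kraus et al.: the atoms, the three weighted defaults and the two orderings are constructed for illustration, and `asp_failures` uses a translation of ASP into the entailment notation made for this example. It shows monotony failing while And, Cautious Monotony, Or and Cut hold for both orderings, and ASP holding only for the almost connected one.

```python
from functools import lru_cache
from itertools import combinations, product

ATOMS = ("bird", "penguin", "flies")
# A world is the set of atoms true in it. Constructed hard constraint: penguins are birds.
W = frozenset(
    w for w in (frozenset(a for a, on in zip(ATOMS, bits) if on)
                for bits in product((False, True), repeat=len(ATOMS)))
    if "penguin" not in w or "bird" in w)

# Constructed defaults: name -> (weight, test that a world violates the default).
DEFAULTS = {
    "birds fly": (1, lambda w: "bird" in w and "flies" not in w),
    "birds are not penguins": (1, lambda w: "bird" in w and "penguin" in w),
    "penguins do not fly": (2, lambda w: "penguin" in w and "flies" in w),
}

def violated(w):
    """Names of the defaults that world w violates."""
    return frozenset(d for d, (_, broken) in DEFAULTS.items() if broken(w))

def prec_ranked(u, v):
    """u ≺ v iff u has the lower total penalty: a ranked, hence almost connected, order."""
    def cost(w):
        return sum(DEFAULTS[d][0] for d in violated(w))
    return cost(u) < cost(v)

def prec_subset(u, v):
    """u ≺ v iff u violates a proper subset of v's defaults: partial, not almost connected."""
    return violated(u) < violated(v)

@lru_cache(maxsize=None)
def minimal(p, prec):
    """The ≺-minimal worlds of the proposition p (a frozenset of worlds)."""
    return frozenset(u for u in p if not any(prec(v, u) for v in p))

def entails(premises, conclusion, prec):
    """(*): true iff the conclusion holds at every ≺-minimal world of the premises' intersection."""
    return minimal(W.intersection(*premises), prec) <= conclusion

def prop(atom):
    """The proposition [atom]: all worlds in which the atom is true."""
    return frozenset(w for w in W if atom in w)

# Every proposition of the model, i.e. every subset of W (2**6 = 64 of them).
PROPS = [frozenset(c) for r in range(len(W) + 1) for c in combinations(list(W), r)]

def rule_failures(prec):
    """Failing instances of And, Cautious Monotony, Or and Cut over all propositions."""
    bad = []
    for a, b, c in product(PROPS, repeat=3):
        ab, ac, bc = (entails([x], y, prec) for x, y in ((a, b), (a, c), (b, c)))
        if ab and ac and not entails([a], b & c, prec):
            bad.append(("And", a, b, c))
        if ab and ac and not entails([a, b], c, prec):
            bad.append(("Cautious Monotony", a, b, c))
        if ac and bc and not entails([a | b], c, prec):
            bad.append(("Or", a, b, c))
        if ab and entails([a, b], c, prec) and not ac:
            bad.append(("Cut", a, b, c))
    return bad

def asp_failures(prec):
    """Entailment reading of ASP: a |~ c and not a |~ ¬b, yet a, b |~ c fails."""
    return [(a, b, c) for a, b, c in product(PROPS, repeat=3)
            if entails([a], c, prec) and not entails([a], W - b, prec)
            and not entails([a, b], c, prec)]

if __name__ == "__main__":
    bird, penguin, flies = prop("bird"), prop("penguin"), prop("flies")
    for name, prec in (("ranked", prec_ranked), ("subset", prec_subset)):
        print(name,
              "| bird |~ flies:", entails([bird], flies, prec),
              "| bird, penguin |~ flies:", entails([bird, penguin], flies, prec),
              "| bird, penguin |~ not flies:", entails([bird, penguin], W - flies, prec),
              "| P-rule failures:", len(rule_failures(prec)),
              "| ASP failures:", len(asp_failures(prec)))
```

Under the subset ordering the two bird-and-penguin worlds are incomparable, so neither "flies" nor "does not fly" is entailed from those premises; that incomparability is also what produces the ASP counterexamples.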


An important field in which a non-monotonic consequence relation is employed is the field
of default reasoning. Actually, in the modal approach to default reasoning not only the
consequence relation but also the default rules themselves are modeled after conditionals.
Read ‘$\varphi \leadsto \psi$’ as ‘If $\varphi$, then normally $\psi$’, and take the underlying well-founded ordering
$\prec$ of the set of possible worlds to be the relation ‘...is more normal than...’. Then a
rule $\varphi \leadsto \psi$ will hold in a model if $\psi$ is true at the most normal $[\varphi]$-worlds. An agent
who has learnt that $\varphi$ is the case and who accepts the rule $\varphi \leadsto \psi$ will expect that $\psi$ is
the case provided there is no evidence that the case at hand is exceptional.


⁹ This proposition does not hold for arbitrary sets of formulas. If nesting is allowed one has to add
the S5 axioms $\Box\varphi \to \varphi$, $\Box\varphi \to \Box\Box\varphi$, and $\Diamond\varphi \to \Box\Diamond\varphi$ to P in order to get a system that is complete
with respect to the universal and absolute frames. (Here $\Box\varphi =_{df} \neg\varphi \leadsto \bot$.)

More generally, default rules are of crucial importance when some decision must be 
made in circumstances where the facts of the matter are only partly known. In such a 
case one must reckon with several possibilities. Default rules serve to narrow down this 
range of possibilities: some of these possibilities are more normal than others. An agent
will expect that the actual world conforms to as many standards of normality as possible 
given the information at hand. 

Several theories have been developed that formalize this phenomenon. They differ in 
the way they formally capture the idea that an agent will expect the actual world to be as 
normal as possible given the circumstances described by the premises. James Delgrande 
[21] was the first who proposed a definition for the set of worlds that best meet the 
agent’s expectations. Alternative definitions are proposed in Asher & Morreau [4] and
Veltman [85]. See [6] for a detailed comparison of these theories and Halpern et al. [41]
for technical insights. 


11 BELIEF REVISION 


There is still another way to read $\varphi \leadsto \psi$: ‘After a revision by $\varphi$, it is believed that $\psi$’.
Here the topic is belief revision, and the question at stake is how an agent should change
his or her beliefs in the face of new information. The formula $\varphi$ is supposed to bring new
information — possibly contradicting the information available — and if $\varphi \leadsto \psi$ is true,
this means that $\psi$ is accepted after the incorporation of $\varphi$ in one’s stock of beliefs.

Checking the axioms for $\leadsto$ with this reading in mind, we find that many of them
sound quite plausible. For example: Conditional Identity, $\varphi \leadsto \varphi$, becomes ‘After a
revision by $\varphi$, it is believed that $\varphi$’, and Disjunction of Antecedents,
$((\varphi \leadsto \chi) \wedge (\psi \leadsto \chi)) \to ((\varphi \vee \psi) \leadsto \chi)$, can be read as ‘If both a revision with $\varphi$ and a revision by $\psi$ lead
to the belief $\chi$, then so does a revision by $\varphi \vee \psi$’. Are we here once more dealing with P
or one of its extensions?

Let’s start at the beginning. In 1985 Carlos Alchourrón, Peter Gärdenfors and David
Makinson published a by now classic paper [1] in which they discuss three forms of belief
change: expansion, contraction and revision. Modeling an agent’s beliefs by a deductively
closed theory $K$, called a belief set, a number of rationality postulates are laid down for
the expansion $K^+_\varphi$ of $K$ by $\varphi$, the contraction $K^-_\varphi$ of $K$ by $\varphi$, and the revision $K^*_\varphi$ of $K$
by $\varphi$.

The constraints for expansion uniquely determine $K^+_\varphi$ as the set $\{\psi \mid K, \varphi \vdash \psi\}$. The
constraints for contraction and revision do not uniquely determine $K^-_\varphi$ and $K^*_\varphi$ because
the outcomes of these operations do not depend on logical factors only. Epistemic factors 
may also play a role. For example, in revising their beliefs agents may be prepared to 
give up one sentence rather than the other because the empirical support for the one is 
much better than for the other. 

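Here are the so-called AGM postulates for revision as formulated in Gärdenfors [35]:


K*1 For any sentence $\varphi$ and any belief set $K$, $K^*_\varphi$ is a belief set
K*2 $\varphi \in K^*_\varphi$
K*3 $K^*_\varphi \subseteq K^+_\varphi$
K*4 If $\neg\varphi \notin K$, then $K^+_\varphi \subseteq K^*_\varphi$
K*5 $K^*_\varphi = \{\psi \mid \bot \vdash \psi\}$ iff $\vdash \neg\varphi$
K*6 If $\vdash \varphi \leftrightarrow \psi$, then $K^*_\varphi = K^*_\psi$
K*7 $K^*_{\varphi \wedge \psi} \subseteq (K^*_\varphi)^+_\psi$
K*8 If $\neg\psi \notin K^*_\varphi$, then $(K^*_\varphi)^+_\psi \subseteq K^*_{\varphi \wedge \psi}$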


Adam Grove [40] was the first to notice that the semantics for counterfactuals as defined
in section 9, supplies an interpretation for these postulates. For every belief set $K$, we
consider the set of models for $K$, where a model $\mathfrak{M}_K$ for $K$ is given by $\mathfrak{M}_K = \langle W, \prec, V \rangle$,
where


• $W$ is the set of all maximal consistent theories of the language in which $K$ is
formulated;


• $\prec$ is a well-founded and almost connected strict partial ordering of $W$ such that the
$\prec$-minimal elements of $W$ are given by the set of maximal consistent extensions of
$K$;


• $V(p)(w) = 1$ if $p \in w$.


PROPOSITION 38. 
Let $\mathfrak{M}_K = \langle W, \prec, V \rangle$ be a model for $K$. Define $K^*_\varphi$ for every $\varphi$ as follows:


$\psi \in K^*_\varphi$ iff $\psi \in w$ for every $w$ such that $w$ is $\prec$-minimal in $[\varphi]$.


Then the postulates K*1 to K*8 are satisfied. 


Conversely, we have 


PROPOSITION 39. 
Let $K^*$ be a revision function for some belief set $K$ satisfying K*1 to K*8.
Define $\mathfrak{M}_K = \langle W, \prec, V \rangle$ as follows:


• $W$ is the set of all maximal consistent theories of the language in which $K$ is
formulated;
• $u \prec w$ iff $\Gamma(w) \subseteq \Gamma(u)$ and $u \in \Gamma(w)$.


Here, $\Gamma$ is given by: $v \in \Gamma(w)$ iff $v \in W$ and there is some $\varphi$ such that $K^*_\varphi \subseteq w$ and
$\varphi \in v$.


• $V(p, w) = 1$ iff $p \in w$.


Then $\mathfrak{M}_K = \langle W, \prec, V \rangle$ is a model for $K$ for which the following holds:


$\psi \in K^*_\varphi$ iff $\psi \in w$ for every $w$ such that $w$ is $\prec$-minimal in $[\varphi]$.
This means that whenever $\psi \in K^*_\varphi$, the model $\mathfrak{M}_K$ verifies $\varphi \leadsto \psi$. This model is
almost connected. Therefore, in view of the observations we made in section 1 and 10, it
follows that the AGM revision constraints endow $\leadsto$ with the logic P + ASP.¹¹


One may be tempted to conclude from the above that revising one’s beliefs by $\varphi$ and
making the counterfactual assumption if it had been the case that $\varphi$ amount to the same
thing. However, even though these cognitive operations have much in common formally,
there are huge differences between them. When you believe that $\varphi$ is true and you try
to imagine what would have been the case if $\varphi$ had been false, you have to change your
cognitive state, but it is not the kind of change you would have to make if you were to
discover that $\varphi$ is in fact false. It is not a correction. Consider for example $\varphi$ = Oswald
killed Kennedy. Supposing that Oswald had not killed Kennedy might make you think
‘If Oswald had not killed Kennedy, Kennedy might still be alive’. If, however, at some
point you were to find out that your belief that Oswald killed Kennedy is in fact wrong,
and you had to revise your beliefs accordingly, it is very likely that after this revision
you would still believe that Kennedy is dead.¹²


The rise of ‘dynamic’ versions of epistemic and doxastic logic has given new impetus
to the study of belief revision in the setting of modal logic. See van Benthem [74],
Segerberg [68, 69] and Chapter 20 for further details.
1 INTRODUCTION


That logic and language are closely related is almost true by definition. Logic is concerned 
with the study of valid inferences in arguments, and these are most commonly defined in 
terms of truth in models. Symbolic logic studies formal languages (logics) as models of 
certain aspects of natural languages, such as quantification, while abstracting away from 
certain other aspects of natural languages, such as ambiguity, as models typically do. 
Linguistics studies the structure of natural languages as well as the relation of language 
to other areas of cognitive science. The roles that logic in general, and modal logic in 
particular, play in linguistics are quite varied, as we shall see. 

In linguistic semantics, logic is used to formalize, or interpret, an object language. We 
take as given that we want to study the semantics of some natural language, and in this 
chapter the language that we shall deal with is English. Above all else, we would like
to directly interpret English sentences in some formally specified model. So even at this 
point we can see some connection to the Kripke semantics of modal operators: just as 
all of the other phenomena in this “applied” section of the handbook have been modeled 
with mathematical structures involving possible worlds, so too have these been used in 
semantic applications. For example, all manner of linguistic phenomena involving time 
have led to proposals for using the models from temporal logic. More generally, the main 
models of all types of intensional phenomena are closely related to the models in modal 
logic. 

But so far we have only considered the matter of interpreting natural language directly. 
Usually, this is difficult or even impossible. (For example, consider the famous quantifier 
scope ambiguities in sentences like every handbook has a famous editor. The ambiguity 
is neatly expressed in logical notation as $\exists\forall$ vs $\forall\exists$: is there one person, let’s call him
Dov, who edits all the handbooks, or is it merely that every handbook has some editor
or other? One lesson to take from such ambiguities is that it is impossible to associate a
function from (English × models) to truth values in a way that respects our intuitions.)
So one way or another, we translate natural language to some artificial language and then 
interpret that other language, in such a way that ambiguous sentences will be translated 
into multiple logical formulas. And here is a second place modal logic comes in: the 
language of higher-order modal logic has been used extensively to drive this translation 
process, as we shall see when we discuss Montague semantics. 


We next turn to syntax, a field in which one finds several different uses of logic. 
There are syntactic frameworks which are heavily proof-theoretic, so the question of 
whether a given string is a sentence or not boils down to whether a related (formal) 
sentence is a theorem in some logical system. This proof-theoretic move is especially 
prominent in categorial grammar. Another quite different use of logic is as a meta 
language in which one formalizes a linguistic formalism declaratively. This is the move 
of model theoretic syntax, a research program we consider in depth in the second half
of our chapter. This application relates logic to linguistics in the same way that logic can
be applied to formalize theories of other sciences, like set theory. However, the aims of 
this formalization are somewhat different from those of other areas, since model theoretic 
syntax is particularly interested in using decidable logics for this formalization so that 
matters can be implemented. This is of course one of the reasons why modal logics are 
attractive in this context, although much of the focus has been on monadic second-order 
logic of trees, which is decidable as well. 


Applications of logic in linguistics have traditionally not been too concerned with 
meta-results. The main uses of modal logic in semantics are independent from the main 
concerns of modal logicians: completeness and correspondence. We are not aware of any 
serious application of the basic theory of modal logic in semantics, let alone the advanced 
theory that is showcased in various chapters of this handbook. The only exception is 
definability theory, interest in which is motivated by trying to find a logic for linguis- 
tic applications that has the right kind of “expressiveness.” For example, the fact that 
most A are B is not first-order definable is of some importance for semantics. On the 
other side, the application of logic in syntax has led to more applications of sophisticated 
meta-results, for example proof theoretical results like cut-elimination or normalization 
in categorial grammar. It is interesting to note that definability is also of importance 
in model theoretic syntax, due to its relation to descriptive complexity theory. A re- 
lated point: because so many current syntactic frameworks are designed with a hope of
implementation, sharper theoretical results about them are called for. 

In this chapter, we only survey applications of modal logic to the syntax and semantics 
of natural languages. We concentrate on these two applications because of the historical 
importance of modal logic in the development of natural language semantics and because 
of the significance of model theoretic syntax in current research in mathematical linguis- 
tics. There are many areas of applications of logic in linguistics that we do not mention, 
some of which are surveyed in the Handbook of Logic & Language [4]. 


2 SEMANTICS 


Linguistic semantics studies meaning in natural languages. The central assumption of 
current semantic theory is that meaning should be studied model theoretically, in the 
same way that semantics of logics are studied. Thus, the study of meaning is tied to the 
concept of truth. Of course, there are other ways to pursue the project of understanding 
meaning, most notably to tie it to action in some way. As it happens, for some purposes 
possible worlds semantics is even better for this second purpose than for the first; see, 
for example, [69]. 

The interpretation of logical formulas usually involves the interpretation of subformulas 
in some systematic fashion. For instance, in propositional logic we have interpretational 
clauses like 


$[\![\varphi \wedge \psi]\!] = [\![\wedge]\!]([\![\varphi]\!], [\![\psi]\!])$


where $[\![\wedge]\!]$ is the boolean and function. The methodological principle that stipulates
that all interpretations of complex expressions should involve the interpretations of its 
parts is called the “principle of compositionality,” and it plays a central role in linguistic 
semantics. Whether that principle is in fact a meaningful restriction on semantic theory 
or whether it is vacuous is a point of ongoing debate. For one source that discusses the 
matter at length, see Janssen [41]. 

Since natural language semantics applies model theoretic methods, the role of modal 
logic in this context involves the application of possible worlds semantics to natural 
languages, mainly to model intensional phenomena. However, in order to follow the 
principle of compositionality uniformly, the meanings of some expressions are modeled 
using higher-order logic. Thus, the most influential, systematic application of modal 
logic to linguistic semantics, usually referred to as Montague semantics after its founder, 
involved higher-order intensional logic. Although Montague’s application of higher-order 
intensional logic to natural language semantics yielded many important results, almost 
all of the contemporary research is concerned with finding suitable alternatives to this 
framework. Many of these are surveyed in the Handbook of Logic and Language [4]. 
Another handbook in this area, with a more empirical and linguistic, as opposed to 
theoretical and logical, slant is the Handbook of Contemporary Semantic Theory [57]. 
There are many introductory textbooks in linguistic semantics, including [15, 22, 36]. 


2.1 Possible worlds in semantics 


The major use of modal logic in semantics stems from possible worlds semantics. Indeed, 
this is the only kind of application we are considering in this chapter. 
This is a good point to make a comment which relates to the place of this chapter
in the overall handbook, and also one relating to current practice in the field of modal
logic. One of the main subtexts in this volume is that research on modal logic has much
to contribute to other areas. So the volume downplays the problematic points of possible
worlds semantics by emphasizing topics in modal logic which are of interest in areas far
removed from those problems. In other words, one can put aside ontological worries (as 
one would like to do in any mathematical study) because in the kind of transition-system 
models emphasized in the study, these worries are not relevant. This kind of move is not 
appropriate for semantics: on the one side, problems about the status of possible worlds 
come up quicker and they persist; we shall shortly see an example. On the other side, 
there are few, if any, technical matters of interest in semantics. It is essentially all a 
matter of studying data from language, proposing treatments that use possible worlds, 
describing informal models related to the phenomena or the treatments, and occasionally 
working out the semantics of one or another formal logical language. In this section, we 
are mainly trying to provide a reader who is conversant with modal logic a feeling for 
what goes on in semantics. 

Here is an example that motivates the use of possible worlds in semantics, taken from 
McCawley [64]. In a normative English sentence, two uses of a first person pronoun 
(I/me/myself) must be coreferential. And if the sentence has both a first person subject 
and object, the object must be the reflexive pronoun myself. So one cannot say I kissed 
me but instead must have I kissed myself. The only exception to this, and this is the heart of
the matter, is that “Multiple references for first-person pronouns arise when the sentence 
alludes to an alternative world in which the speaker ... is presented as experiencing 
something from someone else’s vantage point” (McCawley [64]). For example, 


(1) I dreamed that I was Brigitte Bardot and that I kissed me. 


This would not mean the same thing as I dreamed that I was Brigitte Bardot and that I 
kissed myself. Getting back to (1), it shows that what appears to be a hard-and-fast syntactic
rule has to be understood in essentially semantic terms. (This is not as surprising as 
it might at first be: try formulating a principle of reflexive pronouns without using the 
semantic concepts of subject and object.) 

(1) also shows that in some implicit sense speakers refer to “dream worlds” and more 
generally to alternative worlds of other kinds, or alternative ways this world could be. 
Note that the status of who I and me are in the dream world is problematic, but we 
shall not delve into this. The point is that if one wants to construct a formal semantics 
for (1) using Kripke models, then prima facie one would want to use worlds: a world 
where the speaker has a dream, and a world that represents what is happening in that 
dream. Note as well that what happens in dreams might be logically inconsistent, so 
Kripke models as one standardly finds them in modal logic are not going to be sufficient 
for representations of this kind. But they are a useful first step. Indeed, practicing 
semanticists have found the informal talk about possible worlds to be convenient and 
motivating. Like contemporary modal logicians, they are usually not interested in, or 
bothered by, worries about whether possible worlds are real. But again, the difference 
is that for modal logicians, the worries go away precisely because they tend to avoid 
modeling anything like an imaginary world, something which is evidently of linguistic 
interest. 

For another example of why semanticists want to think in terms of possible worlds, 
consider the following contrasting sentences: 


(2) i. It’s certain that you'll find a job, and it’s conceivable that it will be a 
good-paying one. 


ii. ??It’s conceivable that you'll find a job, and it’s certain that it will be a 
good-paying one. 


This example is from McCawley [64] in a section entitled “‘World-Creating’ Predicates.” 
(Incidentally, the quotes here are his, betraying already a certain discomfort with either 
the notion or the terminology. In any case, we shall expand on just this point below. 
But the terminology again shows an embrace of possible worlds as well.) The question 
marks in (2ii) indicate a semantic anomaly. That is, what appears strange in (2ii) is 
not due to syntactic ill-formedness: from (2i) and the fact that certain and conceivable 
both take sentence complements, one would expect (2ii) to be grammatical. So one of 
the goals of any analysis would be a principled explanation of the different acceptability 
judgments between (2i) and (2ii). 


We encourage readers who are not familiar with semantics to attempt a translation 
into any logical language of (2i), and also to draw pictures of Kripke models to explain 
their intuitions. Incidentally, in both (2i) and (2ii), we are concerned with the 
“non-referential” interpretations: there is no specific job that Gladys is looking for. 


Since the sentences in (2) are in the future, a representation should have at least two 
worlds: the present world, in which (presumably) you do not have a job but are seeking 
one, and at least one future world. Thus we are inclined to model (2i), say, by having 
one actual world, w, and many alternative worlds for the relatively-near future, each 
with the property that you find some job or other in it. This is quite typical for semantic 
analysis: if one is going to use worlds to represent alternatives which are only partially 
specified, then very quickly one must consider many alternatives. Frequently there will 
be infinitely many. It is the second half of the sentence which gives more trouble; it 
seems to require that in some (or perhaps some significant proportion of) the successors 
of w, your job is a good-paying one. And even with this sketch of a representation, we 
have not learned the lesson that (2) teaches. The point is that a use of it in the second 
part of (2i) is dependent on the existence of a job. If the existence of a job is in doubt, 
as it is in the first part of (2ii), then it is infelicitous to use it to refer to one later. This 
kind of reasoning could be fleshed out in a fuller analysis in several ways. One would 
be to use a theory of presupposition. Another would be to ground the whole discussion 
in Discourse Representation Theory (DRT) [43] or some “dynamic” theory which has 
enough theoretical apparatus around to talk about different occurrences of pronouns like 
it. In any case, a DRT analysis of the sentences in (2) would most likely use possible 
worlds at the very least. 


One last comment: from more sophisticated examples, such as ... it is more likely than 
not that it will be a good-paying one, we see that complex relations between worlds are 
going to be the norm rather than the exception. These relations can involve additional 
structure, as in this probabilistic setting, or various notions of nearness (as we find in 
treatments of conditionals). 


2.2 Specific contributions: an overview 


In an assessment of the importance of possible worlds semantics for linguistics, Partee 
[74] highlights the following six areas: 


1. The identification of propositions with sets of possible worlds. 

2. The analysis of intensional phenomena with functions from possible worlds to their 
extensions. 

3. The semantics of propositional attitudes. 

4. The semantics of conditionals. 

5. The semantics of questions and the pragmatics of the question-answer relations. 

6. Pragmatics in general, and presuppositions in particular. 


Beginning with this subsection, we shall explore several of these contribution areas in 
detail. Some of these topics are not treated in our chapter: we won’t have much to say about 
questions and answers or pragmatics. The prevalent view of the role of pragmatics in 
linguistics is that it is the part of semantics that is concerned with the context-dependent 
meaning of linguistic expressions. In the narrowest sense, pragmatics is concerned with 
the interpretation of indexical or deictic expressions, like personal pronouns, and that is 
the sense in which the term was used by Montague [99]. Since then, the subject matter 
of pragmatics has been extended to include many of the topics discussed by ordinary 
language philosophers like Austin, Grice, Strawson, and Searle. Thus, pragmatics now 
includes topics such as implicature, presupposition, and speech acts. There is also some 
overlap between pragmatics and sociolinguistics, though that overlap has little to do with 
modal logic. 

Of the subjects of pragmatics mentioned above, primarily indexicals and presuppositions 
have been analyzed using possible worlds semantics, although Posner [78] reconstructs 
communicative actions and ultimately speech act theory in terms of suitable 
iterations of modal operators for believing, causing, and intending. 

Concerning work related to questions and answers, we only mention one quite recent 
reference, the dissertation Murakami [68]. This proposes an analysis of notions like 
complete and just complete answer to a question based on the modal logic of partitions. 

With respect to the first two items listed by Partee, one set of notions worth keeping in 
mind goes back at least to Carnap [14]. He emphasized the distinction between extension 
and intension, and linked these to particular syntactic items as follows: 


Expression        Intension            Extension 
sentence          proposition          truth-value 
predicate         property             set 
individual term   individual concept   individual 


Note that the identification of propositions with sets of possible worlds is a special case 
of this analysis, since sets of possible worlds are essentially the same as functions from 
possible worlds to the set of truth values. In essence, this identification of propositions 
with sets amounts to the imposition of a boolean algebra structure on the set of 
propositions. This kind of structure needs to be supplemented with accessibility relations or 
other more typically modal structures to be relevant to our discussion. 


2.3 Intensionality 


We have yet to discuss intensionality in a general way, and now is the time to do just 
that. It is relatively uncontroversial that some linguistic expressions refer to objects. 
For instance, names refer to the object that they name. Frege [29] postulated that 
there is another dimension to “meaning” other than reference in order to explain the 
apparent difference between statements of the form a = b and a = a. While the latter 
is true a priori, the former, when true, typically requires some kind of observation. The 
difference between these two statements, according to Frege, is that, if a = b is true, a 
and b have the same reference (Bedeutung), but different sense (Sinn). However, Frege 
did not give a formal definition of “sense.” Carnap [14] used the concepts of extension 
and intension as a model of reference and sense, which is one of the first and most 
influential applications of modal logic to natural language semantics. Carnap, however, 
used state descriptions, maximally consistent sets of literals, instead of Kripke models 
for the semantics of modal logic. Montague is credited with bringing together Carnap’s 
analysis of sense and reference with Kripke’s possible world semantics. (Incidentally, a 
different analysis of sense along algorithmic lines has been suggested in recent years by 
Moschovakis; see [67].) 

David Lewis [59] expressed the motivation for this approach to natural language 
semantics particularly well: 


In order to say what meaning is, we may first ask what a meaning does and 
then find something that does that. [...] It is the meaning which determines 
how the extension depends on the combination of relevant factors. What sort 
of things determine how something depends on something else? Functions, 
of course [...] 


Thus, intensions are defined by Lewis to be functions from possible worlds (and possibly 
other indices, which are the relevant factors, above) to extensions. This is the central 
idea behind the possible world analysis of intensionality. So far, we have only mentioned 
the extensions of names: individuals. What about the extensions of other kinds of 
expressions? It has been part of the Fregean orthodoxy to consider the extension of a 
sentence to be its truth value. Since intensions are functions from possible worlds to 
extensions, the intensions of sentences are functions from possible worlds to truth values, 
or simply sets of possible worlds; i.e., those possible worlds in which the sentence is true. 
The intensions of sentences are also called “propositions.” As Partee [74] points out, 
this analysis of the meaning of sentences gives a good approximation to the notion of 
“synonymity,” since two sentences that have the same intensions are true in exactly the 
same possible worlds. 

Other, classical, examples of intensional phenomena include intensional transitive 
verbs, like seek, and propositional attitude verbs, like believe. Interacting with both 
of these are the de re and de dicto distinctions. To illustrate this distinction, consider 
the following sentence, and note the intensional transitive verb: Barney wants to drive 
the fastest car in town. One reading of this sentence is where there is a specific car, say 
c, and Barney wants to drive c. (But the fact that c is the fastest car in town is not 
germane to Barney’s wish: he just wants to drive c.) This is the de re reading. The 
de dicto reading is where Barney wishes to drive whatever car is the fastest in town; so 
if that description were to change referents over time, then Barney’s desire would also 
change. 

Before moving on, we should mention that the entire treatment of intensionality via 
possible worlds semantics is not universally accepted in semantics by any means. A good 
source for some criticisms is John Perry’s side [76] of a discussion with Barbara Partee. 
In other areas as well, one has the feeling that the whole application of possible worlds 
in semantics is, as one prominent semanticist privately told one of us, a “counterfactual 
exercise”: even though possible worlds semantics are the community’s standard and the 
best thing known, many researchers believe that in the long run they cannot succeed at 
everything they are being applied to. 


2.4 Propositional attitudes 


The phenomena of interest in the context of propositional attitudes are belief and 
knowledge, and also the root modals like can, may, and should. The main lines of the standard 
treatments are probably closest to the heart of a semantically-oriented modal logician: 
one takes a space of worlds which is equipped with a relation corresponding to each 
attitude or modality of interest. Then one defines semantics for the attitudes themselves 
as modal operators in the expected way, by quantifying using the accessibility relations. 
Modal logicians will also recognize the parallel to the algebraic semantics of modal logic; 
see Chapter 6. The point is that moving to the power set algebra of the set of worlds 
of a model is like moving to the space of intensions. So the propositional attitudes turn 
into operators on the intensional rather than extensional level. This is a two-edged sword: 
on the one hand, it allows us to explain why statements of identity are not preserved 
in modal contexts. But the downside is the problem of logical omniscience: logically 
necessary propositions wind up as being known by everyone at every point. So exactly 
the same advantages and disadvantages come up as in the theory of knowledge. 

Here is one textbook treatment of the basics of propositional attitudes, following the 
final chapter of Heim and Kratzer [36]. This chapter is called a “first step” on the way to 
an intensional semantics, and the authors emphasize, and close with, the limitations of 
their work. The point for us concerns the treatment of the attitude verbs such as know 
and believe. The way things work syntactically, attitude verbs take sentences as their 
arguments; a verb phrase then results. So their categorial type (see Section 2.11 below) 
would be VP/S, and so their semantics is a function from propositions (i.e., functions 
from worlds to truth values) to VP meanings (here functions from individuals x to truth 
values). The semantics is then given by 


(3) $[\![\text{believes}]\!] = \lambda w.\lambda p.[\lambda x.(\forall w')(\text{if } w' \text{ is belief-consistent with } w \text{ for } x, \text{ then } p(w') = 1)]$. 


“Belief consistent” here is a relation on worlds defined as follows: we say that w’ is belief 
consistent with w for (person) x if all of x’s beliefs in w are true in w’. (So in effect this 
treatment does not work on a set Kripke model whose accessibility relation is up to the 
semanticist to specify; rather, the accessibility relation is given in terms of what 
we are calling belief consistency here.) 

To illustrate this, we consider a sentence of the form Mary believes S, where S is 
another sentence. Overall principles of compositionality ensure that for all worlds w, 


$[\![\text{Mary believes } S]\!]_w = [\![\text{believes } S]\!]_w(\text{Mary})$. 


The definitions in the semantics are set up so that the following holds: 


(4) $[\![\text{believes } S]\!]_w(\text{Mary}) = [\![\text{believes}]\!]_w(\lambda w'.[\![S]\!]_{w'})(\text{Mary})$. 


At this point we apply the general definition of $[\![\text{believes}]\!]$ from (3). We see that Mary 
believes S is true in a world w just in case for all worlds w’ which are belief consistent with 
w for Mary, S is true in w’. So in this way we reconstruct the semantics of the attitudes 
which would be expected from the Kripke semantics of modal logic. We shall discuss 
how the calculation in (4) works when we turn to Montague grammar in Section 2.11. 

Before returning to a discussion of the modalities in language, here is another point 
on the treatment of belief in linguistics. McCawley [64] suggests a departure from what 
modal logicians might expect concerning belief when he writes, “Belief worlds may even 
conform to a different version of logic than the real world is taken to be subjected to; 
such worlds would be appropriate devices for analyzing such sentences as those in which 
an adherent of standard logic attributes beliefs to an intuitionist.” But he also holds 
that “one has a single set of beliefs at a time (possibly inconsistent beliefs, but a single 
set nonetheless).” So this seems to suggest that belief worlds might be paraconsistent 
in some sense. But later, in connection with wishes, he is of the opinion that “It will 
probably be clearest if one simply avoids terms such as ‘wish world,’ which misleadingly 
suggest that there is a single system of wishes whose simultaneous fulfillment is at issue, 
and instead use circumlocutions to say that a particular world corresponds to a particular 
wish. ... These worlds may serve as reference worlds for other worlds that correspond to, 
say, the fulfillment of wishes, hopes, and so forth, that are contingent on the fulfillment 
of a given wish.” 

In any case, much of the linguistic discussion is not about these kinds of points, but 
rather questions of reference and presupposition. For example, here are sentences from 
McCawley [64], page 426: 


(5) i. Arthur thinks that a unicorn has been eating his roses. He hopes he can 
catch it. 


ii. Arthur denies that a unicorn has been eating his roses. ??He hopes he can 
catch it. 


The underlined it in the first sentence refers to the unicorn in the preceding sentence. 
Actually, a unicorn is best understood non-referentially here; there is no particular 
unicorn which Arthur is thinking about, just some-unicorn-or-other. The point is that it 
is a property of think that it allows nonreferential NP’s in its complement to be the 
antecedents of later pronouns (the subsequent it). In contrast, deny does not have this 
property. This is why the second sentence in (5ii) is anomalous. This last example is 
intended to be more typical of the linguist’s concerns than the previous paragraph on 
ontological points. 


2.5 Conditionals 


Modal-type notions are of central interest in work on conditionals, following Lewis [60] 
and Stalnaker [90]. The idea here is to analyze counterfactual conditionals (those whose 
antecedents are known or taken to be false) using a semantics that comes with some 
extra apparatus or other. One should see Chapter 18 for an extensive treatment of 
the logical systems that come from the natural semantics of counterfactual conditionals. 
But counterfactuals are only one type of conditionals, and another important type are 
indicative conditionals (where the antecedent is true). See von Kutschera [106] for a 
proposal on indicative conditionals related to, but different from, the standard treatment 
of counterfactuals. 

As it happens, most contemporary work in semantics does not use the Lewis-Stalnaker 
semantics but instead works with elaborations based on it. Probably the main proposal 
in the area is due to Kratzer [55]. Her work allows one to work with the combination of 
conditionals and modals, as in If this is an article on linguistics, there must be examples 
from many languages. Kratzer’s semantics makes use of a “modal base”; this is basically 
a spelled out version of an accessibility relation. It also uses a three-placed similarity 
relation on worlds. It was later observed by Frank [28] and independently Zvolensky [107] 
that sentences of the form If X, then it must be the case that X came out automatically 
true in Kratzer’s semantics. Modal logicians might find it interesting to note that a 
similar debate about the adequacy of modal semantics crops up in areas like deontic 
logic. Indeed, one of the lessons we learned in writing this chapter is exactly that similar 
questions about the adequacy of various semantic proposals coming from modal logic 
come up independently in different forms. From the point of view of applied modal logic 
it would clearly be of value for people to pay close attention to points like this, in order 
to make theoretical contributions that could be appreciated by people in different fields. 


2.6 Time and tense 


Another semantic area where ideas of possible worlds semantics are put to use concerns 
time and tense in natural language. Our discussion of these issues is once again intended 
only as an invitation to this fascinating field. It is based largely on the survey of the area 
in Mark Steedman’s draft textbook [91] and also on Dick Crouch’s ESSLLI notes [21]. We 
have also again found McCawley’s book [64] full of insightful examples and proposals; see 
Section 12.2 on Tense Logic.¹ An essential resource for researchers in this area is Robert I. 
Binnick’s web site [5] entitled “The Project on Annotated Bibliography of Contemporary 
Research in Tense, Grammatical Aspect, Aktionsart, and Related Areas”: 


http://www.scar.utoronto.ca/~binnick/TENSE/. 


In particular, the logic part of the site lists a large collection of papers relevant to the 
subject of this handbook chapter. 

For readers of this handbook, perhaps the primary observation concerning the analysis 
of time in natural language is that the whole matter of temporal ontology is highly 
complicated and problematic. First of all, there are words, endings, and expressions 
which are usually used to indicate past, present, and future time references. But even 
these have exceptions. For example, -ing usually indicates a present tense, but in examples 
like the editors are calling Larry tomorrow to complain that his paper contained a lot of 
misleading remarks, the word tomorrow changes this to a future time reference. Yet 
another point concerns embedded tenses; as our last example shows, it is not always 
straightforward even to interpret these constructions, let alone represent and analyze 
them. For another example along the same lines, Sonia said that Rajiv liked to dance 
should have the same meaning as Sonia said “Rajiv likes to dance”; the problem then 
is to account for this sameness. Finally, important temporal information is often absent 
from the surface forms. Consider 


(6) John went to kindergarten with a bank president. 


The intended meaning is that at some past time John went to kindergarten with some 
individual who would later become a president of a bank. 


¹ Indeed, at various places in this chapter we have marveled at McCawley’s use of the best logical 
tools available to him. He wrote “I teach courses on logic from a linguist’s point of view, taking a broad 
view of the subject matter of logic (logic has suffered 23 centuries of myopia, which I try to make up for) 
and giving full weight to linguistic considerations in revising (or replacing) existing systems of logic to 
maximize their contact with natural language syntax and linguistic semantics.” [65] We therefore wonder 
what he as a linguist would have found useful in the exploding logical literature. Although we never 
met him personally, we would like to think that some of our comments about various connections and 
possible applications would have inspired him (and those who follow in his footsteps). 

The first, and most basic, proposal for the representation of temporal phenomena is to 
add an explicit time parameter to propositional functions. So instead of a predicate like 
alive(x) which indicates whether an object is alive or not, we might have alive(x,t). Then 
one might want to translate various tense constructions into, say, a two-sorted first-order 
logic; the point is that one then has quantification over times and also a symbol < for 
the relation of preceding on times. Then one can translate a future sentence like Sonia 
will go as 


$(\exists t > t_0)(\text{go}(\text{Sonia}, t))$. 


Note that there is a “now” time $t_0$; this can be taken to be either a constant or a variable. 
However, this is usually not what is done. There are logical and also linguistic reasons 
for making other moves. In a comment directly related to this, Thomason [100] writes: 


Physics should have helped us realize that a temporal theory of a phenomenon 
X is, in general, more than a simple combination of two components: the 
statics of X and the ordered set of temporal instants. The case in which all 
functions from times to world-states are allowed is uninteresting; there are 
too many such functions, and the theory has not begun until we have begun 
to restrict them. And often the principles that emerge from the interaction 
of time with the phenomena seem new and surprising. 


The new and surprising principles here are the interactions of tense and modality that 
Thomason discusses in his handbook article [100]. But mention of physics also raises 
the question of the structure of time. In the linguistic literature, the emphasis nearly 
always is on what might be called linguistic time, the common-sense notion that we want 
to tease out and model from “people on the street”. It is not the notion that we would 
get from physics. 

An alternative way to go is to take the basic sentences of language to be tenseless and 
then to add temporal modal operators P (for the past) and F (for the future). This is 
the basic move of Tense Logic, usually mentioned in connection with its main developer, 
Arthur Prior. 

These are interpreted on linear orders (L, <). The semantics is the standard one from 
temporal logic: 


(7) $l \models P\varphi$ iff $m \models \varphi$ for some $m < l$ 
    $l \models F\varphi$ iff $m \models \varphi$ for some $m > l$ 


So P and F are past and future modalities. 
Let us see how this idea fares with some examples. We should think of an atomic 
proposition as representing an untensed assertion. After a moment’s thought, one can 
see that the very question of whether “untensed assertions” are possible will be a source 
of debate in this area. But let us ignore this and think of stative present tense assertions 
like the oracle speaks as an untensed assertion. Suppose that we take its semantics to be 
an atomic proposition p of the logic above. Then we can translate some English sentences 
as in Figure 1. 


The oracle speaks                                             p 
The oracle spoke/has spoken                                   Pp 
The oracle will speak                                         Fp 
The oracle had spoken                                         PPp 
The oracle will have spoken                                   FPp 
The oracle never spoke                                        $\neg Pp$ 
There will be a time after which the oracle will not speak    $F\neg Fp$ 
There was a first time the oracle spoke                       $P(p \wedge \neg Pp)$ 


Figure 1. Sentences and Priorean Translations 

It is important to make a few comments about the contents of the figure. As with all 
translations from natural language into a formal language, one has to be clear on what 
has been achieved and what some of the problems are. 

We also mention some ways that the system can be fruitfully extended. For example, 
it is straightforward to add binary modalities S and U for since and until. With a little 
more work, we can also add now. The simplest way to do this is to work on models 
(L, <) with a distinguished $l^*$ for the “present moment”. Then we add to the clauses in 
(7) the following 


$l \models N\varphi$ iff $l^* \models \varphi$. 


This proposal is due to Kamp [42], and it is discussed further in Burgess [11], Section 
4B. Among the facts shown in these references is the fact that N is actually eliminable 
in this language. However, if one moves from a purely propositional setting to one with 
more linguistically interesting phenomena, this reduction is rightfully lost. For example, 
consider 


(8) i. The oracle predicted that there will be an earthquake. 
ii. The oracle predicted that there would be an earthquake. 


A natural representation of (8i) is Pr(o, NFe); the important point is that the future 
operator F is evaluated from the vantage point of “now”. This contrasts with (8ii). Here 
a representation might be Pr(o, Fe). The difference is that the prediction in (8ii) is that 
there will be an earthquake at some point later than the prediction, not the moment of 
utterance of the sentence. 

There are some linguistic problems with any treatment of time as an extra parameter. 
One problem again concerns embedded tenses; these are especially interesting for modal 
logic since all of the important problems in modal logic arise precisely because modalities 
in formal systems may be iterated, and because accessibility relations in models can be 
deep. The natural symbolization of (6) in a modal approach comes out as something like 


$P((\exists x)(\exists y)(\text{kindergarten}(x) \wedge \text{go}(J, x) \wedge \text{go}(y, x) \wedge F((\exists z)(\text{bank}(z) \wedge \text{president}(y, z)))))$. 


But then consider John went to kindergarten with someone who has become a bank 
president. Here the intended reading is that the person became a bank president before the 
utterance time. So having F in the scope of P in the representation would be a 
mistake. Another problem is that many temporal phenomena pertain more to events that 
are distributed in time and hence do not admit a nice formulation: Boris took piano lessons 
for six months. 

Sentences like Pp may be rendered either in the simple past as The oracle spoke or in 
the present perfect as The oracle has spoken. This means that whatever differences we 
ascribe to the two English forms will not be representable in the Priorean formalism. 

Further, the logic contains forms like PFPPFp which cannot be rendered into English 
except by transcribing the formal semantics into mathematical English. This is a problem 
not just for this work, but also for practically all accounts of any phenomenon which use 
recursion: the formalism will quickly contain forms not naturally renderable without 
heavy uses of devices like numbered or named pronouns. 

For other natural English sentences that cannot be translated adequately in the 
Priorean formalism, consider The oracle did not speak. What we have here is an implicit 
reference to a particular time or set of times. So our sentence is not captured by $\neg Pp$, 
since that sentence amounts to a universal quantification over past times. 

Furthermore, one would suspect that since we can add operators corresponding to 
Since and Until, we might also add an operator Y for Yesterday. Suppose our semantics 
makes use of a function $l \mapsto l - 1$ and works by $l \models Y\varphi$ iff $l - 1 \models \varphi$. However, here 
a sentence like Yesterday the oracle spoke would correspond to Yp rather than YPp. So 
we are left with a puzzle about why the natural language sentence uses the past tense 
marker in the first place. 

Hinrichs [37] noted that the sentence Vincent left yesterday has two natural renderings: 


Y(P(leave(Vincent))) and P(Y(leave(Vincent))). 


However, these both fail to have the intended meaning: the Y operator shifts the evalu- 
ation point to the previous day, but then the P operator takes the past from this point. 
A similar problem, noted by Partee [73] and reiterated in Hinrichs’ paper, is that tense 
and negation do not work well in Prior’s approach. Translating “Vincent did not leave” 
by either $P(\neg\text{leave}(V))$ or the other alternative does not work. 
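
The clauses in (7), the clause for N, and the proposed Y operator can be checked mechanically on a small model. The Python sketch below is an added example, not part of the original chapter: the seven-point model, the atom names, the convention that Y is false at the first point, and the use of a plain P in place of the predicate Pr(o, ·) are assumptions made here.

```python
"""Priorean tense logic on a finite linear order (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Model:
    """Points 0 < 1 < ... < size-1; `now` is the distinguished point l*."""
    size: int
    now: int
    val: dict = field(default_factory=dict)  # atom name -> set of points


# Formulas are nested tuples built by these constructors.
def atom(name): return ("atom", name)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def P(f): return ("P", f)   # some earlier point
def F(f): return ("F", f)   # some later point
def N(f): return ("N", f)   # Kamp's "now": jump to l*
def Y(f): return ("Y", f)   # "yesterday": step to l - 1


def holds(model, l, phi):
    """Truth of phi at point l, following clauses (7) plus N and Y."""
    op = phi[0]
    if op == "atom":
        return l in model.val.get(phi[1], set())
    if op == "not":
        return not holds(model, l, phi[1])
    if op == "and":
        return holds(model, l, phi[1]) and holds(model, l, phi[2])
    if op == "P":
        return any(holds(model, m, phi[1]) for m in range(l))
    if op == "F":
        return any(holds(model, m, phi[1]) for m in range(l + 1, model.size))
    if op == "N":
        return holds(model, model.now, phi[1])
    if op == "Y":
        # Assumption: no predecessor at point 0, so Y is false there.
        return l >= 1 and holds(model, l - 1, phi[1])
    raise ValueError(f"unknown operator: {op!r}")


# Constructed sample model: seven days, utterance time (now) is day 5.
WEEK = Model(size=7, now=5, val={
    "p": {2, 4},      # the oracle speaks on days 2 and 4
    "leave": {4},     # Vincent leaves on day 4, i.e. yesterday
    "e": {4},         # an earthquake on day 4
})

p = atom("p")
FIGURE_1 = {
    "The oracle speaks": p,
    "The oracle spoke/has spoken": P(p),
    "The oracle will speak": F(p),
    "The oracle had spoken": P(P(p)),
    "The oracle will have spoken": F(P(p)),
    "The oracle never spoke": neg(P(p)),
    "There will be a time after which the oracle will not speak": F(neg(F(p))),
    "There was a first time the oracle spoke": P(conj(p, neg(P(p)))),
}


def figure_1_at_now(model=WEEK):
    """Truth value of each Figure 1 translation at the utterance time."""
    return {s: holds(model, model.now, f) for s, f in FIGURE_1.items()}


def hinrichs_renderings(model=WEEK):
    """Renderings of 'Vincent left yesterday', evaluated at now."""
    leave = atom("leave")
    return {
        "Y(leave)": holds(model, model.now, Y(leave)),
        "Y(P(leave))": holds(model, model.now, Y(P(leave))),
        "P(Y(leave))": holds(model, model.now, P(Y(leave))),
    }


def now_shifts_future(model=WEEK):
    """P(N F e) looks forward from l*, P(F e) from the earlier point."""
    e = atom("e")
    return (holds(model, model.now, P(N(F(e)))),
            holds(model, model.now, P(F(e))))


if __name__ == "__main__":
    for sentence, value in figure_1_at_now().items():
        print(f"{value!s:5}  {sentence}")
    print(hinrichs_renderings())
    print(now_shifts_future())
```

In this model Vincent did leave on the previous day, yet both two-operator renderings come out false, because P looks strictly before the point that Y has already shifted to (or Y steps back from a point strictly before now).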

Even though the rest of our discussion has dwelled on the shortcomings of the Priorean 
approach, some aspects of the temporal system of language clearly are captured in it. 
Further discussion of tense logic and standard logic may be found in van Benthem [103, 
104] and also Chapter 11 of this handbook. We also discuss an extension of Prior’s 
approach due to Patrick Blackburn in Section 2.8 below. 


2.7 The reference time 


One of the key contributions to this area comes in Reichenbach’s textbook (on logic 
(!)) [82]. He points out that linguistic tense does not involve only “now” and “then” but 
also a third time, the reference time. So he described the tense system in terms of three 
times, S (the speech point), E (the event point), and R (the reference point). R is the 
time in a sentence “that we are really talking about”. 

For example, consider the difference between the simple past and past perfect in En- 
glish. The simple past is exemplified by I saw John; the past perfect by I had seen John. 
The difference between these is that in the past perfect, E is prior to R (and both come
before S): the speaker is describing an event from a vantage point (R) which is later 
than the time (E) of the event itself. In contrast, in the simple past, the event time and 
reference time are the same. 

Incidentally, although Reichenbach seems to have preferred to think in terms of R, 
E, and S as points, there is good reason to prefer to take them to be intervals. The 
use of intervals in tense logic is a natural move, and many semantics papers do in fact 
make it. Here are some examples of the way various tense and aspect combinations in 
Reichenbach’s system come out when we take R, E, and S to be intervals, writing < for 
the subinterval relation: 


E   R   S
the past perfect: I had seen John.

E   R, S
the present perfect: John has been to Boston.

E, R   S
the simple past: I gave a lecture.

E, R, S
the present: I name this ship Chips.

S   E, R
the simple future: I lecture (next week).


We have completed a quick tour of some of the central proposals concerning temporal 
ontology. It goes without saying that we have barely scratched the surface, that further 
work is in large measure concerned with corrections and criticisms of the classical ideas, 
etc. But we would be remiss in ending without mentioning that much of the current 
work is concerned not with points of time but rather with events; see for example, the 
book The Proper Treatment of Events [105]. Figure 2 contains a chart of some of the 
Reichenbach examples, worked in terms of events for S, E and R. The relation < is that 
of subevent. 


2.8 Temporal reference and hybrid logic 


Reference to specific times can be incorporated into a Prior-style formalism by using 
ideas from hybrid logic (see Chapter 14 of this handbook). The basic idea of hybrid logic 
is to add a new sort of propositional symbol to the underlying modal language; these 
symbols are called nominals, and they are typically written i, j, and k. When working
with nominals, one adds a semantic constraint that they be true at exactly one point. In 
this way, nominals ‘name’ the unique point they are true at. 

This gives us a way of coping with some of the difficulties noted earlier. For example,
we saw that The oracle could not speak could not be translated into the standard Priorean
formalism; the simple representation $\neg Pp$ amounts to universal quantification over past
times. But with the aid of nominals we have a better representation:


$P(i \wedge \text{the oracle not speak})$.


This anchors the silence of the oracle at a particular time in the past, namely the time 
named by the nominal i. 

Moreover, we now have a way of handling reference times. Consider the sentence The
oracle had not spoken. This picks out some past time (the reference time) and locates
the silence of the oracle before that. This cannot be handled in the standard Priorean
formalism, but once again with the aid of nominals, we can capture its meaning:


$P(i \wedge P(\text{the oracle not speak}))$.


This formula says that there is some time in the past (namely the one named by i) 
and that before that the oracle did not speak. In fact, as Blackburn [6] observes, all of 
Reichenbach’s analyses can be handled in this way; the required hybrid representations 
are given in Figure 3. 

It’s also worth remarking that the ideas of hybrid logic combine naturally with multi- 
dimensional modal semantics of the type mentioned above. For example, Blackburn [6] 
uses this style of semantics to interpret propositional symbols like yesterday. The use 
of such symbols avoids the problems associated with the yesterday operator Y. For 
example, the hybrid representation of Vincent left yesterday would be 


$P(\mathit{yesterday} \wedge \text{Vincent leave})$,

and this has the required interpretation. Moreover, the hybrid approach also correctly
classifies sentences such as Vincent will leave yesterday as semantically anomalous. This
sentence would be represented by the hybrid formula


$F(\mathit{yesterday} \wedge \text{Vincent leave})$.


This formula is false at all points in all models, hence the anomaly. 
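
An added example, not from the chapter: a small evaluator for the Prior-style operators P, F and Y extended with nominals and the symbol yesterday, run on constructed linear models to reproduce the judgments discussed in Sections 2.6 and 2.8. It assumes time points are whole days (so Y and yesterday both step back exactly one point) and evaluates each sentence at the utterance point; the tuple encoding and all function names are this example's own.

```python
from itertools import product

# Formulas are nested tuples (an encoding chosen for this example):
#   ("atom", name)  ("nom", name)  ("yesterday",)
#   ("not", f)  ("and", f, g)  ("P", f)  ("F", f)  ("Y", f)


def holds(f, model, u, t):
    """Truth of f at evaluation time t when the utterance time is u.

    Two indices are needed because 'yesterday' depends on the utterance
    time, while P, F and Y shift only the evaluation time.
    """
    times, val, names = model["times"], model["val"], model["names"]
    op = f[0]
    if op == "atom":
        return t in val.get(f[1], set())
    if op == "nom":                      # true at exactly one point
        return t == names[f[1]]
    if op == "yesterday":                # the day before the utterance
        return t == u - 1
    if op == "not":
        return not holds(f[1], model, u, t)
    if op == "and":
        return holds(f[1], model, u, t) and holds(f[2], model, u, t)
    if op == "P":                        # some strictly earlier time
        return any(holds(f[1], model, u, s) for s in times if s < t)
    if op == "F":                        # some strictly later time
        return any(holds(f[1], model, u, s) for s in times if s > t)
    if op == "Y":                        # shift evaluation back one day
        return (t - 1) in times and holds(f[1], model, u, t - 1)
    raise ValueError("unknown operator: %r" % (op,))


def uttered(f, model, now):
    """A sentence is evaluated with evaluation time = utterance time."""
    return holds(f, model, now, now)


LEAVE = ("atom", "leave")
SPEAK = ("atom", "speak")
YESTERDAY = ("yesterday",)


def vincent_left_yesterday():
    # Constructed model: days 0..6, Vincent leaves on day 4, utterance on day 5.
    model = {"times": range(7), "val": {"leave": {4}}, "names": {}}
    return {
        "Y(P(leave))": uttered(("Y", ("P", LEAVE)), model, 5),
        "P(Y(leave))": uttered(("P", ("Y", LEAVE)), model, 5),
        "P(yesterday & leave)":
            uttered(("P", ("and", YESTERDAY, LEAVE)), model, 5),
    }


def oracle():
    # Constructed model: the oracle speaks on days 1 and 3; nominal i names day 2.
    model = {"times": range(7), "val": {"speak": {1, 3}}, "names": {"i": 2}}
    i = ("nom", "i")
    return {
        "not P(speak)": uttered(("not", ("P", SPEAK)), model, 5),
        "P(i & not speak)":
            uttered(("P", ("and", i, ("not", SPEAK))), model, 5),
        "P(i & P(not speak))":
            uttered(("P", ("and", i, ("P", ("not", SPEAK)))), model, 5),
    }


def future_yesterday_satisfiable(n=5):
    """Try every valuation of 'leave' on n days and every utterance day,
    looking for one where F(yesterday & leave) is true when uttered."""
    f = ("F", ("and", YESTERDAY, LEAVE))
    for bits in product([False, True], repeat=n):
        val = {"leave": {d for d in range(n) if bits[d]}}
        model = {"times": range(n), "val": val, "names": {}}
        if any(uttered(f, model, now) for now in range(n)):
            return True
    return False


if __name__ == "__main__":
    print(vincent_left_yesterday())
    print(oracle())
    print(future_yesterday_satisfiable())
```

Both operator renderings of Vincent left yesterday come out false on a model where he did leave the day before, while the hybrid rendering is true; the exhaustive search finds no utterance point satisfying the "will leave yesterday" formula.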


            | Past                 | Present             | Future
Simple      | E=R, R<S             | E=R=S               | E=R, S<R
            | Mary saw John        | Mary sees John      | Mary will see John
Perfect     | E<R<S                | E<R=S               | E<R, S<R
            | Mary had seen John   | Mary has seen John  | Mary will have seen John
Progressive | E=R, R<S             | E=R=S               | E=R, S<R
            | Mary was seeing John | Mary is seeing John | Mary will be seeing John


Figure 2. Tense and Aspect in Terms of E, R, and S

Structure | Name                 | English example        | Representation
E-R-S     | Pluperfect           | I had seen             | $P(i \wedge P\varphi)$
E,R-S     | Past                 | I saw                  | $P(i \wedge \varphi)$
R-E-S     | Future-in-the-past   | I would see            | $P(i \wedge F\varphi)$
R-S,E     | Future-in-the-past   | I would see            | $P(i \wedge F\varphi)$
R-S-E     | Future-in-the-past   | I would see            | $P(i \wedge F\varphi)$
E-S,R     | Perfect              | I have seen            | $i \wedge P\varphi$
S,R,E     | Present              | I see                  | $i \wedge \varphi$
S,R-E     | Prospective          | I am going to see      | $i \wedge F\varphi$
S-E-R     | Future perfect       | I will have seen       | $F(i \wedge P\varphi)$
S,E-R     | Future perfect       | I will have seen       | $F(i \wedge P\varphi)$
E-S-R     | Future perfect       | I will have seen       | $F(i \wedge P\varphi)$
S-R,E     | Future               | I will see             | $F(i \wedge \varphi)$
S-R-E     | Future-in-the-future | (Latin: abiturus ero)  | $F(i \wedge F\varphi)$


Figure 3. Reichenbach’s analysis in hybrid logic


2.9 A note on multidimensionality 


One very interesting application of modal logic to semantic analysis is the use of mul- 
tidimensional modal logic in connection with cross-world comparatives. Consider, for 
example, sentences like This article is shorter than it might have been. One approach 
to its semantics is to use not just a single world in the semantics, but to move to two 
or even more worlds. We might have an “actual” world and an “evaluation” world. For 
applications in semantics related to comparatives, see Cantwell [13]. By now there are 
also quite sophisticated modelings of tense and aspect; see, for example ter Meulen [94]. 


2.10 Problems and prospects 


Even with the move to a Reichenbachian treatment of tense and aspect, there are re- 
maining stubborn problems. Many of these are especially pertinent to the discussion 
of the application of possible world semantics; they indeed cause one to either re-think 
the use of possible worlds, or to propose modifications or extensions of it. Consider, for 
example, the present relevance of the perfect. For example, Jimmy has lost his mind 
intuitively entails that Jimmy has not gotten it back. 

It is also important to note that a lot of real-world knowledge goes into judgments 
about sentences using time and tense. For example 


(9) i. ??James McCawley has written many books. 


ii. James McCawley wrote many books. 


The first is anomalous, but only to one who knows that McCawley died in 1999. For 
someone who didn’t know this, (9i) carries the implicature that McCawley is still alive. 
The point here is that (9i) and (9ii) are not equivalent, but the difference is due to 
background knowledge. So the entire system of time/tense/aspect interacts with the 
knowledge background of speakers and hearers. With this in mind, consider also, and 
note the difference between 

Category  | Description                  | Examples
S         | Sentence                     | John seek a unicorn
CN        | Common nouns                 | man, woman, unicorn
IV        | Intransitive verb phrases    | walk
S/IV      | Noun phrases                 | the man, every unicorn, John
(S/IV)/CN | Determiners                  | every, a, one, the
IV/(S/IV) | Transitive verb phrases      | love, seek
IV/S      | Sentential complement verbs  | believe, hope, doubt
CN/CN     | Adjectives                   | red, fake
S/S       | Sentential adverbs           | frequently, necessarily


Figure 4. Categories and Sample Expressions in a Categorial Grammar


(10) i. The authors have regretted that they never met McCawley. 
ii. The authors had regretted that they never met McCawley. 


Many recent papers and books in the area emphasize the presence of causality and real- 
world knowledge in discourse about time; see Steedman [91]. Another book on this topic 
which emphasizes connections to logic programming and even robotics is van Lambalgen 
and Hamm [105]. 


2.11 Montague semantics 


As was mentioned above, Montague’s application of higher-order intensional logic marked 
the starting point for applications of modal logic in natural language semantics. Mon- 
tague developed his theory of natural language semantics over the course of three papers 
(collected in [99]), each of which differs from the others in some respect. In the following, 
we give a survey of a “streamlined” approach, taken from Gamut [32]. 

Montague semantics consists of three parts: syntactic categories, semantic types, and 
operations on the members of each of these, where each operation on members of syn- 
tactic categories has a corresponding operation on the members of the corresponding 
semantic types. This correspondence is Montague’s formalization of the principle of 
compositionality. 

The theory of syntactic categories assumed in Montague semantics is loosely based on 
categorial grammar. The categories of categorial grammar are either basic categories or 
derived categories, which are formed by closing the basic categories under two operators: 
/ and \. An expression that has a category of the form A/B is “looking to its right 
for” an expression of the category B to make an expression of the category A. And an 
expression of category B\A is looking to its left for an expression of category B to again 
make one of category A. Thus, derived categories have a functional behavior. 

The full set of categories, CAT, is obtained by closing the basic categories, S (for 
sentence), CN (common noun), IV (intransitive verb), under the / operator. Thus, only 
one of the two operators of categorial grammar is used by Montague. Figure 4 has 
examples of the most common categories and some of their expressions. 

At this point, we have described the set of syntactic categories and given examples. 
One forms the full set of expressions of the various categories by juxtaposition following 
the categorial rules. For example, John walks is an S because John is S/IV and walks is
an IV. From this, believes John walks is an IV. And then Mary believes John walks is 
again an S. This is as it should be, since we have a grammatical sentence. 

We return to the syntactic categories and expressions below, after a digression con- 
cerning the formal semantics. Let e and t be any distinct objects, and define the set T 
of semantic types by the following inductive definition: 


1. $e, t \in T$,
2. if $a, b \in T$, then $(a, b) \in T$,
3. if $a \in T$, then $(s, a) \in T$.


The idea is that e stands for entity and t for truth value, s for a set of possible worlds, and 
(a,b) for the set of all functions from a to b (or rather for the set of functions from the 
set that a stands for to the set b stands for). The difference between syntactic categories 
and semantic types is that syntactic categories have a notion of “order” built-in. In the 
following, we will use upper-case letters for syntactic categories and lower-case letters for 
semantic types. 

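Given infinite sets of variables for each type a, denoted by $\mathrm{VAR}_a$, and, possibly empty,
sets of constants for each type a, denoted by $\mathrm{CON}_a$, we define the well-formed expressions
of type a, denoted by $\mathrm{WE}_a$, as follows:


1. $\mathrm{VAR}_a \subseteq \mathrm{WE}_a$ and $\mathrm{CON}_a \subseteq \mathrm{WE}_a$,
2. if $\alpha \in \mathrm{WE}_{(a,b)}$ and $\beta \in \mathrm{WE}_a$, then $\alpha(\beta) \in \mathrm{WE}_b$,
3. if $\varphi, \psi \in \mathrm{WE}_t$, then $\neg\varphi \in \mathrm{WE}_t$ and $(\varphi \wedge \psi) \in \mathrm{WE}_t$,
4. if $\varphi \in \mathrm{WE}_t$ and $v \in \mathrm{VAR}_a$, then $\forall v\varphi \in \mathrm{WE}_t$,
5. if $\alpha, \beta \in \mathrm{WE}_a$, then $\alpha = \beta \in \mathrm{WE}_t$,
6. if $\alpha \in \mathrm{WE}_a$ and $v \in \mathrm{VAR}_b$, then $\lambda v\alpha \in \mathrm{WE}_{(b,a)}$,
7. if $\varphi \in \mathrm{WE}_t$, then $\Box\varphi \in \mathrm{WE}_t$,
8. if $\alpha \in \mathrm{WE}_a$, then ${}^{\wedge}\alpha \in \mathrm{WE}_{(s,a)}$,
9. if $\alpha \in \mathrm{WE}_{(s,a)}$, then ${}^{\vee}\alpha \in \mathrm{WE}_a$.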


We will use other connectives, $\exists, \vee, \rightarrow, \leftrightarrow, \Diamond$, to abbreviate their usual definitions in
terms of the connectives above. The reason that these types are referred to as semantic
types is that each type has a corresponding domain. Given a set of individuals, D, and
a set of worlds, W, we define the domain of a type a, denoted by $D_{a,D,W}$, as follows:


1. $D_{e,D,W} = D$
2. $D_{t,D,W} = \{0, 1\}$
3. $D_{(a,b),D,W} = D_{b,D,W}^{\,D_{a,D,W}}$
4. $D_{(s,a),D,W} = D_{a,D,W}^{\,W}$
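
where $A^B$ denotes the set of functions from B to A. We now define the interpretation of
expressions. A model, M, is a triple, (D, W, I), where D is a non-empty set of individuals,
W is a non-empty set of worlds, and I is an interpretation of the constants at a world. We
define $[\![\alpha]\!]_{M,w,g}$, where M is a model, $w \in W$ is a world, and g is a variable assignment.
As usual, we denote the variable assignment that differs from g at most in that it assigns
d to v by $g[v/d]$.


1. if $\alpha \in \mathrm{CON}_a$, then $[\![\alpha]\!]_{M,w,g} = I(w, \alpha)$; if $\alpha \in \mathrm{VAR}_a$, then $[\![\alpha]\!]_{M,w,g} = g(\alpha)$,

2. if $\alpha \in \mathrm{WE}_{(a,b)}$ and $\beta \in \mathrm{WE}_a$, then $[\![\alpha(\beta)]\!]_{M,w,g} = [\![\alpha]\!]_{M,w,g}([\![\beta]\!]_{M,w,g})$,

3. if $\varphi, \psi \in \mathrm{WE}_t$, then $[\![\neg\varphi]\!]_{M,w,g} = 1$ iff $[\![\varphi]\!]_{M,w,g} = 0$, and $[\![\varphi \wedge \psi]\!]_{M,w,g} = 1$ iff
$[\![\varphi]\!]_{M,w,g} = 1$ and $[\![\psi]\!]_{M,w,g} = 1$,

4. if $\varphi \in \mathrm{WE}_t$ and $v \in \mathrm{VAR}_a$, then $[\![\forall v\varphi]\!]_{M,w,g} = 1$ iff for all $d \in D_a$, $[\![\varphi]\!]_{M,w,g[v/d]} = 1$,

5. if $\alpha, \beta \in \mathrm{WE}_a$, then $[\![\alpha = \beta]\!]_{M,w,g} = 1$ iff $[\![\alpha]\!]_{M,w,g} = [\![\beta]\!]_{M,w,g}$,

6. if $\alpha \in \mathrm{WE}_a$ and $v \in \mathrm{VAR}_b$, then $[\![\lambda v\alpha]\!]_{M,w,g}$ is the function $h \in D_{(b,a)}$, such that
for all $d \in D_b$, $h(d) = [\![\alpha]\!]_{M,w,g[v/d]}$,

7. if $\varphi \in \mathrm{WE}_t$, then $[\![\Box\varphi]\!]_{M,w,g} = 1$ iff for all $w' \in W$, $[\![\varphi]\!]_{M,w',g} = 1$,

8. if $\alpha \in \mathrm{WE}_a$, then $[\![{}^{\wedge}\alpha]\!]_{M,w,g}$ is the function $h \in D_{(s,a)}$, such that for all $w' \in W$,
$h(w') = [\![\alpha]\!]_{M,w',g}$,

9. if $\alpha \in \mathrm{WE}_{(s,a)}$, then $[\![{}^{\vee}\alpha]\!]_{M,w,g} = [\![\alpha]\!]_{M,w,g}(w)$.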


This allows us to have formal terms for what we informally wrote above in (3). 

There is a symmetry between $\lambda$-abstraction and application (i.e. $\beta$-conversion), and
${}^{\wedge}$-abstraction and ${}^{\vee}$-application. However, while the following form of $\beta$-conversion can
only be applied in the extensional fragment of this system, it only holds in restricted
cases in the intensional system.


THEOREM 1. In the extensional fragment, $\lambda x\beta(\gamma)$ is equivalent to $\beta[x \mapsto \gamma]$ if all free
variables in $\gamma$ are free for $x$ in $\gamma$.


However, in the extensional system this equivalence fails. It is possible to extend this 
equivalence to a restricted set of expressions of the intensional system: the intensionally 
closed expressions, whose extension does not vary from world to world. The intensionally 
closed expressions in L, denoted by $\mathrm{ICE}^L$, form the minimal subset of $\mathrm{WE}^L$ such that


1. If $x \in \mathrm{VAR}_a$, then $x \in \mathrm{ICE}^L$,

2. If $\alpha \in \mathrm{WE}^L_a$, then ${}^{\wedge}\alpha \in \mathrm{ICE}^L$,

3. If $\varphi \in \mathrm{WE}^L_t$, then $\Box\varphi \in \mathrm{ICE}^L$,

4. $\mathrm{ICE}^L$ is closed under boolean connectives, quantifiers, and $\lambda$-abstraction.


The above mentioned symmetry is summarized in the following two theorems:

THEOREM 2. ${}^{\vee}({}^{\wedge}\alpha)$ is equivalent to $\alpha$.

THEOREM 3. $\lambda x\beta(\gamma)$ is equivalent to $\beta[x \mapsto \gamma]$ if

1. all free variables in $\gamma$ are free for $x$ in $\gamma$; and

2. either $\gamma \in \mathrm{ICE}^L$, or no free occurrence of $x$ in $\beta$ lies within the scope of $\Box$, ${}^{\wedge}$.


Now, we associate semantic types with syntactic categories using the following
function f:


$f(S) = t$
$f(CN) = f(IV) = (e, t)$
$f(A/B) = ((s, f(B)), f(A))$

With each syntactic category, A, we associate a set of basic expressions of that category,
denoted by $B_A$, and a set of expressions of that category, denoted by $P_A$.

The next step involves the definition of syntactic operations that create complex
expressions. In the following, we will use the same rule numbers as [32]. Here are the first
three rules:


$B_A \subseteq P_A$ (S1)

If $\alpha \in P_{S/IV}$ and $\beta \in P_{IV}$, then $F_1(\alpha, \beta) \in P_S$, and $F_1(\alpha, \beta) = \alpha\beta'$, where $\beta'$
is the result of replacing the main verb in $\beta$ by its third-person singular present form. (S2)

If $\alpha \in P_{(S/IV)/CN}$ and $\beta \in P_{CN}$, then $F_2(\alpha, \beta) \in P_{S/IV}$, and $F_2(\alpha, \beta) = \alpha\beta$. (S3)


Rule S1 simply makes the basic expressions of category A expressions of category A.
Rule S2 combines noun phrases with verb phrases to make sentences, the side condition
enforcing subject-verb agreement. Rule S3 combines determiners with common nouns to
form noun phrases.


EXAMPLE 4. Here is a derivation for “every man walks”:


$F_2(\text{every}, \text{man}) = \text{every man}$

$F_1(\text{every man}, \text{walk}) = \text{every man walks}$


Since the syntactic derivations in Montague grammar are very straightforward, we will 
dispense with them in the rest of this article. 
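
An added example, not from the chapter or from Gamut: the category system of Figure 4 and the type assignment f, with a checker that computes the category of a bracketed expression by the categorial rule "A/B followed by B gives A". The string syntax for categories, the tuple encodings, the use of verb stems (no agreement morphology) and all function names are assumptions of this example.

```python
BASIC = {"S", "CN", "IV"}


def _wrapped(text):
    """True if the first '(' is closed only by the final character."""
    depth = 0
    for k, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return k == len(text) - 1
    return False


def parse(text):
    """Parse e.g. 'IV/(S/IV)' into a basic name or a pair (A, B) meaning A/B."""
    text = text.strip()
    while text.startswith("(") and _wrapped(text):
        text = text[1:-1].strip()
    depth, slashes = 0, []
    for k, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "/" and depth == 0:
            slashes.append(k)
    if not slashes:
        if text not in BASIC:
            raise ValueError("not a basic category: %r" % text)
        return text
    if len(slashes) > 1:
        raise ValueError("add parentheses to disambiguate: %r" % text)
    k = slashes[0]
    return (parse(text[:k]), parse(text[k + 1:]))


def f(cat):
    """The type assignment: f(S)=t, f(CN)=f(IV)=(e,t), f(A/B)=((s,f(B)),f(A))."""
    if cat == "S":
        return "t"
    if cat in ("CN", "IV"):
        return ("e", "t")
    a, b = cat
    return (("s", f(b)), f(a))


def show(ty):
    """Render a type in the chapter's (a,b) notation."""
    if isinstance(ty, str):
        return ty
    return "(" + show(ty[0]) + "," + show(ty[1]) + ")"


# Lexicon taken from Figure 4 and the running text (stems only).
LEXICON = {w: parse(c) for w, c in {
    "John": "S/IV", "Mary": "S/IV",
    "every": "(S/IV)/CN", "a": "(S/IV)/CN",
    "man": "CN", "woman": "CN", "unicorn": "CN",
    "walk": "IV", "love": "IV/(S/IV)", "seek": "IV/(S/IV)",
    "believe": "IV/S", "necessarily": "S/S",
}.items()}


def category_of(tree):
    """Category of a word or of a pair (functor, argument) of subtrees."""
    if isinstance(tree, str):
        return LEXICON[tree]
    left, right = tree
    functor, argument = category_of(left), category_of(right)
    if isinstance(functor, tuple) and functor[1] == argument:
        return functor[0]
    raise TypeError("cannot combine %r with %r" % (functor, argument))


if __name__ == "__main__":
    print(show(f(parse("IV/(S/IV)"))))
    print(category_of(("Mary", ("believe", ("John", "walk")))))
```

Applied to IV/(S/IV), f yields the type the chapter later gives for transitive verbs, which is why "John seeks a unicorn" can be interpreted without a relation between individuals.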

We now define a function $\mapsto$ that associates with each expression of category A an
expression of type f(A), its meaning. First, the translation of most basic expressions will 
simply be a constant. We will denote the constants corresponding to basic expressions 
using CAPS. Thus, the constant corresponding to walk is WALK. The only exceptions to 
this rule are noun phrases, determiners, the verb be, and necessarily. 


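(T1)
John $\mapsto \lambda X({}^{\vee}X(j))$
Mary $\mapsto \lambda X({}^{\vee}X(m))$
$\mathrm{he}_n \mapsto \lambda X({}^{\vee}X(x_n))$
every $\mapsto \lambda Y\lambda X\forall x({}^{\vee}Y(x) \rightarrow {}^{\vee}X(x))$

If $\alpha \in P_{S/IV}$, $\beta \in P_{IV}$, $\alpha \mapsto \alpha'$, and $\beta \mapsto \beta'$, then $F_1(\alpha, \beta) \mapsto \alpha'({}^{\wedge}\beta')$ (T2)

If $\alpha \in P_{(S/IV)/CN}$, $\beta \in P_{CN}$, $\alpha \mapsto \alpha'$, and $\beta \mapsto \beta'$, then $F_2(\alpha, \beta) \mapsto \alpha'({}^{\wedge}\beta')$ (T3)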


Applications of Modal Logic in Linguistics 1051 


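EXAMPLE 5. Here is the translation for “every man walks.”


$\lambda Y\lambda X\forall x({}^{\vee}Y(x) \rightarrow {}^{\vee}X(x))$    $\mathrm{MAN}$

$\lambda X\forall x(\mathrm{MAN}(x) \rightarrow {}^{\vee}X(x))$    $\mathrm{WALK}$

$\lambda X\forall x(\mathrm{MAN}(x) \rightarrow {}^{\vee}X(x))({}^{\wedge}\mathrm{WALK})$

$\forall x(\mathrm{MAN}(x) \rightarrow {}^{\vee}({}^{\wedge}\mathrm{WALK}(x)))$    $\beta$-conversion

$\forall x(\mathrm{MAN}(x) \rightarrow \mathrm{WALK}(x))$    ${}^{\vee}{}^{\wedge}$-cancellation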


Now we will consider transitive verbs. Again, we first give a syntactic rule, followed 
by a semantic rule: 


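If $\alpha \in P_{IV/(S/IV)}$ and $\beta \in P_{S/IV}$, then $F_6(\alpha, \beta) \in P_{IV}$, and $F_6(\alpha, \beta) = \alpha\beta'$,
where $\beta'$ is the accusative form of $\beta$ if $\beta$ is a syntactic variable; otherwise $\beta' = \beta$. (S7)

If $\alpha \in P_{IV/(S/IV)}$, $\beta \in P_{S/IV}$, $\alpha \mapsto \alpha'$, and $\beta \mapsto \beta'$, then $F_6(\alpha, \beta) \mapsto \alpha'({}^{\wedge}\beta')$. (T7)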


We will use the following two notational conventions from Gamut [32]. The first is 
just an instance of what computer scientists call uncurrying. 


If $\gamma$ is an expression of type $(a, (b, t))$, $\alpha$ an expression of type a, and $\beta$
an expression of type b, then we may write $\gamma(\beta, \alpha)$ instead of $(\gamma(\alpha))(\beta)$. (NC1)


Before discussing the second notational convention (NC2), we need to review how Montague
proposed to treat transitive verbs. In Montague’s system, the meanings of transitive
verbs are relations between individuals and second-order properties, i.e. they are of type 
((s, ((s, (e, t)), t)), (e,t)). Thus, since they are not relations between individuals, we can 
have a statement such as “John seeks a unicorn” be true, without it entailing the ex- 
istence of unicorns. However, there are certain transitive verbs, so-called extensional 
transitive verbs which entail the existence of their arguments. For these expressions NC2 
will allow us to move from Montague’s higher-order interpretation of transitive verbs to 
relations between individuals. 


If $\delta$ is an expression of type $((s, ((s, (e, t)), t)), (e, t))$, then we may write $\delta_*$
instead of $\lambda y\lambda x\,\delta(x, {}^{\wedge}\lambda X\,{}^{\vee}X(y))$. (NC2)


The expression $\delta_*$ refers to the relation that holds between x and y iff the relation $\delta$ holds
between x and the intension of the set of all properties of y, i.e. ${}^{\wedge}\lambda X\,{}^{\vee}X(y)$. For further
details and discussion, see Gamut [32].
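
EXAMPLE 6. Here is a derivation for “every man loves a woman.”


$\lambda Y\lambda X\exists x({}^{\vee}Y(x) \wedge {}^{\vee}X(x))$    $\mathrm{WOMAN}$

$\lambda Y\lambda X\forall y({}^{\vee}Y(y) \rightarrow {}^{\vee}X(y))$    $\mathrm{MAN}$

$\mathrm{LOVE}$    $\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))$

$\lambda Y\forall y(\mathrm{MAN}(y) \rightarrow {}^{\vee}Y(y))$    $\mathrm{LOVE}({}^{\wedge}\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x)))$    T7

$\lambda Y\forall y(\mathrm{MAN}(y) \rightarrow {}^{\vee}Y(y))({}^{\wedge}\mathrm{LOVE}({}^{\wedge}\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))))$    T2

$\forall y(\mathrm{MAN}(y) \rightarrow {}^{\vee}({}^{\wedge}\mathrm{LOVE}({}^{\wedge}\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))))(y))$    $\beta$-conversion

$\forall y(\mathrm{MAN}(y) \rightarrow (\mathrm{LOVE}({}^{\wedge}\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))))(y))$    ${}^{\vee}{}^{\wedge}$-cancellation

$\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}(y, {}^{\wedge}\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))))$    NC1

$\forall y(\mathrm{MAN}(y) \rightarrow \exists x(\mathrm{WOMAN}(x) \wedge \mathrm{LOVE}_*(y, x)))$    NC2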


The following rule schema is used to create different derivations for ambiguous sen- 
tences. 


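If $\alpha \in P_{S/IV}$ and $\varphi \in P_S$, then $F_{7,n}(\alpha, \varphi) = \varphi'$, where $\varphi'$ is the result of
the following substitution in $\varphi$: (S8,n)

(i) if $\alpha$ is not a syntactic variable $\mathrm{he}_k$, then replace the first
occurrence of $\mathrm{he}_n$ or $\mathrm{him}_n$ with $\alpha$, and the other occurrences of $\mathrm{he}_n$ or $\mathrm{him}_n$
with the appropriate anaphoric pronoun;

(ii) if $\alpha = \mathrm{he}_k$, then replace every occurrence of $\mathrm{he}_n$ and of $\mathrm{him}_n$ with $\mathrm{him}_k$.

And the corresponding semantic rule:

If $\alpha \in P_{S/IV}$, $\varphi \in P_S$, $\alpha \mapsto \alpha'$, and $\varphi \mapsto \varphi'$, then $F_{7,n}(\alpha, \varphi) \mapsto \alpha'({}^{\wedge}\lambda x_n \varphi')$ (T8,n)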


EXAMPLE 7. Here is another derivation of “every man loves a woman.” This time, 
“everybody loves him,” is derived first, and “a woman” is quantified in. 


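$\lambda Y\lambda X\exists x({}^{\vee}Y(x) \wedge {}^{\vee}X(x))$    $\mathrm{WOMAN}$    $\mathrm{LOVE}$    $\lambda X\,{}^{\vee}X(x_1)$

$\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))$    $\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}_*(y, x_1))$

$\lambda X\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}X(x))({}^{\wedge}\lambda x_1\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}_*(y, x_1)))$    T8,1

$\exists x(\mathrm{WOMAN}(x) \wedge {}^{\vee}({}^{\wedge}\lambda x_1\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}_*(y, x_1))(x)))$    $\beta$-conversion

$\exists x(\mathrm{WOMAN}(x) \wedge (\lambda x_1\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}_*(y, x_1))(x)))$    ${}^{\vee}{}^{\wedge}$-cancellation

$\exists x(\mathrm{WOMAN}(x) \wedge (\forall y(\mathrm{MAN}(y) \rightarrow \mathrm{LOVE}_*(y, x))))$    $\beta$-conversion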


Now we can use quantifying-in to derive multiple interpretations of believe-sentences, 
corresponding to the above-mentioned de dicto-de re distinction. Assuming that the 
syntactic category of believe is IV/S, we need new syntactic and semantic rules for such 
expressions: 


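If $\alpha \in P_{IV/S}$ and $\beta \in P_S$, then $F_{11}(\alpha, \beta) \in P_{IV}$, and $F_{11}(\alpha, \beta) = \alpha\beta$ (S15)

If $\alpha \in P_{IV/S}$, $\varphi \in P_S$, $\alpha \mapsto \alpha'$, and $\varphi \mapsto \varphi'$, then $F_{11}(\alpha, \varphi) \mapsto \alpha'({}^{\wedge}\varphi')$ (T15)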
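
EXAMPLE 8. Here are derivations for John believes that a man walks. The first gives
us the de dicto reading:


$\lambda Y\lambda X\exists x({}^{\vee}Y(x) \wedge {}^{\vee}X(x))$    $\mathrm{MAN}$

$\lambda X\exists x(\mathrm{MAN}(x) \wedge {}^{\vee}X(x))$    $\mathrm{WALK}$

$\mathrm{BELIEVE}$    $\exists x(\mathrm{MAN}(x) \wedge \mathrm{WALK}(x))$

$\lambda X({}^{\vee}X(j))$    $\mathrm{BELIEVE}({}^{\wedge}\exists x(\mathrm{MAN}(x) \wedge \mathrm{WALK}(x)))$    T15

$\mathrm{BELIEVE}(j, {}^{\wedge}\exists x(\mathrm{MAN}(x) \wedge \mathrm{WALK}(x)))$

While the quantifying-in version gives the de re reading:


$\lambda Y\lambda X\exists x({}^{\vee}Y(x) \wedge {}^{\vee}X(x))$    $\mathrm{MAN}$    $\lambda X\,{}^{\vee}X(x_1)$    $\mathrm{WALK}$

$\lambda X\exists x(\mathrm{MAN}(x) \wedge {}^{\vee}X(x))$    $\mathrm{BELIEVE}(j, {}^{\wedge}\mathrm{WALK}(x_1))$

$\lambda X\exists x(\mathrm{MAN}(x) \wedge {}^{\vee}X(x))({}^{\wedge}\lambda x_1\,\mathrm{BELIEVE}(j, {}^{\wedge}\mathrm{WALK}(x_1)))$    T8,1

$\exists x(\mathrm{MAN}(x) \wedge \mathrm{BELIEVE}(j, {}^{\wedge}\mathrm{WALK}(x)))$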


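In addition to epistemic modalities, we can give a treatment of sentential adverbs,
like necessarily, using the following two rules:


If $\alpha \in P_{S/S}$ and $\beta \in P_S$, then $F_{11}(\alpha, \beta) \in P_S$, and $F_{11}(\alpha, \beta) = \alpha\beta$ (S20)

If $\alpha \in P_{S/S}$, $\varphi \in P_S$, $\alpha \mapsto \alpha'$, and $\varphi \mapsto \varphi'$, then $F_{11}(\alpha, \varphi) \mapsto \alpha'({}^{\wedge}\varphi')$ (T20)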


However, we need to distinguish non-logical adverbs, like rarely, from logical ones, 
like necessarily, because we want the meaning of the former, but not the latter, to 
vary across models. This is accomplished through meaning postulates, an invention of 
Carnap’s [14], which can be used to relate logical constants with expressions and also 
to relate expressions with each other, e.g. bachelor with $\neg$married. The relevant meaning
postulate for necessarily would be: 


$\forall p\,\Box(\mathrm{NECESSARILY}(p) \leftrightarrow \Box\,{}^{\vee}p)$


We conclude this section with the example: Necessarily, John walks. 


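EXAMPLE 9.

$\lambda X({}^{\vee}X(j))$    $\mathrm{WALK}$

$\mathrm{NECESSARILY}$    $\mathrm{WALK}(j)$

$\mathrm{NECESSARILY}({}^{\wedge}\mathrm{WALK}(j))$    T20

$\Box\,{}^{\vee}({}^{\wedge}\mathrm{WALK}(j))$    MP

$\Box(\mathrm{WALK}(j))$    ${}^{\vee}{}^{\wedge}$-cancellation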


The preceding examples are meant to be illustrative of the way that higher-order 
intensional logic is used in Montague grammar to model the meanings of natural language 


1054 Lawrence S. Moss and Hans-Jörg Tiede 


expressions. There are many shortcomings of Montague’s framework, some formal and 
some empirical, the rectification of which can be seen as the motivation for the majority 
of the current approaches in semantic theory. See [24] and [75] for additional details of 
Montague grammar and for discussions of its shortcomings. 


3 SYNTAX 


3.1 Mathematical linguistics 


Mathematical linguistics is concerned with models of natural languages and linguistic 
theories and their formal properties, especially those theories about syntax. The prop- 
erties of interest are typically those of theoretical computer science, particularly from 
formal language theory, complexity theory, and learnability theory. Applications of logic 
to syntax combine the first two by giving tools to assess the complexity of formal lan- 
guages descriptively. This line of research is related to finite model theory [25] and 
descriptive complexity theory [40]. 

We will review the basics of formal language theory as it applies to this setting. For a 
more detailed introduction see Partee, ter Meulen, and Wall [72], or, at a more advanced 
level and including many applications of modal logic, Kracht [54]. In order to model 
natural language syntax mathematically, we use strings. An alphabet is a finite set $\Sigma$ of
symbols, and a string over $\Sigma$ is a finite sequence of elements of $\Sigma$. This includes the empty
sequence, denoted by $\varepsilon$. A fundamental operation on strings is string concatenation which
we will denote by juxtaposition. We denote the set of all strings over $\Sigma$ by $\Sigma^*$, and the
set of all non-empty strings by $\Sigma^+$. A (formal) language is a set of strings; i.e., a subset
of $\Sigma^*$. In the intended applications, $\Sigma$ is the set of words (or even morphemes) of a
natural language (rather than just letters of some alphabet), however, for the purpose 
of examples we will frequently just use letters. Mathematical linguistics uses formal 
languages as models of natural languages: we identify English with the set of English 
sentences. 

The purpose of grammatical theories is to distinguish the well-formed (grammatical) 
strings from the ill-formed (ungrammatical) strings. This can be achieved in a number 
of ways, using automata, grammars, algebras, or logic. However, it is an important 
assumption of linguistic theory, dating back at least to American Structuralism, that 
sentences of natural languages are not just linear sequences, but that they contain hier- 
archical structures: constituents. Furthermore, the division of a string into constituents 
plays an important part in semantics, since the principle of compositionality stipulates 
that the meaning of a string depends on the meaning of the words and the way they are 
put together, the latter of which can be captured by the constituent structure. While 
automata, algebras, and logics can be used to define languages, formal grammars play a 
central role in mathematical linguistics because they can associate a hierarchical struc- 
ture with the strings that they generate: the derivation tree. Note that not all formal 
grammars can associate derivation trees with the strings they generate, but for linguistic 
applications, grammars that do are typically more interesting. Thus, we distinguish the 
weak generative capacity, the set of strings generated by a grammar, from the strong 
generative capacity, the set of structural descriptions or trees assigned by the grammar 
to the strings that it generates. 

We will be referring frequently to a particular class of grammars and the languages 
they generate: the context-free grammars (CFGs) and context-free languages (CFLs).
CFGs are specified in terms of two alphabets, $\Sigma$ and $\Gamma$, which are called the terminal
and non-terminal alphabets, respectively. The terminal alphabet consists of the symbols
that make up the strings that the grammar generates; the non-terminal alphabet can
be thought of as corresponding to the syntactic categories of traditional grammar. In
addition, CFGs are specified in terms of a finite set of rules, P, and a distinguished
member of $\Gamma$, the start symbol, denoted by S. The rules in P are of the form $A \rightarrow w$,
where $w \in (\Sigma \cup \Gamma)^*$. CFGs derive strings of terminal symbols by successively rewriting
non-terminal symbols. Let $x, y, z \in (\Sigma \cup \Gamma)^*$, and $A \in \Gamma$. We write $xAz \Rightarrow_G xyz$ to
indicate that xyz can be obtained from xAz by using the rule $A \rightarrow y$ of G. We use $\Rightarrow_G^*$
to denote the reflexive, transitive closure of $\Rightarrow_G$. The language generated by a CFG, G,
denoted by L(G), is defined as


$$L(G) = \{\, w \mid w \in \Sigma^*,\ S \Rightarrow_G^* w \,\}$$


A language, L, is called a CFL if there is a CFG, G, such that L = L(G). 

The CFLs play a central role in mathematical linguistics; they are in some sense a 
yardstick, because they approximate many natural languages reasonably well
[33] and they can be processed efficiently [39]. On the other hand, many formalisms are 
defined for the explicit purpose of extending the weak generative capacity of CFGs, that 
is to obtain non-CF languages. The reason for this is that there are natural language 
phenomena that are not context-free [89]. There are also some proposals which only go 
beyond CFGs in terms of strong generative capacity, although they are weakly equivalent 
to CFGs. That is, they are interested in obtaining sets of structures which go beyond 
the sets of parse trees of CF languages, but which generate CF string languages. Both 
the Lambek calculus [101] and regular tree languages (see below) are examples of such 
proposals. 


3.2 Preliminary: logics of strings 


The logic of strings was first studied by logicians interested in decidability [10]. It was 
continued within formal language theory, and had an algebraic slant [77, 92]. The case of 
strings has not found many applications to linguistics, as the more involved settings below 
have. However, this simpler case is useful in getting an intuition about the more complex 
cases. For more detailed introductions to this area see Khoussainov and Nerode [45]
and Thomas [98]. 

First of all, our intended models are what we shall call string structures. These are 
Kripke frames of the form 


$$1 \rightarrow 2 \rightarrow \cdots \rightarrow n.$$


The idea is that a string on some alphabet gives rise to a frame as above. Adding 
a valuation amounts to specifying subsets of the model. Since we intend the atomic 
propositions to be the alphabet symbols, the subsets of the frame corresponding to these 
symbols correspond to the positions in the given word with the given symbols. Thus there 
is an extra condition that each world in the frame satisfy exactly one atomic sentence. A 
string model is a pair (W, v) consisting of a string structure W together with a valuation 
v that meets this extra condition. We usually omit the valuation from our notation. Let 
$\Sigma$ be an alphabet, considered also as a set of atomic propositions for our modal language.
A set of string models over $\Sigma$ corresponds to a subset of $\Sigma^+$ of non-empty words over $\Sigma$.
The correspondence associates to the string model (W, v) the string $W_1 \cdots W_n$, where n
is the length of W and each $W_i$ is the unique element of $\Sigma$ satisfied by i in the model W.


Syntax     Sentences      $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\rightarrow]\varphi \mid [\rightarrow^*]\varphi$
Semantics  Main Clauses   $W, i \models [\rightarrow]\varphi$ iff $W, i+1 \models \varphi$
                          $W, i \models [\rightarrow^*]\varphi$ iff for all $j > i$, $W, j \models \varphi$


Figure 5. Modal logic of strings: $\mathcal{L}(\rightarrow, \rightarrow^*)$


Modal Logic of Strings 


Figure 5 contains the basic modal logic of strings which we will call $\mathcal{L}(\rightarrow, \rightarrow^*)$. The
semantics in Figure 5 defines the relation $W, i \models \varphi$. We say that a string W satisfies a
formula $\varphi$ if $W, 1 \models \varphi$. A language L is definable in this (or another language) if there is
a sentence $\varphi$ so that L is exactly the set of strings satisfying $\varphi$.

In order to study the languages definable in $\mathcal{L}(\rightarrow, \rightarrow^*)$, we introduce a class of
languages, called the star-free languages (the reason for the name will become apparent
later). The star-free languages, which are defined in Figure 6, were introduced by
McNaughton and Papert [66] to study first-order (FO) definable languages. It should be
noted that star-free languages are sets of strings, and as such might well contain the
empty string $\varepsilon$. Since we are going to be interested in classes of models which correspond
to strings, and since the carrier sets of our models must be non-empty, we are going to be
interested in $\varepsilon$-free star languages as defined in Figure 7.


Syntax     Expressions   $r ::= 0 \mid 1 \mid a \mid rs \mid r + s \mid \neg r$
Semantics                $[\![0]\!] = \emptyset$
                         $[\![1]\!] = \{\varepsilon\}$
                         $[\![a]\!] = \{a\}$
                         $[\![rs]\!] = \{st \mid s \in [\![r]\!], t \in [\![s]\!]\}$
                         $[\![r + s]\!] = [\![r]\!] \cup [\![s]\!]$
                         $[\![\neg r]\!] = \Sigma^* - [\![r]\!]$


Figure 6. The syntax and semantics of star-free expressions


Syntax     Expressions   $r ::= 0 \mid a \mid rs \mid r + s \mid \neg r$
Semantics  Main Clause   $[\![\neg r]\!] = \Sigma^+ - [\![r]\!]$


Figure 7. The syntax and semantics of $\varepsilon$-free star-free expressions


Here are some examples of formulas in $\mathcal{L}(\rightarrow, \rightarrow^*)$ and the star-free languages that
correspond to them (taken from [19]). Notice that we are using regular expressions (see
below) to describe these star-free languages because they are shorter; these languages
can also be described with star-free expressions.

Syntax      Formulas      $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\to]\varphi \mid [\to^*]\varphi \mid U(\varphi, \psi)$ 
Semantics   Main Clause   $W, i \models U(\varphi, \psi)$ iff there exists a $j > i$, such that 
                          $W, j \models \varphi$, and for all $n$, $i < n < j$, $W, n \models \psi$ 


Figure 8. Temporal logic of strings: PTL 


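EXAMPLE 10. The language $(ab)^*$ is defined by the formula 

$$a \wedge \langle\to^*\rangle(b \wedge \neg\langle\to\rangle a \wedge \neg\langle\to\rangle b) \wedge \neg\langle\to^*\rangle(a \wedge \langle\to\rangle a) \wedge \neg\langle\to^*\rangle(b \wedge \langle\to\rangle b)$$ 


Here and in the following, $\langle\to\rangle\varphi$ abbreviates $\neg[\to]\neg\varphi$. This formula says that the first letter 
is an $a$, the last letter is a $b$, and there are no consecutive $a$'s or $b$'s. Notice that $(aa)^+$ 
is not $\mathcal{L}(\to, \to^*)$ definable; in fact it is not even FO definable. 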


EXAMPLE 11. Let A = {a,b,c}. The language A*a(a + c)* is defined by the formula 


$$\langle\to^*\rangle(a \wedge [\to]\neg\langle\to^*\rangle b)$$ 


The following proposition states the relationship between $\mathcal{L}(\to, \to^*)$ definability and 
star-freeness. There is also an algebraic characterization in Cohen et al. [19] which is 
omitted here. 


PROPOSITION 12. If $L \subseteq \Sigma^+$ is definable in $\mathcal{L}(\to, \to^*)$, then $L$ is star-free. 
However, there are star-free languages that are not definable in $\mathcal{L}(\to, \to^*)$. 


PROPOSITION 13. The language $a^*b(a + b + c)^*$ is not $\mathcal{L}(\to, \to^*)$ definable. 


Proof. We use a version of Ehrenfeucht games for $\mathcal{L}(\to, \to^*)$ between word models $W$ 
and $V$. The $r$-round game works exactly as in the standard game for modal logic on 
Kripke models. There are distinguished points in the two models, and they are updated 
in each round of a play. The difference from the standard games is that player I may 
decide at each round to play a standard move or else a $*$-move. In the $*$-move, I picks 
one of the two structures and moves the distinguished point (say $w_i$) to some $w_j$ with 
$j > i$. Then II does the same in the other structure. If the distinguished points are 
labelled differently at any round, then I wins the play; otherwise II wins. 

To show that $L = a^*b(a + b + c)^*$ is not definable, we show that for each $r$ there are 
words $w$ and $v$ such that $w \in L$ and $v \notin L$, but player II has a winning strategy in the 
$r$-round game on the string models corresponding to $w$ and $v$. We take 


w = al bd(a™ea"b)" 
v a(a”ca"b)". 


II 


Let $n_i(b, W)$ be the number of $b$ points strictly greater than the distinguished point in 
$W$ at the end of round $i$; similarly for $n_i(b, V)$. The winning strategy for player II 
is to match a $b$ with a $b$ and a $c$ with a $c$, and to maintain the assertion that either 
$n_i(b, W) = n_i(b, V)$, or else both numbers are at least $r - i$ (and similarly for $c$). □ 

Syntax      Expressions    $r ::= 0 \mid a \mid rs \mid r + s \mid r^+$ 
Semantics   Main Clauses   $[\![r^+]\!] = \bigcup_{n \geq 1} [\![r]\!]^n$, 
                           where $[\![r]\!]^1 = [\![r]\!]$ and $[\![r]\!]^{n+1} = [\![r]\!]^n [\![r]\!]$ 


Figure 9. The syntax and semantics of $\varepsilon$-free regular expressions 


Temporal Logic of Strings 


We can define all star-free languages if we add the temporal operator U, called until. 
This logic, which we will call PTL, is defined in Figure 8. We can define the language 
from Proposition 13 in PTL. 


EXAMPLE 14. The language a*b(a + b + c)* is defined by the following formula 


U(b, a) 


Thus, adding U gives us a more expressive language. In fact, Etessami and Wilke 
[26] have shown that there is an “until hierarchy,” based on the nesting depth of U. 
The following theorem characterizes the expressive power of PTL extending the classical 
characterization of temporal logic by Kamp [44]. 


THEOREM 15. The following are equivalent for a language $L \subseteq \Sigma^+$: 


1. L is FO definable (over the signature < and monadic predicates corresponding to 
the alphabet letters). 


2. L is definable in PTL. 


3. L is star-free. 


Proof. The equivalence (1) iff (3) is due to McNaughton [66]. For an accessible proof, 
see [25]. The equivalence (1) iff (2) uses Gabbay’s [31] separation method, but can also 
be proved algebraically [19]. See also [30]. □ 


EXAMPLE 16. The language $(aa)^+$ is not PTL definable. 
Proof. See [92]. □ 


We will now consider an extension of the star-free languages, called the regular lan- 
guages, defined in Figure 9. 


Propositional Dynamic Logic of Strings 


The regular languages were first logically characterized by Büchi who showed that they 
correspond to the languages definable in the monadic second order logic of strings (MSO). 
We will use propositional dynamic logic (PDL), defined in Figure 10, to characterize them. 
First, notice that (aa)* is definable: 


EXAMPLE 17. The language (aa)* is defined by 


a^ (>)a A [>;a?; >; a?|*a(3)T 

We will now define the automata theoretic model of the regular languages: finite 
automata. A finite automaton (FA) $M$ is a structure $(\Sigma, Q, F, q_0, \Delta)$ where $\Sigma$ is an alphabet, 
$Q$ is a finite set of states, $F \subseteq Q$ is the set of final states, $q_0$ is the initial state, and $\Delta$ is 
a finite set of transition rules of the form $(q, a) \to p$ with $a \in \Sigma$ and $p, q \in Q$. We define 
the transition relation $\Rightarrow_M \subseteq (Q \times \Sigma^*) \times (Q \times \Sigma^*)$ inductively as follows: 


$(q, \varepsilon) \Rightarrow_M (q, \varepsilon)$ 
$(q, aw) \Rightarrow_M (p, w)$ 


where $(q, a) \to p$ is a transition rule in $\Delta$. We say that $M$ accepts a string $w$ if $(q_0, w) \Rightarrow_M^* (p, \varepsilon)$ 
where $p \in F$ and $\Rightarrow_M^*$ is the reflexive, transitive closure of $\Rightarrow_M$. Given an FA $M$, 
the language accepted by $M$, denoted by $L(M)$, is defined as 


$$L(M) = \{w \mid (q_0, w) \Rightarrow_M^* (p, \varepsilon),\ p \in F\}$$ 


One interesting observation, using the automata theoretic characterization of regular 
languages, is that they are closed under complementation (notice that “$-$” is not included 
in the definition of regular expressions). 


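Syntax      Formulas       $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\pi]\varphi$ 
            Programs       $\pi ::= \to \mid ?\varphi \mid \pi;\sigma \mid \pi \cup \sigma \mid \pi^*$ 
Semantics   Main Clauses   $W, i \models [\pi]\varphi$ iff for all $j$ such that 
                           $(i, j) \in [\![\pi]\!]_W$, $W, j \models \varphi$ 
                           $[\![?\varphi]\!]_W = \{(i, i) : i \in [\![\varphi]\!]_W\}$ 
                           $[\![\pi;\sigma]\!]_W = [\![\pi]\!]_W ; [\![\sigma]\!]_W$ 
                           $[\![\pi \cup \sigma]\!]_W = [\![\pi]\!]_W \cup [\![\sigma]\!]_W$ 
                           $[\![\pi^*]\!]_W = ([\![\pi]\!]_W)^*$ 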


Figure 10. Propositional Dynamic Logic (PDL) on string models 


THEOREM 18. The following are equivalent for a language $L \subseteq \Sigma^+$: 
1. L is definable in PDL. 
2. L is definable in MSO. 
3. L is regular. 
4. L is accepted by an FA. 


Proof. The equivalence (2) iff (3) is Büchi’s theorem. Again, see [25] for an accessible 
proof. The equivalence (3) iff (4) is known as Kleene’s theorem, see e.g. [39]. For a proof 
of the equivalence (1) iff (3), see Kracht [53]. □ 


Two interesting results that use algebraic proofs show that it is decidable whether a 
regular language is definable in $\mathcal{L}(\to, \to^*)$ or in PTL [19]. Since it is decidable for any 
regular language $L$ whether $L = \Sigma^+$, it is decidable whether a formula in MSO is valid 
over string models [10]. 

Variations 


Other non-modal logics that have been studied in the context of strings include monadic 
transitive closure (MTC) [3] and least fixed point (MLFP) logic [79], as well as logics 
with modular counting quantifiers [93]. The latter are of interest because they allow 
FO logic to be extended so that $(aa)^*$ becomes definable without going to the full power of MSO. 
The logics MTC and MLFP define precisely the regular languages, since it is easy to see 
that PDL $\leq$ MTC $\leq$ LFP $\leq$ MSO. The equivalence then follows from Theorem 18. 


Extensions 


The first proof that a natural language is not regular was given by Chomsky [16, 17]. 
Thus, we would have to find stronger logics to describe natural languages within this 
framework. This is however not the line of research pursued (Rounds [85] being a 
notable exception), for two reasons. First, decidability of the logical formalism employed 
is of some importance, as this line of research ultimately aims to contribute to 
computational linguistics. However, trying to find decidable extensions of PDL or MSO is quite 
challenging (a point we will revisit later). There exists a characterization of the CFLs in 
terms of an extension of MSO [58], allowing quantification over special kinds of binary 
relations, so-called “matchings”. Even though the question whether this logic is decidable 
is not addressed there, validity is undecidable for any logic characterizing CFLs, since 
the question whether $L(G) = \Sigma^*$ is undecidable for CFGs. Such logics are also bound 
to be odd, since CFLs are not closed under complementation. The second problem is 
that using a logic for strings does not give a notion of strong generative capacity: the 
process of verifying that a formula is true of a string does not assign a structure to that 
string, as the process of deriving a string using a grammar does. 


Digression 


One point which should be of interest to modal logicians concerns the sense in which 
words are like (modal) sentences. The analogy is neatly captured in coalgebra (see 
Chapter 6), especially in studies pertaining to coalgebraic logic. We are considering 
several functors on the category of sets. Here $P$ is the power set functor, and $P_f$ is the 
finite power set functor. AtProp is a set of atomic propositions, and $A$ is an alphabet. 
We have the following analogies: 


                         | Kripke semantics          | automata 
Functor $F(x)$ on sets   | $P(x) \times P(AtProp)$   | deterministic: $x^A \times \{0,1\}$ 
                         |                           | non-deterministic: $P(x)^A \times \{0,1\}$ 
coalgebra                | Kripke model              | deterministic automaton 
final coalgebra          | canonical model           | regular languages 
notion of equivalence    | bisimulation              | bisimulation 


Kripke models, deterministic, and non-deterministic automata are described as 
coalgebras of the given functors. In both cases, the elements of the carrier of the coalgebra 
may be thought of as states. (However, coalgebras do not include specified “real worlds” 
or “start states”.) In the case of the automata, the state sets might be infinite, but our 
use of $P_f$ ensures that they will be finitely branching. The set $\{0,1\}$ in the automata 
functors is there to equip the state set with accepting and non-accepting states. The final 
coalgebra in each case turns out to be an important mathematical object, and the reader 
can see the sense in which the canonical model is the analog of the regular languages. 
Indeed, modal sentences might be thought of as the record of “possible observations” on 
Kripke models in the same way that words are on automata. Finally, from coalgebra 
we have a very general notion of equivalence, the coalgebraic bisimulation. The special 
cases of this are bisimulation of Kripke models and also the bisimulation of automata 
(the largest such is the Myhill-Nerode equivalence relation). See Rutten [86] for more 
information on the connection between automata and coalgebra. 


3.3 Logics of trees 


Since extending the logic of strings to capture more complex string languages than the 
regular languages often leads to undecidability, one approach to extending the coverage 
of our logic is to describe more complex structures: move from strings to trees. Thus, 
the Kripke structures we will be considering are trees, and the logics will contain more 
complicated modalities to describe trees. One immediate advantage of this approach for 
linguistic purposes is that these logics will automatically be connected to strong genera- 
tive capacity, since they describe sets of trees. One disadvantage is that the recognition or 
parsing problem, which in the string case just amounts to model checking, now involves 
satisfiability checking (see below). 

The extension of the descriptive approach to trees was originally also motivated by 
decidability questions [97]. Even though the connections to CFLs were pointed out 
by Thatcher [95], this line of research did not find applications in linguistics until the 
development of constraint based grammar formalisms which replaced the derivational 
approach to natural language syntax. The work of Rogers [83], Kracht [54], and others 
provided formal models for these constraint based grammar formalisms and established 
formal language theoretic results for them at the same time. 

As mentioned above our Kripke structures will now be trees. We will use the concept 
of tree domains [35] to define such Kripke structures. A (finite, binary) tree domain, T, 
is a finite subset of $\{0,1\}^*$, such that for all $u, v \in \{0,1\}^*$ 


1. if $uv \in T$, then $u \in T$, and 
2. if $u1 \in T$, then $u0 \in T$. 


A string in T describes a path from the root to a node, where 0 means “go left” and 1 
means “go right”. We identify nodes with the path leading to them. Thus, $\varepsilon$ is the root. 
The first condition above says that if there is a path to a node, then there is a path to 
any node above it (this is called prefix closure). The second condition says that if a node 
has a right daughter, then it has a left daughter (called left sibling closure). 

The main relations between nodes in a tree that are of interest in linguistics are 
domination and linear precedence. We say that a node $u \in T$ dominates a node 
$v \in T$ if for some $w \in \{0,1\}^*$, $v = uw$. A special case of domination is the parent-of 
relation, defined by: $u$ is the parent of $v$ if $v = u0$ or $v = u1$. We say that $u$ linearly 
precedes $v$ if for some $x, y, z \in \{0,1\}^*$, $u = x0y$ and $v = x1z$. Following Rogers [83], 
we will denote the domination relation by $\triangleleft^*$, the parent-of relation by $\triangleleft$, and linear 
precedence by $\prec$. Thus, our Kripke frames will be variations of the form $(T, \triangleleft, \triangleleft^*, \prec)$, 
where $T$ is a tree domain. 
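
The two closure conditions and the three relations can be checked mechanically. The following Python sketch is an added example, not part of the handbook; nodes are strings over 0 and 1, and the function names and the sample domain are assumptions of the example. It also checks that any two distinct nodes of a tree domain are related by exactly one of domination or linear precedence, in one direction or the other.

```python
def is_tree_domain(nodes):
    """Check prefix closure and left sibling closure for a set of 0/1 strings."""
    nodes = set(nodes)
    for u in nodes:
        if set(u) - {"0", "1"}:
            return False
        # Prefix closure: checking the parent of every node is enough,
        # because the parent is itself a member and is checked in turn.
        if u and u[:-1] not in nodes:
            return False
        # Left sibling closure: a right daughter u1 needs the left daughter u0.
        if u.endswith("1") and u[:-1] + "0" not in nodes:
            return False
    return True


def dominates(u, v):
    """u dominates v iff v = uw for some w (w may be empty)."""
    return v.startswith(u)


def parent_of(u, v):
    """u is the parent of v iff v = u0 or v = u1."""
    return v in (u + "0", u + "1")


def precedes(u, v):
    """u linearly precedes v iff u = x0y and v = x1z for some x, y, z."""
    for a, b in zip(u, v):
        if a != b:
            return a == "0" and b == "1"
    return False  # one node is a prefix of the other


def relations(u, v):
    """Names of the relations that hold between two distinct nodes u and v."""
    checks = {
        "u dominates v": dominates(u, v),
        "v dominates u": dominates(v, u),
        "u precedes v": precedes(u, v),
        "v precedes u": precedes(v, u),
    }
    return [name for name, holds in checks.items() if holds]


def exactly_one_relation(nodes):
    """True if every pair of distinct nodes stands in exactly one relation."""
    return all(len(relations(u, v)) == 1
               for u in nodes for v in nodes if u != v)


# Constructed sample: root, two daughters, and two daughters of the left one.
SAMPLE = {"", "0", "1", "00", "01"}
```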

Regular tree languages 


In order to generalize from strings to labeled trees, we will now consider ranked alphabets 
in which each symbol has an arity or rank. For surveys of tree languages see Gécseg and 
Steinby [34] or Thatcher [96]. Let $\Sigma$ be a ranked alphabet. We will denote the set of 
$n$-ary symbols in $\Sigma$ by $\Sigma_n$. The set of terms over $\Sigma$ is denoted by $T_\Sigma$. A subset of $T_\Sigma$ is 
called a tree language. 

In a number of settings, trees are considered to be labeled with boolean features, rather 
than with ranked symbols. We note that these two approaches are commensurable using the 
following representation. Given a finite set of boolean features $F = \{f_1, \ldots, f_n\}$, the 
binary ranked alphabet based on $F$, $\Sigma^F$, is defined as 


$$\Sigma^F = \{f_1, \neg f_1\} \times \cdots \times \{f_n, \neg f_n\} \times \{0, 2\}$$ 


where each $f_i$, $\neg f_i$ represents whether or not a feature holds at a given node and 0 or 
1 represent the arity of the symbol. Thus, $(f_1, \neg f_2, 0)$ would be a leaf symbol, and 
$(f_1, \neg f_2, 2)$ would be an internal node symbol. The previous definition can be easily 
generalized to trees of any arity. 

The yield of a tree, $t$, is the string over $\Sigma_0$ which is obtained by concatenating the 
symbols at the leaves of $t$ from left to right, or more formally: 


$yield(c) = c$, for $c \in \Sigma_0$ 
$yield(f(t_1, \ldots, t_n)) = yield(t_1) \cdots yield(t_n)$, for $f \in \Sigma_n$ 


A (bottom-up, non-deterministic) finite tree automaton (FTA) $M$ is a structure of the 
form $(\Sigma, Q, F, \Delta)$ where $\Sigma$ is a ranked alphabet, $Q$ is a finite set of states, $F \subseteq Q$ is the 
set of final states, and $\Delta$ is a finite set of transition rules of the form $f(q_1, \ldots, q_n) \to q$ 
with $f \in \Sigma_n$ and $q, q_1, \ldots, q_n \in Q$. An FTA is deterministic if there are no two transition 
rules with the same left-hand side. It can be shown that the bottom-up variety of finite 
tree automata can be determinized, while the top-down variety cannot. 

A context $s$ is a term over $\Sigma \cup \{x\}$ containing the zero-ary term $x$ exactly once. We 
write $s[x \mapsto t]$ for the term that results from substituting $x$ in $s$ with $t$. Given a finite 
tree automaton $M = (\Sigma, Q, F, \Delta)$ the derivation relation $\Rightarrow_M \subseteq T_{\Sigma \cup Q} \times T_{\Sigma \cup Q}$ is defined 
by $t \Rightarrow_M t'$ if for some context $s \in T_{\Sigma \cup Q \cup \{x\}}$ there is a rule $f(q_1, \ldots, q_n) \to q$ in $\Delta$, and 


$t = s[x \mapsto f(q_1, \ldots, q_n)]$ 
$t' = s[x \mapsto q]$ 


We use $\Rightarrow_M^*$ to denote the reflexive, transitive closure of $\Rightarrow_M$. A finite tree automaton $M$ 
accepts a term $t \in T_\Sigma$ if $t \Rightarrow_M^* q$ for some $q \in F$. The tree language accepted by a finite 
tree automaton $M$, $L(M)$, is 


$$L(M) = \{t \in T_\Sigma \mid t \Rightarrow_M^* q, \text{ for some } q \in F\}.$$ 


A tree language, L, is regular if L = L(M) for some FTA M. 

The following example is concerned with the Circuit Value Problem (CVP), in which 
the trees labeled with boolean functions are evaluated. It is interesting to note that a 
number of separation results of logically defined tree languages use trees labeled with 
boolean functions [79]. 
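
EXAMPLE 19. Let $\Sigma = \{\wedge, \vee, 0, 1\}$. The tree language $CVP \subseteq T_\Sigma$ such that each tree 
in CVP evaluates to true can be accepted by the following FTA, $M = (\Sigma, Q, F, \Delta)$, 
where 


$Q = \{t, f\}$ 
$F = \{t\}$ 
and 
$\Delta = \{\ 0 \to f,\quad 1 \to t,$ 
$\qquad \wedge(t, t) \to t,\quad \wedge(t, f) \to f,$ 
$\qquad \wedge(f, t) \to f,\quad \wedge(f, f) \to f,$ 
$\qquad \vee(t, t) \to t,\quad \vee(t, f) \to t,$ 
$\qquad \vee(f, t) \to t,\quad \vee(f, f) \to f\ \}$ 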


Given a finite set of features $F = \{f_1, \ldots, f_n\}$ and a feature $f_i \in F$, we define the 
projection, $\pi$, that eliminates $f_i$ in the natural way: 


$$\pi : \Sigma^F \to \Sigma^{F - \{f_i\}}$$ 

This definition can be extended to arbitrary subsets $G \subseteq F$, where 

$$\pi : \Sigma^F \to \Sigma^{F-G}$$ 


Given a projection $\pi : \Sigma^F \to \Sigma^{F-G}$, we extend $\pi$ to a tree homomorphism 
$\pi : T_{\Sigma^F} \to T_{\Sigma^{F-G}}$ as follows: 


T(f(ti,.--,tn)) = 


with $c \in \Sigma_0$ and $f \in \Sigma_n$, $n > 0$. For a tree language $L$, we define $\pi(L) = \{\pi(t) \mid t \in L\}$. 
We will consider the relationship between regular tree languages and the derivation 
trees of CFGs. 


PROPOSITION 20. (Thatcher [95]) If $L \subseteq T_\Sigma$ is a regular tree language, then 
$\{yield(t) \mid t \in L\}$ is a CFL. 


While the yields of regular tree languages are CFLs, regular tree languages are more 
complex than the derivation trees of CFGs. In order to compare the regular tree languages 
to the derivation trees of CFGs, we formalize the latter using the local tree languages. 

The fork of a tree t, fork(t), is defined by 


fork(c) = 
$fork(f(t_1, \ldots, t_n)) = \{(f, root(t_1), \ldots, root(t_n))\} \cup \bigcup_{i=1}^{n} fork(t_i)$ 


with $c \in \Sigma_0$, $f \in \Sigma_n$, $n > 0$, and root being the function that returns the symbol at the 
root of its argument. For a tree language $L$, we define 


$$fork(L) = \bigcup_{t \in L} fork(t)$$ 


The intuition behind the definition of fork is that an element of $fork(T_\Sigma)$ corresponds to 
a rewrite rule of a CFG. Note that $fork(T_\Sigma)$ is always finite, since $\Sigma$ is finite. 

A tree language $L \subseteq T_\Sigma$ is local if there are sets $R \subseteq \Sigma$ and $E \subseteq fork(T_\Sigma)$, such that, 
for all $t \in T_\Sigma$, $t \in L$ iff $root(t) \in R$ and $fork(t) \subseteq E$. 

We quote without proof the following two theorems by Thatcher [95]. 


THEOREM 21. (Thatcher [95]) A tree language is a set of derivation trees of some CFG 
iff it is local. 


THEOREM 22. (Thatcher [95]) Every local tree language is regular. 


While there are regular tree languages that are not local, the following theorem, also 
due to [95], demonstrates that we can obtain the regular tree languages from the local 
tree languages via projections. We will review the main points of the proof, because we 
will use some of its details later on. 


THEOREM 23. (Thatcher [95]) For every regular tree language $L$, there is a local tree 
language $L'$ and a one-to-one projection $\pi$, such that $L = \pi(L')$. 


Proof. Let $L$ be a regular tree language. Assume that $L$ is accepted by the deterministic 
FTA $M = (\Sigma, Q, F, \Delta)$. We define $L'$ in terms of $R$ and $E$ as follows: $R = \Sigma \times F$ and 


$$E = \{((f, q), (f_1, q_1), \ldots, (f_n, q_n)) \mid f(q_1, \ldots, q_n) \to q \in \Delta,\ f_1, \ldots, f_n \in \Sigma\}$$ 


We then define $L' = \{t \in T_{\Sigma \times Q} \mid root(t) \in R, fork(t) \subseteq E\}$. Notice that the trees in $L'$ 
encode runs of $M$. The tree homomorphism $\pi$ based on the projection $\pi : \Sigma \times Q \to \Sigma$ 
maps $L'$ to $L$, as can be easily verified. 

It should be noted that, since $M$ is deterministic, there exists exactly one accepting 
run for each tree in $L(M)$ and thus the homomorphism $\pi : L' \to L$ is one-to-one. □ 
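
The automaton of Example 19 and the construction in the proof of Theorem 23 can be run directly. The following Python sketch is an added example, not part of the handbook: terms are nested tuples, the symbols ∧ and ∨ are written "and" and "or", and all function names and sample trees are assumptions. It additionally treats a leaf label as a one-element fork, so that the nullary rules are checked as well; this too is an assumption of the example.

```python
from itertools import product

# Ranked alphabet of Example 19: constants 0, 1 and binary "and", "or".
RANK = {"0": 0, "1": 0, "and": 2, "or": 2}
FINAL = {"t"}

# Deterministic bottom-up rules f(q1, ..., qn) -> q, keyed by (f, q1, ..., qn).
DELTA = {("0",): "f", ("1",): "t"}
for x, y in product("tf", repeat=2):
    DELTA[("and", x, y)] = "t" if (x, y) == ("t", "t") else "f"
    DELTA[("or", x, y)] = "f" if (x, y) == ("f", "f") else "t"


def run(term):
    """Return the run of the automaton on term as a tree over Sigma x Q.

    A term is a nested tuple (symbol, subterm, ...); the result has the same
    shape with every symbol replaced by the pair (symbol, state).
    """
    symbol, *children = term
    annotated = [run(child) for child in children]
    state = DELTA[(symbol, *(child[0][1] for child in annotated))]
    return ((symbol, state), *annotated)


def accepts(term):
    """The term is accepted iff the state reached at the root is final."""
    return run(term)[0][1] in FINAL


def fork(tree):
    """Set of (parent label, child labels...) tuples, one per node.

    Assumption of this example: a leaf contributes the one-element tuple
    (label,), so that the nullary rules c -> q are checked as well.
    """
    label, *children = tree
    forks = {(label, *(child[0] for child in children))}
    for child in children:
        forks |= fork(child)
    return forks


# R and E from the proof of Theorem 23, built from DELTA.
R = {(f, q) for f in RANK for q in FINAL}
E = set()
for (f, *states), q in DELTA.items():
    for symbols in product(RANK, repeat=len(states)):
        E.add(((f, q), *zip(symbols, states)))


def in_local(tree):
    """Membership in L': root label in R and every fork in E."""
    return tree[0] in R and fork(tree) <= E


def project(tree):
    """Tree homomorphism induced by the projection Sigma x Q -> Sigma."""
    (symbol, _state), *children = tree
    return (symbol, *(project(child) for child in children))


def labelings(term):
    """All trees over Sigma x Q that project to term."""
    symbol, *children = term
    for state in "tf":
        for kids in product(*(list(labelings(c)) for c in children)):
            yield ((symbol, state), *kids)


# Constructed samples: (1 and 0) or 1 is true, (0 or 0) and 1 is false.
T_TRUE = ("or", ("and", ("1",), ("0",)), ("1",))
T_FALSE = ("and", ("or", ("0",), ("0",)), ("1",))
```

Counting the members of `labelings(T_TRUE)` that pass `in_local` gives exactly one tree, which is the one-to-one property used at the end of the proof.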


This rather technical result is of some importance in the context of linguistic applica- 
tion, for it implies that we can use frameworks of lower complexity to describe the same 
structures as a more complex framework if we use more complex categories or features. 
Since we can also add new categories as names for the more complex ones, we can use 
a less complex framework to describe the same structures as a more complex framework 
by adding more categories. Thus, parsimony would seem to imply that we should always 
use the simpler framework. However, from the point of view of linguistics, the use of complex 
or additional features needs to be justified. To further elaborate on the previous point, 
we will have to keep in mind that all of the logics we will consider can define the local 
tree languages and all the languages they can define are regular. Thus undefinability will 
always mean undefinability over a fixed finite set of propositional variables, since we can 
always define a regular, undefinable tree language by using more features. 


The basic modal logic of trees: $\mathcal{L}_{core}$ 


To the best of our knowledge, the first explicit use of modal logic to define tree languages 
can be found in [7]. Two variations of this logic were considered in [8, 9], of which we 

Syntax      Formulas       $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\pi]\varphi$ 
            Programs       $\pi ::= \to \mid \leftarrow \mid \uparrow \mid \downarrow \mid \pi^*$ 
Semantics   Main Clauses   $[\![\to]\!]_T = \{(u0, u1) \mid u1 \in T\}$ 
                           $[\![\leftarrow]\!]_T = \{(u1, u0) \mid u1 \in T\}$ 
                           $[\![\downarrow]\!]_T = \{(u, ui) \mid i \in \{0,1\}, ui \in T\}$ 
                           $[\![\uparrow]\!]_T = \{(ui, u) \mid i \in \{0,1\}, ui \in T\}$ 


Figure 11. Modal logic of trees: $\mathcal{L}_{core}$ 


will consider the latter. The basic modal logic of trees, $\mathcal{L}_{core}$, is defined in Figure 11. 
Again, we say that a tree $T$ satisfies a formula $\varphi$ if $T, \varepsilon \models \varphi$. A language $L$ is definable 
in this (or another language) if there is a sentence $\varphi$ so that $L$ is exactly the set of trees 
satisfying $\varphi$. 

The following proposition establishes that $\mathcal{L}_{core}$ is expressive enough to define any 
binary branching, local tree language. The restriction to binary branching is only due to 
the fact that we defined our tree domains to be binary branching. 


PROPOSITION 24. Let $L \subseteq T_\Sigma$ be a local tree language. There is a sentence $\varphi_G$ in 
$\mathcal{L}_{core}$ that defines $L$. 


Proof. By Theorem 21, there is a CFG $G$ such that $L$ is equal to the derivation trees 
of $G$. Let $G = (\Sigma, \Gamma, P, S)$. Since we are only considering binary branching trees, every 
rule in $P$ is of the form $A \to BC$ or $A \to a$ with $A, B, C \in \Gamma$ and $a \in \Sigma$. We can simply 
encode the rules directly in our logic: 


A> V Ea) 


A—BCEP 


and 


A> VE (a) 


A—aeP 


This ensures that the models of $\varphi_G$ are parse trees of $G$. However, we further need to 
ensure only the parse trees of $G$ model $\varphi_G$. So, we need to express that each node makes 
exactly one symbol true: 


WIC V aa A Cav -8)) 


ac (SUP) a+b 


that the start symbol of the grammar is true at the root: S, that the terminal symbols 
are true at the leaves: 


LIV a aT) 


aed 


and that the non-terminal symbols are true at the internal nodes 


ICY 4 0T) 


AET 

As is observed by Blackburn and Meyer-Viol, this translation of a CFG into logical 
formulas brings with it a change in perspective. Instead of a procedural or derivational 
perspective that considers CFG rules to be rewrite rules, we move to a declarative or 
descriptive perspective that considers CFG rules to be constraints. This change in 
perspective is the main motivation for the application of logic in syntax, because of a similar 
change in perspective that occurred in a number of grammar formalisms proposed by 
linguists in the 1980s, most notably Chomsky’s “Government and Binding” (GB) [18] and 
Gazdar, Klein, Pullum, and Sag’s “Generalized Phrase Structure Grammar” (GPSG) 
[33]. 


ID/LP Grammars 


The rules of a CFG encode two kinds of information: the categories of a node and its 
children, and the order in which the categories of the children occur. Thus, a rule of 
the form $A \to BC$ tells us that a node labeled $A$ can have two children, one labeled 
$B$, the other $C$, and that the node labeled $B$ precedes the node labeled $C$. Linguists 
have observed that separating these two notions can lead to more compact grammars. 
Thus, ID/LP grammars have been proposed that consist of unordered rewrite (immediate 
dominance or ID) rules, $A \to B, C$, and linear precedence (LP) rules, $B < C$. Linear 
precedence rules only apply to sisters, which is why we used $<$ rather than $\prec$ which 
applies to arbitrary nodes. 

ID/LP grammars can be very naturally expressed in $\mathcal{L}_{core}$; in fact ID/LP grammars 
are, in some sense, a very limited logic for trees. See Gazdar et al. [33] or Shieber [88] 
for applications and detailed examinations of ID/LP grammars. 


Variations of $\mathcal{L}_{core}$ 


Two additional basic modal logics of trees have been considered by Blackburn and 
associates [7, 8]. The first includes the connectives $\varphi \Rightarrow \psi$ and $\bullet(\varphi_1, \ldots, \varphi_n)$. The latter 
is used in the context of trees with $n$ children, so we will only consider the case where 
$n$ is 2. Their semantics are given by $T, v \models \varphi \Rightarrow \psi$ iff for all $u$, $T, u \models \varphi \to \psi$, and 
$T, v \models \bullet(\varphi, \psi)$ iff $T, v0 \models \varphi$ and $T, v1 \models \psi$. Notice that the purpose of $\bullet$ is to combine 
immediate dominance and linear precedence into one connective. 

Blackburn and Meyer-Viol [8] define a modal logic of trees that differs from $\mathcal{L}_{core}$ in 
that it contains modalities for the left and right daughter: $\downarrow_1$, $\downarrow_2$. 


Temporal Logic of Trees 


We now move on to an extension of $\mathcal{L}_{core}$, temporal logic. The syntax and semantics of 
propositional tense logic on trees, $\mathcal{X}_{until}$, is defined in Figure 12. The main application of 
$\mathcal{X}_{until}$ was given by Palm [70], though with a different formulation which we will consider 
below. We follow here the formulation of Marx [63], because it lends itself to a more 
direct proof of equivalence with FO. 


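THEOREM 25. [63] The following are equivalent for a tree language $L \subseteq T_\Sigma$: 
1. L is FO definable. 
2. L is definable in $\mathcal{X}_{until}$. 


Syntax      $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid U_\to(\varphi, \psi) \mid U_\leftarrow(\varphi, \psi) \mid U_\uparrow(\varphi, \psi) \mid U_\downarrow(\varphi, \psi)$ 
Semantics   $T, u \models U_\downarrow(\varphi, \psi)$ iff there exists a $v$ such that $u \triangleleft^* v$, 
            $T, v \models \varphi$, and for all $w$ such that $u \triangleleft^* w \triangleleft^* v$, $T, w \models \psi$ 


Figure 12. Temporal logic of trees: $\mathcal{X}_{until}$ (only one clause in the semantics) 


Syntax      Formulas       $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\pi]\varphi$ 
            Programs       $\pi ::= \to \mid \leftarrow \mid \uparrow \mid \downarrow \mid \pi_\varphi \mid \pi^*$ 
Semantics   Main Clauses   $[\![\pi_\varphi]\!]_T = \{(u, v) \mid (u, v) \in [\![\pi]\!]_T, T, u \models \varphi\}$ 


Figure 13. Conditional path logic of trees: $\mathcal{L}_{cp}$ 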


While the notion of regular expressions can be generalized to trees, the correspondence 
between star-free expressions and FO (or $\mathcal{X}_{until}$) definability breaks down at this level. In 
fact, Thomas and Potthoff [81] showed that every regular language that does not contain 
unary branching symbols is star-free. The question whether FO definability of regular 
tree language is decidable is still open. 


Variations of $\mathcal{X}_{until}$ 


As was mentioned above, Palm’s [70] application of $\mathcal{X}_{until}$ was carried out using a different 
formulation which he called propositional tense logic and which Afanasiev et al. [1] called 
conditional path logic, $\mathcal{L}_{cp}$. The syntax and semantics of $\mathcal{L}_{cp}$ are defined in Figure 13. 


X-bar theory 


As was mentioned above, which non-terminals are used in a natural language grammar 
matters to linguists. The point again is that the label assigned to a node in a tree signifies 
the grammatical category of the constituent it dominates. One theory of the organization 
of non-terminals and their rules is X-bar theory, which provides the foundation for a 
variety of grammar formalisms, including GB and GPSG. There are many variations 
of X-bar theory, so the particular formulation discussed here may not agree with those 
found in other places. 

In terms of the organization of the non-terminals of a grammar, X-bar theory stipu- 
lates that there is a finite set of lexical categories, like N(oun), V(erb), P(reposition), 
A(djective), Adv(erb), corresponding to the parts of speech, and that all other non- 
terminals are projections of the lexical categories. The idea of a projection is best mo- 
tivated by the following example. The constituent tall man consists of two words, a 
noun and an adjective. When considering what the category of the constituent should 
be, we should take into account that tall man behaves more like a noun than like an 
adjective, which can be verified by substituting tall man for a noun in a sentence, pre- 
serving grammaticality, and substituting it for an adjective in a sentence, not preserving 
grammaticality. Thus, the category of tall man should be derived from the category of 
man. The category that X-bar theory assigns to the phrase is called N’ (pronounced 
N-bar). N’ is a projection of N. While X-bar theory within GB considered N and N’ 
as atomic categories, the idea that the bar-level of a node is a syntactic feature is due to 
GPSG. 

While there are various proposals for X-bar theory, we will assume that all rules of an 
X-bar grammar should be of the form 


(11) $X'' \to X', Y''$ 
(12) $X' \to X', Y''$ 
(13) $X' \to X, Y''$ 


The non-terminal Y” has different roles in the three rule schemata, each of which has 
a name in X-bar theory. In rule schema (11), Y” is called the specifier; in rule schema 
(12), it is called the adjunct, and in rule schema (13), it is called the complement. In 
each of the rules, the X or X’ on the right hand side is called the head. 

It has been observed in a variety of contexts [48, 51, 70] that it is desirable to dispense 
with the bar-feature and to define the constraints posed by the X-bar schemata in terms 
of projections. Thus, we would like to define a constraint that states that every node 
has a path to a leaf such that the node, the leaf, and all the nodes on the path have the 
same lexical features. This can be expressed in $\mathcal{L}_{cp}$ as follows. First, we state that a feature 
$\varphi$ belongs to a head: 

$$hd\ \varphi \equiv \varphi \wedge head$$ 


Then, we state that a feature $\varphi$ is projected from a leaf: 


$$proj\ \varphi \equiv \langle\downarrow^*_{hd\ \varphi}\rangle(hd\ \varphi \wedge leaf)$$ 


Finally, we can restate the X-bar convention by requiring every node to be a projection, 
given a finite set of lexical features $Lex$: 


$$[\downarrow^*]\Big(\bigvee_{\varphi \in Lex} proj\ \varphi\Big)$$ 


Notice that we would need a feature to indicate that a node is the head in case two 
siblings share the same lexical feature. Furthermore, there are certain regularities that 
this head feature has to observe, such as that no two sisters may both be heads: 


$$[\downarrow^*](head \to \neg(\langle\leftarrow\rangle head \vee \langle\to\rangle head))$$ 


Dynamic Logic of Trees 


The first descriptive characterization of the regular tree languages was obtained by Doner 
[23], and Thatcher and Wright [97]. They generalized Büchi’s theorem to trees. 


THEOREM 26. The following are equivalent for a tree language $L \subseteq T_\Sigma$: 
1. L is regular. 


2. L is definable in MSO. 


Kracht [49] introduced PDL on trees in the context of model theoretic syntax. 

While the correspondence between $\mathcal{X}_{until}$ and FO continues to hold in the 
generalization from strings to trees, the same is not true for the correspondence between PDL and 
MSO on strings, as was shown by Kracht, a topic we shall investigate in detail in the 
next section. 
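
Syntax      Formulas   $\varphi ::= p_i \mid \neg\varphi \mid \varphi \wedge \psi \mid [\pi]\varphi$ 
            Programs   $\pi ::= \to \mid \leftarrow \mid \uparrow \mid \downarrow \mid ?\varphi \mid \pi;\sigma \mid \pi \cup \sigma \mid \pi^*$ 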


Figure 14. Dynamic logic of trees 


Undefinability: Inessential Features 


The relationships between the three logics discussed above are well-understood, in that 
$\mathcal{L}_{core}$ is properly included in $\mathcal{X}_{until}$, which is properly included in PDL, which in turn is 
properly included in MSO. There is a central property that can be used to describe the 
languages that can be defined in one logic, but not in another. This property was first 
introduced by Kracht [50] and it is defined in terms of inessential features. 

Let $F$ be a finite set of features, $G \subseteq F$, $L \subseteq T_{\Sigma^F}$, and $\pi : \Sigma^F \to \Sigma^{F-G}$ be a projection. 
We call the features in $G$ inessential for $L$ if the homomorphism $\pi : L \to T_{\Sigma^{F-G}}$ based 
on $\pi$ is one-to-one. The intuition for this definition of inessential features is that no two 
trees in $L$ can be distinguished using features in $G$. Thus, given a tree $t$ in $\pi(L)$, we can 
recover the features from $G$ in $t$ using $\pi^{-1}(t)$, since $\pi$ is one-to-one. 

EXAMPLE 27. The bar feature of the version of X-bar theory sketched above is inessen- 
tial. To see that, notice that there is only one head (bar-level 0) which has a maximal 
projection (bar-level 2) and all projections in between are of bar-level 1. 

While being an inessential feature is defined with respect to a language, being eliminable 
is defined with respect to a logic and a language. Let $F$ be a finite set of features, 
$G \subseteq F$, $L \subseteq T^{2^F}$, $\pi : 2^F \to 2^{F-G}$ be a projection, and $\mathcal{L}$ be a logic. Suppose that $L$ is 
definable in $\mathcal{L}^{F}$. We say that $G$ is eliminable in $\mathcal{L}$ for $L$ if $\hat{\pi}(L)$ is definable in $\mathcal{L}^{F-G}$. 

It should be noted that this definition of eliminability does not coincide with Kracht’s 
[50], who defines eliminable as being globally explicitly definable. Kracht’s definition 
implies the definition used here, and thus is stronger. However, since we are interested in 
ineliminability, by contraposition, the definition employed here implies Kracht’s definition 
of ineliminability. 

The following, well-known, inclusions follow primarily from the definition of the three 
modal logics. 


THEOREM 28. $\mathcal{L}_{core} \le \mathcal{L}_{cp} \le PDL_{tree} \le MSO$ 


Proof. The first two inclusions follow from the definitions of these logics. The third 
inclusion follows from the fact that transitive closure is MSO-definable. ∎ 


Next, we consider strictness of these inclusions. 


PROPOSITION 29. [87] Let $F = \{a, b\}$. The tree language $L_1 \subseteq T^{2^F}$ such that each 
tree in $L_1$ contains a path from the root to a leaf at which exactly one $a$ holds is not 
$\mathcal{L}_{core}$-definable, but is $\mathcal{L}_{cp}$-definable. 


PROPOSITION 30. Let $\Sigma = \{\wedge, \vee, 0, 1\}$. The tree language $CVP \subseteq T^{\Sigma}$ such that each 
tree in CVP evaluates to true is not $\mathcal{L}_{cp}$-definable, but is $PDL_{tree}$-definable. 


Proof. Potthoff [80] showed that CVP is not definable in an extension of first-order 
logic with modular counting quantifiers, and since $\mathcal{L}_{cp}$ is equivalent to first-order logic 
on trees [1], the undefinability follows. That CVP is definable in $PDL_{tree}$ is shown in 
[1]. ∎ 
PROPOSITION 31. [52, 53] Let $F = \{p, q\}$. Let $L_2 \subseteq T^{2^F}$ where each tree in $L_2$ is a 
ternary branching tree such that $p$ is true along a binary branching subtree and $q$ is true 
at all leaves at which $p$ is true. The language $L_3 \subseteq T^{2^{\{q\}}}$ obtained from the projection 
that eliminates $p$ is not $PDL_{tree}$-definable, but is MSO-definable. 


These three propositions demonstrate the strictness of the inclusion of the three modal 
logics and MSO. Next, we will consider how languages that are undefinable in one of these 
logics can be defined with additional features. 


THEOREM 32. [102] There exists a set of features $F$, a tree language $L \subseteq T^{2^F}$, and 
a subset $G \subseteq F$, such that $G$ is ineliminable in $\mathcal{L}_{core}$ (resp. $\mathcal{L}_{cp}$) but eliminable in $\mathcal{L}_{cp}$ 
(resp. $PDL_{tree}$). 


Proof. Both of these constructions work the same way. Given two of our logics $\mathcal{L}_1$, $\mathcal{L}_2$, 
with $\mathcal{L}_1 < \mathcal{L}_2$, pick a tree language, $L$, that is not definable in $\mathcal{L}_1$ but is definable in $\mathcal{L}_2$, 
which exists by Propositions 29 and 30. 

By Theorem 28, we know that $L$ is regular, and by Theorem 24, we know that any 
local tree language is definable in $\mathcal{L}_1$. Given a deterministic FTA $M = (\Sigma, Q, F, \Delta)$, 
with $L = L(M)$, we can use Theorem 23 to construct a local tree language $L' \subseteq T^{\Sigma \times Q}$ 
such that $\hat{\pi}(L') = L$. Now, the features in $Q$ are inessential, since $M$ is deterministic, 
but ineliminable, since $L$ is undefinable in $\mathcal{L}_1$. However, since $L$ is definable in $\mathcal{L}_2$, the 
features in $Q$ are eliminable in $\mathcal{L}_2$. ∎ 


The previous theorem can be strengthened in that it can be used to characterize the tree 
languages that are undefinable in some logic $\mathcal{L}_1$ but definable in some other logic $\mathcal{L}_2$. 


THEOREM 33. [102] Any tree language that is not definable in $\mathcal{L}_{core}$ (resp. $\mathcal{L}_{cp}$) but 
is definable in $\mathcal{L}_{cp}$ (resp. $PDL_{tree}$) can be defined with additional, inessential features in 
$\mathcal{L}_{core}$ (resp. $\mathcal{L}_{cp}$) that are not eliminable in $\mathcal{L}_{core}$ (resp. $\mathcal{L}_{cp}$). 


Model Theoretic Syntax and Parsing 


Recall that we generalized from strings to trees because we wanted to retain decidability 
and because we wanted to have a formalism that associates grammatical structure to an 
unstructured string. While decidability has been retained by this move, we need to say a 
little bit about how model theoretic syntax associates structures with strings. It should 
be noted that CFGs are formalisms that generate strings and that the structures that 
they assign to the strings arise in the process of generating the string, i.e. that trees are 
not a primary but a derived notion for formal grammars, Tree Adjoining Grammars being 
a notable exception. It should also be noted that, in our move to logics of trees, strings 
are no longer a primary notion because we are talking about trees directly. However, 
when we are interested in, say, checking whether a particular sentence is grammatical, 
we are given a string. So, while parsing, the process of determining whether a given 
grammar generates a given string, for CFG amounts to checking whether the grammar 
generates the string, this is not quite as straightforward here. The following quote from 
[2] gives an outline of what parsing in the logical framework might look like: 


The intent here is to translate a given grammar $G$ into a formula $\varphi_G$ such 
that the set of trees generated by the grammar is exactly the set of trees that 
satisfy $\varphi_G$. Parsing, then, is just identifying the set of models of $\varphi_G$ that 
yield a given string. 


Following an idea proposed by Cornell [20] in the context of parsing with finite tree 
automata, we can improve on the above parsing procedure by observing that we can 
describe the set of all trees that yield a given string $w$, $\varphi_w$, and then simply check 
whether $\varphi_w \wedge \varphi_G$ is satisfiable. Notice, though, that having moved from logics of strings 
to logic of trees entails that the complexity of parsing, which in the string case is that 
of model checking, now is that of satisfiability checking. For all of the modal logics 
considered here, satisfiability checking is EXPTIME-complete. This is still significantly 
better than MSO or even FO with <* both of which are non-elementary. However, model 
checking for the modal logics considered here is linear. For another approach to parsing 
and model theoretic syntax, see Palm [71]. 


Variations 


Just as in the case of strings, monadic transitive closure (MTC) and least fixed point 
(MLFP) logic and logics with modular counting quantifiers have been considered on 
trees [79], as well as Thomas’ chain and anti-chain logics [98]. While, over trees, MLFP 
is equally expressive as MSO, the question whether this equivalence also holds for MTC 
is currently open. 

Kracht [54] also considers a modal logic with quantifiers ranging over propositions 
which is equivalent to MSO over trees. 


Extensions 


While the fact that natural languages are not regular has been known since the 1950s, 
examples of non-context-free phenomena in natural languages were only found in the 
1980s; see Shieber [89]. Thus, we again need to consider how to strengthen the logics 
employed here if we want this approach to be applicable to all natural languages. 

One approach, a generalization of the logical characterization of CFLs to trees, is 
Langholm’s [56] characterization of the indexed languages by an extension of MSO which 
generalizes the logical characterization of CFLs mentioned above to trees. The indexed 
languages are located strictly between the CFLs and the context-sensitive languages. 
However, as was pointed out above, since parsing with tree logics involves testing for 
satisfiability rather than model checking, using an undecidable logic makes this approach 
uninteresting to computational linguistics. 

Other approaches to extending model theoretic syntax to non-regular tree languages include 
Rogers’ [84] extension of MSO to n-dimensional trees and the approach by Mönnich 
and colleagues [47] that encodes non-regular tree language in regular tree languages. Both 
approaches have in common that they introduce a new level of abstraction, since the di- 
rect connection between a logical formula and the tree it encodes is only available via a 
translation, which is explicit only in the latter approach. While this move from trees to 
more complex structures is analogous to the move from strings to trees, the latter move 
still corresponds to structures employed by linguists (derivation trees) while the former 
does not. However, both approaches retain decidability. Whether decidable, non-regular 
extensions of PDL can be used to define interesting classes of tree languages is, at present, 
an open problem. 


1072 Lawrence S. Moss and Hans-Jörg Tiede 


3.4 Assessment: why modal logic for syntax and which one? 


The foregoing multitude of tree logics raises two questions: what are the advantages and 
disadvantages of modal logics over classical logics for the description of trees, and simi- 
larly between the different modal logics? With respect to classical logic, the advantage 
is not, as in the general case, that modal logics are decidable while classical logic is not, 
since even MSO over trees is decidable. However, there is an advantage in complexity: 
all the modal logics considered are EXPTIME-complete [1], while MSO and FO with <* 
are not elementary. One exception is FO with two successors, S1, S2 which is elementary 
[27], but not very expressive, since not even <* is FO definable from S1, S2. For further 
discussions of complexity theoretic aspects of MSO, see [61]. 

Another more general question: why should logic be used at all to formalize grammat- 
ical theories? The first advantage that the approach outlined in this chapter has is that 
it connects a descriptive approach to grammars to a procedural approach: grammars 
formalized in these logics can be translated into tree automata which can be imple- 
mented. Another issue has to do with methodology in linguistics. While some linguists 
have become downright hostile towards formalization, the methodological paradigm of 
Government and Binding theory was to formulate more and more “principles;” i.e., gen- 
eral statements about the structure of sentences that were supposed to be true for all 
languages. However, it was quite unclear how one would check whether or not any new 
principle was consistent with all the previously stated principles. Formalizing principles 
from GB in one of these logics would allow one to check whether adding a given principle 
would make a particular theory contradictory. For further discussions of methodological 
issues in GB, see Hintikka and Sandu [38]. 


4 CONCLUSION AND OPEN PROBLEMS 


Like other areas of applied mathematics which use formal tools to model phenomena 
under consideration, logic in general, and modal logic in particular, is one of the main 
tools for modeling in mathematical linguistics. As we have seen, modal logic is used in 
semantics to give a formal model of the meanings of the object language, while it is used 
in syntax to formalize grammatical theories; i.e., the meta-language. While the use of 
logic in semantics has considerable history with many significant successes, the logical 
approach to syntax outlined here is relatively new, although its foundations date back 
further. 

There are many applications of logic in linguistics that we have not discussed here; 
however, two stand out because they contain applications of modal logic: categorial 
grammar and feature structures. However, both of these topics have already received 
authoritative surveys in the Handbook of Logic & Language [4]. 

One area of research in mathematical linguistics that has had considerable success 
in recent years has been the study of learnability of grammar formalisms, particularly 
of variations of categorial grammars; see Buszkowski [12]. Similar results for model 
theoretic syntax have not been obtained yet. While there exist interesting approaches to 
learning logical theories [62] which would seem to be relevant to extending learnability 
theory to model theoretic syntax, these approaches depend heavily on properties of their 
main tool, first-order logic. Thus, a significant amount of groundwork would have to be 
done before one could extend this approach to model theoretic syntax. 
Further open problems in model theoretic syntax include computational implementa- 
tions, for which some progress has already been made by the existing implementations of 
monadic second order logic [46]. However similar implementations of modal logics of trees 
or applications of the existing applications to linguistic problems do not seem to exist. 
The relationship between the different approaches to extending model theoretic syntax 
to non-regular tree languages outlined above is also currently open. For example, is there 
an easy way to translate between Rogers’ extension in [84] of MSO to n-dimensional trees 
and the approach by Mönnich and colleagues [47] that encodes non-regular tree language 
in regular tree languages? Finally, while the different modal logics in this chapter were 
separated using the tree languages in Propositions 29, 30 and 31, it would be interesting 
to find linguistically motivated tree languages that can also separate these logics. Until 
such examples are found, very little motivation seems to exist to use the more expressive 
logics. 

One interesting property that the logical approaches to both syntax and semantics 
outlined here have in common is that extending their empirical scope to different natural 
language phenomena depends on corresponding coverage of these phenomena in some 
syntactic theory. Since it is the main aim of model theoretic syntax to formalize linguistic 
theories, instead of being a linguistic theory, this dependence is clear here. In the case of 
semantic theory, coverage of linguistic phenomena depends, because of the principle of 
compositionality, on syntactic representations from which the semantic representations 
are built. 
1 INTRODUCTION 


Game-theoretic ideas have a long history in logic. A game-theoretic interpretation of 
quantification goes back at least to C.S. Peirce, and game-theoretic versions for all essen- 
tial logical notions (truth in a model, validity, model comparison) have been developed 
subsequently. The connections between game theory and modal logic, on the other hand, 
have been developed only more recently. At the time of writing, the area is still an active 
one, so active in fact, that one might even argue that it is too early to be included in a 
handbook of modal logic. In spite of this concern, we believe that the volume of research 
falling into the category of modal logic and game theory justifies a survey. Our attempt 
in this chapter is to put some structure on the various strands of research, to create 
an organisation which highlights what we consider to be the essential lines of research. 
As with all endeavours of this sort, one cannot include all the research considered valu- 
able, and we are well aware that our choice of topics also reflects our own interests and 
expertise. 

Game theory has developed a wealth of interesting ideas for describing interactions 
which may involve a conflict of interest. So far, the logic community has restricted its 
attention to relatively few of these, mainly studying 2-player extensive games of perfect 
information which are strictly competitive (even win/lose). In fact, even this restricted 
class of games has turned out to be extremely rich, as set theory and computer science 
can testify. Still, given this traditionally narrow focus of logic, it is encouraging to see 
that more recent work in logic has extended the game-theoretic toolbox considerably, 
introducing, e.g., cooperative game theory, imperfect information and games involving 
more than 2 players. While even this can only be a beginning, by now the game-theoretic 
ideas used in logic certainly go beyond the intuitively natural idea of a winning strategy, 
and hence we will start our chapter with a section explaining the necessary background 
in game theory. 

Having packed our game-theoretic baggage, our tour starts in Section 3 with new 
sights of a familiar landscape, possibly the most natural way to link games to modal 
logic. Game trees can be viewed as Kripke models, where the possible moves are modeled 
by an accessibility relation and additional information about payoffs and turn taking are 
encoded by propositional atoms. Structural equivalence notions such as bisimulation 
then turn into game equivalence notions, and we can investigate extensions of the modal 
language which can capture game-theoretic solution concepts such as the subgame-perfect 
equilibrium. 

Leaving the first three sections together with the concluding Section 12 aside, the rest 
of this chapter can be divided into three reading tracks, epistemic logics (Sections 4-8), 
game logic (Section 9), and coalition logics (Sections 10-11), which can be pursued inde- 
pendently. The epistemic logic track describes approaches based on (dynamic) epistemic 
logic for dealing with imperfect information in games. The section on game logic de- 
scribes an extension of Propositional Dynamic Logic for reasoning about games, focusing 
on operations for combining games like programs. The coalition logic track, finally, dis- 
cusses a range of logics developed for modeling coalitional power in games, possibly also 
adding temporal or epistemic operators. 

In Section 4 we introduce a widely accepted logic for knowledge in the area of games, 
where the assumptions impose that players are fully introspective and their knowledge is 
veridical. The more interesting properties are to be found when studying knowledge of 
groups of players though, with common knowledge being the main and most intriguing 
notion in this palette. Section 5 introduces interpreted systems, a dominant paradigm in 
computer science to deal with knowledge and time, where time corresponds with steps 
in a protocol, or, for our purposes, indeed a game. 

Such epistemic notions as introduced in Section 4 and 5 play an important role in games 
of imperfect information, and, as some major results in early game theory indicate, even 
beyond that (see Section 8). For instance, a procedure that yields a Nash equilibrium 
in extensive games, called backward induction, finds its justification in the assumption 
about common knowledge about rationality of the players. We will see, however, that 
nowadays epistemologists put the need for the inherently infinite conjunctions that come 
along with common knowledge into perspective and a non-trivial analysis of games can 
be given without falling back on such strong assumptions. 

Where the emphasis in Section 4 is on the knowledge that the players have about the 
game, in Sections 7 and 8 the emphasis will be on how knowledge evolves during a game. 
Hiding one’s knowledge can be beneficial for a player within a game, but revealing his 
ignorance can also be disastrous, and may benefit other players. Moreover, in certain 
games (like Cluedo and many card games) the winning conditions are purely epistemic: 
the game ends in a win for that player who is the first who happens to know some crucial 
information. 

The dynamic logic of games discussed in Section 9 takes Propositional Dynamic Logic 
as its starting point. By a change in the underlying semantics, programs become 2- 
player games which can be combined using the old program operations of sequential 
composition, test, etc. Besides these program operations, a new duality operator is added 
which interchanges the roles of the players. Using this new operator, nondeterministic 
choice splits into two versions depending on which player makes the choice. A typical 
formula $[(a \cap b); (a \cup c)]p$, for instance, expresses that player 2 has a strategy for achieving 
p in the game where first, player 1 chooses between a and b, and then player 2 chooses 
between a and c (for details, see Section 9). 

Section 10 introduces Coalition Logic, a basic modal logic for reasoning about the 
ability of groups in different kinds of games. For a set of individuals C, the formula [C]p 
expresses that the members of C have a joint strategy for achieving p at the next stage 
of game. In Section 11, this language is extended to Alternating-time Temporal Logic 
(ATL) by adding operators for talking about the long-term future, where we can state, 
e.g., that a coalition can achieve p eventually. ATL is a game-theoretic generalisation 
of Computation Tree Logic (CTL), with applications in the formal verification of multi- 
agent systems. Further extensions of ATL to ATL*, the alternating μ-calculus and ATEL 
are presented. ATEL adds epistemic operators to ATL in order to express, e.g., that a 
coalition has a strategy for getting an agent to know something eventually. 

While our focus in this chapter is on modal logic for games, there are also many games 
for modal logic. The reader interested in this reverse connection is referred to other 
chapters of this handbook (i.e., Chapter 12 and 17) for more details. The similarity 
between programs and games and the relevance of epistemic and temporal issues, on 
the other hand, suggest that modal logic may provide an interesting new perspective on 
games, and it is this perspective we would like to present in this chapter. 
2 GAME THEORY 


The purpose of this section is to introduce the basic game-theoretic notions needed for 
the logics discussed in later sections. Hence, this section will also give the reader an 
indication of the size and nature of the game-theoretic territory which has come under 
logical investigation. 

In Sections 2.1 and 2.2, we discuss games in strategic and extensive forms, respectively. 
We cover some central solution concepts developed for these models, namely Nash equi- 
libria and subgame-perfect equilibria. For a more detailed discussion of these notions, 
standard texts on game theory (e.g., [56, 11]) can be consulted. Section 2.3 focuses on a 
game-theoretic model of cooperation (effectivity functions) which has been investigated 
in social choice theory [52] and which will play a central role in the logics discussed in 
Sections 9, 10 and 11. 


2.1 Games in Strategic Form 


One of the most general models for situations of strategic interaction is that of a strate- 
gic game. Because of its generality, strategic games form the standard model in non- 
cooperative game theory. In a strategic game, the different players choose one of their 
available alternative actions/strategies, and taken together, these actions determine the 
outcome of the game. Note that we do not distinguish actions from strategies in strategic 
games; in extensive games, we will distinguish these two notions. Also, note that game 
forms can be conceived of as ‘uninterpreted games’: they only deal with the structure of 
the game, determining which moves are possible in which states, but they do not specify 
which states are ‘good’ or ‘bad’ for any player, i.e., they say nothing about winning, 
losing, a payoff or utility, when a particular state is reached. 


DEFINITION 1 (Strategic Game Form). A strategic game form $F = (N, \{\Sigma_i \mid i \in N\}, o, S)$ 
consists of a nonempty finite set of agents $N$, a nonempty set of strategies or 
actions $\Sigma_i$ for every player $i \in N$, a nonempty set of states $S$ and an outcome function 
$o : \prod_{i \in N} \Sigma_i \to S$ which associates to every tuple of strategies of the players (strategy 
profile) an outcome state in $S$. $\dashv$ 


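For notational convenience, let $\sigma_C := (\sigma_i)_{i \in C}$ denote the strategy tuple for coalition 
$C \subseteq N$ which consists of player $i$ choosing strategy $\sigma_i \in \Sigma_i$. Then given two strategy 
tuples $\sigma_C$ and $\sigma_{\overline{C}}$ (where $\overline{C} := N \setminus C$), $o(\sigma_C, \sigma_{\overline{C}})$ denotes the outcome state associated 
with the strategy profile induced by $\sigma_C$ and $\sigma_{\overline{C}}$. We shall also write $-i$ for $N \setminus \{i\}$. 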

Figure 1 below provides an example of a strategic game form among three players in 
the usual matrix depiction. Unless noted otherwise, we will assume that player 1 chooses 
the row, player 2 the column, and the third player chooses between the left and the right 
table. In this example, let $\sigma_1$ be the strategy where player 1 chooses B, $\sigma_2$ the strategy 
where player 2 chooses M, and let $\sigma_3$ be the strategy of player 3 choosing the left table. 
Then we have $o(\sigma_{\{1,2\}}, \sigma_{\{3\}}) = o((\sigma_1, \sigma_2, \sigma_3)) = s_1$. 

To make a strategic game form into a strategic game, we need to add preference rela- 
tions or utility functions which express the players’ preferences over the game’s outcomes. 
In the first case, given a preference relation $\succeq_i \subseteq S \times S$ for every player $i \in N$ and a 
strategic game form $F = (N, \{\Sigma_i \mid i \in N\}, o, S)$, we call $G = (F, (\succeq_i)_{i \in N})$ a strategic 
game. We interpret $s \succeq_i t$ to mean that player $i$ prefers outcome $s$ at least as much as 
outcome $t$, and one usually assumes that $\succeq_i$ is a linear order (although this assumption 
      L    M    R              L    M    R 
T     s1   s2   s1        T    s3   s2   s1 
B     s2   s1   s3        B    s2   s3   s3 


Figure 1. A strategic game form for three players. 


shall not be essential for our development later). Similarly, given a strategic game form 
$F$ and a utility function $u_i : S \to \mathbb{R}$ for every player $i \in N$, we can construct a strategic 
game $G = (F, (u_i)_{i \in N})$ where player $i$ prefers outcome $s$ at least as much as outcome 
$t$ iff $u_i(s) \ge u_i(t)$. Provided that $\succeq_i$ is indeed a linear order, the two definitions are 
interchangeable, and we shall freely switch between the two formats. 

Figure 2 below shows three well-known 2-player games. The matrices list the players’ 
utilities or payoffs, e.g., the top leftmost entry of the leftmost game, $(-4, -4)$, denotes 
the pair $(u_1(D, D), u_2(D, D))$. 


Prisoner’s Dilemma: 

        D         C 
D     -4,-4     0,-8 
C     -8,0     -1,-1 

[Payoff matrices for Battle of the Sexes (strategies B, F) and Matching Pennies (strategies H, T)] 

Figure 2. Three strategic 2-player games: Prisoner’s Dilemma (left), Battle of the Sexes 
(middle) and Matching Pennies (right) 


In the Prisoner’s Dilemma, two prisoners are interrogated by the police. If the prisoners 
cooperate (C) and remain silent, they can only be sentenced for a minor offence and will 
receive one year in prison each. If both defect and confess (D), each will receive 4 years in 
prison. Finally, if only one prisoner defects, he will go free in order to be used as a witness 
against his fellow prisoner who will receive 8 years in prison. In the Battle of the Sexes, 
a couple needs to decide whether to go see a ballet performance (B) or a football match 
(F) in the evening. Both of them mainly want to spend the evening together, but she 
prefers the football match and he prefers the ballet performance. Lastly, in the Matching 
Pennies example, two children each have a penny, and they decide simultaneously whether 
to show heads (H) or tails (T). One child wins (payoff 1 for the winner, —1 for the loser) 
in case the sides match, the other child wins in case they differ. Matching Pennies is an 
example of a zero-sum or strictly competitive game: For every outcome state s we have 
that $u_1(s) + u_2(s) = 0$. 

A strategic game allows us to model multi-agent interaction using strategies and pref- 
erences. Game theory has developed a number of solution concepts which specify a 
“predicted” set of outcomes for such a game (views differ as to how exactly such a so- 
lution has to be interpreted). The following notion is one of the cornerstones of modern 
game theory. 


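DEFINITION 2 (Nash Equilibrium). A strategy profile $\sigma_N$ is a Nash equilibrium of a 
strategic game $G = (N, \{\Sigma_i \mid i \in N\}, o, S, (\succeq_i)_{i \in N})$ iff 
$\forall i \in N\ \forall \tau_i \in \Sigma_i : o(\sigma_i, \sigma_{-i}) \succeq_i o(\tau_i, \sigma_{-i})$. $\dashv$ 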

Intuitively, a strategy profile $(\sigma_1, \sigma_2)$ is a Nash equilibrium in a 2-player game in case 
$\sigma_1$ is a best response to $\sigma_2$ and vice versa; no player can improve his payoff by unilaterally 
changing his strategy. In the three examples given in Figure 2, the reader may wish to 
verify that (D,D) is the only Nash equilibrium in the Prisoner’s Dilemma, and that 
both (B, B) and (F, F) are Nash equilibria in the Battle of the Sexes. There is no Nash 
equilibrium in Matching Pennies. 

While for a given player $i$, a Nash equilibrium only requires its action to be optimal 
given the other players’ actions, a dominant strategy is optimal regardless of what the 
other players do. Formally, for two strategies $x, y \in \Sigma_i$, $x$ strictly dominates $y$ iff 
$\forall \sigma_{-i} : o(x, \sigma_{-i}) \succ_i o(y, \sigma_{-i})$. We call a strategy strictly dominated iff it is strictly dominated 
by some other strategy. In the Prisoner’s Dilemma, cooperation is strictly dominated by 
defection. No dominated strategies exist in the other games mentioned so far. 

Our concern in this chapter is mainly with pure strategies which are non-probabilistic. 
In contrast, a mixed strategy allows a player to randomise over his set of strategies, 
playing each strategy with some probability $p$ where $0 < p < 1$. In the Matching Pennies 
game, each player may decide to choose Heads with probability $\frac{1}{2}$. This strategy profile 
$((\frac{1}{2}, \frac{1}{2}), (\frac{1}{2}, \frac{1}{2}))$ is a Nash equilibrium over mixed strategies, and Nash’s celebrated result 
states that it is no coincidence that Matching Pennies has such an equilibrium. 


THEOREM 3 ([53]). Every strategic game has a Nash equilibrium over mixed strategies. 


The computational complexity of finding a mixed strategy Nash equilibrium (from 
Theorem 3 we are ensured of its existence) for a 2-player strategic game with finite 
(pure) strategy sets is in NP, but it is presently not known whether the problem is also 
NP-hard. According to [57], this is one of the most important concrete open questions 
on the boundary of P today. 
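
The claims made above about the three games of Figure 2 (pure Nash equilibria, strictly dominated strategies, and the mixed equilibrium of Matching Pennies) can be verified by exhaustive search. The following Python code is an added example, not part of the handbook; the Prisoner’s Dilemma payoffs follow the prison terms described in the text, while the payoffs for Battle of the Sexes and Matching Pennies, and the assignment of row and column players, are assumed values consistent with the verbal descriptions.

```python
from fractions import Fraction

# Payoff tables: (row strategy, column strategy) -> (u1, u2).
PRISONERS_DILEMMA = {          # utilities are minus the years in prison
    ("D", "D"): (-4, -4), ("D", "C"): (0, -8),
    ("C", "D"): (-8, 0), ("C", "C"): (-1, -1),
}
BATTLE_OF_THE_SEXES = {        # assumed values: being together beats being apart
    ("B", "B"): (1, 2), ("B", "F"): (0, 0),
    ("F", "B"): (0, 0), ("F", "F"): (2, 1),
}
MATCHING_PENNIES = {           # assumed: player 1 wins when the sides match
    ("H", "H"): (1, -1), ("H", "T"): (-1, 1),
    ("T", "H"): (-1, 1), ("T", "T"): (1, -1),
}


def strategies(game, player):
    """The strategy set Sigma_i of a player (0 = row, 1 = column)."""
    return sorted({profile[player] for profile in game})


def deviate(profile, player, strategy):
    """The profile (tau_i, sigma_-i): only `player` changes strategy."""
    changed = list(profile)
    changed[player] = strategy
    return tuple(changed)


def pure_nash_equilibria(game):
    """All pure profiles from which no player gains by deviating unilaterally."""
    return [
        profile for profile in sorted(game)
        if all(game[profile][i] >= game[deviate(profile, i, t)][i]
               for i in (0, 1) for t in strategies(game, i))
    ]


def strictly_dominated(game, player):
    """Strategies y of `player` for which some x is strictly better against
    every strategy of the opponent."""
    own, other = strategies(game, player), strategies(game, 1 - player)

    def utility(mine, theirs):
        profile = (mine, theirs) if player == 0 else (theirs, mine)
        return game[profile][player]

    return [y for y in own
            if any(all(utility(x, o) > utility(y, o) for o in other)
                   for x in own if x != y)]


def expected_utility(game, mixed, player):
    """Expected payoff when each player randomises independently."""
    return sum(mixed[0][profile[0]] * mixed[1][profile[1]] * payoffs[player]
               for profile, payoffs in game.items())


def is_mixed_nash(game, mixed):
    """Expected utility is linear in a player's own mix, so it suffices to
    rule out profitable deviations to pure strategies."""
    for i in (0, 1):
        current = expected_utility(game, mixed, i)
        for t in strategies(game, i):
            pure = {s: Fraction(int(s == t)) for s in strategies(game, i)}
            deviation = (pure, mixed[1]) if i == 0 else (mixed[0], pure)
            if expected_utility(game, deviation, i) > current:
                return False
    return True


HALF = {"H": Fraction(1, 2), "T": Fraction(1, 2)}

if __name__ == "__main__":
    for name, game in [("Prisoner's Dilemma", PRISONERS_DILEMMA),
                       ("Battle of the Sexes", BATTLE_OF_THE_SEXES),
                       ("Matching Pennies", MATCHING_PENNIES)]:
        print(name, pure_nash_equilibria(game),
              [strictly_dominated(game, i) for i in (0, 1)])
    print("uniform mix is an equilibrium:",
          is_mixed_nash(MATCHING_PENNIES, (HALF, HALF)))
```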


2.2 Games in Extensive Form 


Strategic games consider strategic interaction as involving only a single choice for every 
player. There may be situations, however, where we want to model the fine structure of 
strategic interaction which involves modelling the sequential structure of decision making. 
Extensive form games provide us with this level of added detail. 


Perfect Information 


Given a finite or infinite sequence of actions $h = (a_1, a_2, \ldots)$, let $h|k = (a_1, a_2, \ldots, a_k)$ 
denote the initial subsequence of length $k$ of $h$. 


DEFINITION 4 (Extensive Game Form of Perfect Information). An extensive game form 
of perfect information is a triple $F = (N, H, P)$, where as before, $N$ is the set of players. 

$H$ is a set of sequences (finite or infinite) over a set $A$ of actions which we shall call 
histories (or: runs, plays) of the game. We require that $H$ satisfies three requirements: 
(1) the empty sequence $() \in H$. (2) $H$ is closed under initial subsequences, i.e., if $h \in H$ 
has length $l$, then for all $k < l$ we have $h|k \in H$. If $h \in H$ is infinite, $h|k \in H$ for all $k$. 
(3) If all finite initial subsequences of an infinite sequence $h$ are in $H$, then so is $h$: given 
an infinite sequence $h$ such that for all $k$ we have $h|k \in H$, then $h \in H$. Let $Z \subseteq H$ be 
the set of terminal histories, i.e. $h \in Z$ iff for all $h' \in H$ and $k$ such that $h'|k = h$ we 
have $h' = h$ (so, infinite histories are terminal). $P : H \setminus Z \to N$ is the player function 
which assigns to every nonterminal history the player whose turn it is to move. $\dashv$ 


As with strategic games, we turn an extensive game form into an extensive game 
by adding preference relations. Formally, let $\succeq_i \subseteq Z \times Z$ be a preference relation on 
the set of terminal histories $Z$. As before, we shall sometimes use utility functions $u_i$ 
instead of preference relations. Given an extensive game form $F = (N, H, P)$, we call 
$G = (F, (\succeq_i)_{i \in N}) = (N, H, P, (\succeq_i)_{i \in N})$ an extensive game. We call an extensive game $G$ 
finite iff its set of histories H is finite. G has a finite horizon iff all histories in H have 
finite length. 

Figure 3 shows the tree representation of an extensive game, where the branches are 
labelled by actions and the payoffs of the players are shown at the terminal nodes. 


[Game tree diagrams] 


Figure 3. An extensive game for two players with payoffs (left) and an extensive game 
with an implausible Nash equilibrium (right) 


Given a finite history $h = (a_1, \ldots, a_n)$ and an action $x \in A$, let $(h, x) = (a_1, \ldots, a_n, x)$.
Furthermore, let $A(h) = \{x \in A \mid (h, x) \in H\}$ be the set of actions possible after $h$. Now we
can define a strategy for player $i$ as a function $\sigma_i : P^{-1}[\{i\}] \to A$ such that $\sigma_i(h) \in A(h)$
($P^{-1}$ denotes the pre-image of $P$). As before, we let $\Sigma_i$ denote the set of strategies of
player $i$. Given a strategy profile $\sigma = (\sigma_i)_{i \in N}$, let $o(\sigma) \in H$ be the history which results
when the players use their respective strategies.

In the game on the left of Figure 3, the strategy for player 1 indicated by bold arrows
is given by $\sigma_1(()) = b$, $\sigma_1((a)) = c$ and $\sigma_1((b,d)) = a$. Player 2’s strategy indicated in
the game is given by $\sigma_2((a,c)) = e$, $\sigma_2((b)) = d$ and $\sigma_2((b,c)) = b$.

The notion of a Nash equilibrium can now be lifted easily from strategic games to
extensive games. Given an extensive game $G = (N, H, P, (\succeq_i)_{i \in N})$, a strategy profile $\sigma$
is a Nash equilibrium iff $\forall i \in N\ \forall \tau_i \in \Sigma_i : o(\sigma_i, \sigma_{-i}) \succeq_i o(\tau_i, \sigma_{-i})$. However, it turns out
that for extensive games, Nash equilibria often lack plausibility, as shown by the game
on the right in Figure 3, taken from [56].

The Nash equilibria of the game are (l, R) and (r, L). The second equilibrium however 
does not seem reasonable. At the position where player 2 has to move, she will choose 
R since this will give her a higher payoff. Knowing this, player 1 should choose l at the
beginning of the game, and so we would want to advocate only (l, R) as the solution of 
the game. The strategy profile (r, L) turns out to be a Nash equilibrium because of the 
threat that player 2 will choose L rather than R, but this threat is not credible since 
choosing L would hurt her own interest. To rule out such pathological equilibria, we need 
to strengthen our equilibrium notion. The problem with profile (r, L) is that it prescribes 
an unreasonable choice in a subgame of the original game, whereas we would want our
equilibrium strategies to be optimal in every subgame.

To obtain a more robust equilibrium notion, we introduce the notion of a subgame more
formally. Given two sequences $h$ and $h'$, with $h$ finite, let $(h, h')$ denote the concatenation
of $h$ and $h'$. Consider a history $h$ in the extensive game $G = (N, H, P, (\succeq_i)_{i \in N})$. To
isolate the subgame starting after $h$, we define $G(h) = (N, H|_h, P|_h, (\succeq_i|_h)_{i \in N})$ where
$H|_h = \{h' \mid (h, h') \in H\}$, $P|_h(h') = P(h, h')$ for each $h' \in H|_h$ and finally $h' \succeq_i|_h h''$
iff $(h, h') \succeq_i (h, h'')$. Similarly, strategies $\sigma_i$ (and strategy profiles) can be restricted to
subgames by setting $\sigma_i|_h(h') = \sigma_i(h, h')$.


DEFINITION 5 (Subgame-Perfect Equilibrium). A strategy profile $\sigma$ is a subgame-perfect
Nash equilibrium of a game $G$ iff for every history $h \in H$, the restriction $\sigma|_h$
of $\sigma$ is a Nash equilibrium of $G(h)$. ⊣


In the game of Figure 3 (right), only (l, R) is a subgame-perfect equilibrium. Note
that all subgame-perfect equilibria are also Nash equilibria. A game is called generic if no
player is indifferent between any two terminal histories, i.e., for all $i \in N$ and $h, h' \in H$,
we have $u_i(h) = u_i(h')$ iff $h = h'$.


THEOREM 6 ([42]). Every finite extensive game of perfect information has a subgame- 
perfect equilibrium. Moreover, in any generic game, this equilibrium is unique. 


While the formal proof of this theorem is somewhat technical, the general method 
used to establish the result is easy to explain and is known as backward induction. We 
build up the equilibrium profile by induction on the length of a game (i.e., the length of 
its longest history). If a game has length 0, it only consists of a terminal node and there 
are no strategic decisions to be made. Consider the payoff vector of the terminal node 
as the backward induction vector (short: bi-vector) of the game. Now if the game G has 
length n+1, assume that player i has to move at the root of G. By induction hypothesis, 
all the proper subgames of G have a bi-vector and we have associated strategy profiles 
for them. To get an equilibrium profile for G, let i choose a successor with the highest
bi-vector for i, and consider that payoff vector as the bi-vector of G. Starting at the 
terminal nodes, this backward induction method moves up through the game tree and 
inductively defines a strategy profile which turns out to be a subgame-perfect equilibrium 
and a bi-vector which is its associated payoff vector. 

Note that the intuitive reasoning which we used to argue against (r, L) as a solution 
of the game in Figure 3 (right) was already an example of backward induction reasoning. 
In Figure 3, the backward induction profile in the game to the left has been indicated by 
boldface arrows. The payoff vector of the backward induction profile is (7, 4). 
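
The contrast between Nash and subgame-perfect equilibrium, and the backward induction method, can be checked mechanically. The following is an added example, not code from the handbook; since the drawing of Figure 3 (right) is missing from this copy, the tree shape and payoffs are assumptions chosen to match the description in the text.

```python
from itertools import product

# Constructed game: the drawing of Figure 3 (right) is not in this copy, so the
# tree and payoffs below are assumptions chosen to match the text's description.
# Player 1 picks l or r at the root; after l, player 2 picks L or R; r ends the game.
TREE = {(): (1, ("l", "r")), ("l",): (2, ("L", "R"))}   # h -> (P(h), A(h))
PAYOFF = {("l", "L"): (0, 0), ("l", "R"): (2, 1), ("r",): (1, 2)}  # (u1, u2)
NODES = sorted(TREE)

def outcome(profile, h=()):
    """Payoff vector of the terminal history reached from h when all follow profile."""
    while h in TREE:
        h += (profile[h],)
    return PAYOFF[h]

def profiles():
    """Every strategy profile: one action for each nonterminal history."""
    for choice in product(*(TREE[h][1] for h in NODES)):
        yield dict(zip(NODES, choice))

def is_nash(profile, root=()):
    """True iff no player gains in the subgame G(root) by deviating unilaterally."""
    base = outcome(profile, root)
    for player in (1, 2):
        for dev in profiles():
            # dev is a unilateral deviation only if it differs at player's own nodes
            if any(dev[h] != profile[h] for h in NODES if TREE[h][0] != player):
                continue
            if outcome(dev, root)[player - 1] > base[player - 1]:
                return False
    return True

def is_subgame_perfect(profile):
    """Definition 5, checked at nonterminal histories (terminal ones are trivial)."""
    return all(is_nash(profile, h) for h in NODES)

def backward_induction(h=()):
    """Return (bi-vector, strategy profile) for the subgame starting after h."""
    if h not in TREE:
        return PAYOFF[h], {}
    player, actions = TREE[h]
    profile, best_vec, best_act = {}, None, None
    for a in actions:
        vec, sub = backward_induction(h + (a,))
        profile.update(sub)
        if best_vec is None or vec[player - 1] > best_vec[player - 1]:
            best_vec, best_act = vec, a
    profile[h] = best_act
    return best_vec, profile

def as_pair(profile):
    """Render a profile as (player 1's root move, player 2's move after l)."""
    return (profile[()], profile[("l",)])

NASH = [as_pair(p) for p in profiles() if is_nash(p)]
SPE = [as_pair(p) for p in profiles() if is_subgame_perfect(p)]

if __name__ == "__main__":
    print("Nash equilibria:", NASH)
    print("subgame-perfect:", SPE)
    print("backward induction:", backward_induction())
```

The profile (r, L) passes the Nash test at the root but fails it in the subgame after l, which is exactly the non-credible threat described above.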

As a corollary to Theorem 6, we obtain the following well-known result due to Zermelo 
which (in a slightly generalised version) can be used to show, e.g., that in the game of 
chess, either black or white must have a strategy which guarantees at least a draw. We 
say that a 2-player extensive game of perfect information is a win-loss game provided 
that it is strictly competitive and for all histories $h$, either $u_1(h) = 1$ or $u_2(h) = 1$, i.e.,
win and loss are the only two possible outcomes. In such a game, a strategy is a winning
strategy for player $i$ provided it guarantees a history $h$ such that $u_i(h) = 1$.


THEOREM 7 ([107]). Every finite 2-player win-loss game is determined, i.e., one of the 
players has a winning strategy. 


One can even show that the problem of determining whether such a game is a win for a
specific player can be determined in polynomial time: in fact, it is a ‘canonical P-complete
problem’ in the sense that it is a popular candidate to be related to other computational
problems (like AND/OR Graph Solvability) in order to show their polynomial complexity.
See [27, Appendix 11.1].


Almost Perfect Information 


Extensive games of perfect information impose a strict order on the moves which take 
place in a game. As a first generalisation, we may extend the definition of an extensive 
game to allow for simultaneous moves of the players. These extensive games of almost- 
perfect information (or extensive games with simultaneous moves) will be important for 
our discussion of Coalition Logic and ATL. In these games, players are completely
informed about the past, but they may be unsure about the present, i.e., about the actions
the other players are simultaneously taking. 

Formally, an extensive game of almost-perfect information is a tuple $G = (N, H, P, (\succeq_i)_{i \in N})$
just like an extensive game of perfect information, with the only difference that
for every nonterminal history $h \in H$, $P(h)$ is a nonempty subset of $N$. Furthermore, for
each $i \in P(h)$, we have a set $A_i(h)$ of actions possible for player $i$ at $h$, and we define the
set of actions possible after $h$ to be $A(h) = \prod_{i \in P(h)} A_i(h)$. Histories of the game are now
sequences of vectors, consisting of the actions chosen simultaneously by the appropriate
players. A strategy for player $i$ is now a function $\sigma_i$ such that $\sigma_i(h) \in A_i(h)$. The
definitions of Nash equilibrium and subgame-perfect equilibrium can easily be adjusted
to these extensive games with simultaneous moves.


Imperfect Information 


So far, we have assumed that the players always know where they are in the game tree. 
This amounts to assuming that the players are always informed about the actions which 
have been taken so far, both by the other players and by themselves; in short, we have 
considered perfect information games where a player has no private information (e.g., 
cards which only she knows), nor does she ever forget which moves she has made earlier 
(this is the essence of the game “Memory”). The game model we shall introduce now is 
an extension of the extensive game model to cover situations of imperfect information. 


DEFINITION 8 (Extensive Game of Imperfect Information). An extensive game of imperfect
information is a tuple $G = (N, H, P, (\mathcal{I}_i)_{i \in N}, (\succeq_i)_{i \in N})$. The only new component
$\mathcal{I}_i$ is a partition of the set of histories where $i$ has to move, i.e. of $P^{-1}[\{i\}]$, with the
property that for all $h, h' \in I \in \mathcal{I}_i$, $A(h) = A(h')$. ⊣


The elements of $\mathcal{I}_i$ are called information sets. If player $i$ has to make a decision in
a game at history $h \in I \in \mathcal{I}_i$, she does not know which of the histories in $I$ is the real
history, i.e. she considers all histories in $I$ as possible alternatives to $h$. In order for
this interpretation to make sense, we have to assume that the histories in $I$ cannot be
distinguished by what actions are possible in the various histories, a requirement which
we enforced by demanding that for all $h, h' \in I$, $A(h) = A(h')$. Observe that if all
information sets are singletons, we have in fact a game of perfect information.

Since a player cannot distinguish between two histories which are in the same information
set, her strategies have to be uniform within every information set. Hence, we define
a strategy for an extensive game of imperfect information to be a function $\sigma_i : \mathcal{I}_i \to A$
such that $\sigma_i(I) \in A(I)$. In words, a strategy picks an action for every information set;
since histories within one information set allow for the same actions to be taken, the
action prescribed by the strategy can always be executed, no matter where the player
really is in the game tree.


Figure 4. Example of an extensive game of imperfect information


Figure 4 contains an example of an imperfect information game. The information 
sets which are not singletons have been indicated by drawing a dashed box around the 
histories which are in the same information set. So in this game, player 1 makes the first 
move, and assuming she chooses to play L, player 2 moves afterwards. Player 1 however 
obtains no information about the choice made by player 2, maybe she was not present 
when the choice was made, maybe she forgot, etc. Her strategy therefore would have to 
specify either l or r for both cases, since she is unable to distinguish them. Two more 
examples of imperfect information games are given in Figure 5. The left game exhibits
imperfect recall: After doing l, player 1 does not know whether she has done l already or
not. Since this notion will play a role later, we will define it more formally here. Given
game $G = (N, H, P, (\mathcal{I}_i)_{i \in N}, (\succeq_i)_{i \in N})$ and history $h \in H$, let $X_i(h)$ record the experience
of player $i$ along history $h$, i.e., the sequence of information sets the player encounters
in $h$ and the actions he takes at that information set. So with the game of Figure 4, we
have $X_1(LAr) = (\emptyset, L, \{LA, LB\}, r)$. Then we say that $G$ has perfect recall iff for every
player $i$ we have $X_i(h) = X_i(h')$ whenever there is some $I \in \mathcal{I}_i$ such that $h, h' \in I$. So
while Figure 4 presents a game with perfect recall, the left game of Figure 5 does not,
since $X_1(\emptyset) = (\emptyset)$ but $X_1(l) = (\emptyset, l)$.

Figure 5. A game with imperfect recall (left) and one with simultaneous moves (right)

The right game in Figure 5 shows that the imperfect information game model can also
be used to model games with simultaneous moves. After player 1 moves, player 2 has
to move without any information about the choice made by the first player. Thus, since
player 1 also does not know about the decision that player 2 will make later, we can
interpret this game as one where the two players simultaneously choose an action.

The concepts of Nash equilibrium and mixed strategy Nash equilibrium can easily 
be extended to imperfect information games. The story is more complicated for the 
subgame-perfect equilibrium. The game in Figure 6 demonstrates the problem that 
one can run into when wanting to apply backward induction to a game of imperfect 
information. 


Figure 6. An imperfect information game where backward induction runs into problems


Player 2’s only information set contains two subgames. In the left subgame, r is the 
strategy prescribed by backward induction, whereas in the right subgame, l is optimal. 
Since both subgames lie in the same information set, the backward induction strategy 
has to be uniform for both subgames. In order to label one of the two strategies as 
optimal, player 2 would have to know where she is in the game, but this is exactly what 
she does not know. 

To deal with this problem, one can introduce a belief system which specifies at each 
information set the probability with which the player believes that a history has
happened. The strategy choice can then make use of these probabilities. This leads to the
notion of a sequential equilibrium which we shall not define formally here. Note simply 
that for the game in Figure 6, if player 2 believes that it is more likely that player 1 will 
play M rather than R, strategy r should be preferable to player 2. We refer the reader 
to [56] for the details. 


2.8 Cooperation in Games 


So far we have assumed that agents determine individually what strategy they want to 
follow. We made no attempt to account for the possibility that agents might cooperate 
in bringing about a desirable state of affairs. Effectivity functions, the model we discuss 
in this subsection, aim at capturing explicitly the powers which agents can obtain by 
forming coalitions. 

Effectivity functions model the power distribution among individuals and groups of 
individuals. In social choice theory, they have been used in particular to model voting
procedures. The exposition we will give here focuses on providing the necessary
background to understand the link between effectivity functions and the neighbourhood
models used in non-normal modal logics like the ones we will discuss in Sections 9, 10
and 11.

Effectivity functions have been studied extensively in game theory and social choice 
theory [52, 1, 66]. The following exposition is based on [63, 62]. 


DEFINITION 9 (Effectivity Function). Given the finite nonempty set of players $N$ and
a nonempty set of alternatives or states $S$, an effectivity function is any function
$E : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ which satisfies the following two conditions:
(1) $\forall C \subseteq N : \emptyset \notin E(C)$, and (2) $\forall C \subseteq N : S \in E(C)$. ⊣


The function E associates to every group of players the sets of outcomes for which the 
group is effective; coalition C is effective for X if it can bring about an alternative in X, 
even though it may have no control over which alternative of X is realised. The literature 
differs somewhat in the conditions placed on the function E. The conditions chosen here 
aim at Theorem 12 and the logics discussed in Sections 10 and 11. Informally, condition 
(1) of Definition 9 states that no group C can ensure that nothing is brought about, 
while condition (2) expresses that every group C can at least bring about something by 
‘choosing’ the complete set of alternatives S, putting no constraints on what the players 
outside C can achieve. 


EXAMPLE 10. Consider the following example from [24] about Angelina, Edwin and 
the judge: If Angelina does not want to remain single, she can decide either to marry 
Edwin or the judge. Edwin and the judge each can similarly decide whether they want 
to stay single or marry Angelina. If we assume that the three individuals live in a 
society where nobody can be forced to marry against his/her will, this situation can 
be modelled using effectivity functions as follows: The set of players is $N = \{a, e, j\}$
and the set of alternatives is $S = \{s_s, s_e, s_j\}$, where $s_s$ denotes the situation where
Angelina remains single, $s_e$ where she marries Edwin, and $s_j$ where she marries the
judge. Angelina ($a$) has the right to remain single, so $\{s_s\} \in E(\{a\})$, whereas Edwin
can only guarantee that he does not marry Angelina; whether she marries the judge or
remains single is not up to him. Consequently, we have $\{s_s, s_j\} \in E(\{e\})$ and there is no
proper subset $X$ of $\{s_s, s_j\}$ such that $X \in E(\{e\})$. Analogously for the judge, we have
$\{s_s, s_e\} \in E(\{j\})$. Angelina and Edwin together can achieve any situation except the
one where Angelina marries the judge (since this alternative would require the judge’s
consent), and hence $\{s_s\}, \{s_e\} \in E(\{a, e\})$. Again, the situation is similar for the judge:
$\{s_s\}, \{s_j\} \in E(\{a, j\})$. ⊣

In most situations, coalitional effectivity functions will satisfy some additional
properties. Among the central properties are the following:


MONOTONICITY: Since a superset of states places fewer constraints on a coalition’s
ability, we can usually assume that effectivity functions are monotonic: For every
coalition $C \subseteq N$, if $X \subseteq X' \subseteq S$, $X \in E(C)$ implies $X' \in E(C)$.


MAXIMALITY: An effectivity function $E$ is $C$-maximal if for all $X$, if $\overline{X} \notin E(\overline{C})$ then
$X \in E(C)$. $E$ is maximal iff for all coalitions $C$ it is $C$-maximal. Instantiating this
condition for 2 players over $S = \{win_1, win_2\}$, $\{1\}$-maximality expresses that the
game is determined: if one player does not have a winning strategy, then the other
player does.


SUPERADDITIVITY: The most interesting principle governs the formation of coalitions.
It states that coalitions can combine their strategies to (possibly) achieve more: $E$
is superadditive if for all $X_1, X_2, C_1, C_2$ such that $C_1 \cap C_2 = \emptyset$, $X_1 \in E(C_1)$ and
$X_2 \in E(C_2)$ imply that $X_1 \cap X_2 \in E(C_1 \cup C_2)$.


Given utility functions $(u_i)_{i \in N}$ for the players, effectivity functions also allow us to
define solution concepts. Given an effectivity function $E : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$, call an
alternative $s \in S$ dominated if there is a set $X \subseteq S$ and a coalition $C$ such that $X \in E(C)$
and for all $i \in C$ and $x \in X$ we have $u_i(x) > u_i(s)$.


DEFINITION 11 (Core). Given an effectivity function $E : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ and utility
functions $(u_i)_{i \in N}$, the core of $(E, (u_i)_{i \in N})$ is the set of undominated alternatives. ⊣


In connection with the core, it is usually also assumed that for all sets $X \neq \emptyset$, we
have $X \in E(N)$, so in particular, any state can be achieved by the grand coalition of all
players.

An effectivity function $E$ is stable if for any set of utility functions $(u_i)_{i \in N}$, the core of
$(E, (u_i)_{i \in N})$ is nonempty. Given $E$ and $(u_i)_{i \in N}$, one can determine in polynomial time
whether the core of $(E, (u_i)_{i \in N})$ is nonempty. Determining whether $E$ is stable, however,
is an NP-complete problem [50].


From Strategic Games to Effectivity Functions 


Effectivity functions can be derived from a strategic game form in a number of different
ways. Given a strategic game form $G$, a coalition $C \subseteq N$ will be α-effective for a set
$X \subseteq S$ iff the coalition has a joint strategy which will result in an outcome in $X$ no
matter what strategies the other players choose. Formally, for a strategic game form
$G = (N, (\Sigma_i)_{i \in N}, o, S)$, its α-effectivity function $E^\alpha_G : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ is defined as
follows:

$X \in E^\alpha_G(C)$ iff $\exists \sigma_C \forall \sigma_{\overline{C}}\ o(\sigma_C, \sigma_{\overline{C}}) \in X$.


We say that an effectivity function $E : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ α-corresponds to a strategic
game $G$ iff $E = E^\alpha_G$.

Analogously, a coalition $C \subseteq N$ will be β-effective for a set $X \subseteq S$ iff for every joint
strategy of the other players, the coalition has a joint strategy which will result in an
outcome in $X$. Hence, in contrast to α-effectivity, the coalition’s strategy may depend
on the strategy of the other players. Formally, the β-effectivity function
$E^\beta_G : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ of a game form $G$ is defined as follows:


$X \in E^\beta_G(C)$ iff $\forall \sigma_{\overline{C}} \exists \sigma_C\ o(\sigma_C, \sigma_{\overline{C}}) \in X$.


It is easy to see that $E^\alpha_G \subseteq E^\beta_G$, i.e. α-effectivity implies β-effectivity, but the converse
does not hold, as the example in Figure 7 illustrates. In that game $G$, player 1 chooses
the row, player 2 the column, and the third player chooses between the left and the right
table. For every joint strategy of players 1 and 3, player 2 has a strategy which yields
outcome $s_2$. Note, however, that this strategy depends on the strategies chosen by players
1 and 3, i.e., player 2 has no strategy which will guarantee outcome $s_2$ independent of the
strategies of players 1 and 3. In terms of α- and β-effectivity, we have $\{s_2\} \in E^\beta_G(\{2\})$,
but $\{s_2\} \notin E^\alpha_G(\{2\})$. The coalition consisting of players 1 and 2 on the other hand does
have a joint strategy (r, l) which guarantees $s_2$ independent of player 3’s strategy, i.e.
$\{s_2\} \in E^\alpha_G(\{1,2\})$.

        l     m     r                 l     m     r
   l    s1    s2    s1           l    s3    s1    s2
   r    s2    s1    s3           r    s2    s3    s3

Figure 7. A strategic game where α- and β-effectivity differ

While this discussion shows that every strategic game form can be linked to an effectivity
function via α-correspondence, not every effectivity function will be the α-effectivity
function of a strategic game form. The properties required to obtain a precise
characterisation result are the following.


THEOREM 12 ([63]). An effectivity function $E : \mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S))$ α-corresponds to a
strategic game form if and only if it is monotonic, N-maximal and superadditive.
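
The two effectivity notions can be computed directly from the outcome table of Figure 7. The following is an added example, not code from the handbook: it evaluates α- and β-effectivity by brute force and checks the three properties of Theorem 12 for the α-effectivity function. The table's top-left entry is hard to read in this copy and is taken to be s1; none of the facts about s2 checked here depend on it.

```python
from itertools import combinations, product

PLAYERS = (1, 2, 3)
STRATEGIES = {1: ("l", "r"), 2: ("l", "m", "r"), 3: ("left", "right")}
STATES = frozenset({"s1", "s2", "s3"})
# Outcome function o of Figure 7, keyed by (row of player 1, table of player 3);
# each value lists the outcomes for player 2's columns l, m, r.
# Assumption: the first entry of the first row is read as "s1" (garbled in the source).
ROWS = {
    ("l", "left"): ("s1", "s2", "s1"),
    ("r", "left"): ("s2", "s1", "s3"),
    ("l", "right"): ("s3", "s1", "s2"),
    ("r", "right"): ("s2", "s3", "s3"),
}

def o(profile):
    """Outcome of a full strategy profile {player: strategy}."""
    column = STRATEGIES[2].index(profile[2])
    return ROWS[(profile[1], profile[3])][column]

def joint(coalition):
    """All joint strategies of a coalition; the empty coalition has exactly one."""
    members = sorted(coalition)
    return [dict(zip(members, c)) for c in product(*(STRATEGIES[p] for p in members))]

def alpha(C, X):
    """X in E^alpha(C): some joint strategy of C forces X against every reply."""
    rest = set(PLAYERS) - set(C)
    return any(all(o({**sc, **sr}) in X for sr in joint(rest)) for sc in joint(C))

def beta(C, X):
    """X in E^beta(C): for every strategy of the others, C has an answer in X."""
    rest = set(PLAYERS) - set(C)
    return all(any(o({**sc, **sr}) in X for sc in joint(C)) for sr in joint(rest))

def powerset(items):
    items = sorted(items)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def check_theorem_12(E):
    """Return (monotonic, N-maximal, superadditive) for effectivity predicate E."""
    sets, coalitions = powerset(STATES), powerset(PLAYERS)
    everyone, nobody = frozenset(PLAYERS), frozenset()
    monotonic = all(E(C, Y) for C in coalitions
                    for X in sets for Y in sets if X <= Y and E(C, X))
    # N-maximality: whatever the empty coalition cannot ensure to be avoided,
    # the grand coalition can bring about.
    n_maximal = all(E(everyone, X) for X in sets if not E(nobody, STATES - X))
    superadditive = all(E(C1 | C2, X1 & X2)
                        for C1 in coalitions for C2 in coalitions if not (C1 & C2)
                        for X1 in sets for X2 in sets if E(C1, X1) and E(C2, X2))
    return monotonic, n_maximal, superadditive

if __name__ == "__main__":
    print("alpha({2},{s2}) =", alpha({2}, {"s2"}))
    print("beta({2},{s2})  =", beta({2}, {"s2"}))
    print("alpha({1,2},{s2}) =", alpha({1, 2}, {"s2"}))
    print("Theorem 12 properties of E^alpha:", check_theorem_12(alpha))
```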


3 GAME FORMS AND KRIPKE MODELS 


Figure 3 invites the modal logician to apply his tools and analysis as provided in especially 
Chapter 1 of this handbook in a natural way: games in extensive form are just models 
over time or processes in disguise [85]. In other words, if one is interested in the moves 
and their outcomes, extensive games can be conceived of as Kripke models for dynamic 
logic: see also Section 9. We take this perspective in this section, swiftly moving the 
focus of our analysis from the area of games to that of logic. To start with, we abstract 
from the specific actions, and reason about what specific agents can achieve. We do this 
in an example driven, and semantic way, in Section 3.1. When combining the players’ 
powers with their preferences, modal logic can help to shed light on solution concepts, an 
exercise we will undertake in Section 3.2. In these two subsections, it is not the extensive 
form of the game that matters for the modal analysis so much, but more which end-nodes 
can be reached. We make some remarks concerning equivalence and expressivity taking 
the full structure of the extensive game into account, in Section 3.3. Yet another point of 
view takes the strategies, or, rather, the paths in an extensive game as first class citizens: 
see Section 11. 


Games in Strategic Form 


However, before exploiting the modal structure of games in extensive form, let us follow
the structure of Section 2.1 and point out that the applicability of modal logic also
extends to games in strategic form. The contribution [13] introduces a dynamic relation
$R_i$ for every player $i$, with intended meaning that $s R_i t$ holds iff from state $s$, player $i$ can
unilaterally bring about state $t$. States are states of the game, and $\sigma$ assigns to every
state the strategy profile that is being played in any state: e.g., $\sigma_i(s) = s_i$ denotes that
$i$ plays strategy $s_i$ in $s$. Regarding the atomic propositions, [13] assumes to have atoms
$q \le p$ for any natural numbers $p$ and $q$ (with straightforward interpretation), and, for
every player $i$ and number $p$, an atom $u_i = p$ denoting its utility (or pay-off) at any
state: such an atom is true at $s$ iff $u_i(\sigma(s)) = p$, where $u_i$ assigns a utility $p \in \mathbb{N}$ to
every strategy profile $\sigma$. We assume to only need finitely many values $Val = \{p, q, \ldots\}$.
Finally, the atom Nash is true at all the profiles at which this equilibrium is played.

For instance, using a suggestive name for states, in our representation of the Prisoner’s
Dilemma (see Figure 2), in state (D, D) it is true that $u_1 = -4 \wedge u_2 = -4$ and, everywhere
in the game, we have


$\Box_2 \Diamond_1 \bigvee_{q \in Val} ((u_1 = q) \wedge (q \ge -4)) \;\wedge\; \Diamond_2 \Box_1 \bigwedge_{p \in Val} ((u_1 = p) \to (p \le -4))$   (1)


Equation (1) expresses that, no matter what player 2 does, player one can guarantee
himself a payoff of -4, but at the same time, he can do no better than that: 2 can play
a move such that the best that 1 can achieve is -4. Note that we do have, in the game of
Figure 2, that $\Diamond_1 \Diamond_2 ((u_1 > -4) \wedge (u_2 > -4))$ (if the players were to cooperate, they could
achieve more than -4 each). Let $p_1, \ldots, p_n$ be a set of $n$ payoff values. The following is
valid in every strategic game $G$:


$\bigwedge_{i \in N} \big( (u_i = p_i) \wedge \Box_i \bigwedge_{q \in Val} ((u_i = q) \to (q \le p_i)) \big) \leftrightarrow \big( \bigwedge_{i \in N} (u_i = p_i) \wedge Nash \big)$   (2)


This formula is equivalent to saying that, given that every player $i$’s outcome is $p_i$,
the strategy played is a Nash-outcome if and only if no player $i$ can unilaterally deviate
and achieve something ($q$) that is better than $p_i$.


3.1 Players and Outcomes 


Given an extensive game form $F = (N, H, P)$, we straightforwardly associate with it
a game frame $\mathcal{F}^N_F = (W, (R_i)_{i \in N})$ with the obvious addition that $H = W$ and $R_i st$ iff
$P(s) = i$ & $t = (s, a)$ for some action $a$, i.e., if player $i$ is to move in $s$ and he can
choose a move that leads to $t$. Such a frame is generated from a root and, moreover,
turn-based: if $R_i st$ then for no other $j$ and for no $u$ also $R_j su$. Basic propositions like
$turn_i$ (player $i$ is to move) and $end$ (we are in a leaf) can easily be defined, as $\Diamond_i \top$ and
$\bigwedge_{i \in N} \Box_i \bot$, respectively. We can also start from an extensive game $G$ and then obtain $\mathcal{F}^N_G$
by augmenting the frame with a preference relation. Moreover, we can assume to have
atoms $u_i = p_i$ or $win_i$ in the language, and interpret them in an appropriate manner in
a model $\mathcal{M}^N_F$ or $\mathcal{M}^N_G$. For instance, in the game on the right of Figure 3, we have in the
root that $\Diamond_1(\Box_2(u_2 \le 2) \wedge \Diamond_2 \top) \wedge \Diamond_1 \Box_2 \bot$: player 1 can enforce a state such that player
2 can move but is unable to obtain more than 2 units, but player 1 can also move to a
state in which player 2 cannot make any move anymore.
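
Reading a game tree as a Kripke frame makes such claims checkable by a few lines of model checking. The following is an added example, not code from the handbook or from [13]: the tree and payoffs are an assumed reconstruction of Figure 3 (right), the formula encoding as nested tuples is hypothetical, and the atom "u_i <= p" is taken to be true only at leaves.

```python
# Constructed frame: assumed shape of the right-hand game of Figure 3.
# Worlds are histories (W = H); R_i links s to (s, a) exactly when P(s) = i.
P = {(): 1, ("l",): 2}                                   # player function
SUCC = {(): [("l",), ("r",)], ("l",): [("l", "L"), ("l", "R")]}
U = {("l", "L"): (0, 0), ("l", "R"): (2, 1), ("r",): (1, 2)}   # payoffs at leaves
W = list(SUCC) + list(U)
PLAYERS = (1, 2)

def R(i, s):
    """R_i-successors of world s; empty unless it is player i's turn at s."""
    return SUCC[s] if P.get(s) == i else []

def holds(f, s):
    """Truth of formula f (a nested tuple) at world s."""
    op = f[0]
    if op == "top":
        return True
    if op == "bot":
        return False
    if op == "and":
        return all(holds(g, s) for g in f[1:])
    if op == "dia":        # ("dia", i, g): some R_i-successor satisfies g
        return any(holds(f[2], t) for t in R(f[1], s))
    if op == "box":        # ("box", i, g): every R_i-successor satisfies g
        return all(holds(f[2], t) for t in R(f[1], s))
    if op == "u_le":       # ("u_le", i, p): atom u_i <= p, interpreted at leaves
        return s in U and U[s][f[1] - 1] <= f[2]
    raise ValueError(f"unknown operator {op!r}")

def turn(i):
    """turn_i, defined as <i> top."""
    return ("dia", i, ("top",))

# end, defined as the conjunction over all players of [i] bottom.
END = ("and",) + tuple(("box", i, ("bot",)) for i in PLAYERS)

# <1>([2](u_2 <= 2) & <2>top) & <1>[2]bottom, the root property stated in the text.
ROOT_FORMULA = ("and",
                ("dia", 1, ("and", ("box", 2, ("u_le", 2, 2)), turn(2))),
                ("dia", 1, ("box", 2, ("bot",))))

def turn_based():
    """At every world at most one player has a successor."""
    return all(sum(bool(R(i, s)) for i in PLAYERS) <= 1 for s in W)

def worlds_where(f):
    return [s for s in W if holds(f, s)]

if __name__ == "__main__":
    print("root formula holds:", holds(ROOT_FORMULA, ()))
    print("end holds at:", worlds_where(END))
    print("turn_1 at:", worlds_where(turn(1)), " turn_2 at:", worlds_where(turn(2)))
```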

The paper [13] argues that modal logic not only is a useful tool to describe the
rational behaviour of players (see Section 3.2), but also when it comes to prescribing the
players how to act. To do so, [13] adds a relation $R_*$ to a game frame $\mathcal{F}^N$ representing
(paths according to) a recommendation that the players are given, i.e., $R_* \subseteq R_N^+$, where
$R_N^+$ is the transitive closure of $R_N = (\bigcup_{i \in N} R_i)$ with the following properties: (1) $R_*$
is transitive (if it is recommended to reach $w_2$ from $w_1$ and $w_3$ from $w_2$, then it is
recommended to reach $w_3$ in $w_1$); (2) if for some $w'$, $R_N w w'$ (i.e., $w$ is a decision
node $\in T = H \setminus Z$), then also $R_* w w''$ for some $w''$ (if a player is to move at $w$, then
a recommendation must be made); and, finally (3) if $R_* w_1 w_3$ and at the same time
$R_N^+ w_1 w_2$ and $R_N^+ w_2 w_3$, then we have both $R_* w_1 w_2$ and $R_* w_2 w_3$ (if it is recommended
in $w_1$ to reach $w_3$, then any path to do that is a recommended path).

Moreover, [13] allows for atomic propositions $(q \le p)$ and $u_i = p_i$, the latter only being
true in a state $s$ iff $s$ is a leaf, with $u_i(s) = p_i$. Now consider the following scheme:


$\Diamond_* (u_i = p_i) \to \Box_i \big( ((u_i = q_i) \vee \Diamond_* (u_i = q_i)) \to q_i \le p_i \big)$   (3)


[13] refers to (3) as internal consistency of a recommendation, “in the sense that no
player can increase his payoff by deviating from the recommendation, using the
recommendation itself to predict his future payoff after the deviation” ([13, page 17]).

Of course, it is up to the game theoretician to come up with the ‘right recommendation’,
but an obvious choice would be that they play a Nash equilibrium. In a generic
game (cf. Theorem 13), the backward induction algorithm determines for every decision
node a unique immediate successor: let us call this the backward induction relation BI.
We say that a recommendation relation $R_*$ is the backward induction recommendation
if it is the transitive closure of BI. The next Proposition tells us that scheme (3) can be
understood as characterising backward induction.


THEOREM 13. [13, Proposition 4.8] Let $G$ be a generic perfect information game and
$\mathcal{F}_*$ its associated Kripke model, with a recommendation relation $R_*$. Then the following
are equivalent:


(1) $R_*$ is the backward induction recommendation


(2) scheme (3) is valid in $\mathcal{F}_*$


3.2 Formalising Solution Concepts in Modal Languages 


The aim of [35] is also to formalise solution concepts in a modal logic. We again start
with frames $F_G$ based on a game $G$ with preference relations $(\succeq_i)_{i \in N}$. It assumes that
every $\succeq_i$ is reflexive, transitive and connected (i.e., for all $u, v$: $u \succeq_i v$ or $v \succeq_i u$). Every
$\succeq_i$ gives rise to an operator $[i]$, with intuitive reading of $[i]\varphi$: “$\varphi$ holds in all states at
least as preferable to the present one”.

The other first class citizens in [35] are strategy profiles in the game $G$. For any such
profile $\sigma$, let $R_\sigma st$ iff following $\sigma$ in $s$ would eventually lead to the end state $t$. Thus,
$[\sigma]\varphi$ reads “if from here all players adhere to $\sigma$, the play will eventually end in a state
in which $\varphi$ holds”. Finally, for every player $i$ and strategy profile $\sigma$, recall that $(\tau_i, \sigma_{-i})$
is the profile where all players stick to $\sigma$, except for $i$ who deviates and plays $\tau_i$. We
use this to define a third accessibility relation: $R_{(i,\sigma)} st$ iff for some $\tau_i$, $R_{(\tau_i, \sigma_{-i})} st$.
Hence, the meaning of $[i,\sigma]\varphi$ in $s$ becomes that “$\varphi$ holds in all the states that will be
reached if all the players except possibly $i$ play the strategy $\sigma$”. Given an extensive game
$G = (N, H, P, (\succeq_i)_{i \in N})$ we now define $F_G$ as $(H, (\succeq_i), (R_\sigma), (R_{(i,\sigma)}))$, where $i \in N$ ranges
over the players, and $\sigma$ over the strategy profiles. Note that the binary relations $R_\sigma$ and
$R_{(i,\sigma)}$ on such a frame have the leaves as their co-domain (cf. Figure 8). By decorating
such a frame with a valuation $\pi : H \to 2^A$ for some set of atoms $A$, we obtain a game
model $M_G$ for $G$.

Now, before stating a result about these relations, we first recall a result from
correspondence theory (see Chapter 5).

Figure 8. Transformation of an extensive game (left) to a game-frame (right) with respect
to two strategy profiles $\sigma$ and $\sigma'$ and their corresponding accessibility relations $R_\sigma$ and
$R_{(i,\sigma)}$ (dashed). Reflexive arrows at the leaves are omitted.


THEOREM 14. Suppose we have three accessibility relations $R_k$, $R_l$ and $R_m$ with
corresponding modalities. Then the scheme $\langle k \rangle [l] \varphi \to [m] \varphi$ characterises frames satisfying
$(k, l, m)$-Euclidicity, i.e., frames in which $\forall s, t, u\,((R_k st\ \&\ R_m su) \to R_l tu)$.


Remember that a Nash-equilibrium in an extensive game is a strategic profile $\sigma$ such
that for all players $i$ and profiles $\tau$, we have $o(\sigma_i, \sigma_{-i}) \succeq_i o(\tau_i, \sigma_{-i})$, i.e. no player can
improve his situation by unilaterally deviating from $\sigma$. The profile $\sigma$ is said to be a
best response for player $i$ iff for all profiles $\tau$, we have $o(\sigma_i, \sigma_{-i}) \succeq_i o(\tau_i, \sigma_{-i})$. This is an
individual pendant of Nash-equilibrium: clearly, a strategy profile $\sigma$ is a Nash-equilibrium
iff it is a best response for all players.


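THEOREM 15 ([35], Theorem 3.1). Let $F_G$ be obtained from the extensive game $G$ as
indicated above, and let $v_0$ be its root-node. Let ‘s.p.’ stand for ‘sub-game perfect’.


(i) $\sigma$ is a best response for $i$ in $G$ iff $F_G, v_0 \models \langle i, \sigma \rangle [i] \varphi \to [\sigma] \varphi$

(ii) $\sigma$ is an s.p. best response for $i$ in $G$ iff $F_G \models \langle i, \sigma \rangle [i] \varphi \to [\sigma] \varphi$

(iii) $\sigma$ is a Nash equilibrium in $G$ iff $F_G, v_0 \models \bigwedge_{i \in N} (\langle i, \sigma \rangle [i] \varphi \to [\sigma] \varphi)$

(iv) $\sigma$ is an s.p. (Nash) equilibrium in $G$ iff $F_G \models \bigwedge_{i \in N} (\langle i, \sigma \rangle [i] \varphi \to [\sigma] \varphi)$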


Note that the first item, together with Theorem 14 says that $\sigma$ is a best strategy for
$i$ in $v_0$ iff when $\sigma$ leads us to a leaf $z$, and any deviation by $i$ from $\sigma$ leads to a leaf $z'$,
then in $z'$ player $i$ is not better off. Also note that the sub-game perfect notions are the
global variants of the notions that hold in the root.


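Taut   any classical tautology                                  D!_σ   $[\sigma]\varphi \leftrightarrow \langle\sigma\rangle\varphi$
K      $[\beta](\varphi \to \psi) \to ([\beta]\varphi \to [\beta]\psi)$          F1     $[\sigma, i]\varphi \to [\sigma]\varphi$
T_i    $[i]\varphi \to \varphi$                                          F2     $[\sigma, i]([\sigma', i']\varphi \leftrightarrow \varphi)$
4_i    $[i]\varphi \to [i][i]\varphi$                                    F3     $[\beta]([i]\varphi \to \psi) \vee [\beta']([i]\psi \to \varphi)$
MP     $\vdash \varphi \to \psi,\ \vdash \varphi \Rightarrow\ \vdash \psi$                      Nec    $\vdash \varphi \Rightarrow\ \vdash [\beta]\varphi$

Table 1. Axioms for Extensive Game Logic. The variables $\beta, \beta', \ldots$ range over the
modalities $[i]$, $[\sigma]$ and $[i, \sigma]$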


The logic that comes with the semantics described here is dubbed Extensive Game
Logic in [35] (see Table 1). The axioms Taut and K and the rules MP and Nec denote
that we have a normal modal logic; T_i and 4_i reflect that the preference relation $\succeq_i$
is reflexive and transitive. Axiom D!_σ says that $R_\sigma$ is functional: any strategy profile
$\sigma$ prescribes a unique outcome. F1 expresses that if any deviation by $i$ from $\sigma$ leads
to a result $\varphi$, then this is in particular the case if $i$ sticks to $\sigma_i$, i.e., does not deviate.
Property F2 reflects that any strategy $(\tau_i, \sigma_{-i})$ takes us to a leaf. And from any leaf,
any further moves are void, i.e., $[\sigma', i']\varphi \leftrightarrow \varphi$ holds in it. Finally, F3 denotes a kind
of connectivity. Correspondence theory (cf. Chapter 5) tells us that the modal scheme
$\Box_1(\Box_3 \varphi \to \psi) \vee \Box_2(\Box_3 \psi \to \varphi)$ corresponds to the property that all $R_1$ and $R_2$-successors
are $R_3$-connected: $\forall w, u, v : ((R_1 wu\ \&\ R_2 wv) \to (R_3 uv \text{ or } R_3 vu))$. Hence F3 expresses
that all $R_\beta$- and $R_{\beta'}$-successors are $\succeq_i$-connected. By connectivity of $\succeq_i$, this
axiom is sound; the fact that we are in the realm of game frames makes F3 also ensure
this connectivity.


THEOREM 16. ([35, Theorem 4.1]) Extensive Game Logic as presented in Table 1 is strongly complete with respect to the semantics based on game models as defined on page 1092.


3.3 Games as Process Models


Although [35] takes games in extensive form as its starting point, a little reflection on Figure 8 should convince the reader that the language only allows one to reason about the outcomes of the game, not about intermediate states. Modal logic provides a wide range of languages, allowing one to discriminate graphs, and hence games, on many levels of abstraction. This section discusses ideas from [85], by which also the following games $G_1$ and $G_2$ are inspired.


[Diagram: the game trees $G_1$, $G_2$ and $H$]

Figure 9. Two ‘similar’ games $G_1$ and $G_2$. $H$ is an imperfect information game: see Section 6


Figure 9 represents two extensive game forms $G_1$ and $G_2$ for two players E and A, to which some propositional information has been added to the leaves. The question put forward in [85] is when two games are the same. When looking at the power of players, encoded in $\alpha$-effectivity functions (cf. Section 2), the games $G_1$ and $G_2$ of Figure 9 are the same: the powers of E are $\{\{p,q\},\{p,u\}\}$ while A is effective for $\{\{p\},\{q,u\}\}$. Also, the two games represent evaluation games (cf. [37]) for two formulas that are equivalent, viz., $p \land (q \lor u)$ and $(p \land q) \lor (p \land u)$: verifier has a winning strategy for both formulas in exactly the same models. Hence, if we are interested in the outcomes of games only, the games $G_1$ and $G_2$ can be coined the same. (We come back to the ‘power level’ for describing games in Section 10.)

On the other hand, there is admittedly a difference between the two games, if only for the feeling that A can hand over control to E to achieve $u$ in the left hand figure, whereas in the right hand side the converse looks a more appropriate description. Also, the two games differ by the mere fact that different players start in each. A property true in $G_1$ but not in $G_2$ for instance is that, if E is ever to move, he can guarantee $u$. Following [85], we see that when the turns and the moves of the players are at stake, the two extensive game models above are not equivalent.

When notions relating to the process of a game are important, formalisms, mainly arising from computer science, like process algebra, the Hoare-Dijkstra-Floyd calculus, dynamic modal logic and temporal logics naturally come to the surface, each with its own semantic notions concerning equality of structures, like (finite) trace equivalence, observational equivalence or bisimulation. Although also the more recent BDI-logics (logics addressing Beliefs, Desires and Intentions, see also Chapter 18) for reasoning about multi-agent systems have similar concerns, at this moment there is not yet a dominant framework in which actions of agents (or moves of players), the powers of coalitions and the informational and motivational attitudes of the players are all treated on a par. We restrict ourselves to some semantical observations here.

Taking moves as atomic actions in a PDL-like logic (see also Chapter 12) a property true in the root of $G_2$ would be $\langle l \cup r\rangle[L \cup R](p \lor q)$: indicating that there is an execution of the choice $l \cup r$ so that every execution of the choice $L \cup R$ leads to either $p$ or $q$. Apart from the choice operator $\cup$, one usually also has the constructs $;$ and $^*$ between programs, denoting sequential and iterative composition, respectively, and the test $?$ for propositions. To stay close to the previous section, where there are no labels for the player’s choices, let us first mention that [35] assumes the following atomic actions (in our notation). For every player $i \in N$ we add an action $mo_i$, where $R_{mo_i}st$ is true iff, if $i$ is to move at $s$, he has a choice that leads to $t$. Next, for every strategy profile $\sigma$, relation $R_{step(\sigma)}$ denotes the one-step transitions of $\sigma$, that is, $R_{step(\sigma)}st$ iff $\sigma(s) = t$.

We now can distinguish the two models $G_1$ and $G_2$ with for instance the formula $[mo_E][mo_A \cup mo_E]\bot$ which is only true in $G_1$, expressing that there are no moves possible after E has played. Following and specialising for instance [12], we can even identify formulas $\Phi_1$ and $\Phi_2$ such that $\Phi_i$ is true in a model $M_i$ if $M_i$ is bisimilar to $G_i$ above. The idea is simple, constructing a formula $\varphi_{G,s}$ for every state $s$ in a finite $G$ inductively as follows. If $s$ is a leaf, let $\varphi_{G,s}$ be the finite conjunction of literals over atoms true in $s$, together with the property that there are no moves to be made, i.e., $\varphi_{G,s} = \bigwedge_{G,s \models p} p \land \bigwedge_{G,s \not\models p} \neg p \land \bigwedge_{i \in N}[mo_i]\bot$. Next, let $t$ be a node such that for all its successors $s_1, \dots, s_k$ in the tree, $\varphi_{G,s_h}$ ($h \leq k$) is already defined, and suppose that $i$ is to move in $t$. Then

$$\varphi_{G,t} =_{def} \bigwedge_{G,t \models p} p \;\land \bigwedge_{G,t \not\models p} \neg p \;\land\; \bigwedge_{j \neq i}[mo_j]\bot \;\land\; \bigwedge_{h \leq k}\langle mo_i\rangle\varphi_{G,s_h} \;\land\; [mo_i]\Big(\bigvee_{h \leq k}\varphi_{G,s_h}\Big)$$


It will be clear from this construction, that for any extensive finite game $G$ with root $r_0$ we have that for any model $M$ and state $s$, $M,s \models \varphi_{G,r_0}$ iff $M,s$ is bisimilar to $G,r_0$. On game models, bisimulation boils down to isomorphism, but the notion is useful when reasoning about games as graph automata (see also Chapter 12 and [44]).

Observing that $\neg\langle step(\sigma)\rangle\top$ characterises the leaves in the game tree, and using while $\varphi$ do $\pi$ as shorthand for $(\varphi?\,;\pi)^*;\neg\varphi?$ (‘as long as $\varphi$, perform $\pi$’), we can define, for every coalition $M = \{i_1,\dots,i_m\} \subseteq N$ a program that, given $\sigma$, $N \setminus M$ adheres to it, but $M$ is allowed to deviate:

$$\Pi(\sigma,M) =_{def} \textbf{while } \langle step(\sigma)\rangle\top \textbf{ do } (step(\sigma) \cup mo_{i_1} \cup \dots \cup mo_{i_m})$$

The operator $[\sigma]$ of the previous section can now be defined as $[\Pi(\sigma,\emptyset)]$, whereas $[\sigma,i]$ becomes $[\Pi(\sigma,\{i\})]$, enabling us to express the characterisations of (s.p.) Nash equilibrium and best response, as in the previous section.

But one does not have to reason about just one strategy. Let us define end as being in a leaf: $end =_{def} \bigwedge_{i \in N}[mo_i]\bot$. We can then express that, when every player $i$ adheres to his strategy $\sigma_i$, the game will terminate in a state satisfying $\varphi$, using the formula $[(\bigcup_{i \in N}(mo_i)?;step(\sigma_i))^*](end \to \varphi)$. Every player $i$ playing strategy $\sigma_i$ of course induces a strategy profile $\sigma$, and as such, it can also be expressed in the framework of [35], but we can now also express properties of intermediate states. Let us define $plays(i,\sigma_i)$ as $(mo_i)?;step(\sigma_i)$, and, for a set of strategies $\Sigma_M$, one $\sigma_i$ for each $i \in M \subseteq N$, $Plays(M,\Sigma_M)$ as $\bigcup_{i \in M}((mo_i)?;step(\sigma_i))$, meaning that every agent $i$ in $M$ will play his strategy $\sigma_i$. Let us denote each agent $j$’s atomic actions (or choices) with $Ac_j$. Also, let $any(j)$ mean $(mo_j)?;\bigcup_{a \in Ac_j} a$, whereas $Any(M) =_{def} \bigcup_{j \in M} any(j)$. Then,

$$[(Plays(M,\Sigma_M) \cup Any(N \setminus M))^*]\varphi \qquad (4)$$

expresses that coalition $M$ can, by choosing the strategies $\Sigma_M$, ensure that, no matter what the other players $j \in N \setminus M$ will do, $\varphi$ will invariantly be true. This implies that $M$ has a strategy to ensure $\varphi$, which, as we will see in Section 11, is the basic expression of ATL. When abbreviating (4) as $(M,\Sigma_M)\varphi$, that basic expression of ATL can be expressed as $\bigvee_{\Sigma_M}(M,\Sigma_M)\varphi$, where $\Sigma_M$ ranges over sets of strategies for players in $M$. It is interesting to note that every strategy in a finite game model is definable in PDL, using the characteristic formulae $\varphi_{G,s}$ for $G,s$: simply observe that every transition labelled with choice $a_i$ from $s$ to $t$ can be denoted by $(\varphi_{G,s})?;a_i;(\varphi_{G,t})?$. However, since in general there will be exponentially many strategies, this is arguably more of technical interest than of practical value.


3.4 Other Issues 


Until now we have focused mainly on (Nash) equilibria and best response strategies. Recall from Zermelo’s theorem (Theorem 7) that in every finite win-loss game for two players, exactly one player has a winning strategy. Let us denote player $i$’s win by $win_i$. Following [85] once more, we can define predicates $Win_i$, meaning that, at the current node, $i$ has a winning strategy (let $i \neq j$):

$$Win_i \equiv (end \land win_i) \lor (turn_i \land \langle any(i)\rangle Win_i) \lor (turn_j \land [any(j)]Win_i)$$

This hints at an inductive definition for $Win_i$ using a least fixed-point schema

$$Win_i =_{def} \mu P.\,(end \land win_i) \lor (turn_i \land \langle any(i)\rangle P) \lor (turn_j \land [any(j)]P)$$

The reader immediately recognises the above as a formula in the $\mu$-calculus, which is the topic of Chapter 12 of this handbook. As another example, the expression $\mu P.\,(end \land \varphi) \lor (turn_i \land \langle any(i)\rangle P) \lor (turn_j \land [any(j)]P)$ says that $i$ has a strategy for guaranteeing a set of outcomes in which $\varphi$ is true. Note that this is already expressible in a PDL-like logic: just choose $N = M = \{i,j\}$ in equation (4). In Section 11 we will discuss the logic ATL which is specifically designed to reason about what agents, and indeed, coalitions can guarantee to hold.

Still, the relation between the $\mu$-calculus and games is an interesting one. The calculus provides a very natural way, using its fixed point definitions, to reflect the equilibrium character of game-theoretic notions. Specifically the connections between the $\mu$-calculus and games of possibly infinite duration are appealing: going back to an idea of [16], we know that any formula of the $\mu$-calculus expresses the existence of a strategy in a certain game.

As seen above, if the goal of a player is to reach some desirable position in finite time, the set of positions that guarantee the win can be computed as a least fixed point. However, when the aim is to stay forever within a set of some safe positions, the winning set can be presented as a greatest fixed point. (This is very reminiscent of the distinction between liveness and safety properties used in computer science, as first introduced in [43]. See also [40] for a survey and Chapter 12 of this handbook.) More sophisticated winning conditions arise naturally in games modelling potentially infinite behavior of reactive systems. In general, mutually dependent least and greatest fixed point operators are necessary. [55] (from which the current two paragraphs borrow heavily), suggests that this interplay between least and greatest fixed points may well be the secret of the success of the $\mu$-calculus: “...in contrast to first-order or temporal logic, the $\mu$-calculus did not emerge by a formalization of the natural language”. The $\mu$-calculus also can benefit from game theory, since the game semantics reduces $\mu$-calculus model checking to solving (parity) games: for more on this, see Chapter 12 of this handbook. A first impression of the complexity of such problems is given in Section 11. Another example of using games to settle complexity issues is provided in [12], where a two person corridor tiling game is used to prove the EXPTIME-hardness of PDL.
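
The two fixed-point readings above, as an added example (not code from the handbook): winning regions are computed by iterating a one-step "can force the next position into P" operator, from the empty set for reachability and from the full set for safety. The game tree, the cyclic arena, the player names E and A and all function names are constructed for illustration; the safety operator is the standard one, which the text describes but does not write out, and it assumes every arena position has a successor.

```python
# Added example: winning regions as fixed points of a controllable-predecessor step.
# A game maps each node to (player to move, list of successors); leaves have no successors.

def fixpoint(f, start):
    """Iterate the monotone operator f from `start` until it stabilises."""
    x = frozenset(start)
    while True:
        nxt = frozenset(f(x))
        if nxt == x:
            return x
        x = nxt

def cpre(game, player, P):
    """(turn_i and <any(i)>P) or (turn_j and [any(j)]P): `player` can force the next node into P."""
    out = set()
    for node, (turn, succ) in game.items():
        if not succ:                      # leaf: 'end' holds, nobody is to move
            continue
        quantifier = any if turn == player else all
        if quantifier(s in P for s in succ):
            out.add(node)
    return out

def win_reach(game, player, goal):
    """Least fixed point  mu P. goal or cpre(P): the goal is reached in finitely many moves."""
    return fixpoint(lambda P: set(goal) | cpre(game, player, P), ())

def win_safe(game, player, safe):
    """Greatest fixed point  nu P. safe and cpre(P): the play stays inside `safe` forever."""
    return fixpoint(lambda P: set(safe) & cpre(game, player, P), game.keys())

# Constructed finite win-loss tree: E moves at the root, A moves at a and b.
TREE = {
    "r": ("E", ["a", "b"]),
    "a": ("A", ["a1", "a2"]),
    "b": ("A", ["b1", "b2"]),
    "a1": (None, []), "a2": (None, []), "b1": (None, []), "b2": (None, []),
}
E_WINS = {"a1", "b1", "b2"}               # leaves where win_E holds
A_WINS = {"a2"}                           # leaves where win_A holds

# Constructed cyclic arena for a game of infinite duration; E wants to avoid 'bad'.
ARENA = {
    "s0": ("E", ["s1", "s2"]),
    "s1": ("A", ["s0", "bad"]),
    "s2": ("A", ["s0"]),
    "bad": ("E", ["bad"]),
}
SAFE = {"s0", "s1", "s2"}

def zermelo_holds(game, root):
    """Exactly one of the two players has a winning strategy at the root."""
    return (root in win_reach(game, "E", E_WINS)) != (root in win_reach(game, "A", A_WINS))

def wrong_fixed_points():
    """Swap mu and nu on ARENA: both answers are useless, which is why the choice matters."""
    lfp_of_safety = fixpoint(lambda P: SAFE & cpre(ARENA, "E", P), ())
    gfp_of_reach = fixpoint(lambda P: {"bad"} | cpre(ARENA, "A", P), ARENA.keys())
    return lfp_of_safety, gfp_of_reach

if __name__ == "__main__":
    print("Win_E on TREE :", sorted(win_reach(TREE, "E", E_WINS)))
    print("Win_A on TREE :", sorted(win_reach(TREE, "A", A_WINS)))
    print("E stays safe  :", sorted(win_safe(ARENA, "E", SAFE)))
    print("A reaches bad :", sorted(win_reach(ARENA, "A", {"bad"})))
    print("swapped       :", wrong_fixed_points())
```

On the arena the safety region of E and the reachability region of A partition the positions, and swapping the two fixed points yields the empty set and the whole arena respectively.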


4 EPISTEMIC LOGIC 


We saw in Section 2 that it makes sense to be explicit about the amount of information 
that each player has, at a given state of the game. Epistemic logic studies the notion of 
knowledge, and since [36], a mainstream in formal approaches to knowledge and belief 
is grounded in a possible world semantics. In the 1990’s, these approaches were further 
developed in areas like computer science, cf. [21] — originally motivated by the need to 
reason about communication protocols — and artificial intelligence, cf. [49] and [51] — to 
reason about epistemic preconditions of actions. From the early days of game theory (cf. 
[4]) it has been recognised that the amount of knowledge that agents have is crucial in 
many solution concepts. But the formalisation of knowledge in game theory only took 
off since the late nineties, partially due to the TARK and LOFT events ([77, 45]). 

The monograph [11] distinguishes between the notions of perfect/imperfect information on the one hand, and those of complete/incomplete information on the other. A game is of perfect information if the rules specify that the players always know ‘where they are’: for games in extensive form this means that each player is free in every node to make a decision independent of that in other nodes. A game is of complete information if everything is known about the circumstances under which the game is played, like the probability that nature chooses a certain outcome, and who the opponent is and how risk-averse he is. In a game with incomplete information, players do not necessarily know which game they are playing, or who the other players are. Such games, although realistic, are up to now mainly the domain of a research area called evolutionary game theory, utilising theories of learning and evolutionary computation (see for an overview, [79]). Epistemic logic is nowadays widely used to express various degrees of imperfect information in a game; assumptions about the completeness of information are still often made on a meta-level.

axioms and rules for $S5_m$, where $i \leq m$                                   multi-agent notions
A1  any axiomatisation for propositional logic                                  A6   $E\varphi \leftrightarrow (K_1\varphi \land \dots \land K_m\varphi)$
A2  $(K_i\varphi \land K_i(\varphi \to \psi)) \to K_i\psi$                      A7   $(C\varphi \land C(\varphi \to \psi)) \to C\psi$
A3  $K_i\varphi \to \varphi$                                                    A8   $C\varphi \to \varphi$
A4  $K_i\varphi \to K_iK_i\varphi$                                              A9   $C\varphi \to EC\varphi$
A5  $\neg K_i\varphi \to K_i\neg K_i\varphi$                                    A10  $C(\varphi \to E\varphi) \to (\varphi \to C\varphi)$
R1  $\vdash \varphi,\ \vdash \varphi \to \psi\ \Rightarrow\ \vdash \psi$
R2  $\vdash \varphi\ \Rightarrow\ \vdash K_i\varphi$                            R3   $\vdash \varphi\ \Rightarrow\ \vdash C\varphi$

Table 2.

Modal epistemic logic, the logic of knowledge, provides a very natural interpretation to the accessibility relation in Kripke models. For an agent $i$, two worlds $w$ and $v$ are connected (written $R_iwv$), if the agent cannot (epistemically) distinguish them. In other words, we have $R_iwv$ if, according to $i$’s information at $w$, the world might as well be in state $v$, or that $v$ is compatible with $i$’s information at $w$. Using this interpretation of access, $R_i$ is obviously an equivalence relation. Readers familiar with game theory may be best acquainted with epistemic notions in this field as summarised in [5]. In that terminology, our set of states $S$ is a space $\Omega$ of states of the world, our equivalence relation $R_i$ is [5]’s partition $F_i$ of $\Omega$, and our formulas correspond to [5]’s events. Also, our equivalence relations connect in an obvious way to the partitions mentioned in Definition 8.

The epistemic modal language for $m$ agents is obtained by allowing a modal operator $K_i$ for every agent $i \leq m$, with $K_i\varphi$ meaning: agent $i$ knows $\varphi$. The corresponding Kripke models are $M = \langle W, R_1, R_2, \dots, R_m, \pi\rangle$, with each $R_i$ being an equivalence relation. Thus, we are in the realm of the multi-modal logic $S5_m$, of which the axioms are summarised in Table 2. They express that knowledge is closed under consequences (A2), it is veridical (A3) and agents are both positively and negatively introspective (A4 and A5, respectively). Moreover, all agents know the $S5_m$-theorems. Clearly, these properties represent logically omniscient agents (see also Chapter 18), and hence adopting this particular logic for the knowledge of players assumes an ideal case of perfect reasoners. For an overview of weakening the axioms to tackle logical omniscience, we refer the reader to [21, 49].


THEOREM 17. We have the following facts for $S5_m$, which is the logic summarised in the left hand side of Table 2.

1. The system $S5_m$ is sound and complete with respect to Kripke models in which every $R_i$ is an equivalence relation. The complexity of the satisfiability problem for $S5_m$ if $m > 1$ is PSPACE-complete (cf. [21]).

2. Taking $m = 1$, the logic $S5_1$ is also sound and complete for the semantics where $R$ is the universal relation. The complexity of the satisfiability problem for $S5_1$ is the same as for propositional logic: it is NP-complete. Moreover, every formula $\varphi$ is equivalent in $S5_1$ to a formula without any nesting of modal operators (cf. [49]).


EXAMPLE 18. Let us, as an example, consider the $S5_3$ model hexa, taken from [98], which focuses on the knowledge and ignorance of players in games with imperfect information, by introducing the notion of knowledge games, games in which the knowledge of the players, and the effect of their moves upon this knowledge, is described. In hexa, we have three players (1, 2 and 3) and three cards, each with a neutral side and a coloured face: r (red), w (white) or b (blue). If a player holds a card, he is the (initially only) player that knows its colour. See Figure 10 for the Kripke model hexa representing the knowledge of the players after the three cards have been dealt. The state rwb represents the deal where player 1 holds r, 2 holds w, and 3 holds b; this distribution is denoted in the object language as $\delta_{rwb} = r_1 \land w_2 \land b_3$. From now on, we will underline the ‘actual’ state of the model: hexa thus represents the knowledge of the players given that the actual deal is rwb. Reflexive access is not represented, thus it is understood that both rwb and rbw are 1-accessible from rwb: given that 1 has the red card, he does not know whether the deal is rwb or rbw.


[Diagram: the Kripke models hexa, $hexa_1$ and $hexa_2$]

Figure 10. The initial model hexa; $hexa_1$ and $hexa_2$ are obtained using updates (cf. Section 7)


Interestingly, hexa not only tells us that every agent knows its own card (we have for instance $hexa, rwb \models K_1r_1$, and, more generally, $hexa, c_1c_2c_3 \models K_ic_i$ ($c_i \in \{r,w,b\}, i \leq 3$)), but also that everybody knows this. So, for instance, we have, and this is independent of the actual deal, $hexa \models K_1\bigwedge_{c_2,c_3 \in \{r,w,b\}}((c_2 \to K_2c_2) \land (c_3 \to K_3c_3))$. And again, it is also the case that player 3 knows this. The aim of the game initiated by hexa is to find out the distribution of the cards, and we will return to the model when studying the dynamics of epistemics, in Section 7.

Indeed, the description of the situation that we gave is common knowledge, which is an intriguing multi-agent epistemic notion. Let us define ‘everybody knows’ ($E\varphi$) as is done in axiom A6 in Table 2; then the remaining axioms and rule on the right side of this table capture the intuition that common knowledge of $\varphi$ models $E\varphi \land EE\varphi \land EEE\varphi \land \dots$. Indeed, if we denote the axiom system represented in Table 2 by $S5C_m$, then one easily checks that $\vdash_{S5C_m} C\varphi \to E^n\varphi$, for arbitrary $n \in \mathbb{N}$, and, conversely, that $\{E^n\varphi \mid n \in \mathbb{N}\} \models C\varphi$. Semantically, the accessibility relation $R_E$, with respect to which E-knowledge is the necessity, is $\bigcup_{i \leq m} R_i$, and then $R_C$ (the relation for common knowledge) is the transitive closure $R_E^+$ of $R_E$. We will denote any dual operator $\neg X\neg$ of $X$ with $\hat{X}$.

EXAMPLE 19 (The muddy children). In this example the principal players are a father 
and k children, of whom m (with m < k) have mud on their foreheads. The father calls 
all the children together. None of them knows whether it is muddy or not, but they can 
all accurately perceive the other children and judge whether they are muddy. This all is 
common knowledge. Now the father has a very simple announcement (5) to make: 


At least one of you is muddy. If you know that you are muddy, step forward. (5) 


After this, nothing happens (except in case m = 1). When the father notices this, 
he literally repeats the announcement (5). Once again, nothing happens (except in case 
m = 2). The announcement and subsequent silence are repeated until the father’s m-th 
announcement. Suddenly all m muddy children step forward! 

Let us analyse the muddy children problem semantically, where we have 3 children. In Figure 11, the initial situation is modelled in twomud (we come back to a formal analysis of the story in Section 7). Worlds are denoted as triples $xyz$. The world 110 for instance denotes that child a and b are muddy, and c is not. Given the fact that every child sees the others but not itself, we can understand that agent a ‘owns the horizontal lines’ in the figure, since a can never distinguish between two states $0yz$ and $1yz$. Similar arguments apply to agents b and c.


[Diagram: the Kripke models twomud, $twomud_1$ and $twomud_2$]

Figure 11. Muddy Children: initial situation twomud and after two updates ($twomud_1$ and $twomud_2$)


Let us see what epistemic truths we have in the state (twomud, $s$), with $s = 110$. The only propositional atoms we use are $m_i$ ($i = a,b,c$) with meaning ‘child $i$ is muddy’. In state $s$, we then have for instance $\neg(K_am_a \lor K_a\neg m_a)$ (agent a does not know whether it is muddy), and also $K_a(m_b \land \neg K_bm_b) \land K_a(\neg m_c \land \neg K_c\neg m_c)$ (a knows that b is muddy without knowing it, and also that c is mudless without knowing that). Regarding group notions, we observe the following, in $s$. Let $\ell$ denote that at least one child is muddy ($\ell = m_a \lor m_b \lor m_c$).

1. $E\ell \land \neg Em_a \land \neg Em_b \land \neg Em_c$: everybody knows that there is at least one muddy child, but nobody is known by everybody to be muddy

2. $K_cE\ell \land \neg K_bE\ell$: c knows that everybody knows that there is at least one muddy child, but b does not know that everybody knows at least one child to be muddy. To see the second conjunct, note that $twomud, 100 \models \neg E\ell$, hence $twomud, s \models \neg K_bE\ell$.

3. $\neg C\ell$: It is not common knowledge that there is at least one muddy child! This follows immediately from the previous item, but also directly from the model: one can find a path from $s = 110$ via 010 to 000, the latter state being one at which no child is muddy. One easily verifies that we have even $twomud \models \neg C\ell$.
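
The claims of Example 19 can be checked mechanically. The following added example (not part of the handbook) builds twomud as a Kripke model, evaluates K, E and C as operations on sets of worlds, and also replays the father's repeated announcement as world elimination; that treatment of updates, and all class and function names, are assumptions made here, since the text defers the formal analysis to Section 7.

```python
# Added example: model checking the muddy-children model twomud (three children a, b, c).
from itertools import product

AGENTS = "abc"

def indist(i, w, v):
    """R_i w v: child i sees every forehead except its own."""
    k = AGENTS.index(i)
    return all(w[j] == v[j] for j in range(len(AGENTS)) if j != k)

class Model:
    def __init__(self, worlds):
        self.worlds = frozenset(worlds)

    def neg(self, prop):
        return set(self.worlds) - set(prop)

    def muddy(self, i):
        """The atom m_i as a set of worlds; world '110' means a and b muddy, c clean."""
        return {w for w in self.worlds if w[AGENTS.index(i)] == "1"}

    def K(self, i, prop):
        """Worlds where i knows prop: prop holds in every world i cannot tell apart."""
        return {w for w in self.worlds
                if all(v in prop for v in self.worlds if indist(i, w, v))}

    def E(self, prop):
        """Everybody knows: necessity for the union of the R_i."""
        result = set(self.worlds)
        for i in AGENTS:
            result &= self.K(i, prop)
        return result

    def C(self, prop):
        """Common knowledge E p & EE p & ... as the greatest X with X = E(p & X)."""
        x = set(self.worlds)
        while True:
            nxt = self.E(prop & x)
            if nxt == x:
                return x
            x = nxt

    def knows_own_state(self, i):
        m = self.muddy(i)
        return self.K(i, m) | self.K(i, self.neg(m))

    def announce(self, prop):
        """Assumed update: a public announcement removes the worlds where prop fails."""
        return Model(self.worlds & set(prop))

twomud = Model("".join(bits) for bits in product("01", repeat=len(AGENTS)))

def at_least_one(model):
    return set().union(*(model.muddy(i) for i in AGENTS))

def silence(model):
    """Worlds in which no child knows that it is muddy, so nobody steps forward."""
    out = set(model.worlds)
    for i in AGENTS:
        out -= model.K(i, model.muddy(i))
    return out

def claims_at(s="110"):
    """The epistemic facts the text states for (twomud, s), each evaluated in the model."""
    m, l = twomud, at_least_one(twomud)
    ma, mb, mc = (m.muddy(i) for i in AGENTS)
    return {
        "a does not know whether it is muddy": s not in m.knows_own_state("a"),
        "K_a(m_b & ~K_b m_b)": s in m.K("a", mb & m.neg(m.K("b", mb))),
        "K_a(~m_c & ~K_c ~m_c)": s in m.K("a", m.neg(mc) & m.neg(m.K("c", m.neg(mc)))),
        "E l": s in m.E(l),
        "nobody is known by everybody to be muddy": all(s not in m.E(x) for x in (ma, mb, mc)),
        "K_c E l": s in m.K("c", m.E(l)),
        "~K_b E l": s not in m.K("b", m.E(l)),
        "~C l": s not in m.C(l),
    }

def muddy_children_run(actual):
    """Number of announcements until someone steps forward in world `actual`, and who does."""
    if actual not in at_least_one(twomud):
        raise ValueError("the father's announcement would be false in this world")
    model, rounds = twomud.announce(at_least_one(twomud)), 1
    while True:
        forward = [i for i in AGENTS if actual in model.K(i, model.muddy(i))]
        if forward:
            return rounds, forward
        model, rounds = model.announce(silence(model)), rounds + 1

if __name__ == "__main__":
    for claim, value in claims_at().items():
        print(f"{claim:45} {value}")
    print("C l holds in:", sorted(twomud.C(at_least_one(twomud))))
    print("run from 110:", muddy_children_run("110"))
```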


THEOREM 20 ([21]). Let the logic $S5C_m$ be summarised in Table 2. Then, $S5C_m$ is sound and complete with respect to Kripke models in which every $R_i$ is an equivalence, $R_E$ (the relation for ‘everybody knows’) is $\bigcup_{i \leq m} R_i$ and $R_C$ (the relation for common knowledge) is $R_E^*$, i.e., the reflexive transitive closure of $R_E$. The complexity of the satisfiability problem for $S5C_m$ if $m = 1$ is PSPACE-complete, and the complexity for $S5C_m$ with $m > 1$ is EXPTIME-complete.


As observed in [12, Chapter 6.8], the presence of a pair of modalities, one for a relation and the other for its reflexive transitive closure (in our case: $E$ and $C$, respectively) is often, though not always, an indication for entering the realm of EXPTIME-complexity results, since it enables one to force exponentially deep models, and to code the corridor tiling problem.


5 INTERPRETED SYSTEMS 


Whereas the properties of knowledge as summarised in Table 2, especially that of negative introspection, have been under continuous debate and critique, the Interpreted Systems approach to knowledge as advocated by [21] in fact gives a computationally grounded semantics to the $S5_m$ properties of knowledge. Rather than assuming the equivalence relation to be somehow given, in an interpreted system it naturally arises from the way a system is modeled. The idea is simple: in an interpreted system $\mathcal{I}$ we have $m$ agents, or processors, each with its own local state $s_i$. A processor is aware of its own local state: two global states $s$ and $s'$ are the same for $i$ if its local states in both coincide. And this notion of ‘sameness’ is an equivalence relation, yielding the $S5_m$ properties in a natural way.

To formally define an interpreted system for $m$ agents $\mathcal{I}_m$ we first give the notion of a global state. Let us assume that every agent $i$ can be in a number of states $L_i$. Apart from the agents’ local states, there is also a set of environment states $L_e$, which keeps track of, e.g., whether a communication line is up or down, or what the actual deal of cards is. A global state $s$ is then a tuple $(s_e, s_1, s_2, \dots, s_m) \in L_e \times L_1 \times L_2 \times \dots \times L_m$. The set of global states of interest will be denoted $\mathcal{G} \subseteq L_e \times L_1 \times L_2 \times \dots \times L_m$. Local states, both that of the agents and that of the environment, may change over time. A priori, there are no constraints on how the system may evolve: a run over $\mathcal{G}$ is a sequence of states, or, rather, a function $r$ from time $\mathbb{N}$ to global states. The pair $(r,n)$ of a run and a time point is also referred to as a point. Let $r(n) = (s_e, s_1, s_2, \dots, s_m)$ be the global state at time $n$ in run $r$, then with $r_j(n)$ we mean $s_j$, where $j$ ranges over $e, 1, \dots, m$. Now, a system $\mathcal{R}$ over $\mathcal{G}$ is a set of runs over $\mathcal{G}$.

In general, formulas are now going to be interpreted in a point $(r,n)$ in an interpreted system $\mathcal{I}$. To do so, we need to take care of atomic formulas and the epistemic operators. An Interpreted System $\mathcal{I} = (\mathcal{R},\pi)$ over $\mathcal{G}$ is a system $\mathcal{R}$ over $\mathcal{G}$ with an interpretation $\pi$ which decides for each point $(r,n)$ and atom $p \in At$, whether $p$ is true in $(r,n)$ or not. Moreover, two points $(r,n)$ and $(r',n')$ are indistinguishable for $i$, written $(r,n) \sim_i (r',n')$, if $r_i(n) = r'_i(n')$, or, in other words, if $i$’s local states in both points are the same. Definition (6) expresses that agent $i$ knows $\varphi$ in a point in $\mathcal{I}$ if $\varphi$ is true given agent $i$’s local information:

$$(\mathcal{I},r,n) \models K_i\varphi \text{ iff } (\mathcal{I},r',n') \models \varphi \text{ for all } (r',n') \sim_i (r,n) \qquad (6)$$


We assume here that the interpretation function $\pi$ only depends on the global state $r(n)$, and not the history of the point $(r,n)$. This is in line with [21], but deviates from [30]. In the context of knowledge and linear time, the valid formulas are the same with and without this assumption: see [31] for an explanation of this. In practice, $\pi$ will depend on just local information of a global state, denoting, e.g., whether a variable of processor $i$ has a certain value, or whether player $j$ holds the ace of hearts in a card game.

Of course, one may want to study epistemic logic for multi-agent systems in a static model $M_{\mathcal{G}} = \langle\mathcal{G}, \sim_1, \dots, \sim_m, \pi\rangle$ based on a set of global states $\mathcal{G}$, and interpret formulas in global states themselves, rather than in a point in a run. If $\mathcal{G}$ equals the full Cartesian product $L_e \times L_1 \times L_2 \times \dots \times L_m$, such models are called hypercubes in [47]. If we ignore the environment and only require that every combination of individual local states occurs we have a full system. Note that hexa of Figure 10 is a full system, whereas $hexa_1$ is obviously neither full nor a hypercube.

Full systems are appropriate classes of models to specify initial configurations of multi-agent systems, in which no agent has any information about any other agent, or about the environment. They are obviously $S5_m$-systems, but interestingly enough they satisfy an additional property. It is not hard to see that the operator $E$ for everybody knows from Section 4 semantically corresponds to interpreting $E$ as the necessity operator of the relation that is the union of all the individual relations $R_i$: everybody knows $\varphi$ if nobody thinks it possible that $\neg\varphi$ is true. Note that $\hat{E}\varphi$ means that some agent considers it possible that $\varphi$: for some state that is $R_E = \bigcup_{i=1\dots m} R_i$-accessible, $\varphi$ is true. Axiom (7) then, on top of the axioms of $S5_m$, is needed to axiomatise hypercubes and full systems (cf. [47]):

$$\bigwedge_{i=1\dots m} \hat{E}\varphi_i \to \hat{E}\hat{E}\bigwedge_{i=1\dots m} \varphi_i \qquad (7)$$

In this scheme, $\varphi_i$ is an $i$-local formula, to which we will come back shortly. Roughly, an $i$-local formula $\varphi_i$ characterises $i$’s knowledge: its truth value is constant within $i$’s reachable states. The scheme then says that if we can reach, using $R_E$, a knowledge state for every agent, we can reach the ‘combined knowledge state’ in two steps.

When having more involved group notions of knowledge, full systems and hypercubes share some other specific properties. For instance, consider distributed knowledge $D\varphi$, in which $D$ is the necessity operator for the intersection of the individual relations $R_i$. This notion of knowledge arises when all agents would communicate with each other: if one agent rules out that $s$ is a possible state, after communication nobody would consider $s$ anymore. Obviously, in $S5_m$, nobody rules out the current state, so that distributed knowledge in $S5_m$ satisfies $D\varphi \to \varphi$. But in a full system with an empty environment, we also have the converse: $\varphi \to D\varphi$. This is easy to see: the only global state that is $i$-similar to $s = (\emptyset, s_1, s_2, \dots, s_m)$ is $s$ itself!

Regarding common knowledge, in hypercubes and full systems it is either absent or else globally present: common knowledge is the same in all local states! This is also easy to see: if $C\varphi$ would hold in $s = (s_e, s_1, s_2, \dots, s_m)$ but not in $s' = (s'_e, s'_1, s'_2, \dots, s'_m)$, since the system is full, we find a state $t = (\cdot, s_1, s'_2, \dots, \cdot)$. Recalling that $R_C$ is the transitive closure of the $R_i$’s, and that $R_1st$ and $R_2ts'$, we see that $(s_e, s_1, s_2, \dots, s_m)$ and $(s'_e, s'_1, s'_2, \dots, s'_m)$ must agree on $C\varphi$.

The logic of local propositions introduced in [20] connects the notion of accessibility in a system $M_{\mathcal{G}}$, in fact, in any epistemic model $M = \langle W, R_1, \dots, R_m, \pi\rangle$, with a syntactic one. Let a proposition $U$ in $M$ just be a subset of $W$. It is an $i$-local proposition if for all $u,w \in W$ with $R_iuw$, we have $u \in U$ iff $w \in U$. In words: an $i$-local proposition is determined by $i$’s local state, as is his knowledge. (In hexa for instance, $r_1$, denoting that 1 holds a red card, is 1-local.) For an atom $p$, say that $M \sim_p M'$ if the only difference between $M$ and $M'$ can be $\pi(p)$ and $\pi'(p)$. Define $M,w \models \exists_ip(\varphi)$ iff for some $M'$ with $M' \sim_p M$, we have $M',w \models \varphi$, where $p$ is an $i$-local propositional atom, i.e., $\pi(p)$ is an $i$-local proposition in $M$. Let $\Box$ be the universal operator, denoting what is true globally. Let $q$ not occur in $\varphi$. Then:

$$M,w \models K_i\varphi \text{ iff } M,w \models \exists_iq(q \land \Box(q \to \varphi)) \qquad (8)$$


(A similar ‘reduction’ can be given for distributed and common knowledge, see [20].) We have seen above in (7) that local propositions play a role in axiomatising hypercubes and full systems. But they have greater use: note that (8) implies that if the object language is rich enough to describe the local state of the agents, we can replace epistemic operators by occurrences of $\Box$ and local propositions. This idea is applied in [38] to ‘reduce’ model-checking of epistemic temporal properties to properties that can be handled by a ‘conventional’ model-checker SPIN that does not address knowledge explicitly: for a knowledge property $K_i\varphi$ to be checked in $s$, the user provides a local proposition $q_i$ and the problem is then reduced to (1) checking whether $q_i$ is indeed $i$-local, (2) whether it is true in $s$, and (3) whether the implication $q_i \to \varphi$ globally holds. To illustrate this, in hexa for instance, rather than saying that $hexa, rwb \models K_1(w_2 \lor w_3)$ (1 knows that the white card is owned by either player 2 or 3) we can stipulate: $hexa, rwb \models r_1 \land \Box(r_1 \to (w_2 \lor w_3))$ (currently, player 1’s local state reads ‘red card’, and globally, in such a situation either 2 or 3 holds the white card).
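
An added example (not from the handbook or from [38]) of the three-step check described above, run on hexa: it tests a candidate local proposition for $i$-locality, truth at $s$ and the global implication, and then confirms equivalence (8) exhaustively for every agent, world and proposition of hexa. Propositions are represented as sets of deals; all function names are hypothetical.

```python
# Added example: knowledge in hexa reduced to local propositions, as in equation (8).
from itertools import combinations, permutations

# A world is a deal: "rwb" means player 1 holds r, player 2 holds w, player 3 holds b.
WORLDS = ["".join(p) for p in permutations("rwb")]

def related(i, w, v):
    """R_i w v: player i holds the same card in both deals."""
    return w[i - 1] == v[i - 1]

def holds(card, i):
    """The atom 'player i holds card', e.g. r_1, as a set of worlds."""
    return frozenset(w for w in WORLDS if w[i - 1] == card)

def K(i, phi):
    """Worlds where player i knows phi."""
    return frozenset(w for w in WORLDS
                     if all(v in phi for v in WORLDS if related(i, w, v)))

def is_local(i, q):
    """q is i-local: R_i-related worlds agree on q."""
    return all((u in q) == (w in q)
               for u in WORLDS for w in WORLDS if related(i, u, w))

def reduction_check(i, s, q, phi):
    """The three obligations: q is i-local, q is true in s, and q -> phi holds globally."""
    return {
        "local": is_local(i, q),
        "true_at_s": s in q,
        "global_implication": q <= phi,   # Box(q -> phi): every q-world is a phi-world
    }

def local_props(i):
    """All i-local propositions, i.e. all unions of player i's equivalence classes."""
    classes = list({frozenset(v for v in WORLDS if related(i, w, v)) for w in WORLDS})
    for size in range(len(classes) + 1):
        for combo in combinations(classes, size):
            yield frozenset().union(*combo)

def equation_8_holds():
    """K_i phi at w  iff  some i-local q has q true at w and Box(q -> phi), for all i, w, phi."""
    for i in (1, 2, 3):
        candidates = list(local_props(i))
        for size in range(len(WORLDS) + 1):
            for combo in combinations(WORLDS, size):
                phi = frozenset(combo)
                for w in WORLDS:
                    direct = w in K(i, phi)
                    reduced = any(w in q and q <= phi for q in candidates)
                    if direct != reduced:
                        return False
    return True

if __name__ == "__main__":
    white_with_2_or_3 = holds("w", 2) | holds("w", 3)
    print("K_1(w_2 v w_3) at rwb:", "rwb" in K(1, white_with_2_or_3))
    print("with q = r_1:", reduction_check(1, "rwb", holds("r", 1), white_with_2_or_3))
    print("with q = w_2:", reduction_check(1, "rwb", holds("w", 2), white_with_2_or_3))
    print("equation (8) on hexa:", equation_8_holds())
```

With $q = w_2$ the check fails at the first obligation: $w_2$ is true at rwb and implies $w_2 \lor w_3$ globally, but it is not 1-local, so it cannot stand in for player 1's knowledge.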

Let us now return to interpreted systems, where the dynamics is modelled through the 
notion of runs. Runs may look rather abstract, but following [21] one can think about 
them as being brought about by the agents while following a protocol, in which agents 
take certain actions. This is reminiscent of our notion of strategies in an extensive game: 
they restrict the space of all possible evolutions of the system. Having a language with 
operators for individual, distributed and common knowledge is still too poor to reason 
about interpreted systems: one easily shows that any two points $(r,n)$ and $(r',n')$ with 
the same global states $r(n) = r'(n')$ verify the same epistemic properties. Indeed, it is 
natural to add temporal operators $\bigcirc$ (next time), $\Box$ (always), $\Diamond$ (eventually) and $\mathcal{U}$ 
(until), with truth conditions like (for the formal interpretation of the other temporal 
operators, and a more extensive treatment of temporal logic, we refer to Chapters 11 and 
17 of this Handbook): 


$$(\mathcal{I}, r, n) \models \bigcirc\varphi \text{ iff } (\mathcal{I}, r, n+1) \models \varphi \qquad (9)$$


With these operators, one can in general distinguish different points with the same 
global state: given a specific deal of cards for instance, it is perfectly well possible 
that in one play of the game player 1 will win, when in another play he will not: we 
can have $r(n) = r'(n')$, and $\mathcal{I}, r, n \models \Diamond win_1$, but $\mathcal{I}, r', n' \not\models \Diamond win_1$. In the temporal 
language, one can express that a certain property $\varphi$ will occur infinitely often ($\Box\Diamond\varphi$) 
or almost always ($\Diamond\Box\varphi$). But the full character of the language of course comes to 
the fore in temporal-epistemic properties. Examples include $\mathit{not\_cross}\ \mathcal{U}\ K_i\,\mathit{safe}$, and 
$K_i\Box((\neg K_j p \wedge \bigcirc K_j p) \to \bigcirc\bigcirc K_h K_j p)$ expressing that $i$ will not cross the street until 
he knows it is safe, and that $i$ knows that as soon as $j$ learns that $p$, this will immediately 
be communicated to $h$. 

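Axioms for Linear Temporal Logic are given in Table 3: the operators $\Box$ and $\Diamond$ can 
be defined in terms of $\bigcirc$ and $\mathcal{U}$. Regarding the soundness of the inference rule RU, 
assume that $\mathcal{I} \models \varphi \to (\neg\psi \wedge \bigcirc\varphi)$. Since every occurrence of $\varphi$ guarantees its truth in 
the next time, it is easy to see that we have $\mathcal{I} \models \varphi \to \Box\varphi$. And, since $\varphi$ comes with 
$\neg\psi$ we also have $\mathcal{I} \models \varphi \to \Box\neg\psi$. Now, for an arbitrary $\chi$, note that $\chi\,\mathcal{U}\,\psi$ being true 
would imply that $\psi$ becomes true some time. But given $\varphi$, we just saw that $\psi$ is always 
false, so we cannot have $\chi\,\mathcal{U}\,\psi$ when we have $\varphi$, hence $\mathcal{I} \models \varphi \to \neg(\chi\,\mathcal{U}\,\psi)$. 


T1   $(\bigcirc\varphi \wedge \bigcirc(\varphi \to \psi)) \to \bigcirc\psi$          T2   $\bigcirc\neg\varphi \leftrightarrow \neg\bigcirc\varphi$ 
T3   $\varphi\,\mathcal{U}\,\psi \leftrightarrow \psi \vee (\varphi \wedge \bigcirc(\varphi\,\mathcal{U}\,\psi))$ 
Nec  $\vdash \varphi \Rightarrow \vdash \bigcirc\varphi$          RU   $\vdash \varphi \to (\neg\psi \wedge \bigcirc\varphi) \Rightarrow \vdash \varphi \to \neg(\chi\,\mathcal{U}\,\psi)$ 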


Table 3. Axioms for Linear Temporal Logic LTL. 


Note that in definition (6) in general we do not require that $n = n'$, so agents are 
not assumed to know what time it is. More generally, our definition allows the environment 
to change without any agent noticing this: two global states $(s_e, s_1, s_2, \ldots, s_m)$ and 
$(s'_e, s_1, s_2, \ldots, s_m)$ look the same for all agents, but still may have a different environment. 
In fact, the definition of an interpreted system is so general that some agents $i$ 
may sense changes in the environment (e.g., when $L_e \subseteq L_i$), while other agents $j$ may 
not (when their local state $L_j$ has ‘nothing to do’ with $L_e$). 

Although in the general case no agent knows the time, in games it is usually assumed 
that all players at least know how many moves have been played. Indeed, this is, more 
often than not, assumed to be common knowledge. Games, and many other forms of 
competition and cooperation in multi-agent systems often assume that such a system is 
synchronous. To capture this, since the agents’ knowledge is determined by their local 
state, we must encode a clock, or the number of passed ‘rounds’, in such local states. A 
system R is synchronous if each agent can distinguish different time points: if $n \neq n'$ 
then $(r,n) \not\sim_i (r',n')$, for any run $r$ and $r'$. In other words, the local state of any agent 
must be different at different time points. 
If we think of a run $r$ as a sequence of global states in which each agent $i$ is aware 
of its own local state $r_i(n)$ at time $n$, the question arises how much an agent memorises 
when going from $r_i(n)$ to $r_i(n+1)$. In the ideal case, $i$ would ‘remember’ all local states 
$r_i(k)$ with $k < n$ when the time is currently $n$. In principle, this is the situation in 
games like chess and many other board and card games: each player has perfect recall of 
what he experienced during the game (although in practice, of course, humans and even 
machines may not have ‘enough memory’ for this). In a similar way as the requirement 
that $i$ knows how many rounds have passed made us add this information to his local 
state, if we want the agent to remember exactly what has happened, from his perspective 
up to time $n$, we have to encode his previous local states $r_i(k)$ ($k < n$) in his current 
local state at time $n$. Let therefore agent $i$’s local-state sequence at the point $(r, n)$ be his 
stutter-free local past $sflp_i(r,n) = (r_i(0), \pm r_i(1), \ldots, \pm r_i(n-1))$, where $\pm r_i(x)$ means 
that $r_i(x)$ appears in the sequence iff it is different from its immediate predecessor in 
the sequence. Then, we say that $i$ has perfect recall in the system R if $(r,n) \sim_i (r',n')$ 
implies that $sflp_i(r,n) = sflp_i(r',n')$, that is, if the agent remembers his local-state 
sequence, he has no uncertainty about what happened. We abstract from stuttering, 
since if the agent does not notice a change in his local state, he does not know ‘how 
much is happening’— except in the synchronous case, when $sflp_i(r,n)$ is the complete 
sequence $(r_i(0), r_i(1), \ldots, r_i(n-1))$. 

Does perfect recall for agent $i$ mean that $K_i\varphi \to \Box K_i\varphi$ is valid? Not in general, 
and mainly not because $\varphi$ might refer to the current time. Knowing that ‘today is 
Wednesday’ does and should not imply that you always know that ‘today is Wednesday’. 
Likewise, ignorance need not persist over time, and hence neither should the knowledge 
about it: even with perfect recall, $K_i\neg K_i\varphi \to \Box K_i\neg K_i\varphi$ should not hold: it would 
be equivalent to $\neg K_i\varphi \to \Box\neg K_i\varphi$ (note that in $S5_m$, $\neg K_i\varphi$ is equivalent to $K_i\neg K_i\varphi$). 
Indeed, $\mathcal{I}, r, n \models K_i\neg K_i\varphi$ ‘only’ means that $i$ knows to be ignorant in $r$ at time $n$, this 
need not persist over time. Perfect recall would only require that at every point $(r,n+k)$, 
the agent knows that he did not know $\varphi$ ‘when the time was $n$’. A modal logic for belief 
revision in which one distinguishes operators $B_0$ for ‘initial’ belief (holding before the 
revision) and $B_1$ for ‘new’ beliefs (kept after the revision) is explored in [15]. The modal 
formulation of perfect recall of ignorance then becomes $\neg B_0\varphi \to B_1\neg B_0\varphi$. When we 
cannot distinguish between what was known and what is known, one might want to 
characterise the stable formulas for which $K_i\varphi \to \Box K_i\varphi$ holds in systems with perfect 
recall (see [21] and also discussions of ‘only knowing’ [91] and of (Un-)Successful Updates 
in Section 7). We will return to the property of perfect recall in Section 6: to capture 
perfect recall in synchronous systems we need the following property: 


PR   $K_i\bigcirc\varphi \to \bigcirc K_i\varphi$   $(i = 1 \ldots m)$ 


We now give some technical results concerning the classes of systems discussed, in 
Theorem 21. To do so, let $S5_m \oplus LTL$ be the axioms for individual knowledge from 
Table 2, together with those for linear time from Table 3. This system assumes no 
interaction between knowledge and time. Also, let $S5C_m \oplus LTL$ add the axioms for 
common knowledge (r.h.s. of Table 2) to this. Let $\mathcal{C}_m$ be the class of all interpreted 
systems for $m$ agents, $\mathcal{C}_m^{sync}$ those that are synchronous, $\mathcal{C}_m^{pr}$ those that satisfy perfect 
recall, and let $\mathcal{C}_m^{sync,pr}$ be those synchronous interpreted systems that satisfy perfect 
recall. 
THEOREM 21. All the following results are from [21, Chapter 8], except for the first 
part of item 3, which is from [93]. Unless stated otherwise, assume $m \geq 2$. 


1. $\mathcal{C}_m$ has $S5_m \oplus LTL$ as a sound and complete axiomatisation. The complexity of the 
validity problem for this class is PSPACE-complete. Adding common knowledge, 
$S5C_m \oplus LTL$ completely axiomatises $\mathcal{C}_m$, but the validity moves to being 
EXPTIME-complete. 


2. $\mathcal{C}_m^{sync}$: synchrony does not add anything in terms of axiomatisation or the validity 
problem: they are exactly as for $\mathcal{C}_m$. 


3. $\mathcal{C}_m^{pr}$ is completely axiomatised by $S5_m \oplus LTL$ + {KT}, where KT is defined as 
(Rigid O(KipeA7Kigs)) > Ki[Kig. U (Kip2U 73) (for a discussion, we refer 
to [93]). For $m = 1$, validity in $\mathcal{C}_m^{pr}$ is doubly-exponential time complete, otherwise 
non-elementary time complete. Adding common knowledge to the language makes 
the validity problem $\Pi_1^1$-complete. Hence, when common knowledge is present there 
is no finite axiomatisation for $\mathcal{C}_m^{pr}$; indeed, in this case there is not even a recursively 
enumerable set of axioms that is complete for validity in $\mathcal{C}_m^{pr}$. 


4. $\mathcal{C}_m^{sync,pr}$ is completely axiomatised by $S5_m \oplus LTL$ + {PR}. The complexity of 
validity is non-elementary time complete. Adding common knowledge, we again get 
a complexity of $\Pi_1^1$ for the validity problem, and a negative result concerning finite 
axiomatisability for $\mathcal{C}_m^{sync,pr}$. 


Our discussion of interpreted systems can only be limited. Rather than linear time, one 
may consider branching time logic, and apart from synchrony and perfect recall, one may 
consider properties with or without assuming a unique initial state, and with or without 
the principle of no learning- the ‘converse of perfect recall’. Only these parameters all 
together yield 96 different logics: for a comprehensive overview of the linear case we 
refer to [31], and for the branching time case, to [97]. Moreover, where this section’s 
exposition is mainly organised along the ideas in [21], there have been several other but 
related approaches to knowledge and time, or even knowledge and computation, of which 
we here only mention the distributed processes approach of [60]. The recent paper [89] 
provides a general picture of different logics for knowledge and time, by giving a survey 
of decidability and undecidability results for several logics. 

Although in general, the model checking problem is computationally easier than that 
of validity checking, for logics of knowledge and time, in particular those with perfect 
recall, the complexity of both tasks is often the same (see [94]). Work still progresses, 
both in the theoretical and the practical realm. We already mentioned an approach that 
‘reduces’ epistemic temporal properties to temporal ones in order to use a ‘standard’ 
model checker. But model checkers that explicitly deal with an epistemic language are 
now rapidly emerging. Systems to model-check knowledge and time include the system 
MCK ([22]), DEMO ([104]) and the system MCMAS ([46]). 

Recently, there has been a broad interest in model checking dynamics of knowledge 
in specific scenarios, like in [95] (‘the dining philosophers’), and in [100] (‘the sum and 
product problem’). Apart from model checking epistemic properties, it is also interesting 
to address the realisability problem (does there exist a protocol such that a given pro- 
perty is satisfied) and the synthesis problem (generate a protocol that satisfies a given 
constraint, if it exists). Space prohibits us to go into the details, we refer to [96]. 
6 GAMES WITH IMPERFECT INFORMATION 


Now that we have seen how Kripke models are perfectly fit to represent games (Section 3) 
and imperfect information (Sections 4 and 5), let us spend some words on representing 
and reasoning about the combination of the two. In games with imperfect information, 
on which we will focus in this section, players do know what the rules of the games 
are, and who they play against, but they do not necessarily know ‘where they are in the 
game’. In the game models of Section 3, this can be conveniently represented by using an 
indistinguishability relation for every player, as explained in Section 4. Game theorists 
call the members of each partition of such an S5-equivalence relation usually information 
sets. A game of perfect information would then just be the special case in which every 
information set contains exactly one node. 

As a simple example of an imperfect information game, let us consider game $H$ of 
Figure 9. We assume that we have the standard knowledge assumptions of S5, which 
semantically mean that the indistinguishability relation in that figure is an equivalence 
relation: however, we do not represent reflexive arrows, so that the only uncertainty in the 
game is represented by the dotted line labelled with player $A$. So, what is modelled in $H$ is 
that player $E$ makes a first move ($l$ or $r$), and after that, $A$ has to move, without knowing 
$E$’s decision. In particular, we have $H, x \models K_A(\langle R\rangle p \vee \langle L\rangle p) \wedge \neg K_A\langle R\rangle p \wedge \neg K_A\langle L\rangle p$, 
in words: $A$ knows he can guarantee $p$, but he does not know how! Recall that since 
a player is supposed to base his decision on the information at hand, we only consider 
uniform strategies, i.e., strategies $\sigma$ which satisfy the following condition: 


$$\forall s,t \in P^{-1}[\{i\}]\ (R_i st \to \sigma(s) = \sigma(t)) \qquad (10)$$


Without this constraint on strategies, we would have that player $A$ can enforce the 
outcome $p$ in game $H$ of Figure 9: $H, \rho \models [l, r]\langle L \cup R\rangle p$, which is counterintuitive: in 
order to achieve $p$, player $A$ must play a different move in two situations that he cannot 
distinguish. Concluding: $A$ has a strategy to ensure $p$ in $H$, although we cannot expect 
him to play it, because the strategy is not uniform. But there is more to say about 
this. Suppose that in game $H$ player $E$ makes his move, and then we ask ourselves 
whether $A$ has a uniform strategy to win. Surprisingly, he has! If $E$ would play $l$, then 
$A$ can use the uniform strategy $\sigma_1$, with $\sigma_1(x) = \sigma_1(y) = R$, and were $E$ to play $r$, 
player $A$ can fall back on the uniform strategy $\sigma_2(x) = \sigma_2(y) = L$. So, rather than 
just requiring uniform strategies for players to be used, we need an additional feature 
to distinguish winning situations from others. The notion that we are after seems to 
be closely related to the notions of knowing-de dicto and knowing-de re. The former 
expresses that player $i$ knows that he has a winning strategy (if $Ac_i$ represents $i$’s set of 
actions, this would mean $K_i\bigvee_{a \in Ac_i}\langle a\rangle win_i$), whereas the latter expresses he knows how 
to achieve it: $\bigvee_{a \in Ac_i} K_i\langle a\rangle win_i$. For a further discussion on knowing-de re and 
knowing-de dicto in the context of extensive games (applying this to full strategies, rather than 
actions), see also [39]. 

The important difference between these two notions of knowledge, and its consequences 
for a theory of action, was already made in 1990 in [51] (and it goes back to the question 
what it means that ‘A knows who B is’, [36] and the general problem of ‘quantifying in’ 
into a knowledge formula, [69]). In the context of reasoning about knowledge and action 
[51] has been very influential, as it is still in the area of decision making in multi-agent 
systems. In order to cope with examples like ‘in order to open a safe, you have to know 
its key’, [51] demonstrates the value of a possible world semantics, under the assumptions 
that terms are rigid designators. Although the language used in [51] is that of first order 
logic, one easily recognises properties like perfect recall and no learning (see Section 5 
and 6.1) in [51]’s noninformative action. 

[51] argues that the assumption of perfect information has been the prominent one 
in planning in Artificial Intelligence up to the nineties. What is missing, in the first 
place, is an analysis of epistemic pre-conditions before executing a plan: does the agent 
have the information necessary to carry out (the next step of) the plan? This question 
has been taken up by computer scientists by coming up with the notion of knowledge 
programs, (cf. [21, Chapter 7]) in which objective test conditions in a program are replaced 
by epistemic conditions. Apart from specifying epistemic pre-conditions, [51] argues to 
include epistemic post-conditions, in order to facilitate the agent to reason about how 
to acquire the information that is lacking to execute a sequential plan successfully. All 
these notions are crucial in the context of game playing, as well. 

Where we thus far ‘only’ imposed the S5 principles on imperfect information games, 
[83] mentions several properties that one could require ‘on top’ of this, some even related 
to incomplete information games, like $turn_i \to C\,turn_i$ (it is common knowledge whose 
turn it is) and $\langle a\rangle\top \to C\langle a\rangle\top$ (it is common knowledge which moves can be played, in 
any node). 

If information sets were only used to impose players to stick to uniform strategies (10) 
one only needs to specify knowledge-accessibility for player $i$ at $i$’s decision nodes. But, 
although this seems indeed to be common practice in game theory, the full machinery 
of S5 allows for much finer structure. And there are many more assumptions in game 
theory that seem dominant (but maybe easily relaxed), like the one that made us draw a 
horizontal line as indistinguishability in Figure 9, suggesting that players know how long 
the game has been played for. In general, we can require that agents don’t know what 
has happened, or whose turn it is. Rather than systematically describe all the options, 
in the next section we focus on one specific property, and show how a modal analysis 
may be of help. 


6.1 Case study: Perfect Recall 


The principle of perfect recall in a game captures that players have some memory about 
what happened. Formally, in a dynamic logic setting, it is expressed as (see [83] for 
further details): 


(i) $(turn_i \wedge K_i[a]\varphi) \to [a]K_i\varphi$ and 
(ii) $(\neg turn_i \wedge K_i[\bigcup_{b \in B} b]\varphi) \to [\bigcup_{b \in B} b]K_i\varphi$ (11) 


where $a$ is any action of player $i$, and $B$ is the union of all actions of the other players. 
In words: if player $i$ knows that doing $a$ will lead to $\varphi$, then after having done $a$, he 
knows $\varphi$. Note that clause (i) of (11) is not realistic for specific moves of the opponent: 
in game $H$ of Figure 9 for instance, we have $H, \rho \models K_A[l]\langle R\rangle p$, but not $H, \rho \models [l]K_A\langle R\rangle p$. 
Also, it assumes that players are aware when others make their move (cf. synchrony in 
Section 5). 

Semantically, the subformula $K_i[a]\varphi \to [a]K_i\varphi$ of (11) corresponds to the following 
(which is even more apparent from the dual of (11), i.e. (a) Kip = Klao): 
Figure 12. The commuting condition pictured. The arrow stands for implication 


$$\forall x,y,z\,((R_a xy \;\&\; R_i yz) \to \exists u\,(R_i xu \;\&\; R_a uz)) \qquad (12)$$


This ‘commutation property’ is also depicted in Figure 12, and guarantees that ig- 
norance, or better indistinguishability, cannot be generated spontaneously: if a player i 
cannot distinguish, after doing action a, between state z and y, then both states must 
be the result of performing a in indistinguishable states. 

For illustrative purposes, let us now look how [14] generalises these notions (over more 
than just actions), to characterise von Neumann games. Let $s < t$ in a game tree denote 
that there is a path (labelled with choices) from $s$ to $t$. Next, let $\ell(x)$ denote the number 
of predecessors of node $x$ according to $<$. Then, an extensive game is called von Neumann 
if 


$$\forall x,y\,((R_i xy \;\&\; x,y \in P^{-1}[\{i\}]) \to \ell(x) = \ell(y)) \qquad (13)$$


This implies that in a von Neumann game, a player who has to move knows how many 
moves have already been played. A game satisfies Memory of Past Knowledge (MPK) if 


$$\forall x,y,z\,((x < y \;\&\; R_i yz) \to \exists u\,(R_i xu \;\&\; u < z)) \qquad (14)$$


Note that MPK is weaker than perfect recall in that it abstracts from the specific 
action taken. In [14] it is shown that perfect recall is equivalent to the conjunction of 
Memory of Past Knowledge and Memory of Past Actions (in which a player remembers 
which actions he has taken in the past, not necessarily in which order). 


THEOREM 22. Let $G$ be an extensive form game. Then, the following are equivalent: 
1. $G$ satisfies MPK 
2. $\forall i, \forall x,y\,(R_i xy \Rightarrow \ell(x) = \ell(y))$ 


Note that condition 2 says that it is in fact common knowledge that $G$ is a von 
Neumann game. The direction $(1) \Rightarrow (2)$ is proven in [14], the other direction in [9]. The 
modal characterisation of MPK is given in [14] by using temporal operators. The Past 
operator $P$ is for instance interpreted as follows: $G, s \models P\varphi$ iff for all $t$ for which $t < s$, we 
have $G, t \models \varphi$. Similarly, the operator O refers to the future (for more on temporal modal 
logic, we refer the reader to Chapter 11 of this handbook). Then, MPK is characterised 
by 


Pip > Ki PKip (15) 
As a scheme, (15) is equivalent to Kjp > OK;PKiy. 
6.2 Outlook 


The upshot of the exercise in the previous section is not so much the specific corre- 
spondence results, but rather to demonstrate the elegance and suitability of the modal 
machinery to reason about notions such as perfect recall. The latter notion also has 
received considerable attention in the computer science literature, where, in the context 
of synchronous systems, it is defined as $K_i\bigcirc\varphi \to \bigcirc K_i\varphi$, see Section 5. (Perfect recall 
is called ‘no-forgetting’ in the seminal paper [29]). The other direction of non-forgetting, 
i.e., $\bigcirc K_i\varphi \to K_i\bigcirc\varphi$ is called ‘no learning’, and comes with a similar commutation 
diagram as that in Figure 12. 

Unfortunately, such commuting diagrams that enforce regularities on the underlying 
models have in general an adverse effect on the complexity of checking satisfiability for 
such logics. Having a grid-like structure in models for a logic enables one to encode 
Tiling Problems in them, which then can be used to demonstrate that in the worst 
case satisfiability becomes undecidable (see also Chapters 3 on complexity and 7 on 
decision problems). In fact, [29] shows that only assuming no-learning (in a context of 
at least two knowers and allowing common knowledge), the validity problem is highly 
undecidable. In words of [89]: “Trees are safe” and “Grids are Dangerous”. We refer to 
that paper for a survey of several (un-)decidability results for temporal epistemic logics. 
For a restricted set of related results, we refer to Theorem 21 in this Chapter and its 
succeeding paragraphs. 


7 DYNAMIC EPISTEMIC LOGIC 


The framework for epistemic logic as presented in Section 4 elegantly allows for reasoning 
about knowledge (and, in particular, higher order knowledge: knowledge about (other’s) 
knowledge), but as such it does not allow to deal with the dynamics of epistemics, in 
which one can express how certain knowledge changes due to the performance of certain 
actions, which by itself can be known or not. The notion of run in an interpreted system 
(Section 5) explicitly allows for such dynamics. In this section, we look at dynamic 
epistemic logic where the actions themselves are epistemic, like a revision due to a public 
announcement or a secret message. The famous paper [2] put the change of information, 
or belief revision, as a topic on the philosophical and logical agenda (cf. Chapter 18). 
This AGM tradition typically studies how a belief or knowledge set should be modified, 
given some new evidence. Well-studied examples of such modification are expansion, 
contraction and revision, which are of type $2^{\mathcal{L}} \times \mathcal{L} \to 2^{\mathcal{L}}$, i.e., they transform a belief set 
$K$ given new evidence $\varphi$ into a new belief set $K'$, where the belief sets are subsets of the 
propositional language. The publication of [2] generated a large stream of publications in 
belief revision, investigating the notion of epistemic entrenchment, the revision of (finite) 
belief bases, the differences between belief revision and belief updates, and the problem of 
iterated belief change (for more on belief revision, refer to Chapter 18 in this handbook). 

However, in all these approaches the dynamics are studied on a level above the in- 
formational level: the operators for modification are not part of the object language, 
and they are defined on (sets of) propositional formulas in $\mathcal{L}$. Hence, it is impossible to 
reason about change of agents’ knowledge and ignorance within the framework, let alone 
about the change of other agents’ information. This section describes approaches where 
the changing epistemic attitudes find their way into the object language. 
The notion of a run in an interpreted system, together with the availability of temporal 
operators in the language (Section 5) facilitates reasoning about the dynamics of an 
agent’s knowledge. A run is typically generated by a protocol, which usually represents 
a standard computer program. The pioneering work in [51] also studies the relation 
between actions and knowledge: there the emphasis is on epistemic preconditions that 
are needed to perform certain actions in the world, such as knowing a key-combination 
in order to open a safe. From the point of view of expressivity, one can say that the work 
on interpreted systems enables one to reason about the (change of) knowledge over time, 
and adding actions to the language, one can also reason about the change of knowledge 
brought about by performing certain plans. This enables one to express properties like 
perfect recall and no learning discussed in previous sections. 

This section sketches approaches that not only “dynamise the epistemics”, but also 
“epistemise the dynamics”: the actions that (groups of) agents perform are epistemic 
actions. Different agents may have different information about which action is taking 
place, including higher-order information. Perfect recall would then rather look like 
$K_i[a]\varphi \to [K_i a]K_i\varphi$: “if player $i$ knows that when $j$ chooses ‘right’ this offers $i$ a possible 
win, only after i knows that j does move ‘right’, i is aware of his profitable situation”! 
The rather recent tradition often referred to as Dynamic Epistemic Logic, treats all 
of knowledge, higher-order knowledge, and its dynamics on the same level. Following 
a contribution of 1997 [23], a stream of publications appeared around the year 2000 
([48, 98, 84]) and a general theory only now and partially emerges. In retrospect, it 
appeared that an original contribution of [68] from 1989 was an unnoticed ancestor of 
this stream of publications. This section is too short to discuss all those approaches, we 
will, for homogeneity, mainly follow [102, 101], and [7]. We start by considering a special 
case of updates. 


7.1 Public Announcements 


Public announcements are a simple and straightforward, but still interesting epistemic 
action: the idea behind a public announcement of $\varphi$ is that all players are updated on 
$\varphi$, and they all know this, and they all know that they know this, etc. Given a group 
of players N, the language £4" for public announcements adds a modality [x] on top 
of the epistemic language with operators K;(¢ € N). If the common knowledge operator 
C is also allowed, we refer to the language as Liy (C). The interpretation of [x] reads: 
“after truthful public announcement of x, it holds that w”. Note that both x and w are 
typical members of Li" or Ly (C): announcements can be nested. 

The semantics of $[\chi]\psi$ is rather straightforward: it is true in $(M, s)$ if, given that $\chi$ 
is true in $(M,s)$, $\psi$ is true in $s$ if we ‘throw away’ all the states in which $\chi$ is false. 
To achieve this, we define $M_\chi$ as that submodel of $M$ that consists of all points in 
which $\chi$ is true. More formally, given $M = (W, R_1, R_2, \ldots, R_m, \pi)$, the model $M_\chi = 
(W', R'_1, R'_2, \ldots, R'_m, \pi')$ has as its domain all the $\chi$ states: $W' = \{w \in W \mid (M, w) \models \chi\}$, 
and the primed relations and valuation in $M'$ are the restrictions of the corresponding 
relations and valuation in $M$ to $W'$. Then, we define 


$$M, s \models [\chi]\varphi \text{ iff } (M, s \models \chi \Rightarrow M_\chi, s \models \varphi). \qquad (16)$$


EXAMPLE 23. (Example 18 ctd.) In the miniature card game hexa (Example 18), suppose 
that in (hexa, rwb), player 1 publicly announces that he does not possess card w, i.e., 
$\varphi = \neg w_1$. Then, the resulting model is hexa$_{\neg w_1}$ = hexa$_1$ of Figure 10: all the deals in which 
1 does have the white card are removed. Note that we have: hexa, rwb $\models [\neg w_1]K_3 r_1$, 
and even hexa, rwb $\models [\neg w_1]K_3(r_1 \wedge w_2 \wedge b_3)$, saying that after 1’s announcement, player 
3 knows the exact deal. Note that this is not true for player 2: hexa, rwb $\models [\neg w_1]\neg K_2 r_1$, 
since, after the announcement $\neg w_1$, player 2 still considers it possible that 1 has b. Player 
2 knew already the truth of the announcement. Still, he ‘learns’ from it: 


hexa, rwb $\models K_2\neg K_3(r_1 \wedge w_2 \wedge b_3) \wedge [\neg w_1]K_2(K_3(r_1 \wedge w_2 \wedge b_3) \vee K_3(b_1 \wedge w_2 \wedge r_3))$ 


This expresses that initially, in rwb, 2 knows that 3 does not know the current deal 
(described by $r_1 \wedge w_2 \wedge b_3$), but after 1’s announcement $\neg w_1$, 2 knows that 3 knows the 
deal. Note that 1 does not learn the same as 2: player 1 cannot be sure that 3 learns 
the deal from the announcement $\neg w_1$, since, according to 1, it might be the case that 3 
holds w, in which case 3 would not learn the deal from the announcement. 

Public announcements can be made iteratively: the model hexa$_2$ is obtained from 
hexa$_1$ by letting 3 make the public announcement “I know the deal!”. More formally, let 
knowsdeal($i$) be $\bigvee_{c,d,e \in \{r,w,b\}} K_i(c_1 \wedge d_2 \wedge e_3)$. Then, 1 learns the deal after 3 announces 
that he learned, but 2 does not (let $\delta$ be the actual deal ($r_1 \wedge w_2 \wedge b_3$)): 


hexa, rwb $\models [\neg w_1][\mathrm{knowsdeal}(3)](K_1\delta \wedge \neg K_2\delta)$ 


This can be formally verified by inspecting Figure 10, but is also intuitively correct: 
if 1, holding r, announces that he does not possess w, then he knows that this is either 
informative for 2 (in case 3 has w, i.e., in rbw) or for 3 (in rwb). Since 3 subsequently 
announces he learned the deal, 1 finds out the real situation is rwb. Similarly, 2 does 
not learn the deal from this “dialogue”, he conceives it still possible that the real deal 
is bwr. However, as we saw above, 2 still learns something (i.e., about the knowledge of 
others: after the first announcement 2 learns that 3 knows the deal and after the second 
2 learns that also 1 knows the deal). $\dashv$ 
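
The claims of Example 23 can also be checked mechanically. The following is an added example, not code from the Handbook: it assumes the hexa model of Example 18 (a state such as rwb means player 1 holds r, 2 holds w, 3 holds b, and each player sees only his own card), and the helper names (`Ann`, `update`, `example_23`) are hypothetical. Announcements are evaluated by condition (16), including the nested announcement.

```python
from itertools import permutations, product

# hexa (assumed as in Example 18): the state "rwb" means player 1 holds r,
# 2 holds w, 3 holds b; each player sees only his own card.
HEXA = frozenset("".join(p) for p in permutations("rwb"))

# A formula is a function (W, w) -> bool, where W is the current domain.
# Relations and valuation of a submodel are restrictions of the original
# ones, so the set of surviving worlds W is all that has to be tracked.


def card(c, i):
    return lambda W, w: w[i - 1] == c


def Not(f):
    return lambda W, w: not f(W, w)


def And(*fs):
    return lambda W, w: all(f(W, w) for f in fs)


def Or(*fs):
    return lambda W, w: any(f(W, w) for f in fs)


def K(i, f):
    """K_i f: f holds in every world of W where i holds the same card."""
    return lambda W, w: all(f(W, v) for v in W if v[i - 1] == w[i - 1])


def update(W, chi):
    """Domain of the submodel M_chi: the chi-worlds of W."""
    return frozenset(v for v in W if chi(W, v))


def Ann(chi, f):
    """[chi]f by condition (16): if chi holds at w, f holds at w in M_chi."""
    return lambda W, w: (not chi(W, w)) or f(update(W, chi), w)


def deal(c, d, e):
    return And(card(c, 1), card(d, 2), card(e, 3))


def knowsdeal(i):
    return Or(*(K(i, deal(c, d, e)) for c, d, e in product("rwb", repeat=3)))


NOT_W1 = Not(card("w", 1))
DELTA = deal("r", "w", "b")  # the actual deal rwb


def example_23():
    """Truth value at (hexa, rwb) of each claim made in Example 23."""
    claims = {
        "[~w1]K3 r1": Ann(NOT_W1, K(3, card("r", 1))),
        "[~w1]K3 delta": Ann(NOT_W1, K(3, DELTA)),
        "[~w1]~K2 r1": Ann(NOT_W1, Not(K(2, card("r", 1)))),
        "K2 ~w1": K(2, NOT_W1),
        "K2 ~K3 delta": K(2, Not(K(3, DELTA))),
        "[~w1]K2(K3 rwb v K3 bwr)": Ann(
            NOT_W1, K(2, Or(K(3, DELTA), K(3, deal("b", "w", "r"))))),
        "[~w1]~K1 knowsdeal(3)": Ann(NOT_W1, Not(K(1, knowsdeal(3)))),
        "[~w1][knowsdeal(3)](K1 delta & ~K2 delta)": Ann(
            NOT_W1, Ann(knowsdeal(3), And(K(1, DELTA), Not(K(2, DELTA))))),
    }
    return {name: f(HEXA, "rwb") for name, f in claims.items()}


if __name__ == "__main__":
    for name, value in example_23().items():
        print(f"{name}: {value}")
```

The two successive domains are the four deals without w for player 1, and then only rwb and bwr, which is why player 2 (holding w in both) never learns the deal.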


As for an axiomatisation of public announcements, the logic S547" is obtained by adding 
the left-hand side of Table 4 to S5m. The logic S54¥'(C), which also incorporates common 
knowledge, is axiomatised by the union of Tables 2 and 4. 


axioms and rules for S54" additional rule for S5% (C) 
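A11 $([\chi]\varphi \wedge [\chi](\varphi \to \psi)) \to [\chi]\psi$ 
A12 $[\chi]p \leftrightarrow (\chi \to p)$                    R5 From $\vdash \varphi \to [\chi]\psi$ 
A13 $[\chi]\neg\psi \leftrightarrow (\chi \to \neg[\chi]\psi)$          and $\vdash \varphi \wedge \chi \to E\varphi$ 
A14 $[\chi]K_i\psi \leftrightarrow (\chi \to K_i[\chi]\psi)$        infer $\vdash \varphi \to [\chi]C\psi$ 
R4 $\vdash \psi \Rightarrow \vdash [\chi]\psi$ 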


Table 4. Public announcements without (left) and with common knowledge 


Axiom A11 and rule R4 characterise $[\chi]$ as a normal modal operator. The other axioms 
have the general form $[\chi]\varphi \leftrightarrow (\chi \to \varphi')$; the second appearance of $\chi$ indicates that only 
behaviour of successful updates is specified. Note that the general form is equivalent to 
$(\chi \wedge ([\chi]\varphi \leftrightarrow \varphi')) \vee (\neg\chi \wedge [\chi]\varphi)$, which, by the fact that $\vdash \neg\chi \to [\chi]\varphi$, is equivalent to 


$$(\chi \wedge ([\chi]\varphi \leftrightarrow \varphi')) \vee \neg\chi.$$

Keeping this in mind, axiom A12 (also called atomic persistence) assures that atomic 
facts (and, hence, objective properties, not involving any knowledge) are not affected 
by public announcement: they do not change the world. According to A13, public 
announcements are partial functions: under the condition that the announced formula is 
true, its announcement induces a unique outcome. Finally, axiom A14 relates individual 
knowledge to public announcements: from right to left it is a variant of the earlier 
mentioned perfect recall, the other direction is a conditionalised no learning property. 


The straightforward generalisation of A14 to a logic with common knowledge would 
read $[\chi]C\psi \leftrightarrow (\chi \to C[\chi]\psi)$. However, such a principle is not valid. Consider the models 
$M$ and $M'$ of Figure 13 (taken from [101]). First of all, let 10 denote a world in which 
$p$ is true, and $q$ is false, and similarly for 11 and 01. Then, in model $M$ of Figure 13, 
we have $M, 11 \models [p]Cq$, since in the updated model $M' = M_p$, we have $M', 11 \models Cq$ 
(in $M'$, world 11 is only $a$- and $b$-accessible to itself). At the same time, we have 
$M, 11 \not\models (p \to C[p]q)$, in particular $M, 11 \not\models C[p]q$. This is so since in 11 there is a 
world $R_C$-accessible (to wit, 10), in which a public announcement of $p$ would lead us to 
the disconnected part 10 of $M'$, where we have $M', 10 \not\models q$, so that $M, 10 \not\models [p]q$, which 
justifies the claim $M, 11 \not\models C[p]q$. 


Figure 13. A counter model for $[p]Cq \to (p \to C[p]q)$


In order to obtain common knowledge through a public announcement, rule R5 from
Table 4 must be used. The soundness of this rule is typically proven using induction on
the $R_C$-path to $w$ in an updated model $M_\chi$.


THEOREM 24 ([68, 8]). The logics $S5_m^{[\,]}$ (without common knowledge) and $S5_m^{[\,]}(C)$
(with common knowledge) as defined in Table 4 are sound and complete with respect
to the semantics with key condition (16) on top of the epistemic semantics as given in
Section 4.


In fact, dynamic epistemic logic $S5_m^{[\,]}$ can be reduced to its static counterpart $S5_m$,
by employing the following translation $T$:


$T([\chi]p) = T(\chi) \to p$
$T([\chi](\varphi \wedge \psi)) = T([\chi]\varphi) \wedge T([\chi]\psi)$
$T([\chi]\neg\psi) = T(\chi) \to \neg T([\chi]\psi)$
$T([\chi]K_i\psi) = T(\chi) \to K_i T([\chi]\psi)$


The equivalence between $\psi$ and $T(\psi)$ follows immediately from the axioms of Table 4,
and it is also easy to see that $T(\psi)$ has no occurrences of the $[\chi]$ operator: they are all
replaced by implications $\chi \to p$ for certain atoms p. This feature can be used to obtain
completeness of $S5_m^{[\,]}$ ([68]), but for the case of $S5_m^{[\,]}(C)$, the completeness proof is much
more involved ([8]).


Unsuccessful Updates


The intuition of a public announcement $[\chi]$ is that it produces common knowledge of
the announced fact $\chi$. Remarkably enough, it is not always the case that $[\chi]C\chi$. As an
example, take the model $M$ of Figure 13, where in 11 the atom p holds, but a is ignorant
about it. The public announcement of this very fact (i.e., $p \wedge \neg K_a p$, which could be
uttered by player b, since he knows it) however, leaves a with a difficult, if not impossible
task to update his knowledge; it is hard to see how to simultaneously incorporate p and
$\neg K_a p$ into his knowledge.


DEFINITION 25 ((Un-)successful Formulas and Updates). A formula $\chi$ is successful
if $\models [\chi]\chi$. Otherwise, it is unsuccessful. Moreover, $\chi$ is a successful update in $M,s$ if
$M,s \models (\chi \wedge [\chi]\chi)$, it is an unsuccessful update if $M,s \models (\chi \wedge [\chi]\neg\chi)$. An update with $\chi$
is publicly successful in $M,s$ if $M,s \models \chi \wedge [\chi]C\chi$. ⊣


Which formulas are unsuccessful, and which are successful? This question was raised in
[82], and some first answers are given in [86] and [99]. Typically, only formulas involving
ignorance can be unsuccessful. Hence, propositional formulas, involving no epistemic
operators, are always successful. Secondly, common knowledge formulas are successful, by
merits of the validity $\models [C\psi]C\psi$. The paper [99] identifies a fragment of the language,
$\mathcal{L}^{0}_{[\,]}$, that is preserved under ‘deleting states’:


$\varphi \in \mathcal{L}^{0}_{[\,]} ::= p \mid \neg p \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid K_i\varphi \mid C\varphi \mid [\neg\varphi]\psi$


The fragment $\mathcal{L}^{0}_{[\,]}$ is preserved under submodels, from which it follows that for any
$\varphi \in \mathcal{L}^{0}_{[\,]}$ and any $\psi$, $\models \varphi \to [\psi]\varphi$. As a consequence, the language $\mathcal{L}^{0}_{[\,]}$ is successful. After
presenting these partial results, and before giving an example of (un-)successful updates,
we mention the following fact about updates:


THEOREM 26 ([86]). In every model, every public announcement is equivalent to a 
successful one. 


EXAMPLE 27. (Example 19 ctd., [99]) Consider model twomud from Figure 11. Let
us abbreviate $(m_a \vee m_b \vee m_c)$ to muddy. Then model $(twomud_1, 110)$ is the model
that one obtains when publicly announcing muddy in $(twomud, 110)$, i.e., after (5) is
announced. One easily checks that muddy is a publicly successful update in this state:
$twomud, 110 \models [muddy]C\,muddy$ (note that, since muddy is a member of the submodel-
preserving language $\mathcal{L}^{0}_{[\,]}$, it is even a successful formula).

Note that $twomud, 100 \models [muddy]K_a m_a$: if a is the only muddy child, he knows about
his muddiness after the announcement (5) that there is at least one muddy child. Let
$knowmuddy = \bigvee_{i \in \{a,b,c\}} (K_i m_i \vee K_i \neg m_i)$ (at least one child knows about its muddy
state). Now, although we have $twomud_1, 110 \models \neg knowmuddy$, we have $twomud_1, 110 \models
[\neg knowmuddy]knowmuddy$. In other words, when the father makes his announcement (5)
for the second time, we interpret this as an announcement of $\neg knowmuddy$ (since father
makes his remark for the second time, this is a public announcement that no child stepped
forward after the first utterance of (5), or, in other words, no child knows yet about its
muddiness). Since knowmuddy is true in $twomud_1$ in the states 001, 010 and 100, these
states are removed after the announcement $\neg knowmuddy$, giving us model $twomud_2$ of
Figure 11.

To further explain the story, one easily verifies $twomud_2, 110 \models C\,atleasttwomuddy$,
with atleasttwomuddy having its obvious interpretation $\bigvee_{i \neq j \in \{a,b,c\}} (m_i \wedge m_j)$. But if this
is common knowledge in $twomud_2, 110$, in particular children a and b know this: since
they only see one other muddy child, they conclude that they are muddy themselves and
hence step forward. We have seen that $twomud, 110 \models muddy \wedge [muddy]C\,muddy$, and also
that $twomud, 110 \models [muddy][\neg knowmuddy]C\,knowmuddy$. In other words, $\neg knowmuddy$
is an unsuccessful update in $twomud_1, 110$. Note that this is indeed a local notion: the
same announcement $\neg knowmuddy$ would have been successful in $(twomud_1, 111)$. ⊣
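The checks in Example 27 can be replayed mechanically. The following Python example is added here and is not part of the chapter; it assumes that twomud is the full three-child model in which each child sees every forehead but its own (Figure 11 is not reproduced on this page), and the tuple encoding of formulas and the names `holds`, `announce` and `update_kind` are this example's own.

```python
from itertools import product

AGENTS = "abc"
# Constructed model: a world is a string such as "110" (a and b muddy, c clean).
FULL = frozenset("".join(bits) for bits in product("01", repeat=3))


def indist(agent, w, v):
    """Child `agent` cannot tell w from v when they differ at most on its own forehead."""
    i = AGENTS.index(agent)
    return all(w[j] == v[j] for j in range(3) if j != i)


def announce(model, chi):
    """Public announcement of chi: keep exactly the worlds where chi holds."""
    return frozenset(v for v in model if holds(model, v, chi))


def holds(model, w, f):
    """Truth of formula f (a nested tuple) at world w of `model` (a set of worlds)."""
    op = f[0]
    if op == "m":                      # ("m", i): child i is muddy
        return w[AGENTS.index(f[1])] == "1"
    if op == "not":
        return not holds(model, w, f[1])
    if op == "and":
        return all(holds(model, w, g) for g in f[1:])
    if op == "or":
        return any(holds(model, w, g) for g in f[1:])
    if op == "K":                      # ("K", i, g): child i knows g
        return all(holds(model, v, f[2]) for v in model if indist(f[1], w, v))
    if op == "C":                      # ("C", g): g holds at every reachable world
        seen, todo = set(), [w]
        while todo:
            u = todo.pop()
            for v in model:
                if v not in seen and any(indist(a, u, v) for a in AGENTS):
                    seen.add(v)
                    todo.append(v)
        return all(holds(model, v, f[1]) for v in seen)
    if op == "ann":                    # ("ann", chi, g) encodes [chi]g
        if not holds(model, w, f[1]):
            return True                # an announcement that cannot be made
        return holds(announce(model, f[1]), w, f[2])
    raise ValueError(f"unknown operator {op!r}")


def update_kind(model, w, chi):
    """Classify the announcement of chi at (model, w) along the lines of Definition 25."""
    if not holds(model, w, chi):
        return "not executable"
    after = announce(model, chi)
    if holds(after, w, ("C", chi)):
        return "publicly successful"
    return "successful" if holds(after, w, chi) else "unsuccessful"


def either_way(i):
    """Child i knows whether it is muddy."""
    return ("or", ("K", i, ("m", i)), ("K", i, ("not", ("m", i))))


MUDDY = ("or",) + tuple(("m", i) for i in AGENTS)
KNOWMUDDY = ("or",) + tuple(either_way(i) for i in AGENTS)
ATLEASTTWO = ("or",) + tuple(
    ("and", ("m", i), ("m", j)) for i in AGENTS for j in AGENTS if i < j
)

if __name__ == "__main__":
    twomud1 = announce(FULL, MUDDY)
    for world in ("110", "111"):
        print(world, update_kind(twomud1, world, ("not", KNOWMUDDY)))
```

The same announcement is classified differently at 110 and at 111, which is the locality remark that closes Example 27.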


7.2 General Updates 


Public announcements play an important role in games: putting a card on the table, 
rolling a die, and moving a pawn on the chess board can all be considered as examples. 
However, in many situations much more subtle communication takes place than a public 
announcement. Consider the card game hexa in which player 1 shows player 2 his card. 
Obviously, this is informative for 2: he even learns the actual deal. But, although 3 does 
not see 1’s card, he certainly obtains new information, viz. that 2 learns the deal. And 
1 and 2 also get to know that 3 learns this! 

The following — possibly simplest — example in the setting of multi-agent systems (two 
agents or players, one atom) attempts to demonstrate that the notions of higher-order 
information and epistemic actions are indeed non-trivial and may be subtle. 


Anne and Bert are in a bar, sitting at a table. A messenger comes in and 
delivers a letter that is addressed to Anne. The letter contains either an 
invitation for a night out in Amsterdam, or an obligation to give a lecture 
instead. Anne and Bert commonly know that these are the only alternatives. 


This situation can be modelled as follows: There is one atom p, describing ‘the letter 
invites Anne for a night out in Amsterdam’, so that —p stands for her lecture obligation. 
There are two agents 1 (Anne) and 2 (Bert). Whatever happens in each of the following 
action scenarios, is publicly known (to Anne and Bert). Also, assume that in fact p is 
true. 


SCENARIO 28 (tell). Anne reads the letter aloud. 
SCENARIO 29 (read). Bert sees that Anne reads the letter. 


SCENARIO 30 (mayread). Bert orders a drink at the bar so that Anne may have read 
the letter. 


SCENARIO 31 (bothmayread). Bert orders a drink at the bar while Anne goes to the 
bathroom. Both may have read the letter. 


After execution of the first scenario (which is in fact a public announcement), it is
common knowledge that p: in the resulting epistemic state $Cp$ holds. This is not the
case in the second scenario, but still, some common knowledge is obtained there:
$C(K_1 p \vee K_1 \neg p)$: it is commonly known that Anne knows the content of the letter, irrespective
of it being $p$ or $\neg p$. Does this higher-order information change in Scenario 30? Yes, in
this case Bert does not even know if Anne knows $p$ or knows $\neg p$: $\neg K_2(K_1 p \vee K_1 \neg p)$. In
Scenario 31 something similar is happening, that may best be described by saying that
the agents concurrently learn that the other may have learnt $p$ or $\neg p$. Note that in this
case, both agents may have learnt p, so that p is generally known: $Ep$, but they are in
that case unaware of each other’s knowledge, $\neg C_{12}p$, and that is commonly known.

Scenarios 30 and 31 are interesting, since semantically, they indicate that one cannot
simply rely on the strategy of deleting states. The scenarios not only provide the agents 
with certainty, but also some doubts arise. After Scenario 30 for example, Bert must 
find an alternative state possible, in which Anne knows the contents of the letter, but 
also one in which Anne does not know. This is in a nutshell the main challenge in the 
semantics of these general updates. 


Language 


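To a standard multi-agent epistemic language with common knowledge for a set N of
agents and a set P of atoms, we add dynamic modal operators for programs that are
called knowledge actions or just actions. Actions may change the knowledge of the agents
involved. The formulas $\mathcal{L}^{[\,]}_N$, the actions $\mathcal{L}^{\mathrm{act}}_N$, and the group gr of an action are defined
by simultaneous induction:


DEFINITION 32 (Formulas and actions). The formulas $\mathcal{L}^{[\,]}_N(P)$ are defined by


$\varphi ::= p \mid \neg\varphi \mid (\varphi \wedge \psi) \mid K_n\varphi \mid C_B\varphi \mid [\alpha]\psi$


where $p \in P$, $n \in N$, $B \subseteq N$, $\alpha \in \mathcal{L}^{\mathrm{act}}_N(P)$, and $\psi \in \mathcal{L}^{[\,]}_{gr(\alpha)}(P)$. The actions $\mathcal{L}^{\mathrm{act}}_N(P)$ are
defined by


$\alpha ::= {?\varphi} \mid L_B\beta \mid (\alpha \mathbin{!} \alpha) \mid (\alpha \mathbin{¡} \alpha) \mid (\alpha \mathbin{;} \beta') \mid (\alpha \cup \alpha) \mid (\alpha \cap \alpha)$


where $\varphi \in \mathcal{L}^{[\,]}_N(P)$, $B \subseteq N$, $\beta \in \mathcal{L}^{\mathrm{act}}_B(P)$, and $\beta' \in \mathcal{L}^{\mathrm{act}}_{gr(\alpha)}(P)$, and where the group $gr(\alpha)$
of an action $\alpha \in \mathcal{L}^{\mathrm{act}}_N(P)$ is defined as: $gr(?\varphi) := \emptyset$, $gr(L_B\alpha) := B$, and $gr(\alpha \bullet \alpha') :=
gr(\alpha) \cap gr(\alpha')$ for $\bullet = {!}, \cap, \cup, {;}$. ⊣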

The program constructor $L_B$ is called learning. Action $?\varphi$ is a test, $(\alpha \mathbin{;} \alpha')$ is sequential
execution, $(\alpha \cup \alpha')$ is nondeterministic choice, $(\alpha \mathbin{!} \alpha')$ is called (left) local choice and
$(\alpha \mathbin{¡} \alpha')$ is called (right) local choice, and $(\alpha \cap \alpha')$ is concurrent execution. The construct
$L_B?\varphi$ is pronounced as ‘B learn that $\varphi$’. Local choice $\alpha \mathbin{!} \alpha'$ may, somewhat inaccurately,
be seen as ‘from $\alpha$ and $\alpha'$, choose the first.’ Local choice $\alpha \mathbin{¡} \alpha'$ may be seen as ‘from
$\alpha$ and $\alpha'$, choose the second.’ The interpretation of local choice ‘!’ and ‘¡’ depends on
the context of learning that binds it: in $L_B(\alpha \mathbin{!} \alpha')$, everybody in B but not in learning
operators occurring in $\alpha, \alpha'$, is unaware of the specific choice for $\alpha$. That choice is
therefore ‘local’.


EXAMPLE 33. The description in $\mathcal{L}^{\mathrm{act}}_{12}(\{p\})$ of the actions in the introduction are:


tell          $L_{12}?p \cup L_{12}?\neg p$
read          $L_{12}(L_1?p \cup L_1?\neg p)$
mayread       $L_{12}(L_1?p \cup L_1?\neg p \cup {?\top})$
bothmayread   $L_{12}((L_1?p \cap L_2?p) \cup (L_1?\neg p \cap L_2?\neg p) \cup L_1?p \cup L_1?\neg p \cup L_2?p \cup L_2?\neg p \cup {?\top})$


For example, the description of read (Anne reads the letter) reads as follows: ‘Anne and
Bert learn that either Anne learns that she is invited for a night out in Amsterdam or
that Anne learns that she has to give a lecture instead.’ ⊣


By replacing all occurrences of ‘!’ and ‘¡’ in an action $\alpha$ by ‘$\cup$’, except when under
the scope of ?, we get the type $t(\alpha)$ of that action. By replacing all occurrences of ‘$\cup$’
in an action $\alpha$ by either ‘!’ or ‘¡’, except when under the scope of ?, we get the set of
instances $I(\alpha)$ of that action. Informally we write: $I(\alpha) := \{\alpha[\cup / {!}, {¡}]\}$. If $t(\alpha) = t(\beta)$
we say that $\alpha$ and $\beta$ are the same type of action. Furthermore, if $\alpha$ and $\beta$ are identical
modulo swapping of occurrences of ‘!’ for ‘¡’ or vice versa, we say that $\alpha, \beta$ are comparable
actions. The idea here is that in the scope of an $L_B$ operator, the agents of B know which
action is executed, but the agents not in B consider all actions of the same type possible.
Instead of $\alpha \mathbin{!} \alpha'$ we also write ${!\alpha} \cup \alpha'$. This expresses more clearly that given choice
between $\alpha$ and $\alpha'$, the agents involved in those actions choose $\alpha$, whereas that choice
remains invisible to the agents that learn about these alternatives but are not involved.
Similarly, instead of $\alpha \mathbin{¡} \alpha'$ we write $\alpha \cup {!\alpha'}$.


Figure 14. Epistemic states resulting from the execution of actions described in the four
action scenarios. The top left figure represents (Let, u), in which it is common knowledge
that both 1 and 2 are ignorant about p. For mayread and bothmayread only one of more
executions is shown: namely the one in which actually nothing happens, and the one in
which both 1 and 2 find out that p, respectively.


EXAMPLE 34. The action read where Bert sees that Anne reads the letter is different
from the instance of that action where Anne is actually invited for a night out and Bert
sees that Anne reads the letter. The latter is described as $L_{12}({!L_1?p} \cup L_1?\neg p)$: of the
two alternatives $L_1?p$ and $L_1?\neg p$, the first is chosen, but agent 2 is unaware of that
choice. The description read is its type. The other instance of read is $L_{12}(L_1?p \cup {!L_1?\neg p})$.
Actions $L_{12}({!L_1?p} \cup L_1?\neg p)$ and $L_{12}(L_1?p \cup {!L_1?\neg p})$ are comparable to each other. ⊣


Semantics and Axioms 


Concerning the semantics of $\mathcal{L}^{[\,]}_N(P)$ (on epistemic models), we refer to Chapter 12 for the
treatment of the dynamic operators, and focus here on the learning operator. Although 
our object language is that of [102], we focus on the semantics as explained in [7], which 
we coin action model semantics. The appealing idea in the action model semantics is 
that both the uncertainty about the state of the world, and that of the action taking 
place, are represented in two independent Kripke models. The result of performing an 
epistemic action in an epistemic state is then computed as a ‘cross-product’. We give 
some more explanation by way of an example: see also Figure 15. 

Model $N$ in this figure is the model Let, but now we have given names s and t to
the states in it. The triangular shaped model $\mathsf{N}$ is the action model that represents
the knowledge and ignorance when the instance $L_{12}(L_1?p \cup L_1?\neg p \cup {!\top})$ of mayread is
carried out. The points $\mathsf{a}, \mathsf{b}, \mathsf{c}$ of the model $\mathsf{N}$ are also called actions, and the formulas
accompanying the name of the actions are called pre-conditions: the condition that has
to be fulfilled in order for the action to take place. Since we are in the realm of truthful
information transfer, in order to perform an action that reveals p, the pre-condition p
must be satisfied, and we write $pre(\mathsf{b}) = p$. For the case of nothing happening, only the
precondition $\top$ need be true. Summarising, action $\mathsf{b}$ represents the action that agent 1
reads p in the letter, action $\mathsf{c}$ is the action when $\neg p$ is read, and $\mathsf{a}$ is for nothing happening.
As with ‘static’ epistemic models, we omit reflexive arrows, so that $\mathsf{N}$ indeed represents
that $p$ or $\neg p$ is learned by 1, or that nothing happens: moreover, it is commonly known
between 1 and 2 that 1 knows which action takes place, while for 2 they all look the
same.

Now let $M,w = \langle W, R_1, R_2, \ldots, R_m, \pi\rangle, w$ be an epistemic static state, and $\mathsf{M},\mathsf{w}$ an
action in a finite action model. We want to describe what $M,w \otimes \mathsf{M},\mathsf{w} = \langle W', R'_1, R'_2,
\ldots, R'_m, \pi'\rangle, w'$ looks like — the result of ‘performing’ the action represented by $\mathsf{M},\mathsf{w}$ in
$M,w$. Every action from $\mathsf{M},\mathsf{w}$ that is executable in any state $v \in W$ gives rise to a new
state in $W'$: we let $W' = \{(v,\mathsf{v}) \mid v \in W, M,v \models pre(\mathsf{v})\}$. Since epistemic actions do not
change any objective fact in the world, we stipulate $\pi'(v,\mathsf{v}) = \pi(v)$. Finally, when are
two states $(v,\mathsf{v})$ and $(u,\mathsf{u})$ indistinguishable for agent i? Well, he should be both unable
to distinguish the originating states ($R_i uv$), and unable to know what is happening
($\mathsf{R}_i \mathsf{u}\mathsf{v}$). Finally, the new state $w'$ is of course $(w,\mathsf{w})$. Note that this construction indeed
gives $N,s \otimes \mathsf{N},\mathsf{a} = N',(s,\mathsf{a})$, in our example of Figure 15. Finally, let the action $\alpha$ be
represented by the action model state $\mathsf{M},\mathsf{w}$. Then the truth definition under the action
model semantics reads that $M,w \models [\alpha]\varphi$ iff $M,w \models pre(\mathsf{w})$ implies $(M,w) \otimes (\mathsf{M},\mathsf{w}) \models \varphi$.
In our example: $N,s \models [L_{12}(L_1?p \cup L_1?\neg p \cup {!\top})]\varphi$ iff $N',(s,\mathsf{a}) \models \varphi$.


Figure 15. Multiplying the epistemic state Let, s with the action model $(\mathsf{N}, \mathsf{a})$ representing
the action instance $L_{12}(L_1?p \cup L_1?\neg p \cup {!\top})$ of mayread


Note that the accessibility relation in the resulting model is defined as


$R'_i(u,\mathsf{u})(v,\mathsf{v}) \Leftrightarrow R_i uv \;\&\; \mathsf{R}_i \mathsf{u}\mathsf{v}$ (17)


As a consequence, perfect recall does not hold for $[\alpha]$: Let $\alpha$ be $L_{12}(L_1?p \cup L_1?\neg p \cup {!\top})$.
We then have $N,s \models K_2[\alpha]\neg(K_1 p \vee K_1 \neg p)$ (2 knows that if nothing happens, 1 will not
find out whether p), but not $N,s \models [\alpha]K_2\neg(K_1 p \vee K_1 \neg p)$. We do have in general the
following weaker form of perfect recall, however. Let $M,w$ be a static epistemic state,
and $\alpha$ an action, represented by some action state $\mathsf{M},\mathsf{w}$. Let $A$ be the set of actions that
agent $i$ cannot distinguish from $\mathsf{M},\mathsf{w}$. Then we have


$M,w \models \bigwedge_{\beta \in A} K_i[\beta]\varphi \to [\alpha]K_i\varphi$ (18)


In words, in order for agent i to ‘remember’ what holds after performance of an action
$\alpha$, he should already know in advance that it will hold after every epistemically possible
execution of that action. In the card example of hexa: if player 1 shows player 2 his
card (which is red), then player 3 ‘only’ knows that 2 learned that 1 holds red or white,
because he cannot distinguish the action in which 1 shows red from the action in which
1 shows white. The perfect recall version (18) is a consequence of the ‘$\Rightarrow$’-direction of
(17), the other direction gives the following generalized and conditionalised version of
‘no learning’: $[\alpha]K_i\varphi \to (pre(\alpha) \to \bigwedge_{\beta \sim_i \alpha} K_i[\beta]\varphi)$. This implies that, everything that
is known after a specific execution of an action, was already known to hold after any
indistinguishable execution of that action.¹
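The product construction (17) and the failure of perfect recall for mayread can be checked directly. This Python example is added here and is not from the chapter; the encoding of Let and of the action model follows the description of Figure 15, preconditions are limited to propositional tests on the valuation (an assumption that covers p, not-p and true), and all function names are this example's own.

```python
# Static model Let, constructed from the description of Figure 15:
# p is true at s and false at t; neither agent can tell s from t.
LET_VAL = {"s": {"p"}, "t": set()}
LET_REL = {i: {(u, v) for u in LET_VAL for v in LET_VAL} for i in (1, 2)}

# Action model for mayread: a = nothing happens, b = 1 reads p, c = 1 reads not-p.
PRE = {
    "a": lambda val: True,
    "b": lambda val: "p" in val,
    "c": lambda val: "p" not in val,
}
ACTS = list(PRE)
ACT_REL = {
    1: {(x, x) for x in ACTS},                  # agent 1 knows which action occurs
    2: {(x, y) for x in ACTS for y in ACTS},    # for agent 2 they all look the same
}


def product_update(val, rel):
    """Pairs (state, action) whose precondition holds, related as in (17)."""
    new_val = {(v, x): val[v] for v in val for x in ACTS if PRE[x](val[v])}
    new_rel = {
        i: {(u, v) for u in new_val for v in new_val
            if (u[0], v[0]) in rel[i] and (u[1], v[1]) in ACT_REL[i]}
        for i in rel
    }
    return new_val, new_rel


# Formulas are functions (val, rel, world) -> bool.
def atom(name):
    return lambda val, rel, w: name in val[w]


def neg(f):
    return lambda val, rel, w: not f(val, rel, w)


def disj(f, g):
    return lambda val, rel, w: f(val, rel, w) or g(val, rel, w)


def K(i, f):
    return lambda val, rel, w: all(f(val, rel, v) for v in val if (w, v) in rel[i])


def box(x, f):
    """[x]f: if action point x is executable at w, f holds at (w, x) in the product."""
    def check(val, rel, w):
        if not PRE[x](val[w]):
            return True
        new_val, new_rel = product_update(val, rel)
        return f(new_val, new_rel, (w, x))
    return check


def weak_recall(i, x, f, val, rel, w):
    """Instance of (18): K_i[y]f for every y that i confuses with x implies [x]K_i f."""
    known_in_advance = all(
        K(i, box(y, f))(val, rel, w) for y in ACTS if (x, y) in ACT_REL[i]
    )
    return (not known_in_advance) or box(x, K(i, f))(val, rel, w)


P = atom("p")
IGNORANT_1 = neg(disj(K(1, P), K(1, neg(P))))   # not (K_1 p or K_1 not-p)

if __name__ == "__main__":
    print(sorted(product_update(LET_VAL, LET_REL)[0]))
    print(K(2, box("a", IGNORANT_1))(LET_VAL, LET_REL, "s"))   # K_2 [a] ...
    print(box("a", K(2, IGNORANT_1))(LET_VAL, LET_REL, "s"))   # [a] K_2 ...
```

The two printed truth values differ because, in the product model, agent 2 cannot rule out the state in which action b took place and agent 1 now knows p.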

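Concerning axiomatisations for dynamic epistemic logic, we provide some axioms in
Table 5. These have to be added on top of $S5_m$ and the usual axioms for the dynamic
operators. Let us call the resulting system $DEL(S5)_m$.


¹ We have oversimplified the treatment of [7], in particular we have not discussed what it means that
an action $\alpha$ is represented by an action state $\mathsf{M},\mathsf{w}$. For further discussion, see [7], or [101], where both
semantics discussed here are dealt with.


some axioms of $DEL(S5)_m$
A15  $\langle L_B\alpha\rangle\top \leftrightarrow pre(L_B\alpha)$
A16  $[\alpha \mathbin{!} \alpha']\varphi \leftrightarrow [\alpha]\varphi$
A17  $[\alpha]p \leftrightarrow (pre(\alpha) \to p)$
A18  $[\alpha]\varphi \leftrightarrow \bigwedge_{\beta \in I(\alpha)} [\beta]\varphi$
A19  $\bigwedge_{\beta \sim_i \alpha} K_i[\beta]\varphi \to [\alpha]K_i\varphi$
A20  $[\alpha]K_i\varphi \to (pre(\alpha) \to \bigwedge_{\beta \sim_i \alpha} K_i[\beta]\varphi)$

some rules of $DEL(S5)_m$
R6   $\vdash \varphi \to \psi \Rightarrow \vdash [\alpha]\varphi \to [\alpha]\psi$
R7   If: for all $\beta$ with $\alpha \sim_B \beta$ there is a $\chi_\beta$ such that
     (1) $\vdash \chi_\beta \to [\beta]\varphi$, and
     (2) $\beta \sim_n \alpha'$ implies $\vdash (\chi_\beta \wedge pre(\beta)) \to E_B\chi_{\alpha'}$
     Then: $\chi_\alpha \to [\alpha]C_B\varphi$


Table 5. Epistemic axioms and rules: $i \le m$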


We elaborate shortly on the axioms: for further details we refer to [7, 102]. For any
action $\alpha$, a formula $pre(\alpha)$ can be defined which is true exactly when $\alpha$ can be executed.
Axiom A15, also called ‘Learning’, says that this is well-defined for learning actions,
and A17 (‘Atomic permanence’) says that, like public announcement, general updates
do not change the objective statements, given that the update is executable. Axiom
A16 (‘Local choice’) determines the meaning of !. Axiom A18 (‘Action instances’)
formalises that the effect of an action is a combined effect of all its instances. One might
have expected a distribution axiom for $[\alpha]$, but this is not sound. Such an axiom is
unsound in any dynamic logic with concurrency (see Chapter 12), for the same reason:
the interpretation of actions are relations between epistemic states and sets of epistemic
states. The modality $[\alpha]$ corresponds to a $\forall\exists$ quantifier for which distribution does not
hold. We do have a weaker form of distribution in the form of the action facilitation rule
R7. This is all we need in the completeness proof.

Note that axioms A19 and A20 are variants of the earlier discussed principles of ‘recall’
and ‘no learning’, respectively. They give what one could call a ‘compositional analysis’
of pre- and post-conditions of epistemic events. Axiom A19 expresses that, in order to
know, after $\alpha$ has happened, that $\varphi$, one has to know in advance that, no matter which
action happens that looks like $\alpha$, property $\varphi$ will result. In a simple card game example:
if I know after you show Ann a card that she has to know the full deal of cards among us,
I should know in advance that Ann knows the deal after every card that I imagine you
showing Ann. Often a contrapositive of such an axiom is appealing, in this case it reads
$\langle\alpha\rangle\hat{K}_i\varphi \to \bigvee_{\beta \sim_i \alpha} \hat{K}_i\langle\beta\rangle\varphi$: if there is an execution of $\alpha$ after which I still consider $\varphi$ a
possibility, then for some action that looks the same to me as $\alpha$, I imagine it possible that
there is an execution which leads to $\varphi$. If you only have two cards, and you show them in
a sequence to her ($\alpha$), but I only see you show her a card twice, I still think it conceivable
that she does not know both of your cards ($\varphi$), since I take into the consideration that
you showed her twice the same card ($\beta$), after which she would not know both your cards.
We leave elaboration about A20 to the reader.

Even the soundness of inference rule R7 is not easy to grasp. It mimics an induction
rule where the $\chi$ formulas are used as induction hypotheses. It uses a notion of
indistinguishability of actions: $\alpha \sim_B \beta$ means that group B cannot distinguish the execution
of $\alpha$ from that of $\beta$. Also, the completeness proof of this logic is not easy, since in the
canonical model one has to prove that $[\varphi]C_B\psi$ is in a maximal consistent set $\Gamma$ iff for
every path that runs from $\Gamma$ along steps from one of the agents in B and in which $\varphi$ is
true, also $[\varphi]\psi$ holds, and the right hand side of this iff has no counterpart in the
object language. This motivated [90] to introduce a relativised common knowledge operator
$C_B(\varphi,\psi)$ which exactly captures the right hand side of the mentioned equation. Both
the inference rule R7 and the completeness proof of the logic based on this notion of
common knowledge have a much more natural appearance.


8 EPISTEMIC FOUNDATIONS OF SOLUTION CONCEPTS 


We now turn to the characterisation of solution concepts in games, formalised using 
epistemic constructs. To set the scene, let us consider the game in extensive form, 
depicted on the left hand side of Figure 16. It supposes we have two players, A and B, 
and A has to decide in the nodes labelled a,e,i and u, whereas B decides in b and d. 
The leaves of the tree are labelled with payoffs, the one in the left-most leaf for instance
denoting that A would receive 1, and B would get 6. 

A natural question now is: “suppose you are agent A. What would your decision be 
in the top node a?” The obvious backward induction procedure determines A’s ‘best’ 
move starting from the leaves. Suppose the game would end up in node u. Since A is 
rational, he prefers an outcome of 4 over 1, and hence he would move ‘left’ in u; this is 
illustrated using the thick lines in the game on the right hand side of Figure 16. Now, 
B is rational as well, and he moreover knows that A is rational, so, when reaching node 
d, player B knows he has in fact a choice between a payoff of 4 (going ‘left’ in d) and 3 
(going right, and knowing what A will do in u). We do the same reasoning over nodes e 
and i, and end up with the choices with a thick line in the figure: A would go ‘right’ and
‘left’, respectively. Again, since B is rational and knows that A is rational, his payoffs 
in node b are 4 and 3, respectively, and he will choose ‘left’. Continuing in this fashion, 
note that A’s choice for going left in a is based on (i) the fact that he is rational; (ii) the 
fact that he knows that B is rational and (iii) the fact that he knows that B knows that 
he (A) is rational. In short, knowledge of each other’s rationality, and indeed, common 
knowledge thereof, seems to play a crucial role in rational strategic decision making. 


Figure 16. A Game in Extensive Form 


The fact that epistemic notions are important in order to analyse certain solution 
concepts in games, like common knowledge of rationality being crucial for backward
induction, has been recognised for a long time, even though for certain game-theoretic 
solution concepts, the epistemic foundations are not always easy to determine. It seems 
most progress has been made in the case of strategic game forms. 


8.1 Epistemic Foundations for Strategic Games


In ([18]) it is argued that a general form of epistemic characterisation results comes in a 
format in which one predicts the decision of each agent, given certain assumptions about 
each player’s utility and rationality, and (iterated) knowledge thereof. The following 
provides an example, taken from [88]: we will mainly restrict ourselves to two player 
games in this section. 

The proof of Theorem 7, and the backward induction algorithm applied above to 
recursively determine a subgame-perfect equilibrium in an extensive form game has its 
counterpart in strategic games. The left hand side of Table 6 represents a strategic game 
for two players r (choosing a row) and c (selecting a column). The entries x, y represent 
payoffs for player r and c, respectively. In this game, the (unique) Nash equilibrium can 
be achieved by iteratively removing strictly dominated strategies (see Section 2.1): since 
c’s strategy c3 is strictly dominated, by rationality he will not play it, so that we can 
remove its corresponding column from the game. Player r is rational and knows about 
c’s rationality, and in the new game with only 2 columns that he needs to consider he 
has a dominated strategy r3 that can be removed. Using $\mathit{rat}_i$ to express that player i is
rational, removal of r3 is granted by the fact that $\mathit{rat}_r \wedge K_r\mathit{rat}_c$. Continuing in this manner,
column c2 and row r2 can subsequently be removed, leaving us with the unique Nash
equilibrium (r1, c1). It seems that in our reasoning the last two steps are motivated by
the fact that


$\mathit{rat}_c \wedge K_c\mathit{rat}_r \wedge K_cK_r\mathit{rat}_c$ and $\mathit{rat}_r \wedge K_r\mathit{rat}_c \wedge K_rK_c\mathit{rat}_r \wedge K_rK_cK_r\mathit{rat}_c$ (19)


respectively. Before relating such a condition to [18]’s general format of characterisation 
results and his syntactic approach, we make a little detour. 


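Game H (each entry lists the payoff for r, then for c):

r\c | c1  | c2  | c3
r1  | 2,3 | 2,2 | 1,1
r2  | 0,2 | 4,0 | 1,0
r3  | 0,1 | 1,4 | 2,0

Distribution of best responses:

r\c | c1         | c2   | c3
r1  | br_r, br_c | -    | -
r2  | br_c       | br_r | -
r3  | -          | br_c | br_r


Table 6. A strategic game H for players r and c, distribution of best responses and the
model $M_H$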


A Semantic Approach 


A semantic approach to clarify the nature of epistemic characterisation of solution con- 
cepts is given in [74], but here we follow a more recent approach ([88]). We do this since 
the latter is closer to the Kripke models as used in this chapter, and it moreover gives a
nice example of how dynamic epistemic logic (Section 7) can clarify the subtleties that are
at stake here (for instance, is iterated knowledge as in (19) indeed needed?). Endowing
finite two-player games in strategic form with an epistemic flavour uses the observation
that each player knows his strategy, but not the other’s. Hence, if we take the strategy
profiles $\sigma$ in a game G as the possible worlds, the epistemic indistinguishability relation
that presents itself is then defined by $R_i\sigma\delta$ iff $\sigma_i = \delta_i$. This is in fact the definition that
is used in the prominent distributed or interpreted systems approach to epistemic logic
(see Section 5), in which global states in the overall system have a local component for
each agent, each exactly knowing this local state. Thus, the full model over the game H
of Table 6 is the left model in Figure 17; where the global states $(\sigma_r, \sigma_c)$ are represented
by their unique payoff for that profile.

As we have seen above, an algorithm to find a solution concept in a game G may
transfer a model into a smaller one. Let us coin submodels of full models general game
models. Doing so, we stay in the realm of $S5_2$, since as [81] observes, every $S5_2$-model
is bisimilar to a general game model. Now, is common knowledge of rationality needed
to justify the elimination of dominated strategies algorithm? First of all, referring to
common knowledge in full games seems to be some overkill: in every full model for two
players, every pair of strategy profiles $\sigma = (\sigma_r, \sigma_c)$ and $\tau = (\tau_r, \tau_c)$ is connected through
a third $\delta = (\sigma_r, \tau_c)$ (and, indeed, a fourth $\gamma = (\tau_r, \sigma_c)$), which immediately gives us
$K_rK_c\varphi \to K_cK_r\varphi$ as a valid scheme on such models. This is reminiscent of the property
that in interpreted systems, common knowledge in every run (roughly, every sequence of
global states in the full model) is constant (see Section 5). In full models for two agents,
we have $K_rK_c\varphi \to C\varphi$ (its contra-positive follows quickly from the semantic insight
above: if $\neg C\varphi$ holds at $\sigma$ then $\varphi$ is false at some $\tau$, which is in two steps connected
through $\delta$, giving $\hat{K}_r\hat{K}_c\neg\varphi$; recall that $\hat{K}$ is the dual of $K$) so that there is a natural
bound on the needed nesting of epistemic operators, and the notion of common knowledge
is not really needed.

Secondly, we have to become a bit more precise of what rationality exactly amounts to
in the current setting. The notion of a best response for agent i in a model M at state $\sigma$
can be formalised as follows, where $A_i$ is the set of actions available in the current game
G to agent i. Let M be the (full or general) game model generated by G and, given a
profile $\sigma$, $M,\sigma \models \pi(\cdot) \geq_i \pi(i \mapsto a)$ means that the payoff, given profile $\sigma$, is at least as
big for i as for the profile that is like $\sigma$, but in which i plays a instead.


$M,\sigma \models br_i$ iff $M,\sigma \models \bigwedge_{a \in A_i} (\pi(\cdot) \geq_i \pi(i \mapsto a))$ (20)


Note that a profile $\sigma$ being in a Nash Equilibrium (NE) in a model M, can be described
as follows: $M,\sigma \models NE \leftrightarrow \bigwedge_{i \in N} br_i$. In the general model $M_H$ in the right hand side of
Table 6, NE is true in the profile (r1, c1). Note that we have $M_H \models (\neg K_r br_r \wedge \neg K_c br_c)$:
neither player knows that he plays a best response, let alone that such a property is
common knowledge.

Once a property $br_i$ is true in $\sigma$ in a full model M, it remains true in $\sigma$ and any smaller
general model M’: this is because of the universal nature of br. One could alternatively
define a relative notion of best response $br_i$ as in (20), but with quantification restricted
to all actions $A_i(M)$ in the model M. Doing so, a profile $\sigma$ can become a best response
for a player i, just because a better option for i has just been eliminated, when moving
to M’.

According to [88], a static analysis of strategic games using epistemics does not seem 
the right way to go: a general model for a game has players with common knowledge of 
rationality (CRat), iff Rat is true in all worlds, i.e., profiles, and such games seem not 
so interesting, under plausible notions of rationality. For instance, if we take rationality 
to mean that everybody plays a best response, then we would have that CRat holds iff 
the model consists only of Nash equilibria. And, giving a modal logic argument, from 
the validity of $C(\mathit{Rat} \to \mathit{NE})$ one derives $C\mathit{Rat} \to C\mathit{NE}$, so that, assuming common
knowledge of rationality, there is no need for an algorithm to eliminate worlds, since we 
already have CNE: it is already common knowledge that a Nash equilibrium is played. 
Moreover, CRat is not a plausible assumption as was illustrated in the game H of Table 6: 
not even any individual player knows that he is rational! The dynamic epistemic logic 
of Section 7 seems more appropriate to deal with assumptions about rationality. 

Rationality should have an epistemic component. Rather than saying that all players
play their best response, it should cover something like ‘every player plays the best, given
his knowledge’. We take the following notion of weak rationality wr from [88], using our
notation $\hat{K}_i\varphi$ for $\exists\tau(R_i\sigma\tau$ & $\varphi$ is true at $\tau)$.


$M,\sigma \models wr_i$ iff $M,\sigma \models \bigwedge_{a \in A_i(M),\, a \neq \sigma_i} \hat{K}_i(\pi(\cdot) \geq_i \pi(i \mapsto a))$ (21)


In words: a player i is weakly rational at $\sigma$, if for every alternative action for $\sigma_i$, he can
imagine a profile $\sigma'$, for which $\sigma'_i$ (which is, by the definition of the accessibility relation,
$\sigma_i$!) would be at least as good for i as playing a. Alternatively: $\sigma$ is a weakly rational
profile for i, if for any alternative action, i does not know that $\sigma_i$ is worse. It may be
instructive to consider the dual reading of $wr_i$, which is $\neg\bigvee_{a \in A_i(M),\, a \neq \sigma_i} K_i(\pi(\cdot) <_i \pi(i \mapsto a))$:
$\sigma$ is weakly rational for i if there is no action a for i for which i knows that it would
give him a better payoff. Yet phrased differently: $\sigma$ is not weakly rational for a player,
if it represents a dominated strategy. Going back to the model $M_H$ of Figure 17, $wr_c$
fails exactly in the third column, since there, player c does know to have a strictly better
move than playing c3.


THEOREM 35 ([88]). Every finite general model has worlds where $wr_i$ holds for both
players i.


Being defined as lack of knowledge, and given the fact that we are in the realm of $S5_m$,
we have $wr_i \to K_i wr_i$ as a validity, giving rationality its desired epistemic component.
Moreover, we can expect players to announce that they are weakly rational, since they 
would know it. The next theorem uses the public announcements of Section 7. 


THEOREM 36 ([88]). Let $\sigma$ be a strategy profile, $G$ a game in strategic form, and $M(G)$
its associated full game model. Then the following are equivalent:


(i) Profile $\sigma$ survives when doing iterated removal of dominated strategies;


(ii) Repeated announcement of $wr_i$ stabilises at a substate $(N, \sigma)$, for which the
domain of $N$ is exactly the set of states that survive when doing iterated removal of
dominated strategies.


In Figure 17, the left-most model is the model $M_H$ from Table 6. The other models
are obtained by public announcements of $wr_c$, $wr_r$, $wr_c$ and $wr_r$, respectively. As a local
update, this sequence can be executed in $\sigma = (r_1, c_1)$, but one can also conceive it as
an operation on the whole model, cf. the interpretation of the learning operators in
Section 7.2. Thus, in our model $M_H$, we have $M_H, (r_1, c_1) \models [wr_c][wr_r][wr_c][wr_r]\,C\,Nash$:
if the players iteratively announce that they are weakly rational, the process of dominated
strategy elimination leads them to a solution that is commonly known to be Nash.

Figure 17. Epistemic model $M_H$ for the game H (left), and after announcements of
rationality.
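
Theorem 36 and the announcement sequence just described can be replayed mechanically. The Python below is an added example, not code from the handbook or from [88]: it uses a constructed 3×3 game (not the game H of Table 6), and it assumes that a player's accessibility relation links the profiles in which his own action is the same and that "dominated" means strictly dominated by another pure action.

```python
from itertools import product

ROWS, COLS = ("r1", "r2", "r3"), ("c1", "c2", "c3")
# Constructed payoff tables (rows = row player's action, columns = column player's action).
U_ROW = [[2, 2, 0], [1, 3, 0], [0, 1, 5]]
U_COL = [[3, 2, 1], [2, 0, 1], [1, 4, 0]]
# PAYOFF[(row, col)] = (payoff of player 0 = row, payoff of player 1 = column).
PAYOFF = {(r, c): (U_ROW[a][b], U_COL[a][b])
          for a, r in enumerate(ROWS) for b, c in enumerate(COLS)}
FULL_MODEL = frozenset(product(ROWS, COLS))  # full game model: one world per profile


def switch(world, i, a):
    """The profile that differs from `world` only in player i playing a."""
    return (a, world[1]) if i == 0 else (world[0], a)


def weakly_rational(model, world, i):
    """wr_i at `world`: for every alternative action a still present in the model,
    player i considers possible a world where his current action is at least as good as a."""
    accessible = [t for t in model if t[i] == world[i]]   # assumed: i knows his own action
    alternatives = {w[i] for w in model} - {world[i]}     # A_i(M) without the current action
    return all(any(PAYOFF[t][i] >= PAYOFF[switch(t, i, a)][i] for t in accessible)
               for a in alternatives)


def announce(model, i):
    """Public announcement of wr_i: keep exactly the worlds where wr_i holds."""
    return frozenset(w for w in model if weakly_rational(model, w, i))


def announce_until_stable(model, order=(1, 0)):
    """Alternate announcements (column player first) until nothing is removed.
    Returns the list of successive models, starting with the input model."""
    history = [frozenset(model)]
    while True:
        before = history[-1]
        for i in order:
            after = announce(history[-1], i)
            if after != history[-1]:
                history.append(after)
        if history[-1] == before:
            return history


def wr_is_known(model, i):
    """Check wr_i -> K_i wr_i on a model: wr_i holds in every world i cannot tell apart."""
    return all(weakly_rational(model, t, i)
               for w in model if weakly_rational(model, w, i)
               for t in model if t[i] == w[i])


def strictly_dominated(b, i, own, others):
    """Is action b of player i strictly dominated by another pure action in `own`?"""
    def pay(action, other):
        return PAYOFF[(action, other) if i == 0 else (other, action)][i]
    return any(all(pay(a, o) > pay(b, o) for o in others) for a in own - {b})


def iterated_strict_dominance(rows, cols):
    """Classical iterated removal of strictly dominated actions, without any epistemics."""
    sets = [set(rows), set(cols)]
    while True:
        removed = False
        for i in (0, 1):
            dominated = {b for b in sets[i] if strictly_dominated(b, i, sets[i], sets[1 - i])}
            sets[i] -= dominated
            removed = removed or bool(dominated)
        if not removed:
            return frozenset(product(*sets))


def is_nash(world):
    """No player gains by unilaterally deviating from `world` in the full game."""
    return all(PAYOFF[world][i] >= PAYOFF[switch(world, i, a)][i]
               for i, acts in enumerate((ROWS, COLS)) for a in acts)


if __name__ == "__main__":
    for step, m in enumerate(announce_until_stable(FULL_MODEL)):
        print(step, sorted(m))
```

On this game the announcements remove column c3, row r3, column c2 and row r2 in turn, the same alternating pattern as the sequence of four announcements in the text.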

One can give a similar analysis of strong rationality. A profile $\sigma$ satisfies this property
for a player $i$ if $i$ considers it possible that $\sigma_i$ is as good as any other of its actions.


M,o Esr if Moe K N ((-) =i (ira) (22) 
ac€A;, afc; 


If we abbreviate $SR$ to be $sr_r \wedge sr_c$, we can again perform announcements of $SR$. In
general, such announcements of wr, sr and SR give rise to different behaviour. 


THEOREM 37 ([88]). On full models, repeated announcements of SR lead to its common 
knowledge. 


We have assumed that games are finite. For infinite games, the reasoning put forward 
in this section would be naturally dealt with in some kind of fixed-point logic. We have 
for instance the following theorem: 


THEOREM 38 ([88]). The stable set of worlds for repeated announcement of SR is defined 
in the full game model by the greatest fixed point formula 


$$\nu p \cdot (\hat{K}_c(br_c \wedge p) \wedge \hat{K}_r(br_r \wedge p))$$


A Syntactic Approach 


One of the main contributions of [18] is that it gives a unifying modal framework to 
present and relate several epistemic characterisation results of solution concepts. The 
claim is that such results, for a two-player strategic form game, are usually expressed 
in a form $\varphi(rat_1, rat_2, u_1, u_2) \to actions$. This is demonstrated by (19), albeit that there
the assumptions about the utilities (the u-propositions) are kept implicit in the model. 
It goes without saying that for instance player c can only apply his knowledge about r’s 
rationality if he also knows r’s utilities. A syntactic approach forces us to make such 
assumptions explicit. 

Let us here briefly explain how [18] formalises a characterisation result for strategic
form games. First of all, we need a language with knowledge operators $K_i$ and probabilistic
belief operators $P_i$, where the intended interpretation of $P_i(\varphi) = r$ (with $r$ a
rational number) is obvious. Basic propositions are $i_1, i_2, \ldots$ expressing that player $i$
plays his first, second, ... strategy. The expression $u_i(k,l) = r_{i,k,l}$ denotes that the utility
for player $i$, when the strategy profile $(k,l)$ is played, equals the number $r$.

The axioms needed are then A1, A2 and A3 for knowledge (see Table 2), axioms
for dealing with inequalities of terms referring to probabilities of events, like c > 0 >
(do, dePi(y) > r & YO, ca,P ily), = cr). Add the Kolmogorov axioms for $P_i$, which
say that $P_i(\top) = 1$, $P_i(\bot) = 0$, $P_i(\varphi) \geq 0$, $P_i(\varphi) = P_i(\varphi \wedge \psi) + P_i(\varphi \wedge \neg\psi)$ and
$P_i(\varphi) = P_i(\psi)$ whenever $\varphi \leftrightarrow \psi$ is a propositional tautology. The connection axioms
relate knowledge and probabilistic belief: $P_i(\varphi) = 1$ is the same as $K_i\varphi$, and for every
$i$-probability sentence $\varphi$ (i.e., a Boolean combination of statements of the form $P_i(\cdot) = \cdot$),
we have $\varphi \to K_i\varphi$. The inference rules are R1 and R2 of Table 2.

Then there are axioms specifically for strategic game forms, called axioms for game
playing situations. These are, respectively, that every player plays at least one strategy
($\bigwedge_i \bigvee_m i_m$, where $m$ ranges over the strategies available to player $i$), and not any other
($\bigwedge_i \bigwedge_{m \neq n} \neg(i_m \wedge i_n)$). Moreover, every player knows his chosen strategy
($\bigwedge_i \bigwedge_m K_i i_m \leftrightarrow i_m$), and likewise for his utilities ($u_i(k,l) = r \leftrightarrow K_i u_i(k,l) = r$).
The scheme that captures rationality of player $i$ is called $meu_i$, which is defined as the
following implication:


aA i(k, 1) = fik vaN ii = P1)) ^im) Ade "omi Z DP i,k 


expressing that each player $i$ aims at his Maximal Expected Utility: if $i$ knows all his
possible utilities in the game, and the probabilities with which his opponent $j$ chooses
his strategies, and $i$ opts for his strategy $m$, then, for every alternative choice $k$ for $i$, the
expected utility for $i$, using his expectations of $j$’s behaviour, will never be bigger.


THEOREM 39 ([18]). Let $\Gamma$ be a 2-person normal form game. Assume that the following
three conditions hold (where player 1 plays $m$ and 2 plays $n$).

(i) All players are rational: $\bigwedge_i meu_i$

(ii) All players know their own utility function: $\bigwedge_i K_i \bigwedge_{k,l} u_i(k,l) = r_{i,k,l}$

(iii) All players know each player’s actual choice: $K_1 2_n \wedge K_2 1_m$

Then, the played action profile constitutes a Nash equilibrium, i.e., we have
$\bigwedge_k r_{1,m,n} \geq r_{1,k,n} \wedge \bigwedge_l r_{2,m,n} \geq r_{2,m,l}$.

Note that the theorem above does not refer to common knowledge at all. As [18] 
points out, Theorem 39 is in fact well known in game theory (since 1995 [6], and even 
1982, [73]). But once again, the added value of [18]’s analysis is that it can relate those 
approaches, and that framework, for instance, makes it possible to point at weak spots in proofs of
theorems similar to the one discussed here. 


8.2 Epistemic Foundations for Extensive Games 


The analysis in [18] is particularly interesting in the realm of extensive games, espe- 
cially by pinpointing the difference between two interpretations of them: the one-shot 
interpretation on the one hand, and the many-moment interpretation on the other. The 
first interpretation is the one propagated by the key publication in game theory ([54]) 
and renders extensive games ‘the same’ as games in normal form: players act only once. 
Metaphorically speaking, under the one-shot interpretation, players can be thought of 
as making up their mind before the game really starts, and then all submit their chosen
strategy in a closed envelope to a referee. The outcome of the game is then completely
determined, even without any player really ‘performing’ a move. In the many-moment
interpretation, a player only has to make a decision for the decision node he thinks he is 
at (and he thinks is his). 


Let us briefly revisit the game on the left hand side of Figure 16. In the one-shot 
interpretation, as part of player 2’s strategy, 2 makes a decision in node d, and rationality 
imposes him to choose ‘left’, and the decision (d,left) is part of the strategy that he will 
put in his envelope. (And the fact that 1 can predict this makes the whole idea of
backward induction work). In the many-moment interpretation however, if player 2 ever 
finds himself making a choice in node d, he obviously has to re-think his assumptions 
about the situation, and in particular, about player 1’s rationality. It need not come as a 
surprise that this second interpretation has led several researchers to analyse this using 
belief revision or counterfactuals (see also Chapters 18 and 21 of this handbook), most 
notably by [75, 76]. 


Especially the analysis of common knowledge (or, for that matter, belief) is much 
harder under the second analysis, because “... (i) at one single decision moment only the 
beliefs of one player are relevant ... and (ii) because we have to decide whether common 
beliefs involve past beliefs, or future beliefs, or both” ([18, Chapter 4]). For a more 
philosophical view regarding the two interpretations, we refer to [18]; here we indicate
only how a formal analysis clarifies the difference. 


For a proof system, we now take the axioms A1, A2 and A6–A10 for $K_i$, $E$ and $C$
(note that since A3 is not assumed, we will call the attitude ‘belief’ but still write $K_i$),
and the axioms for games from Section 8.1. On top of this, we add the following atoms
to the language. Let $i_k^x$ mean that player $i$ chooses according to his $k$-th strategy in the
subgame generated by node $x$, and $u_i^x(k,l) = r$ denotes that the utility for $i$, when the
strategies $k$ and $l$ are played in the subgame generated by $x$, is $r$. An axiom KnUtSub
says that these utilities are known by player $i$.


The principles of rationality now needed are $nrat_i$ (“on-path rationality”) and $frat_i$
(“off-path rationality”), with the following axioms:


NRatyas nrat? > nsd;( Ai, A;) 
NRating (nrat? A KiXi A K;X;) = nsdi(Xi, X;) 


FRat frati > A, 2, nat? 


The last axiom says that off-path rationality means on-path rationality at every subgame
(generated by an arbitrary node $x$ reachable from $\rho$, the root of the game). The
statement $nsd_i(X_i, Y_j)$ means that $i$ plays a strategy that is not strictly dominated in
the game generated by its strategies $X_i \subseteq A_i$ (the latter being $i$’s set of actions) and
$j$’s strategies $Y_j \subseteq A_j$. On-path rationality is expected to model that “a player chooses
a (full) strategy that given his beliefs prescribes optimal actions along the path that he
expects will ensue” ([18, Chapter 4]). The base case for $nrat_i$ then expresses that a full
strategy that is optimal in a subgame, is not dominated. Similarly, the induction axiom
says that a strategy that is optimal given the expectations of player $i$ about how the game
is played, is not strictly dominated in the game in which all other paths are eliminated.


THEOREM 40 ([18]). Let $\Gamma$ be a finite two-person extensive form game, with given
utilities $\bigwedge_{i,k,l} u_i(k,l) = r_{i,k,l}$, for which the following hold:

(i) The players are rational: $\bigwedge_i frat_i$

(ii) (i) is common belief: $C(\bigwedge_i frat_i)$

(iii) the utilities are commonly believed: $C(\bigwedge_{i,k,l} u_i(k,l) = r_{i,k,l})$

Then the players play the strategy profile that is generated using backward induction.


What about the many-moment interpretation? First of all, [18] adds some specific
axioms, saying that every player knows always (that is, everywhere in the game) all
payoffs, for any strategy profile, and that a player knows where he is in the game (KnWhere:
K? N; Vye jepje where $D$ collects all full strategies that are consistent with
reaching $x$). The axiom KnStratM (iz  /\,~, Křik) is rather pushing the limits of the
many-moment interpretation: it says that player $i$, when playing strategy $i_k$, knows this
wherever he ends up in the game.

The rationality principles RRat are a bit more involved, now: 


raty © (KP A, ui (k,l) = tae A Ag PP (ig) = pr AA, PF OT) = Pi A im(2)) 
— A, EUi(m, x, PẸ) > EU;(k, x, P?)) 

The property RRat above states that it holds for player $i$ at node $x$ iff the following
implication holds. The antecedent states that $i$ knows at $x$ the utilities for every strategy
profile, and he has some probabilistic beliefs about the strategies that both he and his
opponent $j$ will choose at $x$. Moreover, $i$ in fact chooses the action prescribed by his
$m$-th strategy at $x$. If this is fulfilled, then the chosen strategy $m$ should give at least the
utility obtained using any other option $k$. Here, $EU_i(m, x, P_i^x)$ is the expected utility for
$i$ in the node $y$ that he reaches immediately from $x$ when using strategy $m$.

We now show how a negative result can be proven ‘during progress in a game’, using
the two-player centipede example. In [70]’s variant of centipede (see Figure 18), there
are three decision nodes $\rho$, $y$ and $z$. Of the two players, player 2 only moves in $y$. The
payoffs for the players are represented as pairs $(u_1, u_2)$ in the leaves of the tree, where $u_i$
represents player $i$’s payoff. We leave it to the reader to check that backward induction
leads player 1 to play down $D_1$ at the root $\rho$. [18] formalises [70]’s claim about this game
that says that in node $y$, there cannot be common knowledge of rationality.

To make the proof work, we need two persistence properties. The first applies to
strategies, and says that $i$’s prediction about $j$’s choices should not change if nothing
unexpected happens: if the nodes $x$, $y$ and $z$ appear in a path on the tree (in that order),
then P?(j7) and P/(j%) should coincide. The other preservation property applies to
rationality, and says that $i$ will not change his rationality assumptions about $j$ during a
period that $j$ did not make a move: Kj rat? > KF rraty if $x$, $y$ and $z$ appear in a path
on a tree (in that order, possibly $x = y$), and $z$ is the first node from $y$ where $j$ moves.

The proof in [18] of the claim C¥rrat¥ — L runs as follows. First of all, we show 
(a)O¥%rratY + KY K?d, (if the principle of rrat at y is common knowledge at y, then 2 
knows at y that 1 knows at p that 2 plays dı). To prove it, we prove (i)C¥rrat¥ — K?dı 
and then apply necessitation for K7. Using the preservation of strategies principle, it 
is sufficient to prove (ii)C”rrat” > Ki/d,. Applying K{-necessitation to the rationality 
axiom gives us K/rrat} A Ki K5 D2 — Kid, so that, to prove (ii), we are done if we 
show (iii)C¥rratY — (Kýrratł A K/K%D2). The first conjunct is immediate, for the 
second, use the persistence of rationality (for KY) and necessitation (for KY) to show 
Kľ KSrratt > KľKžłrratł. Applying rationality to this gives the second conjunct. 

Furthermore, from the persistence of rationality, it is easy to show (b)C¥rratY —
KSrrat{. Also, rationality and necessitation give (c)(KJK(di A KSrrat{) > KJ5A,.
Combining (a),(b) and (c) immediately gives us C¥rratY — KA). However, the D
axiom (~K3 1) together with the derivability of KSA; from the KnWhere axiom (see
above) then establishes our claim C¥rrat¥ > L.

Which would again emphasise the intuition uttered by many game theorists that in
the analysis with which we started this section, backward induction must be based on
some form of counterfactual reasoning.

Figure 18. Centipede (left) and a one-person game with perfect recall (right)


8.3 On the Representation of Games with Imperfect Information 


The manuscript [28] gives a neat discussion on issues that arise when modelling a game 
with imperfect information. We already argued that the extensive form of a game gives 
a more natural account of the temporal aspects of a game than its strategic form. For 
imperfect information games, we can add equivalence relations to denote the player’s 
information sets. However, such information sets can for instance not capture knowledge 
or beliefs that a player has over the strategies of the other players, or about their ra- 
tionality. There are of course other ways of representing uncertainty in games, like for 
instance what [28] calls a state space representation, in which one for instance associates 
a strategy profile to every state (cf. the representation used in Section 8.1 and Figure 17). 
But in those representations, one loses the ability again to represent the temporal infor- 
mation. In fact, [28]’s main point is a plea to use interpreted systems (see Section 5) to 
model games of imperfect information, because they make explicit where the knowledge 
comes from. 

Let us present [28]’s argument representing games as systems using the game that
it borrows from [67], represented as the game on the right of Figure 18. In $x_0$, nature
chooses randomly either $x_1$ or $x_2$, and then the only player can choose either $S$ or $B$. He
cannot distinguish $x_3$ from $x_4$, where he has the option $L$ or $R$. Using uniform strategies
only, let the strategy $\sigma = \langle B, S, R\rangle$ denote that our player plays $B$ in $x_1$, $S$ in $x_2$ and $R$
in the information set $\{x_3, x_4\}$. Similarly, let $\sigma'$ be $\langle B, S, L\rangle$. One easily verifies that the
payoff 3 when playing $\sigma$ is the maximal expected utility: no other strategy is as good.
One could easily implement such a strategy using an interpreted system where the local
state $l$ of the player would indicate whether he is in $\{x_1\}$, in $\{x_2\}$ or in $\{x_3, x_4\}$.
Now [67] argues that if node $x_1$ is reached, the agent is better off by changing from
strategy $\sigma$ to $\sigma'$. And, as [28] argues, this is right, if the agent is able to remember
that he switched strategies. Since the agent cannot distinguish $x_3$ from $x_4$, he should
use a uniform strategy and do the same in both. However, if the agent would have
perfect recall, he would distinguish the nodes, and by allowing him to remember that
he switched strategies he can simulate perfect recall: if he ends up in $\{x_3, x_4\}$, he must
realize that he came through $x_1$ and is now playing $\sigma'$. Under this assumption it is not
clear anymore what it means to have a dotted line between $x_3$ and $x_4$, since the states
become distinguishable. Using interpreted systems it is very natural to encode in the
local state of the agent that he switched strategies, by recording the strategies he has
been playing until now, for instance.


9 GAME LOGIC 


Computer science has developed many different logics for reasoning about the behaviour 
of computer programs or algorithms. Propositional Dynamic Logic (PDL) (see [33, 34] 
and also Chapter 12 of this handbook) is a well-studied example which contains
expressions $[\pi]\varphi$ stating that all terminating executions of program $\pi$ will end in a state
satisfying $\varphi$. What distinguishes PDL from simple multi-modal logic is that $\pi$ can be a
complex program such as $p_1; p_2$, the sequential execution of first $p_1$ and then $p_2$. PDL
formalises properties of programs in its axioms such as $[p_1; p_2]\varphi \leftrightarrow [p_1][p_2]\varphi$ which
completely characterises the sequential composition operator.

Nondeterministic programs may be viewed as particularly simple games, namely 1- 
player games. Examples of algorithms involving more than one player or agent are 
cake-cutting algorithms, voting procedures and auctions. Also structurally, games are 
very similar to programs. One game may be played after another, a player may choose 
to play a game repeatedly, and so on. Hence, one may expect reasoning about games to 
be similar to reasoning about programs, and consequently game logics should resemble 
program logics. 

Game Logic (GL), introduced in [58, 59], is a generalisation of PDL for reasoning 
about determined 2-player games, allowing us to describe algorithms like the cake-cutting 
algorithm and to reason about their correctness. GL extends PDL by generalising its 
semantics and adding a new operator to the language. The meta-theoretic study of PDL 
has given us valuable insights, e.g., into the complexity of reasoning about programs 
and the expressive power of various programming constructs. By comparing GL to 
PDL, we can get an idea of how reasoning about games differs from reasoning about 
programs. In this section, we can only introduce the syntax and semantics of Game Logic 
(Subsection 9.1) and discuss some of its central meta-theoretic properties (Section 9.2). 
Further topics of research are briefly mentioned in Section 9.3. The interested reader is 
referred to a recent survey article on the subject [65] with more detailed references. 


9.1 Syntax and Semantics 


The games of Game Logic involve two players, player 1 (Angel) and player 2 (Demon).
Just like PDL, the language of GL consists of two sorts, propositions and (in the case of
GL) games. Given a set of atomic games $\Gamma_0$ and a set of atomic propositions $\Phi_0$, games $\gamma$
and propositions $\varphi$ can have the following syntactic forms, yielding the set of GL-games
$\Gamma$ and the set of GL-propositions/formulas $\Phi$:

$$\gamma := g \mid \varphi? \mid \gamma;\gamma \mid \gamma \cup \gamma \mid \gamma^* \mid \gamma^d$$
$$\varphi := \bot \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle\gamma\rangle\varphi$$

where $p \in \Phi_0$ and $g \in \Gamma_0$. As usual, we define $[\gamma]\varphi := \neg\langle\gamma\rangle\neg\varphi$. The formula $\langle\gamma\rangle\varphi$
expresses that Angel has a strategy in game $\gamma$ which ensures that the game ends in a
state satisfying $\varphi$. $[\gamma]\varphi$ expresses that Angel does not have a $\neg\varphi$-strategy, which by
determinacy is equivalent to saying that Demon has a $\varphi$-strategy. To provide some first
intuition regarding the game operations, $\gamma_1 \cup \gamma_2$ denotes the game where Angel chooses
which of the two subgames to continue playing, and the sequential composition $\gamma_1; \gamma_2$
of two games consists of first playing $\gamma_1$ and then $\gamma_2$. In the iterated game $\gamma^*$, Angel
can choose how often to play $\gamma$ (possibly not at all); each time she has played $\gamma$, she
can decide whether to play it again or not. Playing the dual game $\gamma^d$ is the same as
playing $\gamma$ with the players’ roles reversed, i.e., any choice made by Angel in $\gamma$ will be
made by Demon in $\gamma^d$ and vice versa. The test game $\varphi?$ consists of checking whether a
proposition $\varphi$ holds at that position. This construction can be used to define conditional
games such as $(p?; \gamma_1) \cup (\neg p?; \gamma_2)$: Suppose for instance that $p$ holds at the present state
of the game, then Angel will naturally choose the left side (if she chooses the right side,
she loses at once), and $\gamma_1$ will be played. Otherwise Angel will choose right and $\gamma_2$ will
be played.

Thanks to the dual operator, demonic analogues of these game operations can be
defined. Demonic choice between $\gamma_1$ and $\gamma_2$ is denoted as $\gamma_1 \cap \gamma_2$ which abbreviates
$(\gamma_1^d \cup \gamma_2^d)^d$. Demonic iteration of $\gamma$ is denoted as $\gamma^\times$ which abbreviates $((\gamma^d)^*)^d$.

A further note on iteration: In $\gamma^*$, it is essential that Angel can decide as the game
proceeds whether to continue playing another round of $\gamma$ or not. The game where Angel
has to decide up front how often to play $\gamma$ is a different game and in general more difficult
for Angel to win than $\gamma^*$. For programs (i.e., in PDL), these two notions of iteration
coincide, but for games (i.e., in GL), they do not.

The formal semantics of Game Logic utilises the following game models which generalise
the neighbourhood models or minimal models used in the semantics of non-normal
modal logics [17]. A game model $M = ((S, \{E_g \mid g \in \Gamma_0\}), V)$ consists of a set of states $S$,
a valuation $V : \Phi_0 \to \mathcal{P}(S)$ for the propositional letters and a collection of neighbourhood
functions $E_g : S \to \mathcal{P}(\mathcal{P}(S))$ which are monotonic, i.e. $X \in E_g(s)$ and $X \subseteq X'$ imply
$X' \in E_g(s)$.

The intuitive idea is that $X \in E_g(s)$ (alternative notation: $sE_gX$) holds whenever
Angel has a strategy in game $g$ to achieve $X$. Intuitively, neighbourhood functions are
reduced monotonic effectivity functions (see Section 2.3) in that they only represent the
effectivity of a single player. Since we are dealing with determined games only, it is
sufficient to represent Angel’s effectivity. Then Demon is effective for $X$ if and only if
Angel is not effective for its complement $\overline{X}$. Furthermore, neighbourhood functions do
not satisfy the two conditions we put on effectivity functions, i.e., due to the presence of
the test operator $?$, we allow that $\emptyset \in E_g(s)$ and $S \notin E_g(s)$. For Angel, these conditions
correspond to heaven (a game where Angel can achieve anything at all) and hell (a game
where Angel can achieve nothing whatsoever).

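By simultaneous induction, we define truth in a game model on the one hand and
the neighbourhood functions for non-atomic games on the other hand. The function
$E_\gamma : S \to \mathcal{P}(\mathcal{P}(S))$ is defined inductively for non-atomic games $\gamma$ (where
$E_\gamma(Y) = \{s \in S \mid sE_\gamma Y\}$), and the truth of a formula $\varphi$ in a model
$M = ((S, \{E_g \mid g \in \Gamma_0\}), V)$ at a state $s$ (denoted as $M, s \models \varphi$) is defined by
induction on $\varphi$. We define

$$\begin{array}{lll}
M, s \not\models \bot & & E_{\alpha;\beta}(Y) = E_\alpha(E_\beta(Y)) \\
M, s \models p & \text{iff } p \in \Phi_0 \text{ and } s \in V(p) & E_{\alpha\cup\beta}(Y) = E_\alpha(Y) \cup E_\beta(Y) \\
M, s \models \neg\varphi & \text{iff } M, s \not\models \varphi & E_{\varphi?}(Y) = \varphi^M \cap Y \\
M, s \models \varphi \vee \psi & \text{iff } M, s \models \varphi \text{ or } M, s \models \psi & E_{\alpha^d}(Y) = \overline{E_\alpha(\overline{Y})} \\
M, s \models \langle\gamma\rangle\varphi & \text{iff } sE_\gamma\varphi^M & E_{\alpha^*}(Y) = \bigcap\{X \subseteq S \mid Y \cup E_\alpha(X) \subseteq X\}
\end{array}$$

where $\varphi^M = \{s \in S \mid M, s \models \varphi\}$. For iteration, our definition yields a least fixpoint, i.e.,
the smallest set $X \subseteq S$ such that $Y \cup E_\alpha(X) = X$.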


9.2 Metatheory


Axiomatisation and Expressiveness


PDL has a very natural complete axiomatisation, and given the similarity between pro- 
grams and games, one can hope that adding an axiom for the dual operator is all that is 
needed to obtain a complete axiomatisation of GL. A small problem is presented by the 
induction principle 

(Aab > hile) > ble 


which is valid in PDL but invalid in GL. While this induction principle usually forms 
part of the axiomatic basis of PDL, alternative axiomatisations exist which instead of 
the induction axiom use a fixpoint inference rule (given below). It turns out that this 
rule is indeed sound, yielding the following axiomatic system. 

Let GL be the smallest set of formulas which contains all propositional tautologies 
together with all instances of the axiom schemas of Figure 19, and which is closed under 
the rules of Modus Ponens, Monotonicity and Fixpoint, also presented in Figure 19. 


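Axioms:

$$\begin{array}{l}
\langle\alpha \cup \beta\rangle\varphi \leftrightarrow \langle\alpha\rangle\varphi \vee \langle\beta\rangle\varphi \\
\langle\alpha; \beta\rangle\varphi \leftrightarrow \langle\alpha\rangle\langle\beta\rangle\varphi \\
\langle\psi?\rangle\varphi \leftrightarrow (\psi \wedge \varphi) \\
(\varphi \vee \langle\alpha\rangle\langle\alpha^*\rangle\varphi) \to \langle\alpha^*\rangle\varphi \\
\langle\alpha^d\rangle\varphi \leftrightarrow \neg\langle\alpha\rangle\neg\varphi
\end{array}$$

Inference Rules:

$$\frac{\varphi \quad \varphi \to \psi}{\psi} \qquad \frac{\varphi \to \psi}{\langle\gamma\rangle\varphi \to \langle\gamma\rangle\psi} \qquad \frac{(\varphi \vee \langle\gamma\rangle\psi) \to \psi}{\langle\gamma^*\rangle\varphi \to \psi}$$


Figure 19. The axioms and inference rules (Modus Ponens, Monotonicity and Fixpoint
Rule) of Game Logic.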


Intuitively, the axiom for iteration (our fourth axiom) states that $\langle\gamma^*\rangle\varphi$ is a pre-fixpoint
of the operation $\varphi \vee \langle\gamma\rangle X$. Conversely, the fixpoint rule states that $\langle\gamma^*\rangle\varphi$ is the least
such pre-fixpoint.

THEOREM 41. GL is sound with respect to the class of all game models.

At the time of writing, completeness of GL is still open, but some weaker results exist.
If $x$ is an operator of Game Logic such as $d$ or $*$, let $GL^{-x}$ denote Game Logic without
the operator $x$, i.e., restricted to formulas without the operator and without the axioms
involving it.

THEOREM 42 ([59, 62]). Dual-free Game Logic $GL^{-d}$ and iteration-free Game Logic
$GL^{-*}$ are both sound and complete with respect to the class of all game models.


Hence, we have axiomatic completeness for $GL^{-d}$ as well as $GL^{-*}$, but iteration
together with duality remains a problem for axiomatisation. It may then not come as
a surprise that it is precisely this combination which gives Game Logic its expressive
power. This is most easily demonstrated when considering GL interpreted over Kripke
models.

Kripke models can be viewed as special kinds of game models, namely game models
where neighbourhood functions have a special property called disjunctivity: for every
$g \in \Gamma_0$ and $V \subseteq \mathcal{P}(S)$ we have $\bigcup_{X \in V} E_g(X) = E_g(\bigcup_{X \in V} X)$. Hence, one may also
investigate Game Logic when interpreted over Kripke models (i.e., disjunctive game models)
only. Dual-free Game Logic over Kripke models is nothing but Propositional Dynamic
Logic. Since the absence of infinite $g$-branches is not expressible in PDL but can be
expressed by the GL-formula $\langle(g^d)^*\rangle\bot$, Game Logic over Kripke models is strictly more
expressive than PDL.

Over Kripke models, full Game Logic can be embedded into the modal $\mu$-calculus (see
Chapter 12 and [41]). In fact, the 2-variable fragment of the $\mu$-calculus suffices for the
embedding, and since it has been shown that the variable hierarchy of the $\mu$-calculus is
strict [10], Game Logic is a proper fragment of the $\mu$-calculus.


Complexity 


The two central complexity measures associated with a logic are the complexity of model
checking and the complexity of the satisfiability problem. For the latter, we are interested
to know the difficulty of determining whether a formula $\varphi$ is satisfiable, measured in the
length of the formula $|\varphi|$.

Using a translation of Game Logic formulas into modal $\mu$-calculus formulas, we can
reduce Game Logic satisfiability to $\mu$-calculus satisfiability. Since Game Logic and the
standard modal $\mu$-calculus are interpreted over different models, the models have to be
translated as well. The result obtained via this procedure is the following:

THEOREM 43 ([59, 62]). The complexity of the satisfiability problem for Game Logic is
in EXPTIME.

Turning now toward model checking, given a game model $M$ and a Game Logic formula
$\varphi$, we want to determine the set of states $s$ for which $M, s \models \varphi$ holds. The complexity
of model checking is usually measured in terms of the size of the formula and the size of
the model. Given a game model $M = (S, \{E_g \mid g \in \Gamma_0\}, V)$, we define its size $|M|$ as

$$|M| = |S| + \sum_{\{s \mid s \in S\}} \; \sum_{\{g \mid g \in \Gamma_0\}} \; \sum_{\{X \mid sE_gX\}} |X|$$

Note that in practice one will want to represent game models more succinctly by only
representing the non-monotonic core of $E_g$, i.e., we will disregard all those triples $(s, g, X)$ for
which there is some $Y \subset X$ such that $sE_gY$. While in some cases (e.g., in case the game
model corresponds to a Kripke model) such a representation can yield a dramatically
more efficient representation, in general this is not the case, and hence the complexity
result below cannot be essentially improved by disregarding supersets.

In the modal $\mu$-calculus, the complexity of current model-checking algorithms depends
on the alternation depth of a formula, i.e., on the nestings of least and greatest fixpoint
operators in the formula. For GL, the situation is similar, since angelic iteration
corresponds to a least fixpoint and demonic iteration to a greatest fixpoint. Hence, the
maximal number of nested demonic and angelic iterations will determine the model-checking
complexity of the formula. As an example, the alternation depth of a formula
$\varphi$, denoted as $ad(\varphi)$, will be higher for $\langle(g^\times)^*\rangle p$ than for $\langle(g^*)^*\rangle p$.


THEOREM 44 ([62]). Given a Game Logic formula $\varphi$ and a finite game model $M$, model
checking can be done in time $O(|M|^{ad(\varphi)+1} \times |\varphi|)$.


9.3 Other Topics


The notion of bisimulation has been the central notion of process equivalence for modal
and dynamic logic (see Chapter 1, 5 and [12]). As for modal logic, modal formulas are
invariant for bisimulation, i.e., bisimilar states satisfy the same modal formulas, and
for finite models, the converse holds as well. Furthermore, it has been shown that the
bisimilar fragment of first-order logic is precisely modal logic [80].

Bisimulation can be generalised from Kripke models to game models. Two states $s$
and $s'$ are bisimilar in case (i) they satisfy the same atomic properties, (ii) if player 1 has
an $X$-strategy in game $g$ from $s$, she also has an $X'$-strategy in $g$ from $s'$, where every
state in $X'$ must have a bisimilar state in $X$, and (iii) analogously for strategies from
$s'$. Intuitively, bisimilar states cannot be distinguished by either their atomic properties
or by playing atomic games. It can be shown that this notion of bisimulation generalises
bisimulation as it is normally defined for Kripke models. Similarly, one can show
that bisimilar game models satisfy the same GL formulas, and one can even partially
characterise the game operations of Game Logic in terms of bisimulation [61].

The operations of Game Logic have also been studied from an algebraic perspective
[87]. We call two game expressions $\gamma_1$ and $\gamma_2$ equivalent provided that
$E_{\gamma_1} = E_{\gamma_2}$ holds for all game models. Put differently, $\gamma_1$ and $\gamma_2$ are
equivalent iff $\langle\gamma_1\rangle p \leftrightarrow \langle\gamma_2\rangle p$ is valid
for a $p$ which occurs neither in $\gamma_1$ nor in $\gamma_2$. When $\gamma_1$ and $\gamma_2$ are
equivalent, we say that $\gamma_1 = \gamma_2$ is a valid game identity.

As an example, if a choice of a player between $x$ and $y$ is followed by game $z$ in any case,
then the player might as well choose between $x; z$ and $y; z$ directly. Hence,
$(x \cup y); z = x; z \cup y; z$ is a valid game identity. The right-distributive law
$x; (y \cup z) = x; y \cup x; z$ on the other hand is not valid. In the first game, player 1 can
postpone her choice until after game $x$ has been played. She may have a winning strategy
which depends on how $x$ is played, and hence such a strategy will not necessarily be winning
in the second game, where she has to choose before $x$ is played.

Game algebra further illustrates the link between games and processes that we already 
discussed in section 3.3. Basic game algebra studies the game operations of sequential 
composition, choice (demonic and angelic) and duality. The test-operator is excluded 
since it would take us out of the purely algebraic framework. The central result obtained 
for basic game algebra is a complete axiomatisation of the set of valid game identities 
[25, 105]. So far, the complete axiomatisation has not been extended to a version of game
algebra which includes iteration. 


10 COALITION LOGIC 


Modal logic describes transition systems at a very abstract level. The transition relation 
does not specify what or who is involved in making the transition, it only models all the 
possible evolutions of the system. Game forms on the other hand explicitly represent 
how different agents can contribute to the system’s evolution by modeling the agents’ 
strategic powers. 

The semantic models of Coalition Logic [63, 64] make use of strategic games to describe
the agents’ abilities to influence system transitions. Using $\alpha$-effectivity functions (see
Section 2.3), we can formalise an agent’s ability to bring about $\varphi$. More generally, the
expression $[C]\varphi$ states that the coalition $C$, a subset of agents/players, can bring about
$\varphi$. After presenting the syntax and semantics of Coalition Logic, Section 10.2 presents
an axiomatisation of coalitional ability in extensive games of almost perfect information.
Complexity results concerning the satisfiability problem will be discussed in Section 10.3.


10.1 Syntax and Semantics 


Assuming a finite nonempty set of agents or players $N$, we define the syntax of Coalition
Logic as follows. Given a set of atomic propositions $\Phi_0$, a formula $\varphi$ can have the
following syntactic form:

  $\varphi := \bot \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid [C]\varphi$

where $p \in \Phi_0$ and $C \subseteq N$. We define $\top$, $\wedge$, $\to$ and $\leftrightarrow$ as usual.
In case $C = \{i\}$, we write $[i]\varphi$ instead of $[\{i\}]\varphi$.

A coalition frame is a pair $F = (S, G)$ where $S$ is a nonempty set of states (the universe)
and $G$ assigns to every state $s \in S$ a strategic game form
$G(s) = (N, (\Sigma_i)_{i \in N}, o, S)$. At state $s$, the game form $G(s)$ represents the possible
transitions based on the strategic choices of the players. A coalition model is a pair
$M = (F, V)$ where $F$ is a coalition frame and $V : \Phi_0 \to \mathcal{P}(S)$ is the usual valuation
function for the propositional letters. Given such a model, truth of a formula in a model at a
state is defined as follows:

  $M, s \not\models \bot$
  $M, s \models p$ iff $p \in \Phi_0$ and $s \in V(p)$
  $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$
  $M, s \models \varphi \vee \psi$ iff $M, s \models \varphi$ or $M, s \models \psi$
  $M, s \models [C]\varphi$ iff $\varphi^M \in E_{G(s)}(C)$

where $\varphi^M = \{s \in S \mid M, s \models \varphi\}$. Hence, a formula $[C]\varphi$ holds at a state $s$
iff coalition $C$ is $\alpha$-effective for $\varphi^M$ in $G(s)$.

Coalition frames are essentially extensive game forms of almost perfect information. 
The only source of imperfect information is that players make choices simultaneously. 
After the choices are made at state s, a new state t results and the choices become 
common knowledge, before new (and possibly different) choices can be made. Note that 
coalition frames are game graphs rather than trees (though they can be unravelled into 
trees), and they contain no terminal states since every state is associated to a game. 
It is possible to isolate (semantically and axiomatically) the class of coalition frames
corresponding to extensive game forms of perfect information, see [63] for details. 

Note that by Theorem 12, we can equivalently view a coalition frame $F$ as a pair $(S, E)$,
where

  $E : S \to (\mathcal{P}(N) \to \mathcal{P}(\mathcal{P}(S)))$

assigns to every state $s \in S$ a monotonic, $N$-maximal and superadditive effectivity
function $E(s)$ (see Section 2.3). Using this formulation, we can then simply define
$M, s \models [C]\varphi$ iff $\varphi^M \in E(s)(C)$. From a logical point of view, this second
formulation directly in terms of effectivity functions is preferable. It simplifies meta-theoretic
reasoning, e.g. by immediately suggesting certain axioms of coalitional power, and it also 
demonstrates that coalition models are essentially neighbourhood models, providing a 
neighbourhood relation for every coalition of players. Neighbourhood models have been 
the standard semantic tool to investigate non-normal modal logics (see, e.g. [17]), and 
techniques used to provide complete axiomatisations for such logics can also be adapted 
to Coalition Logic. 

The two extreme coalitions $\emptyset$ and $N$ are of special interest. $[N]\varphi$ expresses that some
possible next state satisfies $\varphi$, whereas $[\emptyset]\varphi$ holds if no agent needs to do anything
for $\varphi$ to hold in the next state. Hence, $[N]\varphi$ corresponds to $\Diamond\varphi$ in standard modal
logic whereas $[\emptyset]\varphi$ corresponds to $\Box\varphi$. If $|N| = 1$, e.g. $N = \{1\}$, coalition models
are just serial Kripke models, i.e., Kripke models where every state has at least one successor.
In this case, $[\emptyset]\varphi$ coincides with $\Box\varphi$ and $[1]\varphi$ with $\Diamond\varphi$.


10.2 Axiomatics


Let $CL_N$ denote the smallest set of formulas which contains all propositional tautologies
together with all instances of the axiom schemas listed in Figure 20, and which is closed
under the rules of Modus Ponens and Equivalence given below:

  $$\frac{\varphi \qquad \varphi \to \psi}{\psi} \qquad\qquad \frac{\varphi \leftrightarrow \psi}{[C]\varphi \leftrightarrow [C]\psi}$$


Note that axioms ($\bot$) and ($\top$) correspond to the two basic assumptions we made for
effectivity functions in Definition 9. The remaining three axioms express the conditions
of Theorem 12, N-maximality, monotonicity and superadditivity.


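  ($\bot$)  $\neg[C]\bot$
  ($\top$)  $[C]\top$
  (N)  $\neg[\emptyset]\neg\varphi \to [N]\varphi$
  (M)  $[C](\varphi \wedge \psi) \to [C]\psi$
  (S)  $([C_1]\varphi_1 \wedge [C_2]\varphi_2) \to [C_1 \cup C_2](\varphi_1 \wedge \varphi_2)$, where $C_1 \cap C_2 = \emptyset$
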


Figure 20. The axiom schemas of Coalition Logic 


THEOREM 45 ([63]). $CL_N$ is sound and complete with respect to the class of all coalition
models.
KD is the normal modal logic for reasoning about serial Kripke models. In the formulation
closest to Coalition Logic, KD is the set of formulas containing all propositional
tautologies, closed under the rules of Modus Ponens and Equivalence (for $\Box$ only), and
containing the axioms of Figure 21.


  $\Diamond\varphi \leftrightarrow \neg\Box\neg\varphi$        $\Box(\varphi \wedge \psi) \leftrightarrow (\Box\varphi \wedge \Box\psi)$
OT 


Figure 21. Axioms of KD 


The following result states that KD is precisely single-agent Coalition Logic. The result 
is the axiomatic analogue to our earlier observation that if |N| = 1, coalition models are 
simply serial Kripke models. 


THEOREM 46 ([63]). Identifying $[\emptyset]\varphi$ with $\Box\varphi$ and $[1]\varphi$ with $\Diamond\varphi$, we have $KD = CL_{\{1\}}$.


The logic $CL_N$ is the most general and hence weakest coalition logic which has been
investigated. The only assumption made is that at every state, the coalitional power
distribution arises from a situation which can be modeled as a strategic game. Additional
axioms can be added for characterising special kinds of strategic interaction. For example,
in order to characterise extensive game forms of perfect information, one adds the axiom

  $[N]\varphi \to \bigvee_{i \in N} [i]\varphi$,

expressing that everything which can be achieved at all can be achieved already by
some individual. This axiom will enforce that at every state there is a single agent who
can determine the next state independent of the other agents. Note that the converse
implication can be derived in $CL_N$.

Nash-consistent Coalition Logic [32] is another example of a logic stronger than $CL_N$.
By adding a further axiom to $CL_N$, one can characterise the class of Nash-consistent
coalition models, i.e., coalition models where the strategic game form associated to every
state must have a Nash equilibrium under every possible preference profile.
Nash-consistent models can be viewed as stable systems, in the sense that no matter what the
agents’ preferences are, there is a stable strategy profile, a profile for which individual
deviation is irrational.


10.3 Complexity


We assume in our discussion of complexity that |N| > 1. As was mentioned, the two 
extreme coalitions $\emptyset$ and $N$ allow one to capture necessity and possibility. For this reason,
the normal modal logic KD forms a fragment of Coalition Logic, thereby establishing a 
PSPACE lower bound for the basic Coalition Logic over general coalition models. As it 
turns out, this bound is tight, i.e., we have the following result. 


THEOREM 47 ([63]). The complexity of the satisfiability problem for Coalition Logic is 
PSPACE-complete. 


Via the satisfiability problem, we can compare the complexity of reasoning about 
games of various different kinds. For instance, it turns out that restricting the class 
of coalition models to perfect information models, the satisfiability problem remains
PSPACE-complete. Hence, given a coalitional specification, finding an extensive game 
(form) of almost perfect information satisfying the specification is not harder nor simpler 
than finding an extensive game of perfect information. 

Besides comparing reasoning over different classes of games, we can compare reasoning 
about groups to reasoning about individuals. Let the individual fragment of Coalition 
Logic be the set of formulas of Coalition Logic where all modalities only involve singleton 
coalitions, i.e. 


  $\varphi := \bot \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid [i]\varphi$


where $p \in \Phi_0$ and $i \in N$. The individual fragment is strictly less expressive than
full Coalition Logic, since the formula $[C]p$ is in general not equivalent to any formula
involving only singleton coalitions. More precisely, there is no formula $\varphi$ of the individual
fragment such that $\varphi^M = [C]p^M$ for every coalition model $M$.


THEOREM 48 ([64]). The complexity of the satisfiability problem for the individual frag- 
ment of Coalition Logic is NP-complete. 


Hence, reasoning about individuals is simpler than reasoning about coalitions if and
only if NP $\neq$ PSPACE. For perfect information models, the complexity of the satisfiability
problem for the individual fragment is not simpler, it remains PSPACE-complete.


11 ALTERNATING-TIME TEMPORAL LOGIC 


Coalition Logic allows one to express strategic properties of multi-agent systems, where 
these systems are essentially modeled as extensive games of almost perfect information. 
The basic modal expression $[C]\varphi$ states that coalition $C$ has a joint strategy for ensuring
$\varphi$ in the next state. What is lacking are more expressive temporal operators which allow
us to describe, e.g., that coalition $C$ has a strategy for achieving $\varphi$ some time in the
future. In other words, we are looking for the strategic coalitional analogue of a rich 
temporal logic like CTL (see Chapter 11 and [19]). Alternating-time temporal logic 
(ATL) [3] is precisely this temporal extension of Coalition Logic. 

As usual, we start by presenting the syntax and semantics of ATL in Section 11.1. 
After discussing a modelling example in Subsection 11.2, we discuss axiomatisation and 
complexity (Subsection 11.3) and end with some extensions of ATL in Subsection 11.4. 


11.1 Syntax and Semantics 


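Given a set of atomic propositions $\Pi$, an ATL formula $\varphi$ can have the following syntactic
form:

  $\varphi := \bot \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \langle\langle C \rangle\rangle \bigcirc\varphi \mid \langle\langle C \rangle\rangle \Box\varphi \mid \langle\langle C \rangle\rangle \varphi_1 \,\mathcal{U}\, \varphi_2$

where $p \in \Pi$ and $C \subseteq N = \{1, \dots, k\}$, the set of all agents. We define $\top$, $\wedge$,
$\to$ and $\leftrightarrow$ as usual. The formula $\langle\langle C \rangle\rangle \bigcirc\varphi$ expresses that coalition $C$ has a
joint strategy for achieving $\varphi$ at the next state. Thus, $\langle\langle C \rangle\rangle \bigcirc\varphi$ corresponds to
$[C]\varphi$ in Coalition Logic. $\langle\langle C \rangle\rangle \Box\varphi$ expresses that coalition $C$ can cooperate to
maintain $\varphi$ forever (always in the future), and $\langle\langle C \rangle\rangle \varphi_1 \,\mathcal{U}\, \varphi_2$ expresses that
$C$ can maintain $\varphi_1$ until $\varphi_2$ holds. In the standard way, we use $\Diamond\varphi$ to abbreviate
$\top \,\mathcal{U}\, \varphi$.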
In the same way in which CTL can be extended to CTL*, the language of ATL can
be generalised to ATL*. We simultaneously define the set of ATL* state formulas $\varphi$ and
the set of ATL* path formulas $\psi$ as follows:

  $\varphi := \bot \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \langle\langle C \rangle\rangle \psi$
  $\psi := \varphi \mid \neg\psi \mid \psi_1 \vee \psi_2 \mid \bigcirc\psi \mid \psi_1 \,\mathcal{U}\, \psi_2$

where $p \in \Pi$ and $C \subseteq N$. Note that in ATL*, $\langle\langle C \rangle\rangle \Box\varphi$ is expressible as
$\langle\langle C \rangle\rangle \neg(\top \,\mathcal{U}\, \neg\varphi)$ which is not an ATL formula. In general, ATL is a proper
fragment of ATL*, containing only formulas where every temporal operator is immediately
preceded by a cooperation modality. For $|N| = 1$, ATL=CTL and ATL*=CTL*. Given that CTL is
less expressive than CTL*, it also follows that ATL is less expressive than ATL*.


The semantics of Alternating-time Temporal Logic uses concurrent game structures,
essentially the coalition models we discussed for Coalition Logic. A concurrent game
structure is a tuple $S = (k, Q, \Pi, \pi, d, \delta)$, where $k$ is the number of players
($N = \{1, \dots, k\}$),² $Q$ is the set of states (usually assumed to be finite), $\Pi$ is the set of
atomic propositions, and $\pi : Q \to \mathcal{P}(\Pi)$ is the valuation function. For every agent
$i \in N$ and every state $q \in Q$, $d_i(q) \geq 1$ gives the number of actions available to player $i$
at state $q$. Hence, at state $q$, a move vector
$(j_1, \dots, j_k) \in D(q) = \{1, \dots, d_1(q)\} \times \dots \times \{1, \dots, d_k(q)\}$ corresponds to a
joint action at state $q$. Finally, for each such move vector,
$\delta(q, j_1, \dots, j_k) \in Q$ is the transition function.


Like coalition models in Coalition Logic, different types of concurrent game structures 
correspond to natural classes of games. Turn-based synchronous game structures are 
extensive game forms of perfect information where only a single player can choose at 
each state. In synchronous game structures, the state space is the Cartesian product 
of the players’ local state spaces. Turn-based asynchronous game structures involve a 
scheduler who determines the player who can choose the next state. Furthermore, fairness 
constraints can be added to these structures. 


For two states $q, q' \in Q$ and an agent $i \in N$, we say that state $q'$ is a successor of
$q$ if there exists a move vector $(j_1, \dots, j_k) \in D(q)$ such that $\delta(q, j_1, \dots, j_k) = q'$. A
computation of $S$ is an infinite sequence of states $\lambda = q_0, q_1, \dots$ such that for all $u > 0$,
the state $q_u$ is a successor of $q_{u-1}$. A computation $\lambda$ starting in state $q$ is referred to as a
$q$-computation; if $u \geq 0$, then we denote by $\lambda[u]$ the $u$th state in $\lambda$; similarly, we denote
by $\lambda[0, u]$ and $\lambda[u, \infty]$ the finite prefix $q_0, \dots, q_u$ and the infinite suffix
$q_u, q_{u+1}, \dots$ of $\lambda$ respectively.

A strategy $f_i$ for an agent $i \in N$ is a total function $f_i$ mapping every finite nonempty
sequence of states $\lambda$ to a natural number such that if the last state of $\lambda$ is $q$,
$1 \leq f_i(\lambda) \leq d_i(q)$. Given a set $C \subseteq N$ of agents, and an indexed set of strategies
$F_C = \{f_i \mid i \in C\}$, one for each agent $i \in C$, we define $out(q, F_C)$ to be the set of possible
computations that may occur if every agent $a \in C$ follows the corresponding strategy $f_a$,
starting when the system is in state $q \in Q$. Formally, $\lambda = q_0, q_1, \dots \in out(q, F_C)$ iff
$q = q_0$ and for all $m \geq 0$, there exists a move vector $(j_1, \dots, j_k) \in D(q_m)$ such that
$\delta(q_m, j_1, \dots, j_k) = q_{m+1}$ and for all $i \in C$, $j_i = f_i(\lambda[0, m])$. The semantics of ATL*
can now be defined as follows.


² Given $|N| = k$, we will sometimes use the equivalent representation $S = (N, Q, \Pi, \pi, d, \delta)$.
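For state formulas we define

  $S, q \not\models \bot$
  $S, q \models p$ iff $p \in \Pi$ and $p \in \pi(q)$
  $S, q \models \neg\varphi$ iff $S, q \not\models \varphi$
  $S, q \models \varphi_1 \vee \varphi_2$ iff $S, q \models \varphi_1$ or $S, q \models \varphi_2$
  $S, q \models \langle\langle C \rangle\rangle \psi$ iff $\exists F_C\, \forall \lambda \in out(q, F_C) : S, \lambda \models \psi$,

and for path formulas we define

  $S, \lambda \models \varphi$ iff $S, \lambda[0] \models \varphi$, where $\varphi$ is a state formula
  $S, \lambda \models \neg\psi$ iff $S, \lambda \not\models \psi$
  $S, \lambda \models \psi_1 \vee \psi_2$ iff $S, \lambda \models \psi_1$ or $S, \lambda \models \psi_2$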

S,A 

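  $S, \lambda \models \psi_1 \,\mathcal{U}\, \psi_2$ iff $\exists m \geq 0 : (S, \lambda[m, \infty] \models \psi_2$ and $\forall l\, (0 \leq l < m \Rightarrow S, \lambda[l, \infty] \models \psi_1))$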


11.2 An Example 


The following example from [3] presents a turn-based synchronous game structure mod- 
eling a simple train system involving a train and a controller. 


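[Figure: the game structure of the train example, with players train and ctr; the state labels
recoverable from the figure are out-of-gate, request and in-gate.]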


Formally, the concurrent game structure $S = (k, Q, \Pi, \pi, d, \delta)$ consists of
$\Pi = \{\text{out-of-gate}, \text{in-gate}, \text{request}, \text{grant}\}$, $N = \{\text{train}, \text{ctr}\}$ and
$Q = \{q_0, q_1, q_2, q_3\}$, with valuation function as given (e.g. $\pi(q_0) = \{\text{out-of-gate}\}$).
The concurrent game structure is turn-based synchronous, so if we take the train as player 1
and the controller as player 2, we have, e.g., $d_1(q_0) = 2$ and $d_2(q_0) = 1$. The transition
function at state $q_0$ is then described by $\delta(q_0, 1, 1) = q_0$ and $\delta(q_0, 2, 1) = q_1$.

ATL can be utilised to describe properties of this model. For instance, the formula
$\langle\langle \emptyset \rangle\rangle \Box(\text{in-gate} \to \langle\langle \text{ctr} \rangle\rangle \bigcirc \text{out-of-gate})$ expresses that whenever the
train is in the gate, the controller can force it out immediately. Similarly,
$\langle\langle \emptyset \rangle\rangle \Box(\text{out-of-gate} \to \langle\langle \text{ctr}, \text{train} \rangle\rangle \Diamond \text{in-gate})$ states that whenever
the train is out of the gate, it can cooperate with the controller to enter eventually. As a
final example,

  $\langle\langle \emptyset \rangle\rangle \Box(\text{out-of-gate} \to \langle\langle \text{train} \rangle\rangle \Diamond(\text{request} \wedge (\langle\langle \text{ctr} \rangle\rangle \Diamond \text{grant}) \wedge (\langle\langle \text{ctr} \rangle\rangle \Box \neg\text{grant})))$

expresses that whenever the train is out of the gate, it can eventually send a request to
enter, and the controller can then either grant it eventually or not. All these formulas
are valid in the given game structure.




11.3 Axiomatics and Complexity


The axiomatisation of ATL given below is an extension of the axiomatisation given for
Coalition Logic. The next-time $\bigcirc$ operator is characterised by the axioms of Coalition
Logic, and the long-term temporal operators $\Box$ and $\mathcal{U}$ are captured using two fixpoint
axioms each.

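Formally, ATL is the smallest set of formulas which contains all propositional tautologies
together with all instances of the axiom schemas listed in Figure 22, and which is
closed under the inference rules of Modus Ponens, Monotonicity and Necessitation given
below:

  $$\frac{\varphi \qquad \varphi \to \psi}{\psi} \qquad\qquad \frac{\varphi \to \psi}{\langle\langle C \rangle\rangle \bigcirc\varphi \to \langle\langle C \rangle\rangle \bigcirc\psi} \qquad\qquad \frac{\varphi}{\langle\langle \emptyset \rangle\rangle \Box\varphi}$$

For the case of $\Box$, (FP$\Box$) states that $\langle\langle C \rangle\rangle \Box\varphi$ is a fixpoint of the operator
$F(X) = \varphi \wedge \langle\langle C \rangle\rangle \bigcirc X$, and (GFP$\Box$) states that it is the greatest fixpoint of
$F(X)$. Analogously for the least fixpoint with $\mathcal{U}$.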


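  ($\bot$)  $\neg\langle\langle C \rangle\rangle \bigcirc\bot$
  ($\top$)  $\langle\langle C \rangle\rangle \bigcirc\top$
  (N)  $\neg\langle\langle \emptyset \rangle\rangle \bigcirc\neg\varphi \to \langle\langle N \rangle\rangle \bigcirc\varphi$
  (S)  $(\langle\langle C_1 \rangle\rangle \bigcirc\varphi_1 \wedge \langle\langle C_2 \rangle\rangle \bigcirc\varphi_2) \to \langle\langle C_1 \cup C_2 \rangle\rangle \bigcirc(\varphi_1 \wedge \varphi_2)$, where $C_1 \cap C_2 = \emptyset$
  (FP$\Box$)  $\langle\langle C \rangle\rangle \Box\varphi \leftrightarrow \varphi \wedge \langle\langle C \rangle\rangle \bigcirc \langle\langle C \rangle\rangle \Box\varphi$
  (GFP$\Box$)  $\langle\langle \emptyset \rangle\rangle \Box(\psi \to (\varphi \wedge \langle\langle C \rangle\rangle \bigcirc\psi)) \to \langle\langle \emptyset \rangle\rangle \Box(\psi \to \langle\langle C \rangle\rangle \Box\varphi)$
  (FP$\mathcal{U}$)  $\langle\langle C \rangle\rangle \varphi_1 \,\mathcal{U}\, \varphi_2 \leftrightarrow \varphi_2 \vee (\varphi_1 \wedge \langle\langle C \rangle\rangle \bigcirc \langle\langle C \rangle\rangle \varphi_1 \,\mathcal{U}\, \varphi_2)$
  (LFP$\mathcal{U}$)  $\langle\langle \emptyset \rangle\rangle \Box((\varphi_2 \vee (\varphi_1 \wedge \langle\langle C \rangle\rangle \bigcirc\psi)) \to \psi) \to \langle\langle \emptyset \rangle\rangle \Box(\langle\langle C \rangle\rangle \varphi_1 \,\mathcal{U}\, \varphi_2 \to \psi)$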


Figure 22. The axiom schemas of ATL 


THEOREM 49 ([26]). ATL is sound and complete with respect to the class of all con- 
current game structures. 


The complexity of model checking ATL formulas has been investigated in [3]. As with 
Game Logic, given a formula $\varphi$ and a finite model $S$, we are interested in the complexity
of determining the states of $S$ where $\varphi$ holds. The results are for general concurrent
game structures. 


THEOREM 50 ([3]). Given an ATL formula $\varphi$ and a concurrent game structure $S$ with
$m$ transitions, model checking can be done in time $O(m \times |\varphi|)$. For ATL* formulas,
model checking is 2EXPTIME-complete.


The complexity of the satisfiability problem has been investigated only more recently. 
At the time of writing, only the complexity of ATL has been determined. Let us say that 
an ATL-formula $\varphi$ is over a set of agents $N$ if all coalitions mentioned in $\varphi$ are subsets
of $N$. Moreover, we say that a concurrent game structure $S = (M, Q, \Pi, \pi, d, \delta)$ is over
$N$ if $M = N$ (see Footnote 2).
THEOREM 51 ([103, 26]). Let N be a finite set of players. Then, the complexity of the
satisfiability problem for ATL-formulas over N with respect to concurrent game structures 
over N is EXPTIME-complete. 


To demonstrate that Theorem 51 marks ongoing work in a lively research area, note 
that the decision procedure of [103, 26] is 2EXPTIME if the set of agents N is not fixed
in advance. This gives rise to the following two related questions: 


1. Is the following problem in EXPTIME: Given an ATL-formula $\varphi$, is $\varphi$ satisfiable in
an ATL-model over a set of agents containing at least the agents occurring in $\varphi$?


2. Is the following problem in EXPTIME: Given a set of agents $N$ and an ATL-formula
$\varphi$ over $N$, is $\varphi$ satisfiable in an ATL-model over $N$?


Positive answers to both questions are given in [106]. 


11.4 Extensions: $\mu$-calculus and imperfect information


CTL and CTL* are both subsumed by the very expressive $\mu$-calculus. Similarly for ATL
and ATL*, one can develop an analogous alternating $\mu$-calculus with general fixpoint
expressions. Formally, we have a set of propositional variables $V$, and formulas

  $\varphi := \bot \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid X \mid \langle\langle C \rangle\rangle \bigcirc\varphi \mid \mu X.\varphi$

where $X \in V$ and in $\mu X.\varphi$, $X$ occurs free only under an even number of negations in
$\varphi$. The semantics of the fixpoint operator is defined as
$(\mu X.\varphi)^{S} = \bigcap \{Q_0 \subseteq Q \mid \varphi[X := Q_0] \subseteq Q_0\}$. Corresponding to the least
fixpoint $\mu X$ there is also a greatest fixpoint $\nu X$ defined as $\nu X.\varphi = \neg\mu X.\neg\varphi$. The
alternating $\mu$-calculus subsumes both ATL and ATL*. For ATL, note that
$\langle\langle C \rangle\rangle \Box\varphi = \nu X.\varphi \wedge \langle\langle C \rangle\rangle \bigcirc X$ and
$\langle\langle C \rangle\rangle \varphi \,\mathcal{U}\, \psi = \mu X.\psi \vee (\varphi \wedge \langle\langle C \rangle\rangle \bigcirc X)$.
In fact, it can be shown that the alternating $\mu$-calculus is strictly more expressive than
ATL*. As in the standard modal $\mu$-calculus and in Game Logic, the complexity of
model checking depends on the alternation depth of a formula, i.e., the nesting depth of
alternating least and greatest fixpoints.
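
The following Python model checker is an added example, not code from the handbook or from [3]: it evaluates ATL formulas with the two fixpoint identities above, using a one-step operator pre(C, X) that is also the Coalition Logic modality [C], on a constructed version of the train/controller structure of Section 11.2. Only the two transitions out of q0 are given in the text; the remaining transitions, the tuple encoding of formulas and all function names are assumptions of this example.

```python
from itertools import product

# Constructed model of the train/controller example. Index 0 is the train
# (player 1 in the text), index 1 the controller (player 2). Only the two
# transitions out of q0 are given in the text; all others are assumptions.
AGENTS = ("train", "ctr")
LABELS = {
    "q0": {"out-of-gate"},
    "q1": {"out-of-gate", "request"},
    "q2": {"out-of-gate", "grant"},
    "q3": {"in-gate"},
}
# DELTA[q][(train_move, ctr_move)] is the successor delta(q, j1, j2).
DELTA = {
    "q0": {(1, 1): "q0", (2, 1): "q1"},                # train: stay / request
    "q1": {(1, 1): "q0", (1, 2): "q1", (1, 3): "q2"},  # ctr: deny / delay / grant
    "q2": {(1, 1): "q0", (2, 1): "q3"},                # train: give up / enter
    "q3": {(1, 1): "q3", (1, 2): "q0"},                # ctr: keep shut / reopen
}
STATES = frozenset(DELTA)


def moves(q, i):
    """Moves 1..d_i(q) available to the player with index i at state q."""
    return sorted({vector[i] for vector in DELTA[q]})


def pre(coalition, target):
    """States where the coalition has a joint move forcing the next state into target."""
    inside = [i for i, a in enumerate(AGENTS) if a in coalition]
    outside = [i for i, a in enumerate(AGENTS) if a not in coalition]
    forced = set()
    for q in STATES:
        for own in product(*(moves(q, i) for i in inside)):
            successors = set()
            for other in product(*(moves(q, i) for i in outside)):
                choice = dict(zip(inside + outside, own + other))
                successors.add(DELTA[q][tuple(choice[i] for i in range(len(AGENTS)))])
            if successors <= target:  # every reply of the outsiders lands in target
                forced.add(q)
                break
    return frozenset(forced)


def sat(f):
    """Set of states satisfying the ATL formula f (nested tuples, see F1..F3)."""
    op = f[0]
    if op == "true":
        return STATES
    if op == "atom":
        return frozenset(q for q in STATES if f[1] in LABELS[q])
    if op == "not":
        return STATES - sat(f[1])
    if op == "or":
        return sat(f[1]) | sat(f[2])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "next":                      # <<C>> O phi
        return pre(f[1], sat(f[2]))
    if op == "always":                    # nu X. phi and <<C>> O X
        phi, x = sat(f[2]), STATES
        while (new := phi & pre(f[1], x)) != x:
            x = new
        return x
    if op == "until":                     # mu X. psi or (phi and <<C>> O X)
        phi, psi, x = sat(f[2]), sat(f[3]), frozenset()
        while (new := psi | (phi & pre(f[1], x))) != x:
            x = new
        return x
    raise ValueError(f"unknown operator: {op}")


def implies(f, g):
    return ("or", ("not", f), g)


def eventually(coalition, f):
    """<<C>> eventually f, as the abbreviation <<C>> true U f."""
    return ("until", coalition, ("true",), f)


def valid(f):
    """True iff f holds at every state of the structure."""
    return sat(f) == STATES


OUT, IN, GRANT = ("atom", "out-of-gate"), ("atom", "in-gate"), ("atom", "grant")
# The three properties of Section 11.2; () is the empty coalition.
F1 = ("always", (), implies(IN, ("next", ("ctr",), OUT)))
F2 = ("always", (), implies(OUT, eventually(("ctr", "train"), IN)))
F3 = ("always", (), implies(OUT, eventually(("train",), ("and", ("atom", "request"),
      ("and", eventually(("ctr",), GRANT), ("always", ("ctr",), ("not", GRANT)))))))

if __name__ == "__main__":
    print([valid(f) for f in (F1, F2, F3)])
    print(sorted(sat(eventually(("train",), IN))))  # where the train alone can enter
```

With the empty coalition, pre behaves as the box of the underlying transition system and with the full coalition as the diamond, matching the reading of the two extreme coalitions in Section 10.1.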

Various attempts have been made to introduce imperfect information into concurrent
game structures. Since at the time of writing this problem is still under discussion, we
restrict ourselves here to a rough sketch of some of the difficulties. In [3], a set of
observable propositions is associated with every player. This extension of ATL introduces
quite a few new complexities, syntactically as well as semantically, and this is witnessed
by the result that model-checking becomes undecidable. Syntactically, not all ATL
expressions make sense anymore, since, e.g., $\langle\langle C \rangle\rangle \Diamond p$ presupposes that the cooperative
goal $p$ is actually observable by the members of $C$. Semantically, a player’s strategy has
to be restricted in such a way that it can only influence propositions observable by that
player. The difficulties which arise when trying to extend ATL to incomplete information
also become visible in an alternative approach explored in [92]. Here, concurrent game
structures are augmented with an epistemic accessibility relation $\sim_i$ for each player $i$. In
contrast to the previous approach, the language of ATL is also extended with an
epistemic $K_i$ knowledge operator with its standard definition. The resulting Alternating-time
Temporal Epistemic Logic (ATEL) can express properties from a variety of domains, e.g.
confidentiality properties like $\langle\langle \{1,2\} \rangle\rangle (\neg K_3 p \,\mathcal{U}\, K_2 p)$. The semantics of ATL, however,
cannot simply be left unchanged. At a state $q$, player 1 may have some strategy $s_1$
to eventually achieve $\varphi$. But if he cannot distinguish $q$ from $q'$ where only a different
strategy $s_2$ achieves $\varphi$, player 1 does not have a strategy at $q$ (as defined for imperfect
information games) for achieving $\varphi$. More precisely, player 1 has a strategy only de dicto,
but not de re, and it is the de re strategies which game theory is interested in [39]. A
further approach is presented in [72].


12 CONCLUSION 


What can modal logic contribute to the study of strategic interaction? Four answers, 
not mutually exclusive, suggest themselves to us. First, logic contributes a more abstract 
and hence more general perspective on games. As we have seen in Sections 3 and 6, 
games can essentially be viewed as special kinds of Kripke models, with move relations 
and possibly epistemic uncertainty relations to model players’ knowledge. In this way, 
certain game-theoretic notions such as perfect recall turn out to be special cases of general 
logical axioms (cf. 6.1) which have been investigated in more generality in modal logic. 
Similarly, game logic (Section 9) presents games as generalisations of programs, providing 
a semantics which is general enough to study the difference between 2-player games and 
1-player games (i.e., programs). This more general perspective provided by logic also 
raises new questions. In the case of game logic, for instance, we may ask what operations 
on games suffice to build all games in a particular class of games. More generally, to the 
best of our knowledge, operations on games are rarely investigated in game theory, while 
a computational logic perspective naturally suggests such an investigation. 

Second, there is the analysis of players’ knowledge and beliefs in games. While much 
of the game-theoretic analysis of interactive epistemics has been independent of devel- 
opments in epistemic logic (Section 4), the models employed are essentially the same 
(information partitions or Kripke models satisfying the S5 axioms), as is the notion of 
common knowledge. Developments in update logics (Section 7) and belief revision (see 
Chapter 21 of this handbook) have shifted the logical focus from an analysis of static 
epistemic situations to epistemic dynamics, without a doubt important in the analysis 
of games of imperfect information. Furthermore, the epistemic foundation of solution 
concepts (Section 8) translates solution concepts into the language of the epistemic logi- 
cian, while the language itself remains hidden from view. More precisely, while epistemic 
logic rests on the link between the semantic model of knowledge and the formal language 
used to describe it, game theory has mainly focused on the semantic model exclusively. 
Only more recently have syntactic approaches to the epistemic foundations of solution 
concepts been advanced. 

The issue of syntax or formal language is, in fact, a third way in which logic can raise 
new issues in strategic interaction. While many game theorists may find the logician’s 
insistence on syntax cumbersome and unnecessary, it is precisely the interplay between 
syntax and semantics that the logician is interested in. In general, decision makers use a 
certain language and conceptual apparatus to reason about the situation at hand. As a 
consequence, one would suspect that game theoretic models and solution concepts would 
be language dependent (see also [71]). More specifically, we may be interested whether 
a particular logical language is rich enough to define a particular solution concept such 
as the Nash equilibrium (see, e.g., Theorem 15 in Section 3). As mentioned above, we 
may wonder whether a certain set of game operations suffices to construct all games of a 
particular class. Or we may be interested in the computational complexity of reasoning
about information update in games. For all these questions, a syntactic approach may 
help. 

Fourth, due to its formal language, logic becomes important when it comes to the 
specification and verification of multi-agent systems. Logics like Alternating-time Tem- 
poral Logic (Section 11) have been devised as a way to specify properties of systems 
of interacting agents. By analysing the complexity of model checking, we find out how 
complex certain game-theoretic properties are to verify for a given game or game form. 
Hence, logic is also useful when applying game theory to complex games played by arti- 
ficial agents, and hence modal logic can serve as a tool of computation for difficult real 
or artificial life games. 

While we hope to have given some insights into how modal logic may enrich game 
theory, we should point out again that there are many cases where game theory can be 
useful for modal logic. Maybe the most interesting example is Independence-Friendly 
Modal Logic (IFML) [78]. In IFML, we consider formulas like $\Box\Diamond^{*}p$, where the modal
diamond $\Diamond^{*}$ is independent of the box. Such a formula will be true just in case the
diamond successor satisfying $p$ can be chosen independently from the earlier box successor,
in other words, there needs to be a uniform diamond successor satisfying p for all earlier 
box successors. As this example suggests, the semantics of IFML can be formulated in 
terms of imperfect information games. IFML is interesting from a logical point of view 
since it is more expressive than standard modal logic, due to its ability to express certain 
weak confluence properties. 

The area of modal logic and games is active and in full development. Due to upcoming 
technologies like on-line auctions and e-voting, researchers apply a new range of tools 
and techniques to ask and settle ‘standard’ questions of logicians and computer scientists 
regarding the specification, verification and synthesis of interactive systems or mecha- 
nisms. In the ‘classical’ areas of game theory and social choice theory, this logical work 
generates both interesting results regarding formalisation and computational complexity, 
and at the same time new and sometimes even philosophical questions about the nature 
of games, or more generally, interaction. 
Modal logic is one of philosophy’s many children. As a mature adult it has moved out
of the parental home and is nowadays straying far from its parent. But the ties are still
there: philosophy is important for modal logic, modal logic is important for philosophy.
Or, at least, this is a thesis we try to defend in this chapter. Limitations of space have
ruled out any attempt at writing a survey of all the work going on in our field — a book
would be needed for that. Instead, we have tried to select material that is of interest
in its own right or exemplifies noteworthy features in interesting ways. Here are some
themes which have guided us throughout the writing:


• The back-and-forth between philosophy and modal logic. There has been a good deal
of give-and-take in the past. Carnap tried to use his modal logic to throw light on 
old philosophical questions, thereby inspiring others to continue his work and still 
others to criticise it. He certainly provoked Quine, who in his turn provided — and 
continues to provide — a healthy challenge to modal logicians. And Kripke’s and 
David Lewis’s philosophies are connected, in interesting ways, with their modal 
logic. Analytic philosophy would have been a lot different without modal logic! 
• The interpretation problem. The problem of providing a certain modal logic with
an intuitive interpretation should not be conflated with the problem of providing a 
formal system with a model-theoretic semantics. An intuitively appealing model- 
theoretic semantics may be an important step towards solving the interpretation 
problem, but only a step. One may compare this situation with that in probability 
theory, where definitions of concepts like ‘outcome space’ and ‘random variable’ are 
orthogonal to questions about “interpretations” of the concept of probability. 


• The value of formalisation. Modal logic sets standards of precision, which are a
challenge to — and sometimes a model for — philosophy. Classical philosophical 
questions can be sharpened and seen from a new perspective when formulated in 
a framework of modal logic. On the other hand, representing old questions in a 
formal garb has its dangers, such as simplification and distortion. 


• Why modal logic rather than classical (first or higher order) logic? The idioms of 
modal logic — today there are many! — seem better to correspond to human ways 
of thinking than ordinary extensional logic. (Cf. Chomsky’s conjecture that the 
NP + VP pattern is wired into the human brain.) 


In his An Essay in Modal Logic [107] von Wright distinguished between four kinds of 
modalities: alethic (modes of truth: necessity, possibility and impossibility), epistemic 
(modes of being known: known to be true, known to be false, undecided), deontic (modes 
of obligation: obligatory, permitted, forbidden) and existential (modes of existence: uni- 
versality, existence, emptiness). The existential modalities are not usually counted as 
modalities, but the other three categories are exemplified in three sections into which 
this chapter is divided. Section 1 is devoted to alethic modal logic and reviews some 
main themes at the heart of philosophical modal logic. Sections 2 and 3 deal with topics 
in epistemic logic and deontic logic, respectively, and are meant to illustrate two different 
uses that modal logic or indeed any logic can have: it may be applied to already existing 
(non-logical) theory, or it can be used to develop new theory. 


1 ALETHIC MODAL LOGIC 


In this part we consider the challenge that Quine posed in 1947 to the advocates of modal 
logic to provide an account of modal notions that is intuitively clear, allows “quantifying 
in”, and does not presuppose intensional entities. The modal notions that Quine and his 
contemporaries were primarily concerned with in the 1940’s were, broadly speaking, the 
logical modalities rather than the metaphysical ones that have since come to prevail. In 
the 1950’s modal logicians responded to Quine’s challenge by providing quantified modal 
logic with model-theoretic semantics of various types. In doing so they also, explicitly 
or implicitly, addressed Quine’s interpretation problem. Here we shall consider the ap- 
proaches developed by Carnap in the late 1940’s, and by Kanger, Hintikka, Montague, 
and Kripke in the 1950’s and early 1960’s, and discuss to what extent these approaches 
were successful in meeting Quine’s doubts about the intelligibility of quantified modal 
logic. 

It is useful to divide the reactions to Quine’s challenge into two periods. During the 
first period modal logicians provided modal logic with formal semantics as just men- 
tioned. In the second period philosophers — inspired by the success of possible worlds 
semantics — came to take the notion of a possible world seriously as a tool for philo- 
sophical analysis. Philosophical analyses in terms of possible worlds were provided for 
many concepts of central philosophical importance: propositional attitudes [42, 43, 45], 
metaphysical necessity, identity, and naming [69, 70], “intensional entities” like proposi- 
tions, properties and events [84, 61, 102, 103], counterfactual conditionals and causality 
[77, 78], supervenience [62]. At the same time the notion of a possible world itself came in 
for philosophical analysis. The problems of giving a satisfactory analysis of this notion 
indicate that Quine’s interpretational challenge is still alive. The basic philosophical 
questions surrounding the notions of alethic necessity and possibility are as puzzling as 
ever! We end this section by discussing the relationship between the logical and meta- 
physical interpretation of the alethic modalities. 


1.1 The search for the intended interpretation 


Starting with the work of C. I. Lewis, an immense number of formal systems of modal logic 
have been constructed based on classical propositional or predicate logic. The originators 
of modern modal logic, however, were not very clear about the intuitive meaning of the 
symbols $\Box$ and $\Diamond$, except to say that these should stand for some kind of necessity and 
possibility, respectively. For instance, in Symbolic Logic [72], Lewis and Langford write: 


It should be noted that the words “possible”, “impossible” and “necessary” 
are highly ambiguous in ordinary discourse. The meaning here assigned to 
$\Diamond p$ is a wide meaning of “possibility” — namely, logical conceivability or the 
absence of self-contradiction. (160-61) 


This situation led to a search for more rigorous interpretations of modal notions. Gödel 
[35] suggested interpreting the necessity operator $\Box$ as standing for provability (informal 
provability or, alternatively, formal provability in a fixed formal system), a suggestion 
that subsequently led to the modern provability interpretations of Solovay, Boolos and 
others.¹ 

After Tarski [105, 106] had developed rigorous notions of satisfaction, truth and logical 
consequence for classical extensional languages, the question arose whether the same 
methods could be applied to the languages of modal logic and related systems. One 
natural idea, that occurred to Carnap in the 1940’s, was to let $\Box\varphi$ be true of precisely 
those formulæ $\varphi$ that are logically valid (or logically true) according to the standard 
semantic definition of logical validity. This idea led him to the following semantic clause 
for the operator of logical necessity: 


$\Box\varphi$ is true in an interpretation $\mathcal{I}$ iff $\varphi$ is true in every interpretation $\mathcal{I}'$. 


This kind of approach, which we may call the validity interpretation, was pursued by 
Carnap, using so-called state descriptions, and subsequently also by Kanger [53, 54] 
and Montague [83], using Tarski-style model-theoretic interpretations rather than state 
descriptions. In Hintikka’s and Kanger’s early work on modal semantics other interpre- 
tations of $\Box$ were also considered, especially, epistemic (‘It is known that $\varphi$’) and deontic 
ones (‘It ought to be the case that $\varphi$’). In order to study these and other non-logical 
modalities, the introduction by Hintikka and Kanger of accessibility relations between 
possible worlds (models, domains) was crucial. Finally, Kripke [66, 67, 68] introduced 
the kind of model structures that are nowadays the standard formal tool for the model- 
theoretic study of modal and related non-classical logics: Kripke models. Thus Kripke 
gave possible worlds semantics its modern and mature form. 


¹ Cf. [101] and [13]. 

In Carnap’s, Kanger’s and Montague’s early theories, the space of possibilities (the 
“possible worlds”) is represented by one comprehensive collection containing all state 
descriptions, domains, or models, respectively. Hence, every state description, domain, 
or model is thought of as representing a genuine possibility. Hintikka, Kripke and modern 
possible worlds semantics are instead working with semantic interpretations in which 
the space of possibilities is represented by an arbitrary non-empty set K of model sets 
(in the case of Hintikka) or “possible worlds” (Kripke). Following Hintikka’s [46, 47] 
terminology, one may say that the early theories of Carnap, Kanger, and Montague were 
considering standard interpretations only, where one quantifies over what is, in some 
formal sense, all the possibilities. In the possible worlds approach, one also considers non- 
standard interpretations, where arbitrary non-empty sets of possibilities are considered.² 
The consideration of interpretations (model structures) that are non-standard in this 
sense — in combination with the use of accessibility relations between worlds in each 
interpretation — made it possible for Kripke [64, 67, 68] to prove completeness theorems 
for various systems of propositional and quantified modal logic (T, B, S4, etc.). 


1.2 Carnap’s formal semantics for quantified modal logic 


The proof theoretic study of quantified modal logic was pioneered by Ruth Barcan Marcus 
[5, 6, 7] and Rudolf Carnap [16, 17] who were the first to formulate axiomatic systems 
that combined quantification theory with (S4- and S5-type) modal logic. The attempts 
to interpret quantified modal logic by means of formal semantic methods also began with 
Carnap. 

Carnap’s project was not only to develop a semantics (in the sense of Tarski) for 
intensional languages, but also to use metalinguistic notions from formal semantics to 
throw light on the modal ones. In ‘Modalities and quantification’ from 1946 he writes: 


It seems to me ... that it is not possible to construct a satisfactory system 
before the meaning of the modalities are sufficiently clarified. I further believe 
that this clarification can best be achieved by correlating each of the modal 
concepts with a corresponding semantical concept (for example, necessity 
with L-truth). 


In [16, 17] Carnap presented a formal semantics for logical necessity based on Leibniz’s 
old idea that a proposition is necessarily true if and only if it is true in all possible worlds. 
Suppose that we are considering a first-order predicate language $\mathcal{L}$ with predicate symbols 
and individual constants, but no function symbols. In addition to Boolean connectives, 
quantifiers and the identity symbol $=$ (considered as a logical symbol), the language $\mathcal{L}$ 
also contains the modal operator $\Box$ for logical necessity. We assume that $\mathcal{L}$ comes with 
a domain of individuals $D$ and that there is a one-to-one correspondence between the 
individual constants of $\mathcal{L}$ and the individuals in $D$. Intuitively speaking, each individual 
in $D$ has exactly one individual constant as its (canonical) name. A state description $S$ 
for $\mathcal{L}$ is simply a set of (closed) atomic sentences of the form $P(a_1,\ldots,a_n)$, where $P$ is 
an $n$-ary predicate in $\mathcal{L}$ and $a_1,\ldots,a_n$ are individual constants in $\mathcal{L}$.³ Carnap [17, p. 
9] writes “...the state descriptions represent Leibniz’s possible worlds or Wittgenstein’s 
possible states of affairs”. 


² For the standard/non-standard distinction, see also [23]. 

In order to interpret quantification, Carnap introduced the notion of an individual 
concept (relative to $\mathcal{L}$): An individual concept is simply a function $f$ that assigns to 
every state description $S$ an individual constant $f(S)$ (representing an individual in $D$). 
Intuitively speaking, individual concepts are functions from possible worlds to individu- 
als. According to Carnap’s semantics, individual variables are assigned values relative to 
state descriptions. An assignment is a function $g$ that to every state description $S$ and 
every individual variable $x$ assigns an individual constant $g(x, S)$. Intuitively, $g(x, S)$ 
represents the individual that is the value of $x$ under the assignment $g$ in the possible 
world represented by $S$. We may speak of $g(x, S)$ as the value extension of $x$ in $S$ rel- 
ative to $g$. Analogously, the individual concept $(\lambda S)g(x, S)$ that assigns to every state 
description $S$ the value extension of $x$ in $S$ relative to $g$, we call the value intension of $x$ 
relative to $g$. Thus, according to Carnap’s semantics a variable is assigned both a value 
intension and a value extension [17, p. 45]. The value extension assigned to a variable 
in a state description $S$ is simply the value intension assigned to the variable applied to 
$S$. 

With these notions in place, we can define what it means for a formula $\varphi$ of $\mathcal{L}$ to be 
true in a state description $S$ relative to an assignment $g$ (in symbols, $S \models \varphi[g]$). 

For atomic formulæ of the form $P(t_1,\ldots,t_n)$, where $t_1,\ldots,t_n$ are individual terms, 
i.e., variables or individual constants, we have: 


(1) $S \models P(t_1,\ldots,t_n)[g]$ iff $P(S(t_1,g),\ldots,S(t_n,g)) \in S$. 


Here, $S(t_i, g)$ is the extension of the term $t_i$ in the state description $S$ relative to the 
assignment $g$. Thus, if $t_i$ is an individual constant, then $S(t_i, g)$ is $t_i$ itself; and if $t_i$ is a 
variable, then $S(t_i, g) = g(t_i, S)$. 

The semantic clause for the identity symbol is: 


(2) $S \models (t_1 = t_2)[g]$ iff $S(t_1, g) = S(t_2, g)$. 


That is, the identity statement $t_1 = t_2$ is true in a state description $S$ relative to an 
assignment $g$ if and only if the terms $t_1$ and $t_2$ have the same extension in $S$ relative to $g$. 

The clauses for the Boolean connectives are the usual ones. Carnap’s clause for the 
universal quantifier is: 


(3) $S \models \forall x\varphi[g]$ iff for every assignment $g'$ such that $g =_x g'$, $S \models \varphi[g']$, 


where $g =_x g'$ means that the assignments $g$ and $g'$ assign the same value intensions to 
all the variables that are distinct from $x$ and possibly assign different value intensions to 
$x$. Intuitively, then $\forall x\varphi(x)$ may be read: “for every assignment of an individual concept 
to $x$, $\varphi(x)$”. 

Finally, the semantic clause for the necessity operator is the expected one: 


(4) $S \models \Box\varphi[g]$ iff, for every state description $S'$, $S' \models \varphi[g]$. 


³ Actually Carnap’s state descriptions are sets of literals (i.e., either atomic sentences or negated 
atomic sentences) that contain for each atomic sentence either it or its negation. However, for our 
purposes we may identify a state description with the set of atomic sentences that it contains. 

That is, the modal formula ‘it is (logically) necessary that $\varphi$’ is true in a state description 
$S$ (relative to an assignment $g$) if and only if $\varphi$ is true in every state description $S'$ (relative 
to $g$). 

A formula $\varphi$ is true in a state description $S$ (in symbols, $S \models \varphi$) if it is true in $S$ 
relative to every assignment. Logical truth (logical validity) is defined as truth in all 
state descriptions. We write $\models \varphi$ for $\varphi$ being logically true. 

Carnap’s semantics satisfies the following principles: 


(5) All truth-functional tautologies are logically true. 
(6) The set of logical truths is closed under modus ponens. 


(7) The standard principles of quantification theory (without identity) are valid. In 
particular, 
(US) $\forall x\varphi \to \varphi(t/x)$ (Universal Specification) 
(EG) $\varphi(t/x) \to \exists x\varphi$ (Existential Generalisation) 
(where $t$ is substitutable for $x$ in $\varphi$) 
hold without restrictions. 


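It is easy to verify that $\Box$ satisfies the usual laws of the system S5, together with the 
so-called Barcan formula and its converse, and the rule of necessitation: 


(K) $\models \Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$. 

(T) $\models \Box\varphi \to \varphi$. 

(S4) $\models \Box\varphi \to \Box\Box\varphi$. 

(S5) $\models \neg\Box\varphi \to \Box\neg\Box\varphi$. 

(BF) $\models \forall x\Box\varphi(x) \to \Box\forall x\varphi(x)$. (The Barcan formula) 

(CBF) $\models \Box\forall x\varphi(x) \to \forall x\Box\varphi(x)$. (The Converse Barcan formula) 

(Nec) If $\models \varphi$, then $\models \Box\varphi$. 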


Notice that the Barcan formula (BF) and its converse (CBF) are schemata rather than 
single formule. 
The following schemata are also valid in Carnap’s semantics: 


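(8) $\models \Box\varphi$ iff $\models \varphi$. 
(9) $\models \neg\Box\varphi$ iff $\not\models \varphi$. 
(10) Either $\models \Box\varphi$ or $\models \neg\Box\varphi$. 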


For identity, we have: 

(LI) $\models t = t$. (Law of Identity) 

However, the unrestricted principle of indiscernibility of identicals is not valid in Car- 
nap’s semantics. In other words, the following principle does not hold for all formulæ $\varphi$: 

(I=) $\models \forall x\forall y(x = y \to (\varphi(x/z) \to \varphi(y/z)))$. 

Instead, we have a restricted version of (I=): 

(I=restr) $\models \forall x\forall y(x = y \to (\varphi(x/z) \to \varphi(y/z)))$, provided that $\varphi$ does not contain 
any occurrences of $\Box$. 

For the unrestricted case, we only have: 

($\Box$=) $\models \forall x\forall y(\Box(x = y) \to (\varphi(x/z) \to \varphi(y/z)))$. 

The following principle is of course not valid according to Carnap’s semantics: 

($\Box$=) $\forall x\forall y(x = y \to \Box(x = y))$. (Necessity of Identity) 

In the presence of the other principles, it is equivalent to the unrestricted principle of 
indiscernibility of identicals. Nor do we have: 

($\Box\neq$) $\forall x\forall y(x \neq y \to \Box(x \neq y))$. (Necessity of Non-Identity) 

In view of Church’s undecidability theorem for the predicate calculus, it is easy to 
prove that Carnap’s quantified modal logic is not axiomatizable. For every sentence $\varphi$ of 
predicate logic, either $\Box\varphi$ or $\neg\Box\varphi$ is true in every state description. So, if Carnap’s logic 
were axiomatizable, then we could decide effectively whether $\varphi$ is provable in predicate 
logic. But this is contrary to Church’s theorem. 


THEOREM 1. The set of all logically true sentences according to Carnap’s semantics 
is not recursively enumerable, so there is no formal axiomatic system with this set as its 
theorems. 


Carnap introduced the notion of a meaning postulate to account for analytic connec- 
tions between the non-logical symbols of a predicate language. Thus, suppose that MP is 
the set of all the meaning postulates of a given language $\mathcal{L}$. MP is then a set of sentences 
in the non-modal fragment of $\mathcal{L}$. We say that a state description $S$ is admissible if 
$MP \cup S$ is consistent. Then, we can interpret $\Box$ as ‘analytic necessity’ by modifying clause 
(4) above to: 


(4') $S \models \Box\varphi$ iff, for every admissible state description $S'$, $S' \models \varphi$. 


We also say that $\varphi$ is analytically true iff $\varphi$ is true in all admissible state descriptions. 
In the modified semantics, we have: 


$S \models \Box\varphi$ iff $\varphi$ is analytically true. 
$S \models \neg\Box\varphi$ iff $\varphi$ is not analytically true. 


Carnap’s semantics for the quantifiers can be understood in two ways. The most 
straightforward interpretation is to say that the quantifiers simply range over individual 
concepts. Sometimes Carnap himself characterises his interpretation of the quantifiers 
in this way, and this is how Quine describes it. There is, however, another more subtle 
interpretation according to which every individual term, including the (free) variables, has 
a double semantic role given by its extension and its intension, respectively. Each variable 
has a value extension as well as a value intension. According to this interpretation — 
which presumably is the one that Carnap really had in mind — it is simply wrong to ask 
for the range of the individual variables. In ordinary extensional contexts the variables 
can be thought of as ranging over ordinary individuals. However, in intensional contexts 
the intensions associated with the variables come into play. This is what explains why 
the principle ($\Box$=) fails. 
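
Clauses (1)–(4) and the identity principles listed above can be checked mechanically on a finite fragment. The following Python sketch is an added example, not part of the original chapter; the two-constant language with one unary predicate P, the tuple encoding of formulas and all function names are assumptions made for the illustration.

```python
from itertools import chain, combinations, product

# Constructed toy language (an assumption of this example): two individual
# constants, one per individual of D, and a single unary predicate P.
CONSTANTS = ("a", "b")
ATOMS = tuple(("P", c) for c in CONSTANTS)

# A state description is identified with the set of atomic sentences it contains.
STATES = tuple(frozenset(s) for s in chain.from_iterable(
    combinations(ATOMS, n) for n in range(len(ATOMS) + 1)))

# An individual concept assigns an individual constant to every state description.
CONCEPTS = tuple(dict(zip(STATES, values))
                 for values in product(CONSTANTS, repeat=len(STATES)))


def ext(term, state, g):
    """S(t, g): a constant denotes itself; a variable gets its value extension."""
    return term if term in CONSTANTS else g[term][state]


def holds(state, f, g):
    """S |= f[g], with formulas encoded as nested tuples."""
    op = f[0]
    if op == "P":       # clause (1)
        return ("P", ext(f[1], state, g)) in state
    if op == "eq":      # clause (2)
        return ext(f[1], state, g) == ext(f[2], state, g)
    if op == "not":
        return not holds(state, f[1], g)
    if op == "and":
        return holds(state, f[1], g) and holds(state, f[2], g)
    if op == "imp":
        return not holds(state, f[1], g) or holds(state, f[2], g)
    if op == "all":     # clause (3): the variable ranges over individual concepts
        return all(holds(state, f[2], {**g, f[1]: c}) for c in CONCEPTS)
    if op == "box":     # clause (4): truth in every state description
        return all(holds(s, f[1], g) for s in STATES)
    raise ValueError(f"unknown operator {op!r}")


def free_vars(f):
    if f[0] in ("P", "eq"):
        return set(f[1:]) - set(CONSTANTS)
    if f[0] == "all":
        return free_vars(f[2]) - {f[1]}
    return set().union(*(free_vars(sub) for sub in f[1:]))


def valid(f):
    """Logical truth: true in every state description relative to every assignment."""
    names = sorted(free_vars(f))
    return all(holds(s, f, dict(zip(names, cs)))
               for cs in product(CONCEPTS, repeat=len(names)) for s in STATES)


def forall(*args):
    *variables, body = args
    for v in reversed(variables):
        body = ("all", v, body)
    return body


def exists(v, body):
    return ("not", ("all", v, ("not", body)))


def imp(a, b):
    return ("imp", a, b)


X_EQ_Y = ("eq", "x", "y")
PHI_X, PHI_Y = ("box", ("eq", "x", "w")), ("box", ("eq", "y", "w"))  # phi contains a box
OPEN = imp(("P", "x"), ("P", "y"))                                    # phi(x), y free

BF = imp(forall("x", ("box", OPEN)), ("box", forall("x", OPEN)))
CBF = imp(("box", forall("x", OPEN)), forall("x", ("box", OPEN)))
I_RESTR = forall("x", "y", imp(X_EQ_Y, imp(("P", "x"), ("P", "y"))))
I_FULL = forall("x", "y", imp(X_EQ_Y, imp(PHI_X, PHI_Y)))
I_BOX = forall("x", "y", imp(("box", X_EQ_Y), imp(PHI_X, PHI_Y)))
NEC_ID = forall("x", "y", imp(X_EQ_Y, ("box", X_EQ_Y)))
NEC_NONID = forall("x", "y", imp(("not", X_EQ_Y), ("box", ("not", X_EQ_Y))))
# Existential claims about a concept coinciding with the constant a, non-rigidly or rigidly.
NONRIGID = exists("x", ("and", ("eq", "x", "a"), ("not", ("box", ("eq", "x", "a")))))
RIGID = exists("x", ("and", ("eq", "x", "a"), ("box", ("eq", "x", "a"))))

if __name__ == "__main__":
    for name in ("BF", "CBF", "I_RESTR", "I_FULL", "I_BOX", "NEC_ID", "NEC_NONID",
                 "NONRIGID", "RIGID"):
        print(f"{name:10s} valid: {valid(globals()[name])}")
```

Because the quantifier in clause (3) ranges over all sixteen individual concepts, both existential sentences at the end come out logically true, while Necessity of Identity and Necessity of Non-Identity are refuted by a concept that agrees with a rigid one in a single state description only.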

Carnap’s interpretation of the quantifiers can still be criticised for being unintuitive. 
The problem is that he lacks a way of discriminating between those individual concepts 
that, intuitively speaking, pick out one and the same individual in all possible worlds and 
those that don’t. Suppose that we have assigned to the variable $x$ as its value intension 
the individual concept: the number of planets. Relative to this assignment it is true that: 


(1) $x = 9 \land \neg\Box(x = 9)$. 

However, there is no object that has the property of being identical with 9 but doesn’t 
have this property necessarily. So from (1) it should not follow that: 


(2) $\exists x(x = 9 \land \neg\Box(x = 9))$. 


But, of course, on Carnap’s interpretation of the quantifiers, (2) is a logical consequence 
of (1). Intuitively, one should be able to make the inference from (1) to (2) only if the 
concept assigned to $x$ in (1) is, what might be called, a logically rigid concept, i.e. a 
concept that picks out the same individual relative to every state description.⁴ 


1.3 Quine’s interpretational challenge 


Quine’s criticism of quantified modal logic comes in different strands. First, there is the 
simple observation that classical quantification theory with identity cannot be applied to 
a language in which substitutivity of identicals for singular terms fails. It seems, from 
the so-called Morning Star Paradox, that either universal specification (US) (and its mir- 
ror image: existential generalisation (EG)) or indiscernibility of identicals, (I=), has to 
be given up. This observation gives rise to the following weak, and apparently uncon- 
troversial, Quinean claim: Classical quantification theory (with identity and individual 
constants) cannot be combined with non-extensional operators (i.e., operators for which 
substitutivity of identicals for singular terms fails) without being modified in some way. 
This weak claim already gives rise to the challenge of extending quantification theory in 
a consistent way to languages with non-extensional operators. 

In addition to the weak claim, there is the much stronger claim that one sometimes can 
find in Quine’s early works, that objectual quantification into non-extensional (so called 
“opaque”) constructions simply does not make sense [91, 93, 94]. The argument for this 
claim is based on the idea that occurrences of variables inside of opaque constructions 
do not have purely referential occurrences, i.e., they do not serve simply to refer to their 
objects, and cannot therefore be bound by quantifiers outside of the opaque construction. 
Thus quantifying into contexts governed by non-extensional operators would be like try- 
ing to quantify into quotations. This claim is hardly credible in the face of the multitude 
of quantified intensional logics that have been developed since it was first made, and we 
take it to be refuted by the work of among others, David Kaplan [59, 61] and Kit Fine 
[26, 27].⁵ 

Then, there is Quine’s claim that quantified modal logic is committed to Aristotelian 
essentialism, i.e., the view that it makes sense to say of an object, quite independently 
of how it is described, that it has certain of its traits necessarily, and others only contin- 
gently. Aristotelian essentialism, however, comes in stronger and weaker forms. Kripke’s 
“metaphysical necessity” of Naming and Necessity represents a strong form of essen- 
tialism, while there are weaker forms according to which only logical properties that are 
shared by all individuals are essential. A quantified modal logic needs only be committed 
to this weak relatively benign form of essentialism. 


⁴ The notion of a logically rigid concept is closely related to Carnap’s [17, Part II] notion of an L- 
determinate intension. Intuitively, an L-determinate intension picks out the same extension in every 
state description. Thus, Carnap’s notion of L-determinacy may be viewed as a precursor of Kripke’s 
notion of rigidity. 

⁵ See also Burgess [14] and Neale [86] for recent evaluations of Quine’s criticism of quantified modal 
logic. 

Here we shall only consider the specific criticism that Quine directed in 1947 toward 
quantification into contexts of logical or analytical necessity. In his paper ‘The problem 
of interpreting modal logic’ from 1947, Quine formulates what one might call Quine’s 
challenge to the advocates of quantified modal logic: 


There are logicians, myself among them, to whom the ideas of modal logic (e.g. 
Lewis’s) are not intuitively clear until explained in non-modal terms. But 
so long as modal logic stops short of quantification theory, it is possible ... 
to provide somewhat the type of explanation required. When modal logic is 
extended (as by Miss Barcan) to include quantification theory, on the other 
hand, serious obstacles to interpretation are encountered — particularly if 
one cares to avoid a curiously idealistic ontology which repudiates material 
objects. 


What Quine demands of the modal logicians is nothing less than an explanation of the 
notions of quantified modal logic in non-modal terms. Such an explanation should satisfy 
the following requirements: 


(i) It should be expressed in an extensional language. Hence, it cannot use any non- 
extensional constructions. 


(ii) The explanation should be allowed to use concepts from the ‘theory of meaning’ 
like analyticity and synonymy applied to expressions of the metalanguage. Quine 
is, of course, quite sceptical about the intelligibility of these notions as well. But he 
considers it to be progress of a kind, if modal notions could be explained in these 
terms. 


(iii) The explanation should make sense of sentences like: 


$\exists x(x \text{ is red} \land \Diamond(x \text{ is round}))$, 


in which a quantifier outside a modal operator binds a variable within the scope 
of the operator and the quantifier ranges over ordinary physical objects (in distinc- 
tion from Frege’s “Sinne” or Carnap’s “individual concepts”). In other words, the 
explanation should make sense of ‘quantifying in’ in modal contexts. 


Quine [92] — like Carnap before him — starts out from a metalinguistic interpretation of 
the necessity operator $\Box$ in terms of the predicate ‘... is analytically true’. Disregarding 
possible complications in connection with the interpretation of iterated modalities, we 
have for sentences $\varphi$ of the object language: 


‘$\Box\varphi$’ is true iff $\varphi$ is analytically true. 


Now Quine argues for the thesis that it is impossible to combine analytical neces- 
sity with a standard theory of quantification (over physical objects). The argument (a 
variation of “the Morning Star Paradox”) is based on the premises: 


(1) $\Box$(Hesperus = Hesperus) 


(2) Phosphorus = Hesperus 

(3) $\neg\Box$(Phosphorus = Hesperus), 


where ‘Phosphorus’ and ‘Hesperus’ are two proper names (individual constants) and $\Box$ 
is to be read ‘It is analytically necessary that’. We assume that ‘Phosphorus’ is used by 
the language community as a name for a certain bright heavenly object sometimes visible 
in the morning and that ‘Hesperus’ is used for some bright heavenly object sometimes 
visible in the evening. Unbeknownst to the community, however, these objects are one 
and the same, namely, the planet Venus. ‘Hesperus = Hesperus’ being an instance of the 
Law of Identity is clearly an analytic truth. It follows that the premise (1) is true. (2) 
is true, as a matter of fact. ‘Phosphorus = Hesperus’ is obviously not an analytic truth, 
‘Phosphorus’ and ‘Hesperus’ being two different names with quite distinct uses. So, (3) 
is true. 
From (1), (2), (3) and the Law of Identity, we infer by sentential logic: 


(4) Phosphorus = Hesperus $\land$ $\neg\Box$(Phosphorus = Hesperus), 


(5) Hesperus = Hesperus $\land$ $\Box$(Hesperus = Hesperus). 


Applying (EG) to (4) and (5), we get: 


(6) $\exists x$($x$ = Hesperus $\land$ $\neg\Box$($x$ = Hesperus)), 


(7) $\exists x$($x$ = Hesperus $\land$ $\Box$($x$ = Hesperus)). 


As Quine [92] points out, however, (6) and (7) are incompatible with interpreting $\forall x$ 
and $\exists x$ as objectual quantifiers meaning “for all objects $x$ (in the domain $D$)” and “for 
at least one object x (in D)” and letting the identity sign stand for genuine identity 
between objects (in D). Because, under this interpretation, (6) and (7) imply that one 
and the same object, Hesperus, both is and is not necessarily identical with Hesperus, 
which seems absurd. 

The following are classical proposals for solving Quine’s interpretational challenge: 


(i) Russell-Smullyan (Smullyan [99]). According to this proposal, all singular terms 
except variables are treated as Russellian terms, i.e., as “abbreviations” of definite 
descriptions that are eliminated from the language by means of contextual definition 
à la Russell. If we let ‘Hesperus’ and ‘Phosphorus’ be Russellian terms having 
minimal scope everywhere — which clearly corresponds to the intended reading 
— then the inference will not go through (i.e., once the Russell terms have been 
contextually eliminated): the (EG)-steps above will not correspond to valid steps in 
primitive notation. With this treatment of singular terms, the paradox is avoided. 
One has the feeling, however, that the problem has been circumvented rather than 
solved. 


(ii) Carnap (at least the way Quine reads him): The individual variables are not taken 
to range over physical objects, but instead over individual concepts. According to 
this reading, the names ‘Phosphorus’ and ‘Hesperus’ stand for different but coexten- 
sive individual concepts. The identity sign is interpreted not as a genuine identity 
between physical objects but as coextensionality between individual concepts. That 
is, an identity statement ‘u = v’ is true if and only if the terms ‘u’ and ‘v’ stand for 
coextensive individual concepts. According to this interpretation, (6) and (7) mean: 

(6’) There is an individual concept x which actually coincides with the individual 
concept Hesperus but does not do so by analytical necessity. 

(7') There is an individual concept x which not only happens to coincide with the 
individual concept Hesperus but does so by analytic necessity. 


No contradiction ensues from these two statements. The price for this interpreta- 
tion, however, seems to be as Quine expresses it: “a curiously idealistic ontology which 
repudiates material objects”. 


1.4 The advent of possible worlds semantics 
1.4.1 Semantics for quantified modal logic in 1957: Hintikka and Kanger 


1957 was a pivotal year in the history of modal logic. In that year Stig Kanger published 
his dissertation Provability in Logic and a number of other papers where he outlined a 
new model-theoretic semantics for quantified modal logic. In the same year, Jaakko 
Hintikka published two papers on the semantics of quantified modal logic: ‘Modality as 
referential multiplicity’ and ‘Quantifiers in deontic logic’ (Hintikka [39, 40]). There are 
some striking parallels between these works by Hintikka and Kanger, but there are also 
notable differences. 

Hintikka and Kanger had both done important and closely similar work in non-modal 
predicate logic. Using so-called model sets (nowadays often called “Hintikka sets” or 
“downward saturated sets”) for predicate logic, Hintikka [38] had developed a new com- 
plete and effective proof procedure for predicate logic. 

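Let $\mathcal{L}$ be a language of predicate logic with identity and let $U$ be a non-empty set 
of individual constants that do not belong to $\mathcal{L}$. A model set (over $U$) is a set $m$ of 
sentences of the expanded language $\mathcal{L}_U$ satisfying the following conditions:⁷ 


(C.$\neg$) if $\neg\varphi \in m$, then $\varphi \notin m$, 

(C.$\neg\neg$) if $\neg\neg\varphi \in m$, then $\varphi \in m$, 

(C.$\land$) if $\varphi \land \psi \in m$, then $\varphi \in m$ and $\psi \in m$, 

(C.$\neg\land$) if $\neg(\varphi \land \psi) \in m$, then $\neg\varphi \in m$ or $\neg\psi \in m$, 

(C.$\forall$) if $\forall x\varphi \in m$, then for every constant $a$ in $U$, $\varphi(a/x) \in m$, 

(C.$\neg\forall$) if $\neg\forall x\varphi \in m$, then for some constant $a$ in $U$, $\neg\varphi(a/x) \in m$, 

(C.=) for no individual constant $a$ in $\mathcal{L}_U$, $a \neq a \in m$, 

(C.Ind) if $\varphi(a/x) \in m$, where $\varphi$ is atomic, and $a = b \in m$, then $\varphi(b/x) \in m$. 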


Hintikka showed, what nowadays goes under the name Hintikka’s lemma, namely, that a 
set $\Gamma$ of sentences is satisfiable (true in some Tarski-style model) iff it can be imbedded 
in a model set over some non-empty set U of (new) individual constants. Furthermore, 
he provided an effective proof procedure for classical predicate logic. The method is very 
similar to the nowadays more familiar semantic tableaux method of Beth [11]. 

Hintikka [38, p. 47] points out that there is a close connection between his proof pro- 
cedure and proofs in Gentzen’s sequent calculus. The systematic search for a counterex- 
ample of a formula $\varphi$ corresponds to the backward application of the rules of Gentzen’s 
cut-free calculus for predicate logic. As a matter of fact, Kanger in Provability in Logic 
[53] provided an elegant effective proof procedure for classical predicate logic based on a 
sequent calculus that is equivalent to Hintikka’s. 


⁶ See [24] for a comprehensive historical account of the development of possible worlds semantics. For 
a mathematical exposition of the development of modal logic, see [36]. 

⁷ Here we have assumed that $\neg$, $\land$ and $\forall$ are primitive and that $\lor$, $\to$ and $\exists$ are introduced as abbre- 
viations in the usual way. For other choices of primitive logical constants, the definition of a model set 
has to be adjusted accordingly. 

Hintikka’s formal semantics for modal logic. When studying classical predicate logic,
Hintikka and Kanger used strikingly similar techniques and obtained similar results.
However, their approaches to modal logic were different. Kanger started out from the
work of Tarski and set himself the task of extending the method of Tarski-style truth-definitions
to predicate languages with modal operators. Hintikka, on the other hand,
generalised his method of model sets to the case of modal logic. In doing so he invented
the notion of a model system. Roughly speaking, a model system consists of a set $\Omega$ of
model sets and a binary relation $R$ defined between the members of $\Omega$. Different versions
of Hintikka’s semantics impose different conditions on model sets, but in order to simplify
the exposition, we can say that a model system is an ordered pair $S = (\Omega, R)$, such that:


(a) $\Omega$ is a non-empty set of model sets for $\mathcal{L}$,

(b) $R$ is a binary relation between the members of $\Omega$ (the alternativeness relation),

(c) for all $m \in \Omega$, if $\Box\varphi \in m$, then for all $n \in \Omega$ such that $mRn$, $\varphi \in n$,

(d) for all $m \in \Omega$, if $\neg\Box\varphi \in m$, then $\neg\varphi \in n$, for some $n \in \Omega$ such that $mRn$.


Hintikka thought of the members of $\Omega$ as partial descriptions of possible worlds. A
set $\Gamma$ of sentences is satisfiable (in the sense of Hintikka) iff there exists a model system
$S = (\Omega, R)$ and a model set $m \in \Omega$ such that $\Gamma \subseteq m$. A sentence $\varphi$ is valid iff the set
$\{\neg\varphi\}$ is not satisfiable.

Hintikka [40] sketched a tableaux-style method of proving completeness theorems in 
modal logic. The idea is a generalisation of his proof procedure for first order logic. 
Hintikka [41] states (without formal proofs) that the systems T, B, S4, S5 for sentential 
logic are sound and complete with respect to the Hintikka-style semantics where R is 
assumed to be reflexive, symmetric, reflexive and transitive, and an equivalence relation,
respectively. Rigorous completeness proofs using the tableaux method were published
by Kripke [64] for the case of quantified S5, and for numerous systems of propositional
modal logic in [67, 68].8

An important difference between Hintikka’s semantics for modal logic, on the one
hand, and the ones developed by Carnap, Kanger and Montague [83], on the other, is
that Hintikka allows the space of possibilities $\Omega$ to vary from one system to another. The
only requirement is that $\Omega$ is a non-empty set satisfying the constraints (b), (c) and (d)
above. In the formal semantics of Carnap, Kanger and Montague, on the other hand,
the space of possibilities is fixed once and for all to be the set of all state descriptions
(Carnap), the class of all systems (or alternatively, domains) (Kanger), or all first-order
models over a given domain (Montague). One could say that Carnap, Kanger and Montague
only allow interpretations of modalities that are in a sense standard and disallow
non-standard interpretations. Thus, the relationship between Hintikka’s semantics (and
the one later developed by Kripke) and the ones developed by Carnap, Kanger and Montague
is analogous to that between standard and non-standard semantics for higher-order
predicate logic. This distinction between the various approaches has been emphasised
by Cocchiarella [23] and Hintikka [46]. Allowing non-standard interpretations for modal
logics, of course, facilitated the proofs of completeness results, since the logics for logical
or analytical necessity corresponding to the standard semantics are in general not
recursively enumerable.

8 In [65], Kripke announces a great number of completeness results in modal propositional logic. He
also notes “For systems based on S4, S5, and M, similar work has been done independently and at an
earlier date by K. J. J. Hintikka”.

Kanger’s Tarski-style semantics for quantified modal logic. Kanger’s ambition was
to provide a language of quantified modal logic with a model-theoretic semantics à la
Tarski.9

A Tarski-style interpretation for a first-order predicate language $\mathcal{L}$ consists of a non-empty
domain $D$ and an assignment of appropriate extensions in $D$ to every non-logical
symbol and variable of $\mathcal{L}$. Kanger’s basic idea was to relativise the notion of extension
to various possible domains. In other words, he thought of an interpretation for a
given language $\mathcal{L}$ as a function that simultaneously assigns extensions to the non-logical
symbols and variables of $\mathcal{L}$ for every possible domain. Such a function Kanger called a
(primary) valuation. Formally, a valuation for a language $\mathcal{L}$ of quantified modal logic is
a function $v$ which for every non-empty domain $D$ assigns an appropriate extension in
$D$ to every individual constant, individual variable, and predicate constant in $\mathcal{L}$. Kanger
also introduced the notion of a system $S = (D, v)$ consisting of a designated domain $D$
and a valuation $v$. Notice that $v$ does not only assign extensions to symbols relative to
the designated domain $D$, but relative to all domains simultaneously.

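Kanger then defined the notion of a formula $\varphi$ being true in a system $S = (D, v)$ (in
symbols, $S \models \varphi$):

(1) $S \models (t_1 = t_2)$ iff $v(D, t_1) = v(D, t_2)$,
(2) $S \models P(t_1, \ldots, t_n)$ iff $(v(D, t_1), \ldots, v(D, t_n)) \in v(D, P)$,
(3) $S \not\models \bot$,
(4) $S \models (\varphi \to \psi)$ iff $S \not\models \varphi$ or $S \models \psi$,
(5) $(D, v) \models \forall x\varphi$ iff $(D, v') \models \varphi$, for each $v'$ such that $v' =_x v$,
(6) for every operator $\Box$, $S \models \Box\varphi$ iff $\forall S'$, if $S R_\Box S'$, then $S' \models \varphi$.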


Explanation: $v'$ is like $v$ except possibly at $x$ (also written, $v' =_x v$) if and only if,
for every domain $U$ and every variable $y$ other than $x$, $v'(U, y) = v(U, y)$. In the above
definition, $R_\Box$ is a binary relation between systems that is associated with the modal
operator $\Box$. $R_\Box$ is what is nowadays called the accessibility relation associated with
the operator $\Box$. Kanger points out that by imposing certain formal requirements on
the accessibility relation, like reflexivity, symmetry, transitivity, etc., one can make the
operator satisfy corresponding well-known axioms of modal logic.

One source of inspiration for Kanger’s use of accessibility relations in modal logic was
no doubt the work of Jónsson and Tarski [52] on representation theorems for Boolean
algebras with operators.10 Jónsson and Tarski define operators $\Diamond$ on arbitrary subsets
$X$ of a set $U$ in terms of binary relations $R \subseteq U \times U$ in the following way:

$\Diamond X = \{x \in U : \exists y \in X\,(yRx)\}$,

that is, $\Diamond X$ is the image of $X$ under $R$. They also point to correspondences between
properties of $\Diamond$ and properties of $R$. Among other things, they prove a representation
theorem for so-called closure algebras that, via the Tarski-Lindenbaum construction,
yields the completeness theorem for propositional S4 with respect to Kripke models with
a reflexive and transitive accessibility relation. However, Jónsson and Tarski do not say
anything about the relevance of their work to modal logic.

9 Cf. Kanger [53, 54, 55, 56, 57]. See also Lindström [81] for a more extensive discussion of Kanger’s
approach to quantified modal logic.

10 On [53, p. 39] Kanger makes an explicit reference to Jónsson and Tarski [52].
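The correspondence between properties of the operator and properties of $R$ can be checked mechanically on a small universe. The following Python is an added example, not code from the chapter: it implements the operator exactly as defined above (the image of $X$ under $R$) and tests the standard closure-algebra axioms, stated in the comments, against three constructed relations; all function and constant names are chosen here.

```python
from itertools import chain, combinations

def diamond(X, R):
    """Jonsson-Tarski operator: {x in U : some y in X with y R x}, the image of X under R."""
    return frozenset(x for (y, x) in R if y in X)

def powerset(U):
    items = sorted(U)
    return [frozenset(c) for c in
            chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))]

def failed_closure_axioms(U, R):
    """Names of the closure-algebra axioms that diamond violates on the subsets of U."""
    failed = set()
    subsets = powerset(U)
    if diamond(frozenset(), R):
        failed.add("normal")               # diamond(empty set) must be empty
    for X in subsets:
        dX = diamond(X, R)
        if not X <= dX:
            failed.add("extensive")        # X must be included in diamond(X)
        if not diamond(dX, R) <= dX:
            failed.add("idempotent")       # diamond(diamond(X)) must add nothing to diamond(X)
        for Y in subsets:
            if diamond(X | Y, R) != dX | diamond(Y, R):
                failed.add("additive")     # diamond must distribute over union
    return failed

def is_reflexive(U, R):
    return all((x, x) in R for x in U)

def is_transitive(R):
    return all((x, z) in R for (x, y) in R for (y2, z) in R if y == y2)

# Constructed sample relations on U = {0, 1, 2}.
U = {0, 1, 2}
IDENTITY = {(x, x) for x in U}
PREORDER = IDENTITY | {(0, 1), (1, 2), (0, 2)}     # reflexive and transitive
NOT_TRANSITIVE = IDENTITY | {(0, 1), (1, 2)}       # reflexive only
NOT_REFLEXIVE = {(0, 1), (1, 2), (0, 2)}           # transitive only

if __name__ == "__main__":
    for name, rel in [("preorder", PREORDER), ("not transitive", NOT_TRANSITIVE),
                      ("not reflexive", NOT_REFLEXIVE)]:
        print(name, sorted(failed_closure_axioms(U, rel)))
```

Additivity and normality hold for every relation; extensivity is lost without reflexivity and idempotence without transitivity, which is the S4 case named in the paragraph.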

Among the modal operators in $\mathcal{L}$, Kanger introduced two designated ones, $N$ (“analytic
necessity”) and $L$ (“logical necessity”), with the following semantic clauses:

$(D, v) \models N\varphi$ iff for every domain $D'$, $(D', v) \models \varphi$,
$(D, v) \models L\varphi$ iff for every system $S$, $S \models \varphi$.

A formula $\varphi$ is true in a system $(D, v)$ iff $(D, v) \models \varphi$. A formula $\varphi$ is said to be valid
(logically true) if it is true in every system $(D, v)$. A formula $\varphi$ is a logical consequence
of a set $\Gamma$ of formulae (in symbols, $\Gamma \models \varphi$) if $\varphi$ is true in every system in which all the
formulae in $\Gamma$ are true.

In order to get a clearer understanding of Kanger’s treatment of quantification, we
shall speak of selection functions that pick out from each domain an element of that
domain as individual concepts. We can think of a system $S = (D, v)$ as assigning to
each individual constant $c$ the individual concept $\{(D, v(D, c)) : D \text{ is a domain}\}$ and
to each variable $x$ the individual concept $\{(D, v(D, x)) : D \text{ is a domain}\}$. The formula
$P(t_1, \ldots, t_n)$ is true in $S = (D, v)$ if and only if the individual concepts designated by
$t_1, \ldots, t_n$ pick out objects in the domain $D$ that stand in the relation $v(D, P)$ to each
other. The identity symbol designates the relation of coincidence between individual
concepts (at the “actual” domain $D$). That is, $t_1 = t_2$ is true in a system $S = (D, v)$
if and only if the individual concepts designated by $t_1$ and $t_2$, respectively, pick out one
and the same object in the domain $D$ of $S$.

The universal quantifier $\forall x$ can now be thought of as an objectual quantifier that
ranges not over the “individuals” in the “actual” domain $D$, but over the (constant)
domain of all individual concepts. That is, $\forall x\varphi$ is true in a system $(D, v)$ if and only if
$\varphi$ is true in every system that is exactly like $(D, v)$ except, possibly, for the individual
concept that it assigns to the variable $x$.

Kanger’s solution to Quine’s paradox of identity is essentially the same as Carnap’s. 
Quine’s objection to Kanger would therefore be the same as to Carnap: Kanger’s quanti- 
fiers do not range over ordinary individuals but over individual concepts instead. More- 
over, Kanger’s treatment of quantification in modal contexts does not provide any means 
of identifying individuals from one domain to another. Hence there is no way of saying 
in Kanger’s modal language that one and the same individual has a property P and pos- 
sibly could have lacked P. That is, neither Carnap’s nor Kanger’s semantics can account 
for modality de re. 


1.4.2 Hintikka’s response to Quine’s challenge 


Quine’s interpretational challenge seemed to place the advocates of quantified modal logic
in a dilemma. They would either have to accept standard quantification theory (with
the usual laws of universal instantiation, existential generalisation and indiscernibility of
identicals) and reject quantified modal logic, or accept a quantified modal logic, where
the quantifiers were interpreted in a non-standard way à la Carnap as ranging over
intensional entities (individual concepts), rather than over robust extensional entities as
Quine would demand.

Hintikka [39, 40], however, rejected the terms in which Quine’s interpretational chal- 
lenge was stated. First of all he broadened the discussion by not only considering the 
logical modalities and Quine’s metalinguistic interpretation of these, but also epistemic 
modalities (‘It is known that p’) and deontic ones (‘It is obligatory that p’). He then 
introduced the idea of referential multiplicity. In answer to Quine’s question whether 
a certain occurrence of a singular term in a modal context is purely referential, and 
thus open to substitution and existential generalisation, or non-referential, in which case 
substitution and existential generalisation would fail according to Quine, Hintikka [39] 
pointed to a third possibility. According to the classical Fregean approach [32] singular 
terms would in non-extensional contexts not have their standard reference but instead 
refer to intensional entities, their ordinary senses. Hintikka saw no need to postulate 
special intensional entities for the singular terms to refer to in non-extensional contexts. 
The failure of substitutivity was instead explained by the referential multiplicity of the 
singular terms and by the fact that in intensional contexts the reference of the terms in 
various alternative courses of events (“possible worlds”) is considered simultaneously. 

Informally Hintikka [39] expressed the basic ideas behind the possible worlds interpre- 
tation of modal logic in the following words: 


... we often find it extremely useful to try to chart the different courses the 
events may take even if we don’t know which one of the different charts we 
are ultimately going to make use of. ...This analogy is worth elaborating. 
The concern of a general staff is not limited to what there will actually be. Its 
business is not just to predict the course of a planned campaign, but rather 
to be prepared for all the contingencies that may crop up during it. ... Most 
of the maps prepared by the general staff represent situations that will never 
take place. ... There are for the most parts some actual units for which the 
marks on the map stand, and the mutual positions of the units are such that 
the situation could conceivably arise. ... But the location of the units on the 
maps may be different from the locations the units have or ever will have. 
Some of the marks may stand for units which have not yet been formed; other 
maps may be prepared for situations in which some of the existing units have 
been destroyed. All these features have their analogues in modal logic. 


In this example Hintikka informally speaks of the same units as occurring in different
situations (“cross-world identification of individuals”) and of individuals coming into
existence or disappearing as one goes from one situation to another (“varying domains”).
Hintikka goes on to explain the bearing of the above example on referential opacity.


We may perhaps say that when we are doing modal logic, we are doing more 
than one thing at one and the same time. We use certain symbols — constants 
and variables — to refer to the actually existing objects of our domain of 
discourse. But we are also using them to refer to the elements of certain 
other states of affairs that need not be realized. Or, which amounts to the 
same, we are employing these symbols to build up ‘maps’ or models for the 
purpose of sketching certain situations that will perhaps never take place. 
If we could confine our attention to one of these possible states of affairs 
at a time, the occurrences of our symbols would be purely referential. The 
interconnections between the different models interfere with this. But since
the symbols are purely referential within each particular model, the deviation 
from pure referentiality is not strong enough to destroy the possibility of 
employing quantifiers with pretty much the same rules as in the ordinary 
quantification theory. If I had to characterize the situation briefly, I should 
say that the occurrences of our terms in modal contexts are not usually purely 
referential, but rather that they are multiply referential. 


This idea of referential multiplicity is perhaps the basic intuitive idea behind the 
possible worlds interpretation of modal notions and of indexical semantics in general. It 
seems that Hintikka here gives one of the earliest, or perhaps the earliest, clear expression 
of the idea. 

Hintikka’s semantics for quantified modal logic is informally interpreted in such a
way that the quantifiers range over genuine individuals. Thus, Hintikka has a notion of
cross-world identification: one and the same individual may occur in different worlds.
However, the semantics allows individuals to split from one world to another, i.e., the
individuals $a$ and $b$ may be identical in one world $w_0$ but they may fail to be identical in
some alternative world to $w_0$. Thus, the principle:

($\Box =$) $\forall x\forall y(x = y \to \Box(x = y))$, (Necessity of Identity)

is not valid in Hintikka’s semantics. As a consequence, the unrestricted principle of
indiscernibility of identicals does not hold in modal contexts according to Hintikka (cf.
Hintikka [41] and later writings).


Hintikka’s solution to Quine’s paradox of identity. There are two cases to consider: 


(1) One or the other of the singular terms under consideration (‘Hesperus’ or ‘Phospho- 
rus’) is not a “rigid designator”, that is it does not designate the same individual 
in every possible world (or “scenario”) under consideration. Then, existential gen- 
eralisation fails and Quine’s paradoxical argument does not go through. 


(2) Each of the two names picks out “the same” individual in every world under consideration.
However, some scenario $w$ under consideration is such that the individual
Hesperus in $w$ is distinct from the individual Phosphorus in $w$. In this case, Quine’s
argument goes through, but Hintikka has to argue that the conclusion:

(6) $\exists x(x = \text{Hesperus} \wedge \Box(x = \text{Hesperus}))$,

(7) $\exists x(x = \text{Hesperus} \wedge \neg\Box(x = \text{Hesperus}))$

contrary to appearance, is not absurd, since an individual can “split” when we go
from one possible scenario to one of its alternatives. Consider for example:


Superman and Clark Kent are in fact identical, but Lois Lane doesn’t 
believe that they are identical. 


Hintikka may explain the apparent truth (according to the story) of this sentence by 
the fact that some scenarios (possible worlds) in which Superman and Clark Kent are 
different individuals are among Lois Lane’s doxastic alternatives in the actual world 
(where they are identical). 
1.4.3 Montague’s early semantics for quantified modal logic


A semantic approach to first-order modal predicate logic that has a certain resemblance
to Kanger’s was developed by Montague [83].11 Like Kanger, Montague starts out from
the standard model-theoretic semantics for non-modal first-order languages and extends
it to languages with modal operators. He defines an interpretation for an ordinary first-order
predicate language $\mathcal{L}$ to be a triple $\mathcal{I} = (D, I, g)$, where (i) $D$ is a non-empty set
(the domain); (ii) $I$ is a function that assigns appropriate denotations in $D$ to the non-logical
constants (predicate symbols and individual constants) of $\mathcal{L}$; and (iii) a function
$g$ (an assignment in $D$) that assigns values in $D$ to the individual variables of $\mathcal{L}$. For
each non-logical constant or variable $X$, let $\mathcal{I}(X)$ be the semantic value (i.e., denotation
for non-logical constants and value for variables) of $X$ in the interpretation $\mathcal{I}$. Then the
notion of truth relative to $\mathcal{I}$ is defined as follows:

(1) $\mathcal{I} \models P(t_1, \ldots, t_n)$ iff $(\mathcal{I}(t_1), \ldots, \mathcal{I}(t_n)) \in \mathcal{I}(P)$,
(2) $\mathcal{I} \models (t_1 = t_2)$ iff $\mathcal{I}(t_1) = \mathcal{I}(t_2)$,
(3) $\mathcal{I} \models \neg\varphi$ iff $\mathcal{I} \not\models \varphi$,
(4) $\mathcal{I} \models (\varphi \to \psi)$ iff $\mathcal{I} \not\models \varphi$ or $\mathcal{I} \models \psi$,
(5) $\mathcal{I} \models \forall x\varphi$ iff for every object $a \in D$, $\mathcal{I}(a/x) \models \varphi$.

Here, $\mathcal{I}(a/x)$ is the interpretation that is exactly like $\mathcal{I}$, except for assigning the object
$a$ to the variable $x$ as its value.

Montague now asks the same question as Kanger: How can this definition of the
truth-relation be generalised to first-order languages with modal operators? As we recall,
Kanger solved the problem by modifying the notion of an interpretation: a Kanger-type
interpretation (what he called ‘a system’) assigns denotations to the non-logical constants
and values to the variables not only for one single domain (the ‘actual’ one) but for all
domains in one fell swoop. Montague’s approach is simpler than Kanger’s: he keeps the
notion of an interpretation $\mathcal{I}$ of first-order logic intact, and just adds semantic evaluation
clauses for the modal operators. As in the Kanger semantics, each modal operator $\Box$
is associated with an accessibility relation $R_\Box$. Now, however, accessibility relations
are relations between interpretations $\mathcal{I} = (D, I, g)$ of the underlying non-modal first-order
language. The semantic clause corresponding to the operator $\Box$, with associated
accessibility relation $R_\Box$, is:

(6) $\mathcal{I} \models \Box\varphi$ iff for every interpretation $\mathcal{I}'$ such that $\mathcal{I} R_\Box \mathcal{I}'$, $\mathcal{I}' \models \varphi$.


Montague associates with the operator $L$ of logical necessity the accessibility relation
$R_L$ defined by:

$(D, I, g) R_L (D', I', g')$ iff $D = D'$ and $g = g'$.

Thus, his semantic clause for $L$ becomes:

(7) $(D, I, g) \models L\varphi$ iff for every $I'$ defined over $D$, $(D, I', g) \models \varphi$.

That is, $L\varphi$ is true in an interpretation $\mathcal{I}$ iff $\varphi$ is true in every interpretation $\mathcal{I}'$ that is
like $\mathcal{I}$ except for, possibly, assigning different semantic values to the non-logical constants
of $\mathcal{L}$.

11 Montague [83] writes: “The present paper was delivered before the Annual Spring Conference in
Philosophy at the University of California, Los Angeles, in May, 1955. It contains no results of any great
technical interest; I therefore did not initially plan to publish it. But some closely analogous, though not
identical, ideas have recently been announced by Kanger [54, 55] and by Kripke in [64]. In view of this
fact, together with the possibility of stimulating further research, it now seems not wholly inappropriate
to publish my early contribution.”

Stated in contemporary terms, Montague’s semantic clause for the logical necessity 
operator becomes: 


(8) $L\varphi$ is true in a model $M = (D, I)$ relative to an assignment $g$ iff for every model
$M'$ with domain $D$, $\varphi$ is true in $M'$ relative to $g$.

Let us say that a formula $\varphi$ of $\mathcal{L}$ is $D$-valid relative to $g$ iff for every model $M$ with
domain $D$, $\varphi$ is true in $M$ relative to $g$. We say that $\varphi$ is $D$-valid iff it is $D$-valid
relative to every assignment $g$ in $D$. Then, from Montague’s semantic clause for $L$, we
can conclude:

(9) $L\varphi$ is true in $M = (D, I)$ relative to $g$ iff $\varphi$ is $D$-valid relative to $g$,
and
(10) $L\varphi$ is true in $M = (D, I)$ iff $\varphi$ is $D$-valid.

We say that a formula $\varphi$ of $\mathcal{L}$ is logically true iff it is $D$-valid in every non-empty domain
$D$.

Montague’s [83] semantics for L is exactly what Cocchiarella [23] refers to as the 
“primary semantics” for logical necessity. Hence, we can reformulate Cocchiarella’s [23] 
incompleteness theorem for that semantics as follows: 


THEOREM 2. Suppose that L contains at least one binary predicate symbol. Then, the 
set of logically true sentences in Montague’s [88] semantics for logical necessity is not 
recursively enumerable. Thus, Montague’s [88] logic for logical necessity is not axioma- 
tizable. 


Montague’s solution to Quine’s paradox of identity. According to Montague’s interpretation,
$L\varphi$ is logically equivalent with a formula of second-order predicate logic ()$\varphi$, where
() stands for a string of universal quantifiers that bind all non-logical symbols in $\varphi$. In
other words, Montague’s semantics induces a translation from first-order modal logic to
extensional second-order predicate logic. According to Montague’s semantics from [83],
the quantifier $\forall x$ is interpreted as a genuine quantifier over individuals. Free variables
are “directly referential”, i.e., a free variable is interpreted uniformly inside a formula as
standing for one and the same individual regardless of where in the formula it occurs.
Individual constants, on the other hand, are reinterpreted freely from one interpretation
to another.

Montague’s semantics validates the following principles without restrictions:

(LI) $\forall x(x = x)$, (Law of Identity)

(I=) $\forall x\forall y(x = y \to (\varphi(x/z) \to \varphi(y/z)))$. (Indiscernibility of Identicals)

In addition, we have: $\forall x L(x = x)$. Therefore, the following principle is valid:

(CI) $\forall x\forall y(x = y \to L(x = y))$. (Necessity of Identity)

But the following is not valid:

Phosphorus = Hesperus $\to$ $L$(Phosphorus = Hesperus).


It follows that the principles of Universal Specification (US) and Existential Generali- 
sation (EG) are not valid. Thus, Quine’s paradoxical argument (Section 1.3, (1)-(7)) 
cannot be carried through within Montague’s logic. Although (US) and (EG) cannot be 
applied to individual constants, they do hold for variables. 

It appears that Montague’s semantical interpretation satisfies all requirements imposed 
by Quine [92] on an interpretation of quantified modal logic for the logical modalities. 
However, Montague’s semantics still has counterintuitive consequences. Consider, for 
instance, the following proof of the thesis that everything there is exists necessarily: 


(1) $\forall x\exists y(x = y)$   predicate logic
(2) $L\forall x\exists y(x = y)$   from (1) by necessitation
(3) $\forall x\exists y(x = y) \to \exists y(x = y)$   universal specification (US) (for variables)
(4) $L(\forall x\exists y(x = y) \to \exists y(x = y))$   from (3) by necessitation
(5) $L\exists y(x = y)$   from (2) and (4) by modal logic
(6) $\forall x L\exists y(x = y)$   from (5) by universal generalization (UG)


This proof is valid according to Montague’s semantics: line (1) is logically true and the 
steps in the proof preserve logical truth. It is also easy to see directly that the conclusion 
(6) of the argument is logically true according to Montague’s definition. This conclusion, 
however, is extremely counterintuitive (provided we read the quantifiers in the normal 
way as ranging over ordinary objects). Intuitively, it is simply false that everything there 
is exists necessarily. Hence, there are still problems with Montague’s semantics. We 
shall return to the above problematic argument in connection with Kripke’s [66] possible 
worlds semantics. 

It should also be noted that Montague’s semantics validates the schema:

(I) $\exists x L\varphi(x) \leftrightarrow \forall x L\varphi(x)$.

i.e., $\varphi$ holds necessarily of one thing just in case $\varphi$ holds necessarily of everything. Moreover,
the semantics validates the Barcan schema and its converse:

(BF) $\forall x L\varphi(x) \to L\forall x\varphi(x)$

(CBF) $L\forall x\varphi(x) \to \forall x L\varphi(x)$.

From (I), (BF) and (CBF) we infer:

(II) $\exists x L\varphi(x) \leftrightarrow L\forall x\varphi(x)$.

That is, a property holds necessarily of one thing just in case it is necessary that it holds
of everything.

According to Montague’s semantics the logically necessary properties are the same for 
everything; namely, just those properties that by logical necessity hold of everything. 
That is, Montague’s semantics is essentialist in the weak Quinean sense of distinguishing 
between properties that hold necessarily of a thing and properties that hold only con- 
tingently of it. But it rejects the strong essentialist thesis that there are properties that 
some objects have necessarily and others do not have at all, or have only contingently 
(cf. [8, 89]).12 Hence, condition (I) seems to be correct, as long as we speak of logical
necessity. Logic does not discriminate between individuals, so if F is a logically necessary 
property of one thing, it is a logically necessary property of everything there is.13 

The Barcan formula and its converse, however, are dubious. Consider first (BF).
Suppose that $a$ is the only thing that exists. Then, $\forall x L(x = a)$. However, it does not
seem intuitively correct to infer: $L\forall x(x = a)$. Next, consider (CBF). Clearly, $L\forall x\exists y(x = y)$.
If (CBF) were valid, we could infer $\forall x L\exists y(x = y)$, which, as we have already
pointed out, is counterintuitive. We will return to the semantic significance of (BF)
and (CBF) in Section 1.4.4. Finally, condition (II) is clearly counterintuitive. Burgess
[14] says of (II) that it “could silence any critic who claimed the notion of de re modality
to be more obscure than that of de dicto modality, but would do so only at the cost of
making de re notation pointless”.


1.4.4 Kripke’s semantics for quantified modal logic 


Kripke 1959. The possible worlds semantics introduced by Kripke [64] may be cast in
the following form (which differs from Kripke’s original formulation in terminology as
well as in some minor details). We consider a language $\mathcal{L}$ of modal predicate logic with
identity containing for each $n \geq 1$, a denumerably infinite list of $n$-ary predicate symbols,
but no function symbols or individual constants. Let $D$ be a non-empty set. We define
a valuation for $\mathcal{L}$ over $D$ to be a function $V$ which to every $n$-ary predicate symbol
$P$ ($n \geq 1$) in $\mathcal{L}$ assigns a value $V(P) \subseteq D^n$. An assignment in $D$ is a function $g$ which to
every individual variable $x$ assigns a value $g(x) \in D$. A model over $D$ is an ordered pair
$M = (K, V_0)$ such that (i) $K$ is a set of valuations for $\mathcal{L}$ over $D$, and (ii) $V_0 \in K$.

Given a model $M = (K, V_0)$ over $D$, a valuation $V$ in $K$, assignment $g$ in $D$, and
formula $\varphi$ we define recursively what it means for $\varphi$ to be true in $V$ relative to $M$ and
$g$ (in symbols: $V \models_M \varphi[g]$):

$V \models_M P(x_1, \ldots, x_n)[g]$ iff $(g(x_1), \ldots, g(x_n)) \in V(P)$,
$V \models_M (x = y)[g]$ iff $g(x) = g(y)$,
$V \models_M \neg\varphi[g]$ iff $V \not\models_M \varphi[g]$,
$V \models_M (\varphi \to \psi)[g]$ iff $V \not\models_M \varphi[g]$ or $V \models_M \psi[g]$,
$V \models_M \forall x\varphi[g]$ iff for every object $a \in D$, $V \models_M \varphi[g(a/x)]$,
$V \models_M \Box\varphi[g]$ iff for every valuation $V'$ in $K$, $V' \models_M \varphi[g]$.

As usual, $g(a/x)$ is the assignment that is exactly like $g$ except for assigning $a$ to the
variable $x$.

We say that $\varphi$ is true in $M$ relative to $g$ if $V_0 \models_M \varphi[g]$. $\varphi$ is true in $M$ if $V_0 \models_M \varphi[g]$
for every assignment $g$ in $D$. $\varphi$ is valid in the domain $D$ if $\varphi$ is true in all models $M$
over $D$. $\varphi$ is universally valid if $\varphi$ is valid in every non-empty domain $D$ (i.e., just in
case $\varphi$ is true in every model $M$).

12 See also Kaplan’s [61] penetrating analysis of the distinction between logical and metaphysical necessity.
According to Kaplan, logical necessity is committed to a benign form of Aristotelian essentialism
that “makes a specification of an individual essential only if it is logically true of that individual”.
Metaphysical necessity, on the other hand, is invidious, since it allows for distinct individuals to have different
essential properties.

13 On the other hand, (I) is clearly counterintuitive for metaphysical necessity. Let, for example, $\varphi(x)$
be the formula ‘$(\exists y(y = x) \to x \in \{\text{Socrates}\})$’ and let $\Box$ stand for metaphysical necessity. Then,
$\Box\varphi(\text{Socrates})$ is true. Socrates is a member of {Socrates}, in every possible world where Socrates exists.
But, of course, $\Box\varphi(\text{Plato})$ is false. Thus (I) fails for metaphysical necessity.

Kripke gives the following intuitive motivation for this semantics: The valuations in $K$
are thought of as representing the set of all “possible” (or “conceivable” or “imaginable”)
worlds. The valuation $V_0$ represents the “real” world. It is assumed that the set $D$ of
individuals is the same for all possible worlds. Necessity is defined as truth in all possible
worlds.

Kripke’s [64] semantics validates all the classically valid schemata of first-order predicate
logic with identity, the characteristic axioms of S5, as well as the Barcan formula
(BF) and its converse (CBF). The set of valid sentences is closed under modus ponens,
uniform substitution, necessitation, and universal generalization. In [64], Kripke defines
a formal system $S5^{*=}$ for quantified modal logic and proves using semantic tableaux
methods that it is sound and complete for the given semantics.

Let us now compare Kripke’s [64] semantics with Montague’s semantics [83] for logical
necessity. Let us say that a Kripke [64] model $M = (K, V_0)$ over a non-empty domain $D$
is maximal if $K$ contains all valuations for $\mathcal{L}$ over $D$.14

Montague’s semantics for logical necessity differs from Kripke’s [64] semantics in considering
maximal models only. We obtain Montague’s semantics for logical necessity by
imposing the requirement on Kripke’s [64] models that the set $K$ should contain all valuations
$V$ for $\mathcal{L}$ over $D$. Hence, a sentence $\varphi$ of $\mathcal{L}$ is logically true in Montague’s [83]
semantics for logical necessity iff it is true in all maximal Kripke [64] models. By restricting
our attention to maximal models, we get what Cocchiarella [23] calls the “primary
semantics” for logical necessity.
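The difference between arbitrary and maximal models, and Montague's treatment of identity in Section 1.4.3, can be checked by brute force on a two-element domain. The following Python is an added example, not taken from the chapter: formulas are nested tuples, the function names and the sentence `NOT_NEC_P` are constructed here, the constants `h` and `p` stand for Hesperus and Phosphorus (constants belong to Montague's language, not to Kripke's 1959 one), and a check over one small domain illustrates the definitions without establishing validity in every domain.

```python
from itertools import chain, combinations, product

def den(t, V, g):
    """Denotation of a term: variables are read from g, constants from the valuation V."""
    return g[t] if t in g else V[t]

def holds(f, V, K, D, g):
    """V |=_M f[g] for a model M = (K, V0); box quantifies over every valuation in K."""
    op = f[0]
    if op == "atom":
        return tuple(den(t, V, g) for t in f[2]) in V[f[1]]
    if op == "eq":
        return den(f[1], V, g) == den(f[2], V, g)
    if op == "not":
        return not holds(f[1], V, K, D, g)
    if op == "imp":
        return (not holds(f[1], V, K, D, g)) or holds(f[2], V, K, D, g)
    if op == "all":
        return all(holds(f[2], V, K, D, {**g, f[1]: a}) for a in D)
    if op == "box":
        return all(holds(f[1], W, K, D, g) for W in K)
    raise ValueError(f"unknown connective {op!r}")

def exists(x, f):
    return ("not", ("all", x, ("not", f)))

def subsets(items):
    items = list(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))

def all_valuations(D, preds, consts=()):
    """Every valuation over D: a subset of D^n per predicate, an element of D per constant."""
    names = sorted(preds)
    pred_choices = [[frozenset(s) for s in subsets(product(D, repeat=preds[n]))]
                    for n in names]
    const_choices = [list(D) for _ in consts]
    return [dict(zip(names + list(consts), combo))
            for combo in product(*pred_choices, *const_choices)]

def valid_in_domain(f, D, preds, consts=(), maximal_only=False):
    """Truth of sentence f in all models (K, V0) over D, or only in the maximal ones."""
    full = all_valuations(D, preds, consts)
    families = [full] if maximal_only else [K for K in subsets(full) if K]
    return all(holds(f, V0, K, D, {}) for K in families for V0 in K)

D = (0, 1)
PREDS = {"P": 1}

def P(t):
    return ("atom", "P", (t,))

BF = ("imp", ("all", "x", ("box", P("x"))), ("box", ("all", "x", P("x"))))
CBF = ("imp", ("box", ("all", "x", P("x"))), ("all", "x", ("box", P("x"))))
NEC_EXISTENCE = ("all", "x", ("box", exists("y", ("eq", "x", "y"))))
SCHEMA_I = ("imp", exists("x", ("box", P("x"))), ("all", "x", ("box", P("x"))))
NOT_NEC_P = ("not", ("box", exists("x", P("x"))))        # constructed sentence
NI_VARS = ("all", "x", ("all", "y",
           ("imp", ("eq", "x", "y"), ("box", ("eq", "x", "y")))))
NI_CONSTS = ("imp", ("eq", "h", "p"), ("box", ("eq", "h", "p")))

if __name__ == "__main__":
    for name, f in [("BF", BF), ("CBF", CBF), ("(I)", SCHEMA_I), ("not-nec-P", NOT_NEC_P)]:
        print(name, "all models:", valid_in_domain(f, D, PREDS),
              "maximal only:", valid_in_domain(f, D, PREDS, maximal_only=True))
```

The instance of schema (I) and the constructed sentence hold in every maximal model over this domain but fail in some non-maximal one, which is the gap between Montague's logical truth and Kripke's validity; the identity check with constants fails even in the maximal models, as the text states.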

At this point it is natural to ask what intended interpretation Kripke had in mind for 
the necessity operator in 1959. Was it logical necessity, analytical necessity, or perhaps 
some kind of metaphysical necessity? One reason for thinking that Kripke’s notion of 
necessity in 1959 was not logical necessity is his use of models that are non-maximal (or 
“non-standard” in the terminology of Hintikka [46]). Instead of working with all models 
or valuations over D, like Montague, or with all possible systems as Kanger, Kripke is 
considering an arbitrary non-empty subset of all possible valuations. This feature of his 
models may suggest that Kripke’s intended interpretation of the necessity operator is not 
strict logical necessity, but perhaps instead some kind of metaphysical necessity. This 
conclusion is however, not unavoidable: Kripke’s intended interpretation of the necessity 
operator could still have been logical necessity and his intended interpretations could still 
be some or all of the mazimal models. Kripke’s reason for allowing non-maximal models, 
in addition to maximal ones, when defining validity, could have been logical rather then 
philosophical.!° If Kripke, like Kanger and Montague, had chosen to work only with 
maximal models, the set of valid sentences would not have been recursively enumerable 
and there would be no completeness theorem to be proved. Kripke’s intended model 
could, for instance, be a maximal model over some infinite set. A modal sentence of an 
interpreted language of modal predicate logic would then be true if it was true in the 


14The term “maximal model” was introduced by Parsons [89] in connection with Kripke’s [66] semantics 
for quantified logic. It is less tendentious than Hintikka’s term “standard model”. 

15Ballarin [4] argues that Kripke’s development of his possible worlds semantics was driven entirely 
“by formal considerations, not interpretive concerns”.

intended model. Interpreted in this way, Kripke’s 1959 approach would be very close to
Montague’s of 1960. The only essential difference would be Kripke’s use of non-standard 
models in addition to the standard ones for the purpose of defining a notion of universal 
validity that is recursively enumerable. 

On the other hand, in [64, p. 3], Kripke speaks of K as representing the set of all 
“conceivable” worlds. He writes “...a proposition $\Box B$ is evaluated as true when and only
when B holds in all conceivable worlds”. This seems to indicate that Kripke’s operator 
of [1959] should not be interpreted as strict logical necessity. It is very likely that the 
set of valuations representing all “conceivable” worlds is a proper subset of the set of 
absolutely all valuations. Thus Kripke may have had philosophical reasons, in addition 
to formal ones, for favouring a “non-standard” semantics allowing non-maximal models 
to a “standard” one.¹⁶


Kripke 1963. We present a version of Kripke’s [66] semantics for modal predicate 
logic with identity, where the notion of a possible world is an explicit ingredient of the 
semantic theory. We differ from Kripke [66] in letting the language $\mathcal{L}$ contain individual
constants. 

A (Kripke) frame (or, to use Kripke’s own terminology, a model structure) for a language
$\mathcal{L}$ of first-order modal predicate logic (with identity and individual constants, but
no function symbols) is a quintuple $F = \langle W, D, R, E, w_0\rangle$ where (i) W is a non-empty
set; (ii) D is a non-empty set; (iii) $R \subseteq W \times W$; (iv) E is a function which to each
$w \in W$ assigns a subset $E_w$ of D; and (v) $w_0$ is a designated element of W. Intuitively
we think of matters thus: W is the set of all (possible) worlds (possible states of affairs,
possible ways the world could have been), D is the set of all (possible) individuals, R is
the accessibility relation between worlds, for each world w, $E_w$ is the set of individuals
that exist in w; and $w_0$ is the actual world. It is required that $D = \bigcup_{w \in W} E_w$, i.e., that
every possible individual exists in at least one world.

Next, let us say that I is an interpretation (in D with respect to W) if it is a family of
functions $I_w$, where w ranges over W, such that $I_w$ assigns a subset $I_w(P)$ of $D^n$ to each
n-ary predicate constant P of $\mathcal{L}$ and an element $I_w(c) \in D$ to each individual constant c
of $\mathcal{L}$. A Kripke model (for $\mathcal{L}$) is an ordered pair $M = \langle F, I\rangle$, where $F = \langle W, D, R, E, w_0\rangle$
is a frame and I is an interpretation in D with respect to W. A model M of the form
$\langle F, I\rangle$ is said to be based on the frame F.

Observe that $I_w(P)$ is not necessarily a subset of $(E_w)^n$, i.e., the extension of P in w
may contain individuals that do not exist in w. Nor do we require that $I_w(c) \in E_w$. An
assignment in M is a function g which assigns to each variable x an element g(x) in D.
For any term t in $\mathcal{L}$, we define $M_w(t, g)$ to be g(t) if t is a variable; and $I_w(t)$ if t is an
individual constant. We speak of $M_w(t, g)$ as the denotation of the term t at the world
w relative to the model M and the assignment g.

With these notions in place, we can define what it means for a formula $\varphi$ to be true at
a world w with respect to the model M and the assignment g (in symbols, $w \models_M \varphi[g]$):


(1) $w \models_M P(t_1, \ldots, t_n)[g]$ iff $\langle M_w(t_1, g), \ldots, M_w(t_n, g)\rangle \in I_w(P)$.
(2) $w \models_M (t_1 = t_2)[g]$ iff $M_w(t_1, g) = M_w(t_2, g)$.
(3) $w \models_M \neg\varphi[g]$ iff $w \not\models_M \varphi[g]$.


16Cf., however, Almog [1, p. 217], who writes about Kripke [64]: “... Kripke had at the time nothing 
more than “complete assignments,” and the modality he worked with was definitely logical possibility”.

(4) $w \models_M (\varphi \to \psi)[g]$ iff $w \not\models_M \varphi[g]$ or $w \models_M \psi[g]$.

(5) $w \models_M \forall x\varphi[g]$ iff, for every $a \in E_w$, $w \models_M \varphi[g(a/x)]$.

(6) $w \models_M \Box\varphi[g]$ iff, for every $u \in W$ such that $wRu$, $u \models_M \varphi[g]$.


We say that $\varphi$ is true with respect to the model M and the assignment g (in symbols
$\models_M \varphi[g]$), iff $\varphi$ is true at the actual world $w_0$ with respect to M and g. $\varphi$ is true in the
model M (in symbols, $\models_M \varphi$), if for every assignment g, $\models_M \varphi[g]$. $\varphi$ is true in a frame
F (in symbols, $\models_F \varphi$) if $\varphi$ is true in every model based on F. Let K be a class of frames.
We say that $\varphi$ is K-valid if $\varphi$ is true in every $F \in K$.

Observe that there are two notions of validity that are naturally defined on classes of 
Kripke frames. With respect to the notion that we have just defined — we may call it 
real-world validity — the actual world plays a special role: a sentence $\varphi$ is real-world
valid in a class K of frames if it is true at the actual world in every frame in K. Then,
there is another notion of validity that we may call general validity: A sentence $\varphi$ is
generally valid in a class K just in case it is true at each world w in each frame in K.¹⁷
In the definition of general validity, the designated point of a Kripke model does not play 
any role. Thus, if we are only interested in general validity, there is no need to provide 
Kripke frames with designated worlds. Let us write Fk and FX for real-world validity 
in K and general validity in K, respectively. Then we have, for any sentence $\varphi$ of $\mathcal{L}$


(1) Ek y% iff Fx Oy 
Let us say that a class K of Kripke frames is normal iff it satisfies the condition: 


Whenever F is in K and F’ is a frame that differs from F only with respect 
to which world is the actual one, then F’ is also in K. 


For normal classes of frames, real-world validity coincides with general validity.
Thus, for any sentence $\varphi$ of $\mathcal{L}$,


(1) if K is normal, then Fx ọ iff Fk Y 


The semantic import of the Barcan formula and its converse. Notice that Kripke frames
in general have varying domains, i.e., the domains of quantification $E_w$ are allowed to
vary from one possible world to another. We say that a frame $F = \langle W, D, R, E, w_0\rangle$
has increasing domains iff for all $u, v \in W$, if $uRv$, then $E_u \subseteq E_v$. F has decreasing
domains iff for all $u, v \in W$, if $uRv$, then $E_v \subseteq E_u$. F has locally constant domains
iff for all $u, v \in W$, if $uRv$, then $E_u = E_v$. F has globally constant domains iff for all
$u \in W$, $E_u = D$. We also say that F is a constant domain frame iff F has globally
constant domains.
Consider now the following conditions on frames F: 


(ID) F has increasing domains. 
(DD) F has decreasing domains. 
(LCD) F has locally constant domains. 


17Cf. [51, 22-24], for a comparison between the two concepts of logical truth (validity) and for the 
history of the distinction between the two.

(CBF) Every instance of the converse Barcan formula: $\Box\forall x\varphi(x) \to \forall x\Box\varphi(x)$, is
generally valid in every model based on F.

(BF) Every instance of the Barcan formula: $\forall x\Box\varphi(x) \to \Box\forall x\varphi(x)$, is generally
valid in every model based on F.

(CBF + BF) Every instance of the Barcan formula and its converse is generally valid in
every model based on F.


There is an exact correspondence between the conditions (ID), (DD), (LCD) and (CBF), 
(BF) and (CBF + BF), respectively (cf. [30]). That is: 


(i) F has increasing domains iff it satisfies (CBF). 
(ii) F has decreasing domains iff it satisfies (BF). 
(iii) F has locally constant domains iff it satisfies (CBF + BF). 
Moreover, 


(iv) A sentence is generally valid in the class of all constant domain frames iff it is 
generally valid in all locally constant domain frames. 


We may introduce an existence predicate E as a new logical constant and give it the 
semantic clause: 


$w \models_M E(t)[g]$ iff $M_w(t, g) \in E_w$.


However, this is unnecessary as long as we have identity in the language, since the
predicate E is definable in terms of the existential quantifier and identity:


$w \models_M E(t)[g]$ iff $w \models_M \exists y(y = t)[g]$, where y is a variable that is distinct from t.


Hence, we may take E(t) as an abbreviation of $\exists y(y = t)$.
In terms of E we can express the requirements of increasing and decreasing domains
in a simple way:


(v) F has increasing domains iff the sentence $\Box\forall x\Box E(x)$ is valid in F.


(vi) F has decreasing domains iff the formula $\Box(\Diamond E(x) \to E(x))$ is valid in F.


We are especially interested in frames where R is the universal relation in W, i.e., in 
which: 


$w \models_M \Box\varphi[g]$ iff, for every $u \in W$, $u \models_M \varphi[g]$.


Let QS5= be the class of all such frames. It follows from what we have stated above, 
that neither the Barcan formula nor its converse is (QS5=)-valid. 

In order to illustrate the difference between Kripke’s [66] semantics and his earlier 
semantics from 1959, consider again the purported proof that everything there is exists 
necessarily (Section 1.4.3). The proof is valid in the semantics of Montague [83] as well 
as in Kripke [64]. However, according to Kripke [66], the argument fails. It is easy to see 
that the conclusion is not valid according to Kripke [66]. When we look at the purported 
proof, we see that it is line (3) that fails:

(3) $\forall x\exists y(x = y) \to \exists y(x = y)$   universal specification (US) (for variables)


That is, (US) is not valid according to Kripke [66] (not even for variables): The universal 
quantifier in the antecedent of (3) ranges over the domain of actually existing objects, 
while the free variable x in the succedent may take possible objects as values that lie 
outside the domain of actually existing objects. The failure of this intuitively invalid 
argument in Kripke’s [66] semantics speaks in favour of this semantics in comparison 
with Montague [83] and Kripke [64]. 
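
The correspondences (i)-(iii) and the failure of line (3) can be checked mechanically on small frames. The Python sketch below is an added example, not part of the handbook: the tuple encoding of formulas, the function names and the three two-world frames are constructed here, and only the atomic instance φ(x) = P(x) of each Barcan schema is tested.

```python
from itertools import combinations, product

# Formulas are nested tuples (an encoding constructed for this example):
#   ("P", x)  ("eq", x, y)  ("not", f)  ("imp", f, g)  ("all", x, f)  ("box", f)
# A frame is (W, D, R, E). The designated world w0 is left out because
# general validity, which is what is checked here, does not use it.
# An interpretation I maps each world w to the extension I_w(P) of one unary P.

def holds(frame, I, w, f, g):
    """Truth of f at world w under interpretation I and assignment g."""
    W, D, R, E = frame
    op = f[0]
    if op == "P":      # clause (1): I_w(P) may contain non-existents of w
        return g[f[1]] in I[w]
    if op == "eq":     # clause (2): variables keep their value across worlds
        return g[f[1]] == g[f[2]]
    if op == "not":    # clause (3)
        return not holds(frame, I, w, f[1], g)
    if op == "imp":    # clause (4)
        return (not holds(frame, I, w, f[1], g)) or holds(frame, I, w, f[2], g)
    if op == "all":    # clause (5): the quantifier ranges over E_w only
        return all(holds(frame, I, w, f[2], {**g, f[1]: a}) for a in E[w])
    if op == "box":    # clause (6): every R-successor of w
        return all(holds(frame, I, u, f[1], g) for u in W if (w, u) in R)
    raise ValueError(f"unknown operator {op!r}")

def subsets(s):
    items = sorted(s)
    return [set(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def interpretations(W, D):
    """Every way of choosing an extension of P (a subset of D) at each world."""
    worlds = sorted(W)
    for exts in product(subsets(D), repeat=len(worlds)):
        yield dict(zip(worlds, exts))

def counterexample(frame, f, free=()):
    """First (I, w, g) at which f is false, or None if there is none."""
    W, D, R, E = frame
    for I in interpretations(W, D):
        for w in sorted(W):
            for vals in product(sorted(D), repeat=len(free)):
                g = dict(zip(free, vals))
                if not holds(frame, I, w, f, g):
                    return I, w, g
    return None

def generally_valid(frame, f, free=()):
    """f is true at every world of every model based on the frame."""
    return counterexample(frame, f, free) is None

def exists(x, f):
    return ("not", ("all", x, ("not", f)))

Px = ("P", "x")
BF = ("imp", ("all", "x", ("box", Px)), ("box", ("all", "x", Px)))
CBF = ("imp", ("box", ("all", "x", Px)), ("all", "x", ("box", Px)))
X_EXISTS = exists("y", ("eq", "x", "y"))            # ∃y(x = y)
US3 = ("imp", ("all", "x", X_EXISTS), X_EXISTS)     # line (3), x free on the right

# Constructed sample frames: world 0 sees world 1, D is the union of the E_w.
W, D, R = {0, 1}, {"a", "b"}, {(0, 1)}
INCREASING = (W, D, R, {0: {"a"}, 1: {"a", "b"}})
DECREASING = (W, D, R, {0: {"a", "b"}, 1: {"a"}})
CONSTANT = (W, D, R, {0: {"a", "b"}, 1: {"a", "b"}})

if __name__ == "__main__":
    for name, fr in [("increasing", INCREASING), ("decreasing", DECREASING),
                     ("constant", CONSTANT)]:
        print(name,
              "BF:", generally_valid(fr, BF),
              "CBF:", generally_valid(fr, CBF),
              "(3):", generally_valid(fr, US3, free=("x",)))
```

On the increasing-domain frame the falsifying case for (3) is world 0 with x assigned b, an individual that exists only in world 1.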


Rigid designators. Kripke’s [66] semantics validates the Law of Identity,

(L=) $\forall x(x = x)$,

as well as the principle of Indiscernibility of Identicals,

(=) $\forall x\forall y(x = y \to (\varphi(x/z) \to \varphi(y/z)))$,


applicable without restrictions also to modal contexts $\varphi(z)$. From these principles, together
with the rule of Necessitation it is easy to infer:


($\Box$=) $\forall x\forall y(x = y \to \Box(x = y))$ (Necessity of Identity)


($\Box\neq$) $\forall x\forall y(x \neq y \to \Box(x \neq y))$. (Necessity of Distinctness)

However, neither


(1) $c = d \to \Box(c = d)$


nor

(2) $c \neq d \to \Box(c \neq d)$,


is valid, for arbitrary individual constants c, d. This reflects an important difference 
between how individual variables and individual constants are treated in our modelling: 
in spite of their name, the denotation of individual constants may vary from one possi- 
ble world to another, whereas the denotation of variables — in spite of their name — 
remains fixed throughout the universe of possible worlds. Here is obviously a niche to 
be filled! Suppose we introduce a new syntactic category of names and require that the 
interpretation of a name n be constant over the set of all possible worlds in any model 
M; formally, 


$I_u(n) = I_v(n)$,


for all $u, v \in W$. Then, if n and m are any names, then:


(3) $n = m \to \Box(n = m)$
(4) $n \neq m \to \Box(n \neq m)$.


are both valid. The proposed modification amounts to treating the elements of the new 
category of names as what is now known, after Kripke [71], as rigid designators. In 
[71] Kripke made the claim that ordinary “proper names” in natural language are rigid 
designators. 


Maximal models and maximal validity. Next, we introduce a special kind of Kripke
models that we refer to as maximal models. We say that an ordered triple $\langle D, A, V\rangle$ is a
first-order model for $\mathcal{L}$ with outer domain D and inner domain A iff (i) $D \neq \emptyset$, $A \subseteq D$;
and (ii) for each n-ary predicate constant P, $V(P) \subseteq D^n$; (iii) for each individual constant
c, $V(c) \in D$.

A Kripke model $M = \langle W, D, R, E, w_0, I\rangle$ is maximal if (i) $R = W \times W$; (ii) for every
subset A of D and every first-order model $\langle D, A, V\rangle$ with outer domain D and inner
domain A, there exists a $w \in W$ such that $E_w = A$ and $I_w = V$; and (iii) if $u, v \in W$ and
$E_u = E_v$ and $I_u = I_v$, then $u = v$. Thus, in a maximal Kripke model with individual
domain D, the possible worlds can be identified with all first-order models with outer
domain D. Thus, for each non-empty set D, there is a unique maximal Kripke model
with individual domain D.

The notion of a maximal Kripke model is due to Terence Parsons [89]. Montague’s [83]
models correspond to the maximal Kripke models with a constant domain, i.e. where
each $E_w = D$. If M is the maximal Kripke model with domain D, then for every formula
$\varphi$ of $\mathcal{L}$:


$\Box\varphi$ is true at a world w in M relative to an assignment g iff $\varphi$ is true in every
first-order model with outer domain D relative to g.


Thus, it is natural to interpret $\Box$ as a kind of logical (or combinatorial) necessity with
respect to maximal Kripke models: $\Box\varphi$ is true in a maximal model with domain D iff $\varphi$
is true in every first-order model with outer domain D.

Let us say that a formula $\varphi$ is maximally valid iff for every maximal Kripke model M
and every assignment g in M, $\models_M \varphi[g]$. Observe that the set of maximally valid sentences
is not closed under uniform substitution of arbitrary sentences for atomic sentences: for
an atomic formula $Pc$, $\Diamond Pc$ is maximally valid, but, of course, $\Diamond\varphi$ is not in general
maximally valid. Moreover, if $\varphi$ is a formula that does not contain $\Box$ or $\Diamond$ which is not a
theorem of first-order logic, then $\neg\Box\varphi$ is maximally valid. Of course, neither the Barcan
schema nor its converse is maximally valid.

Suppose now that the intended model of $\mathcal{L}$ is some maximal Kripke model $M_0$ with
an infinite domain $D_0$. Then, all sentences of the form:


(n) $\Diamond\exists x_1 \ldots \exists x_n(x_1 \neq x_2 \wedge \ldots \wedge x_1 \neq x_n \wedge x_2 \neq x_3 \wedge \ldots \wedge x_2 \neq x_n \wedge \ldots \wedge x_{n-1} \neq x_n)$,


where $x_1, \ldots, x_n$ are n (n > 1) distinct variables, are true in (the intended model for) $\mathcal{L}$.
This appears to be as it should be, given the interpretation of $\Diamond$ as (a kind of) logical
possibility. With this notion of truth in $\mathcal{L}$, we can associate various notions of logical
truth. One alternative is to say that a sentence in $\mathcal{L}$ is logically true iff it is true in
every maximal model with the given outer domain D. With this notion all the sentences
(n) come out as logically true. Another alternative is to say that a sentence is logically
true if it is maximally valid, i.e., true in all maximal Kripke models. Then the sentences
(n) are no longer logically true. Finally, we may identify logical truth in $\mathcal{L}$ with truth
in all QS5=-Kripke models. Of these choices, only the last one satisfies the standard
requirement on a logic of being closed under uniform substitution. Thus, if we insist that
a logic should be closed under uniform substitution, it is reasonable to identify logical
truth in $\mathcal{L}$ with Kripke’s notion of universal validity. Hence, regardless of whether the
intended model is a maximal model or not, we may reasonably conclude that the logic
of alethic necessity is the set of all QS5=-valid sentences. By this line of reasoning, we
come to the conclusion that regardless of whether we interpret $\Box$ as standing for logical
or metaphysical necessity, the logic of $\Box$ will be the same.


Kripke versus Quine. In 1959 Kripke wrote: 


It is noteworthy that the theorems of this paper can be formalized in a met- 
alanguage (such as Zermelo set theory) which is “extensional,” both in the 
sense of possessing set-theoretic axioms of extensionality and in the sense of 
postulating no sentential connectives other than the truth-functions. Thus it 
is seen that at least a certain non-trivial portion of the semantics of modality 
is available to an extensionalist logician. 


Perhaps, Kripke meant that he had refuted Quine’s scepticism about quantified modal 
logic. Had he not after all done for quantified modal logic what Tarski and others 
had done for non-modal predicate logic: provided it with an extensional set-theoretic 
semantics? In addition he had axiomatised the logic and proved it complete for the given 
semantics. What else could one require of the interpretation of a logic? 

Quine, however, was not satisfied. In 1972 he writes in a review of Kripke’s paper 
‘Identity and Necessity’ [96]: 


The notion of possible world did indeed contribute to the semantics of modal 
logic, and it behoves us to recognize the nature of its contribution: it led to 
Kripke’s precocious and significant theory of models of modal logic. Models 
afford consistency proofs; also they have heuristic value; but they do not 
constitute explication. Models, however clear in themselves, may leave us 
still at a loss for the primary, intended interpretation. 


Whatever was his aim in 1959 or 1963, in his later work Kripke’s project is not to give 
an explanation of modal concepts in non-modal terms. In the Preface to Naming and 
Necessity, 1980 he writes: 


I do not think of ‘possible worlds’ as providing a reductive analysis in any 
philosophically significant sense, that is, as uncovering the ultimate nature, 
from either an epistemological or a metaphysical point of view, of modal 
operators, propositions, etc., or as ‘explicating’ them. 


Clearly, Kripke’s essentialist concept of necessity (“metaphysical necessity”) simply can- 
not be reductively explained in non-modal terms. 

Among other modellings for predicate modal logic, David Lewis’s counterpart theory 
should be mentioned.¹⁹ According to the Kripke paradigm, an individual may exist in
more than one possible world (with respect to our formal modelling, it is possible that
$E_u$ and $E_v$ should overlap, even if $u \neq v$). For Lewis, however, each individual inhabits
only its own possible world; but it may have counterparts in other possible worlds. This 
approach has also been influential, both in philosophical and in mathematical quarters. 


1.5 General intensional logic 


1.5.1 Carnap-Montague’s Intensional Logic 


Frege’s theory of Sinn (sense) and Bedeutung (denotation, reference), which was outlined 
in the article ‘Über Sinn und Bedeutung’ [32] has great intuitive appeal. In particular,


18Cf. [15].
19Cf. [75, 37].

it seems to provide elegant and intuitively appealing solutions to the familiar difficulties
concerning: 


(i) the cognitive significance of identity statements: how can ‘a = b’ if true, be an 
informative statement differing in cognitive significance from ‘a = a’? 


(ii) the problem of oblique or non-extensional contexts: how can two meaningful ex- 
pressions with the same denotation (extension) ever fail to be interchangeable salva 
veritate? 


(iii) the problem of providing an adequate truth-conditional semantics for propositional 
attitude reports. 


Fregean solutions to these problems essentially involve the distinction between sense 
and denotation. The appearance of oblique contexts in natural languages was interpreted 
by Frege as indicating a certain kind of systematic ambiguity rather than a failure of 
extensionality. According to Frege’s doctrine of indirect denotation, expressions denote 
in (unembedded) oblique contexts what is ordinarily their sense. Frege’s extensional 
point of view has been advocated and developed in the 20th century by Alonzo Church 
[19, 20, 21] in his Logic of Sense and Denotation.²⁰

Carnap [17], although still working within the Fregean tradition, saw the occurrence 
of oblique contexts in natural languages as genuine counterexamples to the principle of 
extensionality, according to which the denotation of a meaningful expression is always a 
function of the denotations of its semantically relevant parts. 

According to Carnap [17], each well-formed expression of a language has both an 
extension (corresponding to Frege’s denotation) and an intension (roughly corresponding 
to Frege’s sense). Intuitively, the intension of a sentence is the proposition that the 
sentence expresses and the extension is the truth-value (true or false) of the sentence. A 
proposition partitions the set of all possible worlds in two cells: (i) the set of all worlds 
in which the proposition is true; and (ii) the set of all worlds in which the proposition is 
false. Carnap, therefore, proposed to identify a proposition p with the function $f_p$ from
the set W of all possible worlds to truth-values which for every possible world w has
the value $f_p(w)$ = the truth-value of p in the world w. Thus, propositions are identified
with functions from possible worlds (or in Carnap’s case, from state descriptions, or 
set-theoretical models, that are taken to represent possible worlds) to truth-values. The 
intension of a sentence is the proposition it expresses and its extension in a possible 
world w is the truth-value in w of the proposition it expresses. 

The intension of a predicate expression is intuitively the property (or relation-in- 
intension) that the predicate expresses. A property of individuals determines for every 
possible world w, the set of individuals that have the property in that world. Hence, a
property P can, according to Carnap and Montague, be identified with a function $f_P$ from
the set W of all possible worlds to sets of individuals, which for every possible world w 


20 As emphasised by Church [22] and Kaplan [60], the Fregean tradition in intensional logic should 
be distinguished from the quite different tradition stemming from Russell where the sense/denotation 
distinction is avoided. Russellian semantics, in contrast to Fregean semantics, assigns only one kind 
of semantic value, most naturally thought of as a kind of denotation, to the well-formed expressions 
of a language. In Russellian semantics, (logically) proper names refer (directly) to objects, sentences 
designate Russellian propositions, i.e. complexes of properties and objects, and predicates stand for 
propositional functions. Modern so-called theories of direct reference belong to the Russellian tradition 
(cf., for instance, [98]).

has the value $f_P(w)$ = the set of all entities that in the world w have the property P.
For instance, the property of being red is identified with the function from possible
worlds to individuals that associates with every possible world the set of red objects in 
that world. Similarly, an n-ary relation-in-intension R is identified with a function from 
possible worlds to sets of ordered n-tuples. The intension of a predicate expression is the 
property or relation-in-intension it expresses and its extension in a possible world w is 
the set or relation-in-extension that is the value of that intension in the world w. 

Finally, singular terms have individuals as their extensions and their intensions are 
what Carnap calls individual concepts, i.e., functions from possible worlds to individuals. 
The singular term ‘the Greek philosopher that taught Alexander the Great’ has in the 
actual world Aristotle as its extension. In another possible world, the extension may 
be Plato. In possible worlds where there is no unique Greek philosopher that taught 
Alexander, the singular term might be assigned an arbitrary conventional extension, the 
null extension. Since proper names, presumably, are rigid designators (cf. [71]) they have 
the same extension in every possible world (or at least in every possible world where the 
bearer of the name exists). Hence, the intension of a proper name is a constant function 
picking out the same object in every possible world (or at least this is the case for rigid 
designators of objects that exist necessarily, for instance, the numerals designating the 
natural numbers). On Kripke’s view, co-referring proper names have the same intension. 
As a result, if a and b are co-referring proper names, then ‘a = a’ and ‘a = b’ have 
the same intension. Thus, it seems that difference in cognitive significance cannot be 
explained by difference in intension. 

Kripke’s [66, 67, 68] major innovation was his use — within each model structure — of 
a set of abstract points (indices, “possible worlds”) to represent the space of possibilities. 
This innovation made it possible for Montague [84] — building on ideas from Carnap 
[17] — to represent intensional entities (senses, intensions) by set-theoretic functions from 
points (representing possible worlds) to extensions. Every kind of meaningful expression 
has according to Carnap-Montague semantics a suitable intension, i.e., a function from 
possible worlds to appropriate extensions. If E is an expression with intension Int(E), 
and w is a possible world, then Int(E)(w), i.e., the result of applying the intension of 
E to the possible world w, is the extension of E in the world w (in symbols $\mathrm{Ext}_w(E)$).
The extension of E, Ext(E), is the extension of E in the actual world. 

Following Carnap [17] we distinguish between different kinds of constructions (or
contexts) $\Phi$:


(i) $\Phi$ is extensional iff there exists a function $f_\Phi$ such that for every possible world w,
and all (appropriate) expressions $E_1, \ldots, E_n$,
$\mathrm{Ext}_w(\Phi(E_1, \ldots, E_n)) = f_\Phi(\mathrm{Ext}_w(E_1), \ldots, \mathrm{Ext}_w(E_n))$. An extensional language is a language where every grammatical
construction is extensional. An extensional language satisfies the principle of
extensionality, i.e., the principle that the extension of a complex expression is always a
function of the extensions of its semantically meaningful constituents.


(ii) $\Phi$ is intensional iff there exists a function $F_\Phi$ such that for all (appropriate)
expressions $E_1, \ldots, E_n$, $\mathrm{Int}(\Phi(E_1, \ldots, E_n)) = F_\Phi(\mathrm{Int}(E_1), \ldots, \mathrm{Int}(E_n))$. An intensional
language is a language in which every grammatical construction is intensional.
Intensional languages satisfy the principle of intensionality, i.e., the principle that
the intension of a complex expression is always a function of the intensions of its
semantically meaningful constituents.

The principles of extensionality and intensionality are special cases of the principle of
compositionality, i.e., the principle that the meaning of a complex expression is deter- 
mined by its structure and the meaning of its constituents (cf., [104]). 

The classical Boolean connectives are, of course, paradigm examples of extensional 
constructions. By modifying the above definitions slightly, in order to take variable 
binding operators into account, the classical quantifiers $\forall$ and $\exists$ are naturally construed
as extensional operators as well. The modal operators $\Box$ and $\Diamond$, on the other hand, are
examples of constructions that are intensional but not extensional. Carnap also consid- 
ered propositional attitude constructions like ‘John believes that ...’, that in his opinion 
were not even intensional. Such constructions for which the principle of intensionality 
fails, may be called ultraintensional. 

In order to give a semantic analysis of belief contexts, Carnap introduced the notion 
of intensional isomorphism [17, §14]. Roughly speaking, two expressions are intension- 
ally isomorphic iff they are built up from atomic expressions with the same intensions 
in the same way. Intensionally isomorphic expressions were said to have the same in- 
tensional structure. The intensional structure of an expression can thus be identified 
with the equivalence class of all expressions of the given language that are intensionally
isomorphic with it. Intensional isomorphism and intensional structure were Carnap’s
explications of the intuitive notions of synonymy and meaning, respectively.²¹ The
intensional structures that correspond to sentences may be viewed as structured propositions
in contrast to Carnapian propositions (functions from possible worlds to truth-values)
that lack syntactical structure.²² Carnap suggested that belief and other propositional
attitudes be operators on such structured propositions rather than on intensions. If so, 
then intensionally isomorphic expressions are substitutable salva veritate in propositional 
attitude contexts. This seems fairly reasonable since one might argue that synonymous 
expressions are substitutable in such contexts. 

Montague’s intensional logic IL is a typed $\lambda$-calculus.²³ There are two basic types e
and t of (possible) individuals and truth-values (true and false), respectively. Then, there
is for every two types $\alpha$ and $\beta$, a type $(\alpha\beta)$ of functions from entities of type $\alpha$ to entities
of type $\beta$. Finally, for every type $\alpha$, there is a type $(s\alpha)$ of senses appropriate for entities
of type $\alpha$. Montague identifies the senses with Carnapian intensions, i.e., the members
of $(s\alpha)$ are functions from possible worlds to entities of type $\alpha$. All the domains of the
various types are constant from one world to another. In particular, there is one domain
of individuals that is common to all possible worlds. Thus, the domain of individuals is
best thought of as the domain of all possible individuals.

For every type $\alpha$, the language of IL contains variables and non-logical constants of
type $\alpha$. It also contains the logical constants: = (identity), $\lambda$ (lambda-abstraction), $^\wedge$
(intensional abstraction), $^\vee$ (intensional application), and brackets [, ]. The sentential
connectives, quantifiers $\forall$, $\exists$, and modal operators $\Box$, $\Diamond$, are definable in terms of =, $\lambda$,
$^\wedge$, and $^\vee$ (Gallin [33, 15-16]). For each type $\alpha$, one can quantify in IL over all the entities
of type $\alpha$. In particular, one can quantify over the collection of all possible individuals.


21This theme is developed further in Lewis [76]. 

22See King [63] for an overview of more recent work on structured propositions and references to the
relevant literature (including work by David Kaplan, Nathan Salmon, Scott Soames, Jeff King, and
others within the “direct reference”-tradition on so-called “Russellian propositions”).

23See Montague [84], and especially Gallin [33] for a thorough model-theoretic study of Montague’s
intensional logic. In particular, Gallin presents an axiomatisation of Montague’s intensional logic and
proves that it is strongly complete with respect to general Henkin-type models.

In other words, IL is committed to an ontology of possible individuals.

Complex terms of IL are built up from atomic terms (variables and constants) as
follows: (i) If A is a term of type $(\alpha\beta)$ and B is a term of type $\alpha$, then [AB] is a term
of type $\beta$; (ii) If A is a term of type $\beta$ and x is a variable of type $\alpha$ then $\lambda xA$ is a term
of type $(\alpha\beta)$; (iii) If A, B are terms of the same type, then [A = B] is a term of type t;
(iv) If A is a term of type $\alpha$, then $^\wedge A$ is a term of type $(s\alpha)$; (v) If A is a term of type
$(s\alpha)$, then $^\vee A$ is a term of type $\alpha$. Terms of type t are called formulae.

In the semantics, every (closed) term A of type $\alpha$ is assigned an extension $\mathrm{Ext}_w(A)$ of
type $\alpha$ relative to w, for each possible world w. The intension Int(A) of A is then the
function from worlds to extensions such that for each w, $\mathrm{Int}(A)(w) = \mathrm{Ext}_w(A)$. For each
term A, $^\wedge A$ is a name of the intension of A. And, for each term A denoting an intension
F, $^\vee A$ is a term which at every world w, refers to the value of F at w. Hence, $(A = {}^\vee{}^\wedge A)$
will always hold. The semantics of IL satisfies the principle of intensionality and $^\wedge$ is
the only primitive non-extensional construction of IL. The modal operator $\Box$ is defined
in IL as follows:


$\Box\varphi =_{df} [{}^\wedge\varphi = {}^\wedge T]$,


that is, $\varphi$ is necessarily true iff the intension of $\varphi$ equals the intension of any tautology
T. $\Box$ is an S5-operator and the Barcan formulae and their converses are valid in the
semantics.

Montague’s intensional logic admits quantifying into intensional constructions. Ac- 
cording to Montague’s intended interpretation, the individual quantifiers range over pos- 
sible individuals. Quantification over actual individuals can be analysed by means of the 
introduction of an existence predicate. However, Montague’s use of quantifiers ranging 
over possibilia is of course an abomination in the eyes of Quine and likeminded philoso- 
phers who favour an actualist metaphysics. 


1.5.2 Church’s logic of sense and denotation 


The expressions of natural language are according to the Fregean view systematically 
ambiguous: both the sense and the denotation of an expression vary with the linguistic 
context in which it occurs. This systematic ambiguity is the basis for Church’s program 
[19, 20, 21] of representing natural language discourse involving oblique contexts within 
a formal language the logic of which is completely extensional, that is, in which the 
ordinary principles of substitutivity of classical logic are valid. His fundamental idea is 
to let each expression A of the natural language be represented by different expressions 
A₀, A₁, A₂, … of the formal language depending on the context in which A occurs. Suppose, 
for instance, that the sentence “Tom is married”, when it occurs in a non-oblique 
context, is translated as Married(Tom). Then, the sentence (1), where the verb phrase 
“suspects that” gives rise to an oblique context, may be represented as: 


(2) Suspects(Mary, Married₁(Tom₁)), 


where Married₁ and Tom₁ are atomic expressions that denote the (ordinary) senses of 
Married and Tom, respectively. Analogously, 


(3) George knows that Mary suspects that Tom is married 


may be represented as 


(4) Knows(George, Suspects₁(Mary₁, Married₂(Tom₂))). 


Using Church’s terminology, we may say that Tom₁ and Tom₂ denote the concept 
of being Tom and the concept of being the concept of being Tom, respectively. In this 
way ambiguity is avoided in the representing language and the classical principles of 
substitutivity as well as all other principles of classical logic are preserved. 

Church’s logic of sense and denotation is a simple type theory that has much in 
common with Montague’s intensional logic IL but which differs from IL in not violating 
the principle of extensionality. In Montague’s language there is, as we recall, only one 
non-extensional operator ^ which transforms a term A into a term ^A that denotes the 
intension of A. Since A occurs in ^A, ^ is non-extensional. Church’s logic of sense and 
denotation, on the other hand, is fully extensional. For each denoting expression A, there 
is in Church’s language another expression (A), denoting the sense of A. Since (A) does 
not contain A as a syntactic part, the occurrence of A in the language does not violate 
extensionality. (A) replaces A in oblique contexts. For instance, the indirect discourse 
construction: ‘John believes that φ’ is replaced by the direct discourse version: ‘John 
believes (φ)’, where (φ) is a name of the proposition expressed by the sentence φ. The 
construction ‘John believes (φ)’ differs from ‘John believes ^φ’ in being fully extensional. 

In Church [18] and [19], three alternative principles of individuation for senses were 
proposed, referred to as Alternatives (0), (1) and (2). The alternative that individuates 
senses most coarsely is Alternative (2), according to which two expressions have the 
same sense iff they are logically equivalent. Roughly speaking, Alternative (2) amounts 
to identifying Fregean senses with Carnapian intensions, i.e., with functions from possible 
worlds (or models or state descriptions representing possible worlds) to denotations (or 
extensions). Thus, Alternative (2) is the alternative which is closest to modern possible 
worlds semantics. 

The alternative that is closest to Frege’s own conception of sense is probably Alterna- 
tive (0), according to which two terms A and B have the same sense, if and only if they 
are intensionally isomorphic in the sense of Carnap [17]. In addition to alternatives (0) 
and (2), Church also considered an intermediate alternative called Alternative (1), which 
is fairly close to Alternative (0) but seems to have less intuitive motivation. According 
to Alternative (1) expressions that are lambda-convertible to each other have the same 
sense. 

Church’s logic of sense and denotation is not directly concerned with linguistic ex- 
pressions and their senses and denotations, but rather with the language-independent 
so-called concept relation that holds between senses and the entities that they are senses 
of. As Church points out in [21], the more finely senses are individuated, the more closely 
will the abstract theory of senses and their objects resemble the more concrete theory of 
names and their denotations, with the concept relation playing a role similar to the one 
played by the denotation predicate of semantics. Consequently, antinomies analogous to 
the semantic antinomies may arise for formulations of the logic of sense and denotation 
along the lines of Alternative (0) or (1). Indeed, Myhill [85] points out that Church’s 
Alternative (0) is threatened by the antinomy described by Russell in The Principles of 
Mathematics, Appendix B, p. 527, the so-called Russell-Myhill paradox (cf. Anderson 
[2]). 

The development of a logic of sense and denotation along the lines of Alternative (0) — 
taking Carnap’s intensional isomorphism, Church’s synonymous isomorphism, or some 
related notion as a criterion for two expressions having the same sense — is of great 
theoretical interest. First of all, the fundamental principle of Alternative (0): 


sense(FA) = sense(FB) → sense(A) = sense(B), 


seems to be involved whenever a difference in sense between FA and FB is explained in 
terms of a difference in sense between A and B. Secondly, any principle of individuation 
for senses that is substantially less strict than Alternative (0) seems to be inadequate for 
a Fregean treatment of the logic of propositional attitudes. 

Unfortunately, however, the attempts so far to develop a logic of sense and denotation 
along the lines of Alternative (0) have led either to inconsistency or to great complica- 
tions, for instance, in the form of an infinite hierarchy of concept relations of different 
orders. Furthermore, no entirely satisfactory explanation has so far been given of the 
notion of sense involved in Alternative (0). Related to this is the lack of an intuitive 
semantic theory for Alternative (0) and a corresponding notion of logical validity. 

However, the pursuit of Church’s Alternative (2) has made considerable progress. 
Thus, David Kaplan [58, 60] and Charles Parsons [88] have provided versions of Church’s 
logic of sense and denotation with a possible worlds semantics of Carnap-Montague type. 
Parsons [88] even shows that his version of Church’s logic of sense and denotation is 
exactly equivalent to (intertranslatable with) Montague’s intensional logic. Moreover 
he provides an axiomatisation of Church’s Alternative 2 that is equivalent to Gallin’s 
axiomatisation of Montague’s intensional logic. 


1.6 Logical and metaphysical necessity 


We make a rough distinction between two types of intuitive interpretations of the 
operators ◇ and □ of alethic modal logic. First there is the metaphysical or counterfactual 
interpretation: 


◇φ: either φ, or it could have been the case that φ. 
□φ: φ, and it could not have been the case that ¬φ. 


Then, there is the logical or metalogical interpretation: 


◇φ: it is not self-contradictory to assume that φ is the case. 
□φ: it is self-contradictory to assume that ¬φ is the case. 


From now on, we shall use Lφ and Mφ for the logical modalities and reserve □ and ◇ 
for the metaphysical ones. 
According to the possible worlds analysis of metaphysical necessity: 


□φ is true at a possible world w iff φ is true at every possible world. 


There is an extensive and fast growing philosophical literature on the proper analysis of 
the notion of a possible world (cf. [25, 87]). Roughly speaking, we are distinguishing 
between the world as the (concrete) totality of everything there is and possible worlds as 
total alternative ways the world could have been (cf. [71, pp. 15-20]). Characterised in 
this way, possible worlds are abstract entities: total possible states of the world. This no- 
tion of possible world should be contrasted with David Lewis’s notion of a possible world 
as a concrete alternative universe (cf. [80]). Regardless of our ultimate understanding of 
possible worlds, to say that a statement φ is true at a possible world w means, intuitively, 
that φ, with its actual meaning, would have been true (simpliciter) had w obtained. 

A delicate question that now arises is how metaphysical necessity relates to logical 
necessity. The answer, of course, depends on how precisely we characterise the notion 
of logical necessity. Different semantic characterisations give rise to different answers. 
Suppose that we define logical necessity in terms of a class K of (admissible) models 
(or interpretations). Each model M is associated with a set U_M of points (representing 
“possible worlds”) of which one is the designated point @_M (representing “the actual 
world”). We write u ⊨_M φ for the sentence φ being true at the point u in the model M. 
Truth in a model M is defined as truth at the designated point @_M of the model M. 
Logical truth, or validity, is defined as truth in every model in K. We assume that: 


(i) u ⊨_M ¬φ iff not: u ⊨_M φ. 


(ii) u ⊨_M (φ → ψ) iff either u ⊭_M φ or u ⊨_M ψ. 


(iii) u ⊨_M Lφ iff for every model N in K, @_N ⊨_N φ. 


(iv) u ⊨_M □φ iff for every point v ∈ U_M, v ⊨_M φ. 


Given this type of semantics, there is no guarantee that logical necessity implies meta- 
physical necessity. Suppose, for example, that the language contains a logical constant 
actually with the semantic clause: 


(v) u ⊨_M actually(φ) iff @_M ⊨_M φ, 


i.e., actually(φ) is true at a point in a model iff φ is true at the designated point in the 
model. Then, every instance of the following schema is valid: 


(1) L(φ ↔ actually(φ)), 


although the following schema fails (in both directions): 


(2) □(φ ↔ actually(φ)). 


We can easily construct models M for a sentential language of the indicated kind for 
which (2) fails. 
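
One such construction, carried out mechanically, is given here as an added example that is not part of the handbook text. It evaluates clauses (i)-(v) over a constructed finite class K (all models on two points with one sentence letter p); the tuple encoding of formulas and all function names are assumptions of the example.

```python
from collections import namedtuple
from itertools import product

# A model M: its points U_M, its designated point @_M, and a valuation
# mapping each sentence letter to the set of points where it is true.
Model = namedtuple("Model", ["points", "actual", "val"])


def build_class(points=(0, 1), letters=("p",)):
    """Constructed class K: every valuation combined with every designated point."""
    subsets = [frozenset(x for x, keep in zip(points, bits) if keep)
               for bits in product((False, True), repeat=len(points))]
    return [Model(frozenset(points), actual, dict(zip(letters, choice)))
            for actual in points
            for choice in product(subsets, repeat=len(letters))]


def holds(K, M, u, f):
    """Truth of formula f at point u of model M, following clauses (i)-(v)."""
    op = f[0]
    if op == "var":
        return u in M.val[f[1]]
    if op == "not":                       # clause (i)
        return not holds(K, M, u, f[1])
    if op == "imp":                       # clause (ii)
        return (not holds(K, M, u, f[1])) or holds(K, M, u, f[2])
    if op == "iff":                       # abbreviation: implication both ways
        return holds(K, M, u, f[1]) == holds(K, M, u, f[2])
    if op == "L":                         # clause (iii): designated point of every model
        return all(holds(K, N, N.actual, f[1]) for N in K)
    if op == "box":                       # clause (iv): every point of this model
        return all(holds(K, M, v, f[1]) for v in M.points)
    if op == "act":                       # clause (v): designated point of this model
        return holds(K, M, M.actual, f[1])
    raise ValueError(f"unknown operator: {op!r}")


def real_world_valid(K, f):
    """True at the designated point of every model in K."""
    return all(holds(K, M, M.actual, f) for M in K)


def generally_valid(K, f):
    """True at every point of every model in K."""
    return all(holds(K, M, u, f) for M in K for u in M.points)


def countermodels(K, f):
    """Models of K in which f is false at the designated point."""
    return [M for M in K if not holds(K, M, M.actual, f)]


K = build_class()
P = ("var", "p")
ACT_P = ("act", P)
SCHEMA_1 = ("L", ("iff", P, ACT_P))      # L(p <-> actually(p))
SCHEMA_2 = ("box", ("iff", P, ACT_P))    # box(p <-> actually(p))

if __name__ == "__main__":
    print("schema (1) valid:", real_world_valid(K, SCHEMA_1))
    print("schema (2) valid:", real_world_valid(K, SCHEMA_2))
    for M in countermodels(K, SCHEMA_2):
        print("countermodel: @ =", M.actual, " p true at", sorted(M.val["p"]))
```

The countermodels are exactly the models in which p holds at one point but not the other, whichever point is designated.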

Thus it appears, as Zalta [108] has argued, that logical necessity does not imply 
metaphysical necessity. There are logical truths that are metaphysically contingent. 
However, this claim is highly counterintuitive. There are various ways of avoiding the 
conclusion that logical truth does not imply metaphysical necessity. One may, for one 
reason or another, refuse constructions like actually, that make reference to special 
worlds, the status of logical constants. 

Another option is to modify the notion of logical truth. The notion of logical truth 
that we have employed is the one we have called real-world validity. It is the notion 
according to which a statement φ is logically true (valid) iff it is true at the actual world 
in each model. As we have seen, however, there is an alternative notion, general validity, 
according to which a statement is logically true iff it is true at each world in each model. 

Let us write ⊨ and ⊨* for real-world validity and general validity, respectively. The 
two notions are related as follows: For any statement φ, 


(1) ⊨ φ iff ⊨* actually(φ). 


(2) ⊨* φ if ⊨ □φ. 

The operator L was introduced by “reflecting” the meta-linguistic notion of real-world 
validity into the object language. We can also introduce an operator L* corresponding 
to the notion of general validity. The semantic clauses for L (real-world logical necessity) 
and L* (general logical necessity) are: 


(vi) u ⊨_M Lφ iff for every model N in K, @_N ⊨_N φ. 


(vii) u ⊨_M L*φ iff for every model N in K and every point v in N, v ⊨_N φ. 


That is, L corresponds to truth at the actual world in each model and L* corresponds to 
truth at every world in each model. The two notions of logical necessity are interdefinable: 


(1) ⊨* Lφ ↔ L*actually(φ). 


(2) ⊨* L*φ ↔ L□φ. 


Moreover, we have: 


(3) ⊨* L*φ → □φ, 


although, as we have seen, the corresponding implication does not hold for real-world 
logical necessity, i.e., for L. 

Metaphysical necessity does not imply logical necessity. It does not appear self- 
contradictory to think, as the Greeks did, that water is an element. But since water, as 
it turned out, is a compound of oxygen and hydrogen, it could not have been an element. 
There is, so to speak, no counterfactual situation, or possible world, where water is not 
a compound. So even if it is not logically necessary, it is metaphysically necessary that 
water is a compound. Hence, the statement: 


(1) Water is a compound 


is metaphysically necessary (assuming that “water” is a rigid designator), but it is not 
logically necessary. In conclusion, we can say that real-world logical necessity (L) neither 
implies nor is implied by metaphysical necessity (□). General logical necessity (L*) on 
the other hand, implies metaphysical necessity, but is not implied by it. 

The (epistemological) distinction between a priori and a posteriori also comes in here. 
In Kripke’s theory, (1) exemplifies a statement that, although metaphysically necessary, 
is nevertheless a posteriori. On the other hand, given certain assumptions, “The Paris 
meter is one meter long” may be an example of a statement that is true a priori but is 
not metaphysically necessary [71]. 


2 THE MODAL LOGIC OF BELIEF CHANGE 


In this section, modal logic is brought to bear on an area which has already reached a 
degree of maturity (although still in need of further development) and which has been 
formulated with little or no regard to modal logic. By re-formulating the theory in terms 
of modal logic, a degree of systematisation is gained, and — it is hoped! — the theoretical 
understanding of the theory is enhanced. 
2.1 Introduction 


2.1.1 Two paradigms 


The theory of belief change is a fairly sprawling phenomenon. In the tradition examined 
here, one is interested in how new information is handled by a “rational” agent. By 
assumption, the agent is situated in an environment, often referred to as “the world”. 
The world is always in some world state or other, and the agent is always in some belief 
state or other. From time to time, the agent is presented with new information about 
the world. The problem is to describe how the new information affects the current belief 
state. In the two cases studied here, two further assumptions are made: that the new 
information is always accepted, and that acceptance always leads to a uniquely defined 
(usually, but not necessarily, different) belief state. 

We distinguish between two cases: the case when the world is static (the world does not 
change) and the case when the world is dynamic (the world might change); belief change 
is called belief revision in the former case, belief update in the latter. We also distinguish 
between two attitudes which an agent may have and which are called conditionalisation 
and imaging, respectively; these terms, which have an origin in probability theory, will 
not be explained (see Lewis [128], Gärdenfors [112]). The two paradigms selected for 
study here, AGM and KM, exemplify those two attitudes: AGM is a conditionalising 
and KM is an imaging theory. It is commonly accepted that a conditionalising attitude 
is appropriate for belief revision and an imaging attitude for update. Thus AGM is said 
to be a theory of belief revision and KM a theory of update. 

In this section we shall offer explications within modal logic of both the AGM paradigm 
and the KM paradigm. They are not meant to be exact counterparts of AGM and KM 
as they were historically defined; they are rather meant to bring out what we take to be 
essential to those conceptions. (Our use of the terms “AGM” and “KM” is ambiguous: 
they stand both for certain people (Alchourrón, Gärdenfors and Makinson in the former 
case, Katsuno and Mendelzon in the latter) and for the theories developed by those 
authors.) 


2.1.2 Revision 


There is a strong connection between the theory of belief change and the logic of condi- 
tionals. That this should be so is not so surprising if it is remembered that the following 
much quoted passage in a paper of Frank Ramsey, published posthumously, inspired both 
fields: 


If two people are arguing ‘If p will q?’ and are both in doubt as to p, they 
are adding p hypothetically to their stock of knowledge and arguing on that 
basis about q; so that in a sense ‘If p, q’ and ‘If p, ~q’ are contradictories. We 
can say that they are fixing their degrees of belief in q given p. If p turns out 
false, these degrees of belief are rendered void. If either party believes p for 
certain, the question ceases to mean anything for him except as a question 
about what follows from certain laws or hypothesis. [133, p. 149]. 


Both Robert Stalnaker and David Lewis cite this passage as a point of departure for their 
respective theories of conditional logic (Stalnaker [140], Lewis [127]). But it was read also 
by Peter Gärdenfors, who was looking for a different kind of theory of conditionals, one 
with a semantics not formulated in terms of possible worlds. Given a formal language of 
some familiar sort, what an agent believes on a certain occasion may be represented by 
what Gärdenfors called a belief set, namely, the set of propositions believed by the agent. 
It is assumed that belief sets are theories in Tarski’s sense, that is, that they contain all 
tautologies and are closed under modus ponens. Fundamental for Gärdenfors’s theory of 
belief change is the existence of an operation * such that, for any T, if T is an agent’s 
belief set on a certain occasion and φ is a proposition, then T * φ is the agent’s belief set 
if and after he has revised his beliefs by φ. Given *, Ramsey may be read as suggesting 
that two people, who share a belief set T and argue ‘If φ will ψ?’, can be represented 
as arguing whether ψ is an element of T * φ. In this way Gärdenfors was led to look for 
assertability conditions for conditionals rather than truth conditions. In particular, he 
had hoped to find a conditional => satisfying the following form of the so-called Ramsey 
Test: 

(RT) φ => ψ ∈ T iff ψ ∈ T * φ. 


Everything now hangs on the properties of the revision operation *. Proceeding in the 
same way as C. I. Lewis when the latter was trying to characterise his modal operators, 
Gärdenfors laid down a number of postulates in order to characterise *. Let K be a 
certain background theory, that is, a special belief set that is taken for granted and not 
subject to revision. A K-theory is a theory that includes K. We say that a formula φ is 
K-consistent if the set K ∪ {φ} is K-consistent, that a formula φ is K-consistent with a 
belief set T if T ∪ {φ} is consistent, and that two formulæ φ and ψ are K-equivalent if 
φ ↔ ψ ∈ K. For any set X, we write Cn(X) for the set of tautological consequences of 
X. In the following postulates, T is supposed to be a K-theory. 


(AGM1) For any formula φ, T * φ is a K-theory. 

(AGM2) φ ∈ T * φ. 

(AGM3) T * φ ⊆ Cn(T ∪ {φ}). 

(AGM4) If φ is K-consistent with T, then Cn(T ∪ {φ}) ⊆ T * φ. 

(AGM5) If φ is K-consistent, then T * φ is K-consistent. 

(AGM6) If φ and ψ are K-equivalent, then T * φ = T * ψ. 

(AGM7) T * (φ ∧ ψ) ⊆ Cn(T * φ ∪ {ψ}). 

(AGM8) If ψ is K-consistent with T * φ, then Cn(T * φ ∪ {ψ}) ⊆ T * (φ ∧ ψ). 


Some of these postulates have received their own names in the literature: (AGM2) is 
the Success Postulate, (AGM4) the Preservation Postulate and (AGM5) the Consistency 
Postulate. 

This, in a nutshell, is the syntactic side of AGM, the famous paradigm created by 
Gärdenfors in collaboration with Carlos Alchourrón and David Makinson [109, 113]. 
Now it turns out, as Gärdenfors himself was the first to observe, that if the condition 
(RT) is added to the AGM-postulates (after the new operator => has been added to the 
object language), then the result is, not inconsistency, but triviality. This is yet another 
interesting example of how intuitions, which on the face of it seem quite reasonable, 
turn out jointly to be incompatible. But it is also a wonderful example of the old 
saying that they who seek will find, but not always what they are looking for. For even 
though Gärdenfors did not find his conditional, he did find, together with Alchourrón 
and Makinson, a seminal theory of belief revision. 


2.1.3 Update 


A different theory of belief change is given in Katsuno and Mendelzon [122] (see also 
Grahne [115]). They emphasise a distinction, which they attribute to Keller and Winslett 
[123], between knowledge-adding changes (revisions) and change-recording updates. Ac- 
cording to Katsuno and Mendelzon, we believe that the real world is one of a certain set 
of possible worlds, which one we may not know. When we are informed that the real 
world has changed in a certain respect, we examine each of the old possible worlds and 
ask how our beliefs would have changed if that particular one had been the real world 
(notice the counterfactual!). “The fact the real world has changed gives us no grounds 
to conclude that some of the old worlds were actually not possible.” (This is the feature 
that made us classify Katsuno and Mendelzon’s theory as imaging.) 

Where AGM have belief sets, KM have knowledge bases (abbreviated KBs), each 
knowledge base consisting of just one formula (“since we need a finite fixed representation 
of a KB to store it in a computer”). Like AGM, KM also introduce a new operator: if φ 
is a KB and ψ is a formula (intuitively, the new information) then φ◇ψ is the KB that 
results from updating φ with ψ. Assuming a propositional language with only finitely 
many letters, they propose the following postulates: 


(KM1) φ◇ψ implies ψ. 

(KM2) If φ implies ψ, then φ◇ψ is equivalent to φ. 

(KM3) If both φ and ψ are satisfiable, then φ◇ψ is also satisfiable. 

(KM4) If φ is equivalent to φ′ and ψ is equivalent to ψ′ then φ◇ψ is equivalent to 
φ′◇ψ′. 

(KM5) (φ◇ψ) ∧ θ implies φ◇(ψ ∧ θ). 

(KM6) If φ◇ψ implies ψ′ and φ◇ψ′ implies ψ, then φ◇ψ is equivalent to φ◇ψ′. 

(KM7) If φ is such that, for all χ, φ implies χ or φ implies ¬χ, then (φ◇ψ) ∧ (φ◇ψ′) 
implies φ◇(ψ ∨ ψ′). 

(KM8) (φ ∨ φ′)◇ψ is equivalent to (φ◇ψ) ∨ (φ′◇ψ). 


An important difference between the two paradigms is that, while the AGM operator * 
is not part of the language in which the agent’s beliefs are expressed, the KM operator 
◇ is. For this reason, AGM is not a logic, in the usual sense of the word, but KM is. 


2.1.4 Translations 


To a modal logician, it is obvious that AGM can be re-formulated as a modal logic. A 
Rosetta stone with inscriptions in ordinary language, AGM language and the language 
of modal logic might contain the following text: 

ordinary language                     AGM           modal logic 
the agent believes that φ             φ ∈ T         Bφ 
after revising his beliefs by φ, 
the agent believes that χ             χ ∈ T * φ     [*φ]Bχ 


What is called modal logic here is of course doxastic logic enriched with change 
operators loaned from dynamic logic. In particular, if φ is a formula, then the expression 
*φ functions like a term that denotes ‘the agent’s acceptance of φ’ — an event, possibly 
an action. In this way the nonformal theory of AGM can be translated, more or less 
faithfully, into a formal theory within what we shall call dynamic doxastic logic (DDL); 
details are provided below. (We prefer “doxastic” to “epistemic” since belief need not be 
veridical.) 

To give a direct translation of KM is more difficult. The KM-operator ◇ (a binary 
operator not to be confused with the homonymous unary higher-order operator appearing 
in DDL-operators of type [◇φ]) is a propositional connective but not one of classical logic. 
A KM-formula 


(*) (φ◇ψ) → χ 


might at first sight seem to represent the claim that if an agent, who believes that φ, 
updates his beliefs by ψ, then he will believe, after the update, that χ. If so, then the 
DDL-formula Bφ → [◇ψ]Bχ would be a natural translation of (*). However, there is 
a great difference between the total of an agent’s beliefs — a knowledge base, to use 
KM-terminology — and a single belief of the agent. Therefore a faithful translation into 
DDL requires a strengthening of our current language. One possibility would be to adopt 
an operator E of a kind first considered by Hector Levesque, Eφ carrying the intuitive 
meaning “the agent believes exactly that φ (and what follows logically from φ)” or “all 
that the agent believes is that φ (and what follows logically from φ)”. In this more 
expressive language 

Eφ → [◇ψ]Bχ 

would be an adequate translation of (*). Unfortunately, Levesque’s operator is not easy 
to axiomatise (see [124]). 


2.1.5 Some object languages 


A number of object languages will figure in the sequel, and it is a good idea to give 
careful definitions of them at this point. Let LETT be a denumerable set of letters. We 
assume a truth-functionally complete supply of boolean operators, conditional operators 
□→ and ◇→, doxastic operators B, b, K, and k, as well as a star operator *, a rhombus 
operator ◇, and change operators [ ] and ⟨ ⟩. The operators B, K and [ ] are so-called 
box operators, while the operators b, k and ⟨ ⟩ are dual so-called diamond operators; for 
simplicity, in what follows we shall treat the latter as abbreviatory devices: that is, for all 
appropriate formulæ: bφ =df ¬B¬φ, kφ =df ¬K¬φ, ⟨*φ⟩χ =df ¬[*φ]¬χ 
and ⟨◇φ⟩χ =df ¬[◇φ]¬χ. In the same way, we also stipulate that φ ◇→ ψ =df ¬(φ □→ ¬ψ). 

Informally, formulæ of type φ □→ ψ and φ ◇→ ψ may be read as “if φ then ψ” or, 
if a distinction between them is called for, as “if φ then certainly ψ” and “if φ then 
conceivably ψ”. (But we are not committed to any particular reading, be it “ontic”, 
“epistemic”, “dynamic”, or whatever.) The operators B and K are for belief and for 
doxastic commitment, respectively. For many purposes a reading of laziness of Kφ as 
“the agent knows that φ” is all right, but “the agent is doxastically committed to φ” is 
better, for implicit in the theories we are considering below is the assumption that what 
is referred to is implied by a certain, usually not specified, sometimes possibly variable, 
background theory. The change operators are the after-operators of dynamic logic. 


Classical language 
LETT ⊆ BOOLE, 
φ, ψ ∈ BOOLE ⇒ (φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ ∈ BOOLE. 


Basic doxastic language 
BOOLE ⊆ BASIC-DOX, 
φ, ψ ∈ BASIC-DOX ⇒ (φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ ∈ BASIC-DOX, 
φ ∈ BOOLE ⇒ Bφ, bφ, Kφ, kφ ∈ BASIC-DOX. 


Full doxastic language 
BOOLE ⊆ FULL-DOX, 
φ, ψ ∈ FULL-DOX ⇒ 
(φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ, Bφ, bφ, Kφ, kφ ∈ FULL-DOX. 


Basic revision language 
BASIC-DOX ⊆ BASIC-REV, 
φ, ψ ∈ BASIC-REV ⇒ (φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ ∈ BASIC-REV, 
(φ ∈ BOOLE & χ ∈ BASIC-REV) ⇒ [*φ]χ, ⟨*φ⟩χ ∈ BASIC-REV. 


Full revision language 
FULL-DOX ⊆ FULL-REV, 
φ, ψ ∈ FULL-REV ⇒ (φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ ∈ FULL-REV, 
(φ ∈ FULL-DOX & χ ∈ FULL-REV) ⇒ [*φ]χ, ⟨*φ⟩χ ∈ FULL-REV. 


Unlimited revision language 
FULL-DOX ⊆ UNLIM-REV, 
φ, ψ ∈ UNLIM-REV ⇒ 
(φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ, Bφ, bφ, Kφ, kφ ∈ UNLIM-REV, 
(φ ∈ UNLIM-REV & χ ∈ UNLIM-REV) ⇒ [*φ]χ, ⟨*φ⟩χ ∈ UNLIM-REV. 


Conditional language 
BOOLE ⊆ COND, 
φ, ψ ∈ COND ⇒ 
(φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ, (φ □→ ψ), (φ ◇→ ψ) ∈ COND. 


Update language 
BASIC-DOX ∪ COND ⊆ UPDATE, 
φ, ψ ∈ UPDATE ⇒ (φ ∧ ψ), (φ ∨ ψ), (φ → ψ), (φ ↔ ψ), ¬φ ∈ UPDATE, 
φ ∈ COND ⇒ Bφ ∈ UPDATE, 
(φ ∈ COND & χ ∈ UPDATE) ⇒ [◇φ]χ, ⟨◇φ⟩χ ∈ UPDATE. 

We say that a formula is an agent formula, relative to BASIC-REV, FULL-REV, UNLIM-REV, 
or UPDATE, if it can occur both within the scope of a doxastic operator and within the 
scope of the star operator or rhombus operator, whichever is appropriate. 

2.2 Conditional logic 


As remarked above, there is a close connection between the theory of belief change and 
the theory of conditionals. For this reason, we devote an entire section to this topic, 
which is also, by our lights, a chapter of modal logic. 


2.2.1 Topology 


Let U be any nonempty set. A topology in U is a set T of subsets of U satisfying two 
conditions: for all S ⊆ T, (i) ⋃S ∈ T, and (ii) if S is finite and nonempty, then ⋂S ∈ T. 
A topology always has at least two elements: U is the union of all subsets of U and is 
therefore a member, and Ø is the union of the empty set of subsets of U and is therefore 
also a member. The structure (U, T) is called a topological space, but when it is clear 
what the intended topology is one usually refers to U itself as the topological space. The 
elements of T are said to be open sets; a closed set is one that is the complement of an 
open set. In general, a set need not be either open or closed, but on the other hand some 
sets are both; we will use the term clopen (adjective or noun) for the latter. Notice that 
the complement of a clopen set is clopen and that U and Ø are clopen in any topology. 
The (topological) closure of a set X, the smallest closed set that includes X, is defined 
as the intersection of all closed sets that include X. 

A cover of a set X ⊆ U is a family C of subsets of U such that X ⊆ ⋃C. A cover, 
every element of which is an open set, is an open cover. If C is a cover of X and there 
is a family D ⊆ C such that X ⊆ ⋃D, then D is a subcover of C of X. A topology T is 
compact if every open cover of the whole space has a finite subcover; a logically equivalent 
condition is that every family of closed subsets of U whose intersection is empty has a 
finite subfamily whose intersection is empty. A topology T is totally separated if, for any 
pair of distinct elements of U, one is an element of a clopen set of which the other is not. 
A Stone topology is a topology that is compact and totally separated. 

A family B of subsets of T is a base for the topology if, for every X ∈ T, there is some 
family C ⊆ B such that X = ⋃C. In other words, B is a base if every open element is 
the union of some elements of B. It is not difficult to prove that in a Stone topology, the 
family of clopen sets forms a base. 

Let U be a space with a Stone topology. A sphere system or, more colloquially, an 
onion (in U) is a nonempty family of closed subsets (spheres) of U that satisfies two 
conditions: it is closed under arbitrary nonempty intersection, and it is linearly ordered 
by set inclusion. An onion is trivial if it contains only one sphere and that sphere is 
the empty set; hence there is a unique trivial onion, namely {Ø}. The centre of an 
onion O is the set ⋂O, and we say that O is centred on ⋂O; thus the trivial onion is 
centred on the empty set. We say that an onion O overlaps with a set X (we assume 
that X is a subset of U) if ⋃O ∩ X ≠ Ø. The family of spheres of an onion O that 
intersect with a set X is denoted by O • X. If S is a family of sets and X is the smallest 
element of S, then we may express this by the notation X μ S (thus “mu” is a special 
case of “epsilon”). It is not difficult to prove that if O is an onion that overlaps with a 
clopen set X, then there is a smallest sphere in O that intersects with X; in symbols, 
⋃O ∩ X ≠ Ø ⇒ ∃Z(Z μ (O • X)); this important condition is called the limit condition. 

Sphere systems were introduced by David Lewis (who never called them onions) [127]. 
Ours differ from his in one notable respect: his spheres, but not ours, are closed under 
unrestricted union. One particular consequence of Lewis’s condition is that the empty 
set is an element of every sphere system of his, while our onions may, but need not,
contain the empty set as an element. 

The reader may find it helpful to think of the clopen sets as the agent’s propositions 
of the frame, and closed sets as possible agent’s theories (or theory sets, to use a term of 
Bengt Hansson). The topological setting may surprise some readers, but it provides an 
elegant way for keeping tabs on the limit condition. 


2.2.2 Semantics 


Let us say a quadruple $(U, P, Q, D)$ is a Lewis frame if (i) U is a Stone space, (ii) P is the
set of clopen sets, (iii) Q is a quantity (that is, set) of onions in U, (iv) D is a function
(the onion determiner) assigning to each element u of U an onion in Q, and (v) whenever
X and Y are clopen subsets of U, then so are

$$\{u \in U : \forall Z (Z \mathrel{\mu} (D(u) \bullet X) \Rightarrow Z \cap X \subseteq Y)\}$$

and

$$\{u \in U : \exists Z (Z \mathrel{\mu} (D(u) \bullet X) \;\&\; Z \cap X \cap Y \neq \emptyset)\}.$$


We consider a language COND for conditional logic. A valuation in a Lewis frame
$(U, P, Q, D)$ is a function from the set LETT of propositional letters to P. A Lewis model
$(U, P, Q, D, V)$ is a Lewis frame $(U, P, Q, D)$ cum valuation V. We define the truth of a
formula in a given Lewis model $M = (U, P, Q, D, V)$ as follows (we suppress reference
to M in the notation). The definition, which proceeds by induction in the usual way, is
relative to a point u of U. We use the notation $[\![\varphi]\!]$ for the set called the truth set of $\varphi$.
If $u \in [\![\varphi]\!]$ we say that $\varphi$ is true at u and may write $u \models \varphi$.


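$$\begin{aligned}
[\![P]\!] &= V(P), \text{ if } P \text{ is a propositional letter},\\
[\![\varphi \wedge \psi]\!] &= [\![\varphi]\!] \cap [\![\psi]\!],\\
[\![\varphi \vee \psi]\!] &= [\![\varphi]\!] \cup [\![\psi]\!],\\
[\![\neg\varphi]\!] &= U - [\![\varphi]\!], \text{ etc.},\\
[\![\varphi \mathrel{\Box\!\!\to} \psi]\!] &= \{u \in U : \forall Z (Z \mathrel{\mu} (D(u) \bullet [\![\varphi]\!]) \Rightarrow Z \cap [\![\varphi]\!] \subseteq [\![\psi]\!])\},\\
[\![\varphi \mathrel{\Diamond\!\!\to} \psi]\!] &= \{u \in U : \exists Z (Z \mathrel{\mu} (D(u) \bullet [\![\varphi]\!]) \;\&\; Z \cap [\![\varphi]\!] \cap [\![\psi]\!] \neq \emptyset)\}.
\end{aligned}$$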


(Note that, thanks to the closure rules on P, including (v), $[\![\varphi]\!]$ is a clopen set, for
every formula $\varphi$.) We say that a formula is valid if it is true at all points in all models.
A schema is valid if all its instances are valid. 


2.2.3 Postulates for David Lewis’s VC and VCU


First, assume as postulates all tautologies and the rule of modus ponens. Then add the 
rules 


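(REA) $\varphi \leftrightarrow \varphi' \;/\; (\varphi \mathrel{\Box\!\!\to} \theta) \leftrightarrow (\varphi' \mathrel{\Box\!\!\to} \theta)$,
(REC) $\theta \leftrightarrow \theta' \;/\; (\varphi \mathrel{\Box\!\!\to} \theta) \leftrightarrow (\varphi \mathrel{\Box\!\!\to} \theta')$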


and, as axioms, all instances of the following schemata: 


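(ML1) $(\varphi \mathrel{\Box\!\!\to} (\psi \wedge \theta)) \leftrightarrow ((\varphi \mathrel{\Box\!\!\to} \psi) \wedge (\varphi \mathrel{\Box\!\!\to} \theta))$,
(ML2) $\varphi \mathrel{\Box\!\!\to} \top$,
(DF$\Diamond\!\!\to$) $(\varphi \mathrel{\Diamond\!\!\to} \psi) \leftrightarrow \neg(\varphi \mathrel{\Box\!\!\to} \neg\psi)$,
(CL1) $\varphi \mathrel{\Box\!\!\to} \varphi$,
(CL2) $(\varphi \mathrel{\Diamond\!\!\to} \psi) \to (\psi \mathrel{\Diamond\!\!\to} \top)$,
(CL3) $\varphi \to (\psi \to (\varphi \mathrel{\Box\!\!\to} \psi))$,
(CL4) $\varphi \to ((\varphi \mathrel{\Box\!\!\to} \psi) \to \psi)$,
(CL5) $((\varphi \wedge \psi) \mathrel{\Box\!\!\to} \theta) \to (\varphi \mathrel{\Box\!\!\to} (\psi \to \theta))$,
(CL6) $(\varphi \mathrel{\Diamond\!\!\to} \psi) \to ((\varphi \mathrel{\Box\!\!\to} (\psi \to \theta)) \to ((\varphi \wedge \psi) \mathrel{\Box\!\!\to} \theta))$.
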
Brian Chellas suggested a different notation which highlights the connection with
modal logic: writing $[\varphi]\psi$ for $\varphi \mathrel{\Box\!\!\to} \psi$ and $\langle\varphi\rangle\psi$ for $\varphi \mathrel{\Diamond\!\!\to} \psi$. If we rewrite the preceding
conditions in Chellas’s notation, we get the following result:


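(REA′) $\varphi \leftrightarrow \varphi' \;/\; [\varphi]\theta \leftrightarrow [\varphi']\theta$,
(REC′) $\theta \leftrightarrow \theta' \;/\; [\varphi]\theta \leftrightarrow [\varphi]\theta'$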


and, as axioms, all instances of the following schemata: 


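(ML1′) $[\varphi](\psi \wedge \theta) \leftrightarrow ([\varphi]\psi \wedge [\varphi]\theta)$,
(ML2′) $[\varphi]\top$,
(DF$\langle\ldots\rangle$) $\langle\varphi\rangle\psi \leftrightarrow \neg[\varphi]\neg\psi$,
(CL1′) $[\varphi]\varphi$,
(CL2′) $\langle\varphi\rangle\psi \to \langle\psi\rangle\top$,
(CL3′) $\varphi \to (\psi \to [\varphi]\psi)$,
(CL4′) $\varphi \to ([\varphi]\psi \to \psi)$,
(CL5′) $[\varphi \wedge \psi]\theta \to [\varphi](\psi \to \theta)$,
(CL6′) $\langle\varphi\rangle\psi \to ([\varphi](\psi \to \theta) \to [\varphi \wedge \psi]\theta)$.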


The set of theorems of this axiom system coincides with David Lewis’s logic VC. To get 
his VCU, add the schemata: 


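(4) $\Box\varphi \to \Box\Box\varphi$,

(5) $\neg\Box\varphi \to \Box\neg\Box\varphi$,

where $\Box\varphi$ is an abbreviation of $\neg\varphi \mathrel{\Box\!\!\to} \bot$ (or $[\neg\varphi]\bot$, in Chellas’s notation). (Note that
the schema $\Box\varphi \to \varphi$ is derivable in VC.)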

We say after Lewis that a frame (U, T, Q, D) is centred if the onion $D(u)$ is centred on
$\{u\}$ for each $u \in U$, and we say that it is uniform if $\bigcup D(u) = \bigcup D(v)$, for all $u, v \in U$.


THEOREM 3 ([127]). A formula of conditional logic is derivable in VC [alternatively: 
in VCU] if and only if it is valid in all centred [alternatively: uniform centred] Lewis 
frames. 


There are of course many more completeness results of this kind. 
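
The soundness half of Theorem 3 can be checked mechanically on small frames. The following is an added example, not code from the Handbook: it assumes a finite universe with the discrete topology (so every subset is clopen), encodes formulas as nested tuples, and the names `onion`, `min_sphere`, `truth`, `valid`, `CENTRED` and `UNIFORM_CENTRED` are hypothetical. Going slightly beyond the postulates listed above, it also tests strengthening of the antecedent, which fails.

```python
from itertools import combinations, product

# Constructed four-point universe. With the discrete topology every subset is
# clopen, so the Stone-space and closure conditions hold trivially (assumption).
U = frozenset(range(4))
PROPS = [frozenset(c) for n in range(len(U) + 1) for c in combinations(sorted(U), n)]

def onion(*spheres):
    """Spheres sorted innermost first; they must be linearly ordered by inclusion."""
    fam = sorted({frozenset(s) for s in spheres}, key=len)
    if not fam or any(not a <= b for a, b in zip(fam, fam[1:])):
        raise ValueError("spheres must be nested")
    return tuple(fam)

def min_sphere(O, X):
    """The Z with Z mu (O . X), or None when the onion O does not overlap X."""
    return next((Z for Z in O if Z & X), None)

def would_at(O, a, b):
    """Clause for phi []-> psi at a point whose onion is O (a, b are truth sets)."""
    Z = min_sphere(O, a)
    return Z is None or Z & a <= b

def might_at(O, a, b):
    """Clause for phi <>-> psi at a point whose onion is O."""
    Z = min_sphere(O, a)
    return Z is not None and bool(Z & a & b)

def truth(f, V, D):
    """Truth set of a COND formula f under valuation V and onion determiner D."""
    op = f[0]
    if op == "var":
        return V[f[1]]
    if op == "bot":
        return frozenset()
    if op == "not":
        return U - truth(f[1], V, D)
    a, b = truth(f[1], V, D), truth(f[2], V, D)
    if op == "and":
        return a & b
    if op == "imp":
        return (U - a) | b
    if op == "would":
        return frozenset(u for u in U if would_at(D[u], a, b))
    if op == "might":
        return frozenset(u for u in U if might_at(D[u], a, b))
    raise ValueError(op)

def valid(f, D, letters=("p", "q", "r")):
    """True iff f holds at every point under every valuation on the frame."""
    return all(truth(f, dict(zip(letters, vs)), D) == U
               for vs in product(PROPS, repeat=len(letters)))

p, q, r = ("var", "p"), ("var", "q"), ("var", "r")
BOT = ("bot",)
def imp(a, b): return ("imp", a, b)
def would(a, b): return ("would", a, b)
def box(a): return would(("not", a), BOT)      # Box a abbreviates (not a) []-> bottom

CL1 = would(p, p)
CL4 = imp(p, imp(would(p, q), q))
DF = ("and", imp(("might", p, q), ("not", would(p, ("not", q)))),
      imp(("not", would(p, ("not", q))), ("might", p, q)))
STRENGTHEN = imp(would(p, q), would(("and", p, r), q))   # not a postulate
AX4 = imp(box(p), box(box(p)))
AX5 = imp(("not", box(p)), box(("not", box(p))))

# Constructed frames: both centred (innermost sphere of D(u) is {u}); only the
# second is uniform (every onion has the same union).
CENTRED = {0: onion({0}, {0, 1}), 1: onion({1}, {1, 2}),
           2: onion({2}, {1, 2}, {0, 1, 2}), 3: onion({3})}
UNIFORM_CENTRED = {u: onion({u}, {u, (u + 1) % 4}, U) for u in U}
```

On `CENTRED` the VC axioms checked here come out valid while schema (4) does not; on `UNIFORM_CENTRED` both (4) and (5) are valid, matching the VC/VCU split in the theorem.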
2.3 Update and the logic of conditionals
2.3.1 Semantics


Consider an update language UPDATE. Let $M = (U, P, Q, D, V)$ be a given Lewis model.
The definition of truth in M (we will suppress reference to M in the notation) will be
with respect to a situation, defined as an ordered pair $(B, x)$ where B is a subset of U
and x is a point in U. (Intuitively, B represents the current beliefs of the agent, while
x represents the point that is currently actual.) The definition proceeds in two steps.
First, we define the truth set $[\![\theta]\!]$ of formulæ $\theta \in$ COND in the usual way; thus $[\![\theta]\!]$ is a
subset of U. Second, we define truth in a situation $(B, x)$ of formulæ $\varphi$ in UPDATE:


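$$\begin{aligned}
(B, x) \models \varphi &\text{ iff } x \in [\![\varphi]\!], \text{ if } \varphi \in \mathrm{COND},\\
(B, x) \models \varphi \wedge \psi &\text{ iff } (B, x) \models \varphi \text{ and } (B, x) \models \psi,\\
(B, x) \models \varphi \vee \psi &\text{ iff } (B, x) \models \varphi \text{ or } (B, x) \models \psi,\\
(B, x) \models \neg\varphi &\text{ iff } (B, x) \not\models \varphi, \text{ etc.},\\
(B, x) \models B\varphi &\text{ iff } B \subseteq [\![\varphi]\!],\\
(B, x) \models K\varphi &\text{ iff } \bigcup\{\bigcup D(u) : u \in B\} \subseteq [\![\varphi]\!],\\
(B, x) \models [\Diamond\varphi]\chi &\text{ iff } (B', x) \models \chi, \text{ where } B' = \bigcup\{Z \cap [\![\varphi]\!] : u \in B \;\&\; Z \mathrel{\mu} (D(u) \bullet [\![\varphi]\!])\}.
\end{aligned}$$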


We say that a formula is valid if it is true in all situations in all models. A schema is 
valid if all its instances are valid. 


2.3.2 Postulates


We build an axiom system in stages, one block at a time. First block: all postulates
(axioms and rules) of Lewis’s VC. Second block: normal modal logic for all modal and 
dynamic operators. Third block: 


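($\Diamond$0) $\theta \leftrightarrow [\Diamond\varphi]\theta$, if $\theta \in$ COND,
($\Diamond$1) $\langle\Diamond\varphi\rangle\chi \leftrightarrow [\Diamond\varphi]\chi$,
($\Diamond$RT) $B(\varphi \mathrel{\Box\!\!\to} \psi) \leftrightarrow [\Diamond\varphi]B\psi$,
($\Diamond$K) $K\varphi \leftrightarrow B\Box\varphi$,
(RC) if $\varphi \leftrightarrow \psi$ is derivable, then so is $[\Diamond\varphi]\chi \leftrightarrow [\Diamond\psi]\chi$, for every $\chi$, for all formulæ
$\varphi, \psi \in$ COND and $\chi \in$ UPDATE.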


(Here, as above, $\Box\varphi$ abbreviates $\neg\varphi \mathrel{\Box\!\!\to} \bot$.) The Ramsey condition is essentially a condition
of operator shift where both operators and positions change; this fact is especially
striking if (RT) is rewritten in Chellas’s notation:

($\Diamond$RT) $B[\varphi]\psi \leftrightarrow [\Diamond\varphi]B\psi$.

Call this system U. (Warning: Lewis’s U (for “uniform”) must not be confused
with our U (for “update”).) Let U45 be the system obtained by adding the schemata (4)
and (5) mentioned above.




THEOREM 4. A formula of the update language is derivable in U [alternatively: in U45] 
if and only if it is valid in all centred [alternatively: uniform centred] Lewis frames. 


Our axiomatisation, in which (RT) is the only postulate that is really novel, has thus 
issued in yet another confirmation of the observation of several authors about the close 
connection between conditional logic and update logic. It is worth remarking that the 
class of uniform centred frames, which in our object language determines UT45, also, 
in another object language which does not include the operator B, determines the logic 
Gösta Grahne calls VCU$^2$, a logic based directly on Lewis’s VCU (see [115]).


2.4 Revision and basic DDL 
2.4.1 Semantics 


In this section we assume a language BASIC-REV for basic revision logic. Two intuitions 
underlying our presentation are that belief change consists in the transition from belief 
state to belief state, and that belief states can be modelled by sphere systems (onions). 
Let us define a basic revision frame as a structure $(U, P, Q, R)$ where U is a Stone space,
P is the set of clopen sets, Q is a quantity of onions, and R is a function assigning to
each clopen set X a binary relation $R^X$ over Q. The intuition is this: if the agent is
in belief state O, then after accepting (the information carried by) a proposition X, his
new belief state is a belief state $O'$ such that $(O, O') \in R^X$.

Valuations and models are defined as usual. We define the truth of a formula in a 
given model $M = (U, P, Q, R, V)$ as follows (as usual, we suppress reference to M in the
notation). The definition, which proceeds by induction, is relative to a situation, which
is an ordered pair $(O, x)$, where O is an onion and x a point of U. (Intuitively, O is the
current belief state of the agent, and x is the current state of the world.) We use the
notation $[\![\varphi]\!]$ for the truth set of $\varphi$ if $\varphi$ is a Boolean formula.


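$$\begin{aligned}
(O, x) \models P &\text{ iff } x \in V(P), \text{ if } P \text{ is a propositional letter},\\
(O, x) \models \varphi \wedge \psi &\text{ iff } (O, x) \models \varphi \text{ and } (O, x) \models \psi,\\
(O, x) \models \varphi \vee \psi &\text{ iff } (O, x) \models \varphi \text{ or } (O, x) \models \psi,\\
(O, x) \models \neg\varphi &\text{ iff } (O, x) \not\models \varphi, \text{ etc.},\\
(O, x) \models B\varphi &\text{ iff } \bigcap O \subseteq [\![\varphi]\!],\\
(O, x) \models K\varphi &\text{ iff } \bigcup O \subseteq [\![\varphi]\!],\\
(O, x) \models [*\varphi]\chi &\text{ iff } \forall O'((O, O') \in R^{[\![\varphi]\!]} \Rightarrow (O', x) \models \chi).
\end{aligned}$$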


Notice that the truth-conditions for the dynamic operators make sense as long as the
star operator applies only to Boolean formulæ. Validity in a frame [in a class of frames]
is then defined as truth relative to all situations in all models on the frame [in all frames].

To try to capture the ideas behind the historical AGM, further conditions are in 
order. One is that the belief set of a new belief state resulting from some new piece of 
information equal the overlap between the old onion and the clopen set representing that 
information: 


(i) $(O, O') \in R^X$ only if O overlaps with X and $\bigcap O' = Z \cap X$, where $Z \mathrel{\mu} (O \bullet X)$.

Two other conditions are that every relation $R^X$ be serial and functional:

(ii) $\exists O' \in Q\, ((O, O') \in R^X)$,
(iii) $(O, O') \in R^X \;\&\; (O, O'') \in R^X \Rightarrow O' = O''$.


Yet another condition to be considered is that what AGM called the “background” theory 
(in our jargon, the agent’s doxastic commitments) not change when beliefs are revised: 


(iv) $O, O' \in Q \Rightarrow \bigcup O = \bigcup O'$.


2.4.2 Translations of the AGM postulates 


A direct translation of the AGM postulates formulated in Section 2.1.2 gives the following 
result: 


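($*$2) $[*\varphi]B\varphi$,
($*$3) $[*\varphi]B\chi \to B(\varphi \to \chi)$,
($*$4) $b\varphi \to (B\chi \to [*\varphi]B\chi)$,
($*$5) $k\varphi \to \langle *\varphi\rangle b\top$,
($*$6) $K(\varphi \leftrightarrow \psi) \to ([*\varphi]B\chi \leftrightarrow [*\psi]B\chi)$,
($*$7) $[*(\varphi \wedge \psi)]B\chi \to [*\varphi]B(\psi \to \chi)$,
($*$8) $\langle *\varphi\rangle b\psi \to ([*\varphi]B(\psi \to \chi) \to [*(\varphi \wedge \psi)]B\chi)$.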


All instances of these schemata are valid. 


2.4.3 Postulates for the basic-DDL version of AGM 


We build an axiom system in stages, one block at a time. First block: tautologies and
modus ponens. Second block: normal modal logic for B and K and $[*\varphi]$. Third block:
the postulates ($*$2)–($*$8) mentioned in the preceding section plus the following additional
postulates: 


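($*$0) $\chi \leftrightarrow [*\varphi]\chi$, if $\chi$ is Boolean,
($*$1) $\langle *\varphi\rangle\chi \leftrightarrow [*\varphi]\chi$,
($*$KB) $K\varphi \to B\varphi$,
($*$K) $K\psi \leftrightarrow [*\varphi]K\psi$,
(RC) if $\varphi \leftrightarrow \psi$ is derivable, then so is $[*\varphi]\chi \leftrightarrow [*\psi]\chi$, for every $\chi$.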


THEOREM 5 ([167]). A formula of basic revision language is provable in the given axiom
system if and only if it is valid in all basic revision frames. 
2.4.4 Comparison with KM


The two paradigms AGM and KM seem rather different. It is interesting, therefore, that
the difference between the corresponding logics is not greater than it is. Of the AGM
postulates, all are valid according to KM as well, except for the most controversial ones:
($*$4) and ($*$8). But even in these cases the two paradigms come close:


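DDL version of KM:

    $B\varphi \to (B\chi \to [*\varphi]B\chi)$
    $\langle *\varphi\rangle B\psi \to ([*\varphi]B(\psi \to \chi) \to [*(\varphi \wedge \psi)]B\chi)$

DDL version of AGM:

    $b\varphi \to (B\chi \to [*\varphi]B\chi)$
    $\langle *\varphi\rangle b\psi \to ([*\varphi]B(\psi \to \chi) \to [*(\varphi \wedge \psi)]B\chi)$


Among schemata valid in KM but not in AGM are $B\bot \to [*\varphi]B\bot$ and $B\bot \to K\bot$.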


One difference between revision and update, remarked upon by Katsuno and Mendel- 
zon, is what they call the “global” behaviour of revision versus the “local” behaviour of 
update. What they have in mind can be explicated within our framework as follows. In 
AGM, the belief states of an agent are represented by onions; the belief set of an agent 
is not enough to determine the entire onion. By contrast, in KM the belief set is enough 
to determine the belief state of the agent. The reason for this is of course the centred 
onions assigned to each point (“possible world”) in the universe of a frame. In the latter 
case, the beliefs of the agent come in two steps: beliefs about the world (represented by 
centred onions), and beliefs about which possible world is the actual one (represented 
by a belief set). In AGM, belief change is a progression from onion to onion. In KM, 
belief change is from belief set to belief set, but against the background of an underlying, 
constant web of beliefs about how the world can change. 
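
The contrast between “local” update and “global” revision can be made concrete on a small model. The following is an added example, not code from the Handbook: it assumes a four-point universe with the discrete topology, a constructed centred onion determiner `D`, and hypothetical function names. It computes the update B′ of Section 2.3.1 and the revised belief set of condition (i), brute-forces the Ramsey condition, and exhibits the failure of the AGM form of ($*$4) under update.

```python
from itertools import combinations

# Constructed four-point universe with the discrete topology (every subset clopen).
U = frozenset(range(4))
SUBSETS = [frozenset(c) for n in range(len(U) + 1) for c in combinations(sorted(U), n)]

def fs(*xs):
    return frozenset(xs)

def min_sphere(O, X):
    """Smallest sphere of onion O (listed innermost first) meeting X, else None."""
    return next((Z for Z in O if Z & X), None)

# KM side: a constructed centred onion determiner, one onion per point.
D = {
    0: (fs(0), fs(0, 2), U),
    1: (fs(1), fs(1, 3), U),
    2: (fs(2), fs(2, 3), U),
    3: (fs(3), fs(1, 3), U),
}

def update(B, X):
    """B' = union of Z & X over u in B, where Z mu (D(u) . X)."""
    out = set()
    for u in B:
        Z = min_sphere(D[u], X)
        if Z is not None:
            out |= Z & X
    return frozenset(out)

def revise(O, X):
    """AGM condition (i): the new belief set is Z & X with Z mu (O . X)."""
    Z = min_sphere(O, X)
    if Z is None:
        raise ValueError("onion does not overlap X")
    return Z & X

def believes_would(B, X, Y):
    """(B, x) |= B(phi []-> psi), with X and Y the truth sets of phi and psi."""
    return all((Z := min_sphere(D[u], X)) is None or Z & X <= Y for u in B)

def ramsey_condition_holds():
    """B(phi []-> psi) <-> [<>phi]B psi, checked for every B, X, Y."""
    return all(believes_would(B, X, Y) == (update(B, X) <= Y)
               for B in SUBSETS for X in SUBSETS for Y in SUBSETS)

def update_preserves(antecedent):
    """Does B <= Y survive update by X whenever antecedent(B, X) holds?"""
    return all(update(B, X) <= Y
               for B in SUBSETS for X in SUBSETS for Y in SUBSETS
               if B <= Y and antecedent(B, X))

def revision_preserves(onions):
    """AGM form of (*4): if the belief set meets X, old beliefs survive revision."""
    return all(revise(O, X) <= Y
               for O in onions for X in SUBSETS for Y in SUBSETS
               if O[0] & X and O[0] <= Y)

# Two constructed onions with the same belief set {0} but different outer spheres.
O1 = (fs(0), fs(0, 1), U)
O2 = (fs(0), fs(0, 2), U)
O3 = (fs(0, 1), fs(0, 1, 2), U)

KM_FORM_OF_4 = update_preserves(lambda B, X: B <= X)          # antecedent B phi
AGM_FORM_OF_4 = update_preserves(lambda B, X: bool(B & X))    # antecedent b phi
```

`O1` and `O2` share the belief set {0} yet revise differently by {1, 2}, so the belief set does not fix the AGM belief state, whereas `update` is a function of the belief set alone once `D` is given.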


2.5 Revision and full or unlimited DDL 
2.5.1 Semantics 


Basic DDL tries to explicate AGM as originally formulated. This is why in basic DDL the 
agent’s beliefs are all about the world, and the agent’s beliefs are not part of the world. 
As we saw above, the language of AGM and the language of DDL are intertranslatable. 
Nevertheless, there is one sense in which DDL offers more flexibility: where AGM has 
$\chi \in T$, DDL offers $B\chi$, but AGM has no counterpart to $BB\chi$ — $(\chi \in T) \in T$ is not
a well-formed expression. There is no reason why one could not extend the language of 
AGM to include the B-operator, but no-one seems to have done so. And rather than 
doing so, it seems easier to study the resulting theory in a DDL context. 

Therefore, let us move to the language FULL-REV of full revision, in which the agent
formulæ are the formulæ of the full doxastic language FULL-DOX. Define a full revision
frame as a structure $(U, P, Q, R, D)$ where (i) U is a Stone space, (ii) P is the set of
clopen sets, (iii) Q is a quantity of onions (not necessarily centred), (iv) R is a function
assigning to each clopen set X a binary relation $R^X$ over Q, (v) D is a function from U to
Q and finally (vi) whenever X is a clopen subset of U, then both $\{u \in U : \bigcap D(u) \subseteq X\}$
and $\{u \in U : \bigcup D(u) \subseteq X\}$ are clopen. Truth at a point u in a model $(U, P, Q, R, D, V)$
is defined along usual lines:
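
$$\begin{aligned}
u \models P &\text{ iff } u \in V(P), \text{ if } P \text{ is a propositional letter},\\
u \models \varphi \wedge \psi &\text{ iff } u \models \varphi \text{ and } u \models \psi,\\
u \models \varphi \vee \psi &\text{ iff } u \models \varphi \text{ or } u \models \psi,\\
u \models \neg\varphi &\text{ iff } u \not\models \varphi, \text{ etc.},\\
u \models B\varphi &\text{ iff } \bigcap O \subseteq [\![\varphi]\!], \text{ where } O = D(u),\\
u \models K\varphi &\text{ iff } \bigcup O \subseteq [\![\varphi]\!], \text{ where } O = D(u),\\
u \models [*\varphi]\chi &\text{ iff } \forall v((u, v) \in R^{[\![\varphi]\!]} \Rightarrow v \models \chi).
\end{aligned}$$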


As usual, a formula is valid in a frame if true at all points in all models. 


One difference between basic and full DDL is that in the former case the points of 
a frame represent world states whereas in the latter case they simultaneously represent 
both world state and belief state. This is why in basic DDL formulæ have to be evaluated
at pairs $(O, x)$ where O represents a belief state and x a world state, while in full DDL
formulæ are evaluated at points representing total or combined states. In DDL there is
thus an ambiguity in the informal term “world state”: in a narrow sense, which excludes
the agent’s beliefs, the points of basic, but not full, DDL represent world states; but in
a wide sense, which includes the agent’s beliefs, the points of full, but not basic, DDL
represent world states. In any case, the intuition in full DDL is this: if the current total
state is u, then if the agent accepts (the information carried by) a proposition X, there
will be, immediately afterwards, a new current total state v such that $(u, v) \in R^X$.

The semantics of unlimited DDL is the same as that of full DDL, with two exceptions: 
the language whose formulæ are given a meaning is UNLIM-REV, and the definition of an
unlimited revision frame is obtained from the definition of a full revision frame by adding
condition (vii) if X and Y are clopen subsets of U, then both $\{u \in U : \forall v((u, v) \in R^X \Rightarrow v \in Y)\}$
and $\{u \in U : \exists v((u, v) \in R^X \;\&\; v \in Y)\}$ are clopen. Intuitively, the points of
an unlimited revision frame represent not only the state of the world and the agent’s
beliefs about the state of the world but also the agent’s beliefs about how the world may 
change. 


2.5.2 Redefining revision? 


It is interesting that all the old postulates of basic DDL (but now over the formulæ
of FULL-REV or UNLIM-REV) are satisfied. However, there are problems. Suppose, for
example, that $b\varphi$ and $B\neg B\varphi$ are true in a certain situation. Then $[*\varphi]B\neg B\varphi$ follows by
preservation. By the Success Postulate, we always have $[*\varphi]B\varphi$. Hence $[*\varphi]B(\varphi \wedge \neg B\varphi)$,
by modal logic. Or suppose that $b\varphi$ and $BB\neg\varphi$ are true in a certain situation. By the
same kind of reasoning $[*\varphi]B(\varphi \wedge B\neg\varphi)$ follows. Or, even more problematic, note that
both $[*(\varphi \wedge \neg B\varphi)]B(\varphi \wedge \neg B\varphi)$ and $[*(\varphi \wedge B\neg\varphi)]B(\varphi \wedge B\neg\varphi)$ are valid. But if it is true,
on a certain occasion, that it is raining in Umeå and Sten, who happens to be visiting at
Ojmundsbod far from Umeå, does not believe that it is raining in Umeå, or even believes
that it is not raining in Umeå, then surely it should be possible for him to accept this
information without incurring doxastic inconsistency?

This problem was first noted and left unresolved in van Linder, van der Hoek and 
Meyer [129]. Two strategies have later been suggested for dealing with it. One is given 
in Lindström and Rabinowicz [131] in which it is recommended that one perform a
certain contraction before revising one’s beliefs. Roughly speaking, before accepting new
information, the agent should give up enough currently held beliefs to make sure that
new information does not create doxastic inconsistency (assuming the new information 
is itself consistent). A different though related strategy is proposed in Segerberg [138] 
where it is recommended that the notion of revision be redefined. Two possibilities are 
outlined. In both cases, the star operator * is kept but a new revision operator R is 
introduced. One suggestion is to define 


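$$[R\varphi]\chi =_{\mathrm{df}} [*(\varphi \wedge B\varphi \wedge \ldots \wedge B^n\varphi)]\chi$$


and require that the logic of B be of a certain strength, for example, contain at least the
schemata $BB\varphi \to B\varphi$ and $B^n\varphi \to B^{n+1}\varphi$. The other suggestion is to introduce yet a
new doxastic operator C (for “complete” belief) with the semantics


$$u \models C\varphi \text{ iff } \forall n > 0\,(u \models B^n\varphi),$$

define


$$[R\varphi]\chi =_{\mathrm{df}} [*(\varphi \wedge C\varphi)]\chi$$


and then require the logic of B to validate the schema $BB\varphi \to B\varphi$. Evidently, the
operator C in effect represents common belief when only one agent is involved. One may
note the validity of the following schemata:


$C\varphi \to B\varphi$,

$C\varphi \to CC\varphi$,

$BC\varphi \leftrightarrow CB\varphi$,

$(B\varphi \wedge C(\varphi \to B\varphi)) \to C\varphi$.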


In this modelling, which assumes that the doxastic commitments of agents are not open 
to revision, it is impossible for an agent who values the consistency of his beliefs to accept 
either the information that it-is-raining-and-he-does-not-believe-that-it-is-raining or the 
information that it-is-raining-and-he-believes-that-it-is-not-raining. In the terminology 
of Roy Sorensen [139], $\varphi \wedge \neg B\varphi$ and $\varphi \wedge B\neg\varphi$ represent blindspots. In general, $\varphi$ represents
a blindspot at u if $k\varphi \wedge [R\varphi]B\bot$ is true at u — if $\varphi$ is consistent with what the agent
knows but revision by $\varphi$ leads to an absurd belief set.


3 LOGIC OF ACTION AND DEONTIC LOGIC 


For natural reasons, deontic logic has been in the hands of deontic logicians from the 
beginning. As is the case with all modal logicians who do not concentrate on the purely 
formal aspect of their discipline, they have been acting as philosophers and as logicians at 
the same time, and so conceptual issues and technical treatment have been intermingled. 
It is remarkable that, even though deontic logic has been around for a long time, there is 
as yet not an accepted body of work that extends very far. What is needed to improve 
the situation in deontic logic, it seems, is to identify and philosophically discuss basic 
concepts in greater depth than has been done before. Not least must we develop better 
logics of action. Modal logic should be in a privileged position to inform such work, or 
so we argue in this essay. 
3.1 Logic of action
3.1.1 Logic of action without actions


In the history of the logic of action, there is a line from Anselm in the eleventh century, 
restarted in modern times by authors like Kanger, Fitch, and A. R. Anderson, and 
continued by Chellas, which has recently received its most mature expression yet by 
Belnap, Perloff and Xu. We quickly sketch a version of a theory in this tradition. 

We say that a structure (U, A, T, H, E) is a frame if the following conditions are met. 
U is a set of points (informally, representing possible (total) states of the world, just 
as in dynamic logic). A is a finite set of agents. T is a linearly ordered set (we refer 
to the elements of T as times), and a T-history is a function from T into U. Let H 
be a certain set of T-histories (from now on, just histories). If $h \in H$ and $t \in T$, then
$(h, t)$ is said to be a moment. We define two families of equivalence relations over H.
First we define two histories h and g as coinciding up through t, in symbols, $h \sim_t g$, if
$ht' = gt'$, for all $t'$ not later than t (that is, all $t'$ such that $t' \leq t$). For each moment
$(h, t)$, define $H_{h,t} = \{g \in H : h \sim_t g\}$. E is a function assigning to each moment $(h, t)$
and agent $a \in A$ a partitioning $E_{h,t,a}$ of $H_{h,t}$. We say that two histories h and g are
action-equivalent for a at t if h and g are equivalent under $E_{h,t,a}$ (or, equivalently, if h
and g are equivalent under $E_{g,t,a}$); we write $h \sim_{t,a} g$ if this is the case. It is clear that
both $\sim_t$ and $\sim_{t,a}$ are equivalence relations.

Consider a classical propositional language (for example, BOOLE — see above) to which
is added, for each natural number i, a propositional operator $D_i$ with the informal reading
“the agent denoted by i brings it about that”. A valuation in a frame $(U, A, T, H, E)$ is
a function assigning to each natural number an element in A and to each propositional
letter a set of moments. A model on a frame is the frame together with a valuation. The
truth-value (truth or falsity) of a formula at a moment in a model is defined with respect
to moments along traditional lines. The formal condition for the action operator $D_i$ is


$(h, t) \models D_i\varphi$ iff $V(i) = a$ & $\exists t_0 < t\,(\forall g(h \sim_{t_0,a} g \Rightarrow (g, t) \models \varphi)$ &


The idea is that, if a is the agent denoted by i, then a brings it about, with respect to
h and t, that $\varphi$, in symbols $D_i\varphi$, iff there exists a time $t_0$ earlier than t such that two
conditions are satisfied, (i) (the positive condition) that $\varphi$ be true with respect to g and
t, where g is any history that is action-equivalent with h for a at $t_0$, and (ii) (the negative
condition) that $\varphi$ be false with respect to g and t, where g is some history coinciding
with h up through $t_0$. In other words, speaking somewhat freely, we might say that the
positive condition guarantees that $\varphi$ is true in a certain important respect, while the
negative condition shows the necessity of that guarantee.

From a formal point of view (but not philosophically: see [144, p. 197 f.]) the system 
sketched may be said to present, more or less in the spirit of Chellas [150], the theory of 
Belnap and Perloff of an operator called by them the “achievement stit” (“stit” for “sees 
to it that”). If the negative condition of the truth definition is omitted and we require 
T to be the set of all (negative and nonnegative) integers, we get a definition which is 
essentially that of Chellas’s do-operator. (In the latter case, the element $t_0$ mentioned in
the truth condition of $D_i$ should be identified as $t - 1$.)

As an operator of agency, the operator $D_i$ differs from many of its competitors in
the literature. For example, in the Chellas version, $D_i$ is a normal modal operator; in
particular, $D_i\top$ and $D_i(\varphi \to \psi) \to (D_i\varphi \to D_i\psi)$ and $D_i(\varphi \wedge \psi) \leftrightarrow (D_i\varphi \wedge D_i\psi)$ are all
valid (that is, true at all moments in all models); in the Belnap version, none of them
is. In particular, even though $(D_i\varphi \wedge D_i\psi) \to D_i(\varphi \wedge \psi)$ is valid in the Belnap version,
$D_i(\varphi \wedge \psi) \to (D_i\varphi \wedge D_i\psi)$ is not; only the weaker $D_i(\varphi \wedge \psi) \to (D_i\varphi \vee D_i\psi)$ is valid.

Sometimes, “i is causally responsible for the fact that $\varphi$” would seem to be a better
translation of $D_i\varphi$ than “i sees to it that $\varphi$”. For let $\varphi$ be “the door is closed” and
$D_i\varphi$ thus “the agent sees to it that the door is closed” (presumably equivalent to “the
agent closes the door”). The validity of $D_i\varphi \to \varphi$ (in both the Chellas version and the
Belnap version) implies that (at a certain moment in a certain model) $D_i\varphi$ is true only
if $\varphi$ is; which seems to mean that the door is closed when the agent closes it. But why
close a door that is already closed? On a somewhat related point, notice that, with the
truth-condition of $D_i$ as defined, there may be a model such that both $(h, t_1) \models D_i\varphi$ and
$(h, t_2) \models D_i\varphi$, where $t_1$ and $t_2$ are times such that $t_1 < t_2$ and h is a history such that
$(h, t) \models \varphi$ for all times t between $t_1$ and $t_2$. On the official stit-reading, the agent closes
the door at $(h, t_1)$ as well as at $(h, t_2)$, never mind that the door is closed in h throughout
the interval $[t_1, t_2]$. The awkwardness disappears on the alternative reading, according
to which the agent is causally responsible at $(h, t_1)$ and $(h, t_2)$ for the door being closed.
(But other naive questions remain: Where is the action? When did the door closing take 
place? Or are such questions not appropriate?) 

The theory presented by Belnap and his collaborators is the culmination of a long 
development in modal logic; it surpasses all earlier efforts by its sophistication, power 
and comprehensiveness. One reservation one might have is perhaps the one hinted at in 
the preceding paragraph: it is a logic of action without actions. No author in the Anselm- 
Kanger-Chellas line up through Belnap — Davidson belongs to a different tradition — 
has countenanced the existence of actions in his logic: action talk, yes; ontology of 
actions, no.²⁴ For those who would like a representation not only of action language but
of action there is therefore a reason to continue the search for a logic of action worth the 
name (without, of course, any guarantee that such a thing will ever be found). 


3.1.2 What dynamic logic can offer 


One liberating effect of the introduction of dynamic logic was that it finally permitted 
modal logicians to talk about actions and events (without necessarily knowing exactly 
what they were talking about). The novelty was the introduction of a syntactic category 
of terms and a corresponding semantic category of — well, what? Formally, the meaning 
of a term is what modal logicians know as an accessibility relation. But since terms were 
introduced to formalise the action of programs, it was natural for dynamic logicians to 
think of these accessibility relations — which relate points-before to points-after — as 
event types or action types. In fact, Vaughan Pratt himself, the originator of the modal 
logic of programs, as dynamic logic was called in the early days, remarked that he saw 
his theory as a logic of computer action. 

²⁴ One author to whom this remark does not apply is J. F. Horty. Horty, who works within the
stit-tradition, explicitly refers to choice cells as actions and, in his book [159], actually refers to them
as “actions”. In correspondence he has made the following comment: “These actions are only action
tokens, however — individual concrete actions. There is no such thing as the action type of “opening
a window”, for example. There are individual, concrete openings of individual windows, but nothing to
group them together.”

It would seem that if it is reasonable to represent real propositions (propositions about
the world) as sets of points, then it cannot be totally unreasonable to represent real events
(events in the world) as sets of paths. Such representation has obvious technical advan- 
tages. For one thing, the Boolean operations of union and intersection and even com- 
plement become well-defined, and so do the operations of relative product and transitive 
closure. But it also makes it possible more directly to address the question concerning 
the relationship between events and action, a topic much debated by philosophers. One 
example from one of the most interesting philosophers of action: 


The notion of a human act is related to the notion of an event, i.e., a change 
in the world. What is the nature of this relationship? It would not be right, 
I think, to call acts a kind or species of events. An act is not a change in the 
world. But many acts may quite appropriately be described as the bringing 
about or effecting (‘at will’) of a change. To act is, in a sense, to interfere 
with ‘the course of nature’. ... To every act ... there corresponds a change 
or an event in the world. [171, 36f., 39] 


One wonders why there should be this difference in theoretical status between propo- 
sitions and events. Given a certain context, propositions may be true or false; but events
may occur or not. A proposition perhaps may be made true or made false; but an event 
may be brought about or avoided. A proposition may be known or be believed or be 
given a certain normative status by someone competent to do so; but an event can be 
foreseen or be remembered, be prescribed or proscribed. One may perceive that a propo- 
sition is true; but one may also perceive an event. Some authors such as van Benthem 
have recognised the analogous position of the two categories, propositions and events, 
and have tried to give them an even-handed treatment. Unfortunately, philosophers have 
remained unimpressed so far. 


3.1.3 Thinking about change


There already exist modal logical modellings containing interpretations of events, not so 
much in the philosophical as in computer science literature, [149, 163]. In general, we 
believe that philosophers have much to learn from the theoretical computer scientists, 
whose assault on conceptual problems is often fresh and undaunted (“never mind what 
Aristotle said”). But how are we to make philosophical sense of their constructions and 
avoid ad hoc-ishness? 

There is an environment, also referred to as the world. The world is always in some 
(total) state or other. The states themselves never change, but the state in which the 
world is (the currently actual state) may change from time to time. The way the world 
changes is influenced, but perhaps not completely determined, by agents outside the 
world. Furthermore, all change is regular: it takes place according to some change rule. 

Trying to incorporate these ideas into the semantics of traditional modal logic, think 
of a system as a triple (U, A, C), where U represents the world, A is the set of all agents 
(assumed to be finitely many), and C is a function representing the change rule. Of 
these three primitives, two are old: the universe U of points (representing total world 
states) and the set A of agents are as above (for simplicity, we shall think of the agents 
as a set of integers {0,1,...,n — 1}, where n is nonnegative (if n = 0, then A is empty 
and the system is agentless)). To describe the change function, the one new primitive, is 
more complicated. The world is always in some total world state or other. Change in the 
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world (which for simplicity’s sake is assumed to be discrete) is completely described by the 
change function. Any finite change is from a point-before to a point-after, perhaps via a 
number of intermediate points; an infinite change can be described in the same way except 
that there is no point-after. Suppose the world is in a state u € U. Suppose the agents, 
at this point, make individual “contributions” or “inputs” 7o,...,7n—1, respectively, and 
that there are no further contributions from the agents, nor any other kind of interference. 
The result will be a change in the world (one possible change is of course the null change), 
which we may represent as a sequence p = C(u,io,...,in—1) of points of which u is the 
first element; we say that p is the theoretical result of the input (%o,...,¢n—1). Points to 
be noted. (1) C depends on the currently actual state of the world but not on any other 
possible state. (2) The nature of the agents’ inputs is not specified (in this modelling). 
But (3) they are assumed to be outside (not a part of) the world. (4) Since the change 
rule is represented by a given function, the system as described is deterministic. (It 
would be nondeterministic if the change rule were represented by a function assigning 
to each $(n+1)$-tuple $(u, i_0, \ldots, i_{n-1})$, not a path, but a set of paths. Such indeterminacy 
would be called ontic: not due to limited knowledge on our part, but a property of the 
system itself.) (5) It is possible for an agent to make no proper contribution. When this 
happens we say, for book-keeping purposes, that his input is the null input, and we use 
the symbol $\emptyset$ to denote it. 


3.1.4 What a modal logic of actions and agency might look like 


Suppose we (as outside observers) witness a certain development taking place in a system. 
What would it be to have a record of it? Any development in the world consists in the 
succession of one state after the other, therefore to know the sequence of states, in 
the order they were realised, would be to have a representation of what took place. 
But knowing the inputs of the agents would yield a fuller understanding. So perhaps 
we should think of a record as a certain sequence of elements of type $(u, i_0, \ldots, i_{n-1})$. 
(There are a number of technical details that would need to be addressed in a rigorous 
exposition. Let us mention one: if $(u, i_0, \ldots, i_{n-1})$ and $(u', i'_0, \ldots, i'_{n-1})$ are consecutive 
elements of a history, then $u'$ must be the second element of the path $C(u, i_0, \ldots, i_{n-1})$.) 

Technically we may think of a record, from now on more often called a history, as a 
function that assigns to each proper subpath $q$ of a certain path $p$ an $n$-tuple $(i_0, \ldots, i_{n-1})$; 
we refer to $(i_0, \ldots, i_{n-1})$ as the agents’ input after $q$. The path $p$ is called the trace of 
$h$; in symbols, $\mathrm{tr}(h) = p$. Compared to the “thin” histories of classical modal logic, ours 
are a lot “fatter”, but there is an obvious connexion: the trace of a fat history is a thin 
history. 

As for events, we think of them as sets of finite paths (a path in U is a sequence of 
points in U). If p is a path in e (that is, if $p \in e$), then we may say that p realises e. 
So if we witness p played out before our eyes, we also witness a realisation of e. Given 
this terminology, what would it mean to say that the agents bring about or realise a 
certain event e? This is a question to which at the present time no-one seems to have an 
answer. One source of difficulty is the complexity of the many-agent case. The effects of 
the input of one agent can be modified or completely altered if there are inputs of other 
agents, either at the same time or later. Agents also sometimes change their mind, thus 
modifying or altering the effects of their own earlier inputs. For these and other reasons 
it is often difficult, not only in abstract theory but also in real life, to determine agency 
and to allocate (causal) responsibility. 


Let us examine one particularly simple case. We say that a history h with trace p is 
simple if $p = C(u, i_0, \ldots, i_{n-1})$, where $i_a \neq \emptyset$ for at least some $a < n$, and, furthermore, 
$h(q) = (\emptyset, \ldots, \emptyset)$, for all $q < p$ such that $q \neq \emptyset$. Thus a simple history is one where 
the trace is the theoretical result of the initial input. In this very special case, it makes 
sense to make comments such as the following: the action of the agents was allowed to 
run its course; the agents brought about the path p; the agents’ action realised all events 
$e$ for which there are paths $p'$, $p''$ and $q$ such that $q \in e$ and $p = p'qp''$; the agents are 
(causally) responsible for every event realised by their action. 

The one-agent case is of special interest. In this case, we treat the other agents, if any, 
as part of the background. Technically, if $a$ is an agent, then define the $a$-reduct of $C$ as 
the function $C^a$, which assigns to each pair $(u, i)$ the set 


$$C^a(u, i) = \{p : \exists i_0, \ldots, i_{n-1}(i_a = i \;\&\; p = C(u, i_0, \ldots, i_{n-1}))\}.$$


In general, $C^a(u, i)$ is not a singleton set, so in this case we face a certain indeterminacy. 
Note, however, that the latter may be said to be epistemic in kind, in contrast to the 
possible ontic indeterminacy discussed above. 
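
The change function, simple histories and the reduct can be tried out on a small finite system. The following is an added example, not part of the original text: the door system, its input alphabet and all function names are assumptions, and "proper subpath" is read as "proper initial segment", with the initial input recorded after the empty segment.

```python
from itertools import product

NULL = None                          # the null input
INPUTS = (NULL, "push", "lock")      # assumed input alphabet, same for both agents
N_AGENTS = 2                         # A = {0, 1}


def C(u, *inputs):
    """Change function of a constructed door system: the path (a tuple of
    points whose first element is u) that is the theoretical result of the
    agents' inputs made in state u. Locking wins over pushing."""
    if u == "closed":
        if "lock" in inputs:
            return ("closed", "locked")
        if "push" in inputs:
            return ("closed", "ajar", "open")
    elif u == "ajar" and "push" in inputs:
        return ("ajar", "open")
    elif u == "open" and "push" in inputs:
        return ("open", "ajar", "closed")
    return (u,)                      # null change


def reduct(a, u, i):
    """C^a(u, i): all paths C(u, i_0, ..., i_{n-1}) in which agent a's input is i."""
    return {C(u, *ins) for ins in product(INPUTS, repeat=N_AGENTS) if ins[a] == i}


def simple_history(u, inputs):
    """Build (p, h): p is the theoretical result of `inputs` at u, and h maps
    every proper initial segment q of p to the agents' input after q."""
    p = C(u, *inputs)
    h = {p[:k]: (NULL,) * N_AGENTS for k in range(len(p))}
    h[()] = tuple(inputs)            # initial input, made after the empty segment
    return p, h


def is_simple(p, h):
    """A history with trace p is simple if p is the theoretical result of a
    non-null initial input and every later input is null."""
    segments = [p[:k] for k in range(len(p))]
    if not p or set(h) != set(segments):
        return False
    first = h[()]
    return (any(i is not NULL for i in first)
            and C(p[0], *first) == p
            and all(h[q] == (NULL,) * N_AGENTS for q in segments if q))


def realises(p, e):
    """True if p = p' q p'' for some path q in the event e (a set of paths)."""
    return any(p[s:t] in e
               for s in range(len(p)) for t in range(s + 1, len(p) + 1))


if __name__ == "__main__":
    # Agent 0 pushes; what happens depends on what agent 1 contributes.
    print(reduct(0, "closed", "push"))
    p, h = simple_history("closed", ("push", NULL))
    print(p, is_simple(p, h), realises(p, {("ajar", "open")}))
```

The reduct for agent 0 pushing the closed door contains two paths, because agent 1 may lock it at the same moment; for agent 1 locking the door it is a singleton.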


So far we have left open the question about the nature of the agents’ input. In this 
particular case, however, it would be tempting to think that the input $i$ of the agent $a$ 
consists in calling up a program or plan or, as it was termed in Segerberg [164], routine 
$r$ such that, if $r$ is started with the world in the state $u$, then the paths in $C^a(u, i)$ 
correspond to possible developments according to $r$ (computations according to $r$, if $r$ is 
a program). A mathematician might even go as far as identifying the input, the routine 
and the corresponding reduct: $r = C^a(u, r)$. 

Summarising this discussion: there are three entities that should not be confused: the 
routine r; the event of running r; the result of running r (on a particular occasion or in 
general). 


Carrying out the routine r is, in a sense, what the agent “really does”. In the case 
of individual physical human action — the case that dominates analytical philosophical 
discussion of action — an agent’s routines may be identified with his ways of moving 
parts of his body: 


If we interpret the idea of a bodily movement generously, a case can be made 
for saying that all primitive actions are bodily movements. [...] We never 
do more than move our bodies: the rest is up to nature. [154, 49 and 50] 


But of course by our bodily movements we accomplish many other actions. If we 
introduce a distinction (not honoured by ordinary language) between doing and realising 
an action, we might reserve the former locution for what the agent “really does” or 
“does directly”, and the latter for what the agent may accomplish by his action or “does 
indirectly”. In a modal language we might accordingly introduce event operators $\mathrm{does}_i$, 
$\mathrm{done}_i$ and $\mathrm{realises}_i$, $\mathrm{realised}_i$ and contemplate appropriate meaning-conditions for them. 
There are no direct counterparts in natural language to these operators, but we have 
something like the following in mind. Let $e$ be the event that is the interpretation of $\alpha$ 
and $a$ the agent assigned to $i$: 


$\mathrm{does}_i\alpha$ : $a$ is just about to do $e$, 

$\mathrm{done}_i\alpha$ : $a$ has just finished doing $e$, 

$\mathrm{realises}_i\alpha$ : because of $a$’s action, $e$ is just about to be realised, 

$\mathrm{realised}_i\alpha$ : because of $a$’s action, $e$ has just been realised. 


It is a challenge as yet unmet to give fruitful conditions for the latter two operators, 
which seems like the more important pair. The challenge will not be met in this paper 
either, but it may be instructive to see what the difficulty is. 

Let us say that a history is well-behaved if it is the sequence of simple histories. 
Furthermore, let us say that (h,g) is an articulated history if the last element of the 
trace of h is also the first element of the trace of g; call the latter element the virtual 
present of (h,g). Note that it is natural to think of h as the past history up to the 
virtual present moment of (h,g) and g as a possible future history from there on. The 
following semi-formal meaning-conditions summarise the remarks above concerning the 
one-agent case. Assume that (h,g) is an articulated history and that both h and g are 
well-behaved. We assume that $a$ is the agent assigned to $i$, that $\alpha$ is an event term and 
that the interpretation of an event term $\alpha$ is an event $[\alpha]$: 


$(h, g) \models \mathrm{does}_i\alpha$ iff $g$ begins with an initial simple subhistory $g'$ such that $C^a(u, i) = [\alpha]$ 
and $\mathrm{tr}(g') \in [\alpha]$, where $i \neq \emptyset$ is $a$’s contribution after $h$, 

$(h, g) \models \mathrm{done}_i\alpha$ iff $h$ ends with a terminal simple subhistory $h'$ such that $C^a(v, i) = [\alpha]$ 
and $\mathrm{tr}(h') \in [\alpha]$, where $h = h''h'$, for some history $h''$, and $v$ is the 
first element of $\mathrm{tr}(h')$, and $i \neq \emptyset$ is $a$’s contribution after $h''$. 


For the other pair one might try conditions such as these: 


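$(h, g) \models \mathrm{realises}_i\alpha$ iff $\exists g', g'', g_0, g_1, g_2, p\,(g = g'g'' \;\&\; g' \text{ is simple} \;\&\; g = g_0g_1g_2 \;\&\; p = \mathrm{tr}(g_1) \;\&\; p \in [\alpha])$, 

$(h, g) \models \mathrm{realised}_i\alpha$ iff $\exists h_0, h_1, h_2, g', g'', p\,(h = h_0h_1h_2 \;\&\; g = g'g'' \;\&\; h_1h_2g' \text{ is simple} \;\&\; p = \mathrm{tr}(h_2) \;\&\; p \in [\alpha])$ 


or 


$(h, g) \models \mathrm{realises}_i\alpha$ iff $\exists h', h'', g_0, g_1, g_2, u, p, i\,(h = h'h'' \;\&\; g = g_0g_1g_2 \;\&\; h''g_0g_1 \text{ is simple} \;\&\; p = \mathrm{tr}(g_0) \;\&\; p \in [\alpha] \;\&\; u \text{ is first in } \mathrm{tr}(h'') \;\&\; \mathrm{tr}(h''g') = C^a(u, i) \;\&\; \forall q(q \in C^a(u, i) \Rightarrow \exists q_0, q_1, q_2(q = q_0q_1q_2 \;\&\; q_1 \in [\alpha])))$, 

$(h, g) \models \mathrm{realised}_i\alpha$ iff $\exists h_0, h_1, h_2, g', g'', u, p, i\,(h = h_0h_1h_2 \;\&\; g = g'g'' \;\&\; h_1h_2g' \text{ is simple} \;\&\; p = \mathrm{tr}(h_2) \;\&\; p \in [\alpha] \;\&\; u \text{ is first in } \mathrm{tr}(h_1) \;\&\; \mathrm{tr}(h_1h_2g) = C^a(u, i) \;\&\; \forall q(q \in C^a(u, i) \Rightarrow \exists q_0, q_1, q_2(q = q_0q_1q_2 \;\&\; q_1 \in [\alpha])))$. 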


Call the former pair of conditions the weak definition and the latter pair the strong 
definition of action realisation. The weak definition is probably too wide, and the strong 
definition probably too narrow, for either properly to reflect an intuitive understanding 
of an action or event being realised. Another complication is that in daily life there is a 
tendency to consider that an agent has realised an action (whether he intended it or not) 
if and only if we hold him causally responsible for it; that is, if we can attribute agency 
to him. Insofar as the attribution of agency is normative in this sense, it is beyond our 
simple modelling. 
3.2 Deontic logic 


3.2.1 Background 


Deontic logic is the formal study of normative concepts. Here we shall concentrate on 
the concepts ‘obligatory’ and ‘ought’. There are many ‘oughts’, and it is well to keep 
them apart. In particular, we wish to call attention to three distinctions. One that is 
particularly relevant to this paper is that between ‘ought-to-be’ (Seinsollen) and ‘ought- 
to-do’ (Tunsollen): ‘oughts’ that apply to the state of the world, and ‘oughts’ that 
apply to actions. That they really are different notions that require different logics was 
argued particularly forcefully by Castañeda. The distinction itself is older and often 
associated with Meinong, who seems to have held that, even though they are different 
concepts, Tunsollen is in the final analysis logically reducible to Seinsollen. This view 
was endorsed by Chisholm who gave it a more precise formulation: in his view — dubbed 
the Meinong/Chisholm thesis by Horty — 


(1) it ought to be that $i$ brings it about that $\varphi$, 


(2) $i$ ought to bring it about that $\varphi$, 


are logically equivalent [152, 159]. Actually, this thesis involves also another important 
distinction: that between the personal and the impersonal. This is seen more clearly if 
(2) is rephrased as “it is obligatory for $i$ to bring it about that $\varphi$” or even “$i$ has an 
obligation to bring it about that $\varphi$”. So in a discussion of the Meinong/Chisholm thesis 
there are actually two distinctions to bear in mind. 

Yet another important distinction is that between standing versus one-time notions 
of deontic concepts. A standing obligation (permission, prohibition) has a certain scope 
and covers everything in that scope, while a one-time obligation (permission, prohibition) 
concerns one particular item (event, occasion, alternative, possibility, or what not). The 
two kinds of concepts differ in respect to performance of the actions involved. For exam- 
ple, while a one-time obligation is discharged when one performs the particular action 
it concerns, a standing obligation can be violated but never, within its scope, completely 
discharged. 

To bring analytical order to this field, von Wright 1963 introduced deontic logic. 
Relatively quickly Standard Deontic Logic emerged, simply classical logic with an extra 
propositional operator $O$ with the informal reading of $O\varphi$ as “it is obligatory that $\varphi$” 
or “it ought to be the case that $\varphi$” and satisfying certain extra postulates: all instances 
of the schemata $O(\varphi \wedge \psi) \leftrightarrow (O\varphi \wedge O\psi)$ and $O\varphi \to \neg O\neg\varphi$ are axioms, and the rule of 
replacement of provable equivalents holds. Some authors would also include further axiom 
schemata, for example, $O\top$ (making the system normal), $O\varphi \to OO\varphi$, $OO\varphi \to O\varphi$ and 
$O(O\varphi \to \varphi)$. (For definitions and criticisms of SDL, see [156, 153].) 

Needless to say, this simple theory — which was a great step forward at the time 
— was unable to deal with the barrage of counterexamples and conundrums posed by 
moral philosophers. Some have concluded that the dream of an adequate formal deontic 
logic is a chimæra, others have looked for ways in which to increase the expressiveness of 
that very primitive object language. In particular, some authors, including von Wright 
himself, decided that deontic logic needs a logic of action as a base. 
3.2.2 Deontic logic within dynamic logic? 


Someone who accepts dynamic logic as a logic of action could reasonably try the simple 
device of directly adding deontic operators. The latter would of course apply to terms, 
not formulæ. For example, let us write $\mathrm{ob}_a\alpha$, $\mathrm{pm}_a\alpha$ and $\mathrm{fb}_a\alpha$ for “$\alpha$ is obligatory for $a$”, 
“$\alpha$ is permitted for $a$” and “$\alpha$ is forbidden for $a$”, respectively. In order to define these 
notions, one might resort to a well-known device going back to Stig Kanger and Alan 
Ross Anderson, independently of one another, of introducing a constant OK (for approval 
or absence of a sanction) or a constant S (for disapproval or presence of a sanction); the 
two approaches are equivalent on the assumption that the formula $S \leftrightarrow \neg OK$ is valid 
[161, 141, 142]. For permission and prohibition this would seem to provide a start, at least 
initially. In fact, two possibilities come to mind: 


(1) $\mathrm{pm}_a\alpha \leftrightarrow [\alpha]OK$ and $\mathrm{fb}_a\alpha \leftrightarrow \neg[\alpha]OK$, 
(2) $\mathrm{pm}_a\alpha \leftrightarrow \langle\alpha\rangle OK$ and $\mathrm{fb}_a\alpha \leftrightarrow \neg\langle\alpha\rangle OK$. 


Both have a certain plausibility. Alternative (1) is in the spirit of so-called free-choice 
permission: permission implies that any outcome of doing the permitted will meet with 
approval. Alternative (2) is more insidious: if the agent has permission to do something 
there may nevertheless be outcomes of exercising the permission that will incur the 
sanction. It seems we do have concepts of permission with these features, say, strong 
permission and weak permission. There are analogous remarks about prohibition; in 
either case, the formula $\mathrm{fb}_a\alpha \to \neg\mathrm{pm}_a\alpha$ is valid. So far, so good. But for obligation 
there is a problem: how to express it? In Standard Deontic Logic, $\varphi$ is obligatory if and 
only if the negation of $\varphi$ is not forbidden. So perhaps one might try $\mathrm{ob}_a\alpha \leftrightarrow \neg\mathrm{pm}_a(-\alpha)$, 
where pm is one of the alternative operators above and $-\alpha$ is “the complement of $\alpha$”. 
(See [162] for an effort of this kind; cf. [146].) However, there are difficulties with this 
approach, which seem hard to overcome. The main difficulty is perhaps that, although 
the notion of the complement of $\alpha$ can be given a precise meaning in the formal semantics, 
it does not agree well with intuitive notions. If events are binary relations in a set $U$, 
then the complement $U \times U - e$ of an event $e$ is of course again a binary relation. But 
in general the complement may not be recognised as an intuitively well-defined event 
corresponding to that set-theoretical entity. It is also worth noticing that sanctions and 
absence of sanctions may apply not to points but to paths: not so much to what is done 
as how it is done. It may be all right to drive from one place to another, but if you do 
so by going in the wrong direction on a one-way street you may find yourself in trouble. 
Again, one would wish for a more general analysis. 
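
The two readings of permission, the tentative definition of obligation through the complement, and the remark about paths can be checked on a finite model. The following is an added example, not part of the original text: events are binary relations on a constructed universe, OK is a set of points, fb is taken as the negation of the corresponding pm clause as in alternatives (1) and (2), and all names and sample points are assumptions.

```python
from itertools import combinations, product


def box(alpha, X, u):
    """[alpha]X at u: every alpha-outcome of u lies in X (true if there is none)."""
    return all(v in X for (s, v) in alpha if s == u)


def diamond(alpha, X, u):
    """<alpha>X at u: some alpha-outcome of u lies in X."""
    return any(v in X for (s, v) in alpha if s == u)


def pm_strong(alpha, OK, u):      # alternative (1): pm <-> [alpha]OK
    return box(alpha, OK, u)


def pm_weak(alpha, OK, u):        # alternative (2): pm <-> <alpha>OK
    return diamond(alpha, OK, u)


def fb_strong(alpha, OK, u):      # alternative (1): fb <-> not [alpha]OK
    return not box(alpha, OK, u)


def fb_weak(alpha, OK, u):        # alternative (2): fb <-> not <alpha>OK
    return not diamond(alpha, OK, u)


def complement(alpha, U):
    """The complement U x U - alpha of an event alpha."""
    return set(product(U, repeat=2)) - set(alpha)


def ob(pm, alpha, OK, U, u):
    """Tentative obligation: ob <-> not pm(-alpha), for either reading of pm."""
    return not pm(complement(alpha, U), OK, u)


def fb_excludes_pm(U):
    """Check fb -> not pm for every event, every OK set and every point of U."""
    points = list(U)
    pairs = list(product(points, repeat=2))
    events = [set(c) for r in range(len(pairs) + 1) for c in combinations(pairs, r)]
    oks = [set(c) for r in range(len(points) + 1) for c in combinations(points, r)]
    return all(not (fb(a, ok, u) and pm(a, ok, u))
               for fb, pm in ((fb_strong, pm_strong), (fb_weak, pm_weak))
               for a in events for ok in oks for u in points)


def relation_of(paths):
    """The binary relation (first point, last point) induced by a set of paths."""
    return {(p[0], p[-1]) for p in paths}


def sanctioned(paths, bad_steps):
    """Paths that contain a forbidden step, whatever their end points are."""
    return {p for p in paths if any(step in bad_steps for step in zip(p, p[1:]))}


# Constructed sample model.
U = {"home", "office", "pub"}
OK = {"home", "office"}
GO_TO_WORK = {("home", "office")}
GO_OUT = {("home", "office"), ("home", "pub")}
# Two routes with the same end points; intermediate points are street positions.
ROUTES = {("home", "main_st", "office"), ("home", "one_way", "office")}
WRONG_WAY = {("home", "one_way")}

if __name__ == "__main__":
    print(pm_strong(GO_OUT, OK, "home"), pm_weak(GO_OUT, OK, "home"))
    print(ob(pm_strong, GO_TO_WORK, OK, U, "home"), ob(pm_weak, GO_TO_WORK, OK, U, "home"))
    print(sanctioned(ROUTES, WRONG_WAY))
```

Under the weak reading going to work is not obligatory at home, because the complement contains the pair (home, home) and staying home is OK; the relation induced by the two routes is permitted under both readings although one route contains the wrong-way step.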


3.2.3 Norms, norm systems and norm functions 


There are norms of different kinds. Every time a mode of behaviour is prescribed or 
proscribed, approved or disapproved, a norm or a norm system is created. Not only 
do we have moral and legal codes of varying complexity, but in general all standards of 
behaviour set norms. ‘Etiquette’, ‘decorum’, ‘savoir-faire’, ‘comme-il-faut’ and ‘tasteful’ 
exemplify concepts that are meaningful only in relation to some norm system. The 
norm systems we meet in daily life are usually neither exact nor complete. For any 
complex norm system, we need experts, pundits, arbiters, judges, connoisseurs or some 
such authority to implement it. The ten commandments and the Golden Rule form the 
basis of a (religiously founded) morality, but we need theologians to explain what they 
mean, and ministers to tell us how to apply them. The law attempts to give rules for 
assessing any possible situation that may come up, but lawyers often disagree about what 
the law says in a particular case; in many countries, even the Supreme Court decides its 
issues by vote. 

What would it be to have a complete norm system? Consider a given, maximal 
history. If the norm system, call it the Norm, is complete and we (the analysts) have 
a full understanding of it, then it should be possible for us, at least in principle, to 
examine the history, from beginning to end, and see whether at any stage there has been 
a violation of the Norm. If there has, then paint the history red. Otherwise, ask if there 
is some overall respect in which the history fails to comply with the Norm. If there is, 
then paint the history yellow. Finally, if after all this the history is not painted either 
red or yellow, then paint it green. The set of green histories could be called “legal” if the 
Norm is legal, “moral” if the Norm is moral, “politically correct” if the Norm is political 
correctness, and so on. Here, to use a neutral expression, we shall call the green histories 
normal. At this point, we shall not make a distinction between yellow and red but simply 
call all histories of that colour non-normal. 

Strictly speaking, it is not enough that a norm system can partition the set of maximal 
histories into normal and non-normal; for any past history, the set of future histories 
must be similarly partitioned. For in general — unless the Norm is totally unforgiving or 
recognises the possibility of so-called tragic dilemmas or, at the other extreme, is totally 
tolerant or permissive — any past will admit of possible futures that are red or yellow 
or green in the sense just described. 

In order formally to represent a norm system in this sense — there could of course 
be several, but we shall be dealing with only one — we now introduce the concept of a 
norm function. Consider the model theory outlined in the section on the logic of action. 
Let $U$ and $T$ be as in subsection 3.1.1. A (total) $T$-history is a function from $T$ to $U$; a 
partial function from $T$ to $U$ is a partial $T$-history. A past is a partial history $h$ such that 
$hg \in H$, for some history $g$. By the same token, a future is a history $g$ such that $hg \in H$ 
for some history $h$. If $h$ is a past, we write $\mathrm{cont}(h)$ and $\mathrm{cont}^\circ(h)$ for the set of all 
complete continuations of $h$ in $H$ and the set of all incomplete continuations of $h$ in $H$, 
respectively; in symbols, $\mathrm{cont}(h) = \{g : hg \in H\}$ and $\mathrm{cont}^\circ(h) = \{g_0 : \exists g_1(hg_0g_1 \in H)\}$. 
Now, a norm function is a function $N$ from the set of all possible pasts to the set of 
subsets of all possible futures such that, for every possible past $h$, $N(h) \subseteq \mathrm{cont}(h)$. If 
$g \in N(h)$ and $g = g'g''$, then we say that $g'$ is a normal continuation of $h$ and that $g$ is 
a complete normal continuation of $h$. 

We end this subsection by noting a number of modal operators that can be introduced 
with truth conditions in the modelling of the previous section. First, there are three box 
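operators $[x]$ and corresponding dual diamond operators $\langle x\rangle$, where $x$ is H (“historically”), 
D (“deontically”) or F (“future”): 


$(h, g) \models [H]\varphi$ iff $\forall g'(g' \in \mathrm{cont}(h) \Rightarrow (h, g') \models \varphi)$. 
$(h, g) \models [D]\varphi$ iff $\forall g'(g' \in \mathrm{norm}(h) \Rightarrow (h, g') \models \varphi)$. 
$(h, g) \models [F]\varphi$ iff $\forall h', g'((hg = h'g' \;\&\; \exists f(f \neq \emptyset \;\&\; h' = hf)) \Rightarrow (h', g') \models \varphi)$. 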


$[H]$ is the operator called “historical necessity” by Chellas and “unavoidability” by Thomason. 
$[D]$ is a deontic operator that should not be automatically translated as “it is obligatory 
that”; if a reading other than the literal “for every normal continuation” is insisted 
on, we recommend “ideally”, but care has to be taken not to read too much into that 
word. $[F]$ and $\langle F\rangle$ are Prior’s operators G and F, respectively. We are of course able to 
help ourselves to all the usual temporal operators, including Kamp’s UNTIL: 


$(h, g) \models (\mathrm{UNTIL}\,\varphi)\chi$ iff either $\forall g', g''(g = g'g'' \Rightarrow (hg', g'') \not\models \varphi)$ 
or else $\exists g_1, g_2(g = g_1g_2 \;\&\; (hg_1, g_2) \models \varphi \;\&\; (1) \;\&\; (2))$ 
where (1) and (2) are the following conditions: 

(1) $\forall g', g''((g = g'g'' \;\&\; (hg', g'') \models \varphi) \Rightarrow \exists g^*(g' = g_1g^*))$, 

(2) $\forall k, k'((g = kk' \;\&\; \exists k^*(g_1 = kk^*)) \Rightarrow (hk, k') \models \chi)$. 


3.2.4 A fragment of dynamic deontic logic 


Deontic logic and doxastic logic are often thought to be formally quite similar. Nev- 
ertheless, to develop a dynamic deontic logic (DAL) as a counterpart to the dynamic 
doxastic logic (DDL) outlined in the previous section would require much effort. Here 
we shall be content to offer one example of what DAL might look like by considering 
how an operator of the personal, one-time, ought-to-do type might be definable in our 
framework. 

In other words, what would a meaning-condition for $\mathrm{ob}_i\alpha$ look like if it is to carry 
something like the intuitive meaning of “e is obligatory for a” or “it is obligatory for a 
to see to it that e is done” (where e is an event or action and a is an agent)? A careful 
explication in natural language might run as follows (first formulation): “As long as 
you haven’t done whatever it is that you are obligated to do, you are still supposed to 
do it (if the obligation has not, for some reason, lapsed), never mind violations of the 
norm that may have taken place in the past; but when you then do it in a normal way, 
you thereby discharge that particular obligation.” Dressing this vernacular suggestion 
in semi-technical language may give this result (second formulation): an event e is one- 
time-obligatory for agent i, given the past history h, if and only if, if at the end of any 
continuation $f_0$ of $h$ the event $e$ has not yet been realised by $i$, then (i) $e$ is realised in 
every normal continuation of $hf_0$, and (ii) if $k_0$ is an incomplete normal continuation of 
$hf_0$ in which $e$ has been realised, then there is a normal continuation of $hf_0k_0$ in which 
$e$ is never again realised. 

To make this semi-technical version a notch more formal, counterfactually assume that 
we possess a definition of action realisation (remember that we were not quite able to 
work one out in the section on action logic). The semi-formal formulation above may then 
be replaced by the following formal definition (third formulation): 


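$(h, g) \models \mathrm{ob}_i\alpha$ iff $\forall f \in \mathrm{cont}(h)\,\forall f_0, f_1((f = f_0f_1 \;\&\; (hf_0, f_1) \not\models \mathrm{realised}_i\alpha) \Rightarrow$ 

$(\forall k \in \mathrm{norm}(hf_0)\,\exists k_0, k_1(k = k_0k_1 \;\&\; (hf_0k_0, k_1) \models \mathrm{realised}_i\alpha \;\&\;$ 
$\exists l \in \mathrm{norm}(hf_0k_0)\,\forall l_0, l_1(l = l_0l_1 \Rightarrow (hf_0k_0l_0, l_1) \not\models \mathrm{realised}_i\alpha))))$. 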


The final, fully syntactic version of our definition of personal one-time ought-to-do 
obligation is the following valid schema (fourth formulation): 


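$\mathrm{ob}_i\alpha \leftrightarrow [H](\mathrm{UNTIL}\,\mathrm{realised}_i\alpha)[D]\langle F\rangle(\mathrm{realised}_i\alpha \wedge \langle D\rangle[F]\neg\mathrm{realised}_i\alpha)$. 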


The ob-operator is of course only one of a number of operators explicating a notion 
of obligatoriness (cf. [169]). Complicated as it is, it nevertheless neglects at least one 
important aspect, namely, what may be called the Problem of the Implicit Dead-line: the 
time within which a one-time obligation should be discharged is often not explicit, but 
there may still be some time limit that is tacitly understood. (See, for example, [155]). 


3.2.5 Normative positions 


The modelling presented in the last two sections is limited in numerous ways. Some of 
them would take much effort to overcome. However, there is one particular shortcoming 
that is philosophically important and deserves a comment here. Norm systems are usually 
systematic. If one past history is a (not necessarily normal) continuation of another, 
then one would expect the normative situation after the former to be in some intimate 
sense related to the normative situation after the latter: a norm that does not possess 
a certain minimum of coherence will not be viable. In order to give an example of a 
possible coherence criterion, let us first augment the modelling of the previous section. 

Describing the AGM paradigm above, we introduced sphere systems to model belief 
states (see subsection 2.2.1). Now we shall use sphere systems to model what we will 
call the “normative position”. Thus we redefine the concept of a norm function to be a 
function N from the set of all possible pasts such that, for every possible past h, N(h) 
is a sphere system in $\mathrm{cont}(h)$ (meaning that $X \subseteq \mathrm{cont}(h)$, for every element $X \in N(h)$). 
It is the sphere system N(h) that we term the normative position after h. 

We adopt the following technical definitions. If h is a past history, g an incomplete 
continuation of $h$, and $X$ is a set of complete continuations of $h$, then we write $X^g$ for 
the set of continuations of $hg$ that are final segments of elements of $X$. Schematically, if 
$h$ is a past history and $g \in \mathrm{cont}^\circ(h)$, then for all $X \subseteq \mathrm{cont}(h)$, 


$$X^g = \{f : f \in \mathrm{cont}(hg) \;\&\; gf \in X\}.$$


Similarly, if $S$ is a set of subsets of $\mathrm{cont}(h)$, then we write $S^g$ for the set of nonempty 
subsets $Y$ of $\mathrm{cont}(hg)$ such that $Y = X^g$, for some $X \in S$. Schematically, 


$$S^g = \{X^g : X \in S \;\&\; X^g \neq \emptyset\}.$$


Note that $S^g$ is a sphere system in $\mathrm{cont}(hg)$ if $S$ is a sphere system in $\mathrm{cont}(h)$. 
We are now ready for the definition that is the point of this exercise: we define a norm 
function as coherent if, for all finite continuations $g$ of any past history $h$, 


$$N(hg) = (N(h))^g.$$


Technically, the change from N(h) to N(hg) is related to the notion of irrevocable change 
discussed in a context of belief revision in [166]. (It is worth recalling that the original 
concern of Carlos Alchourrón — professor of jurisprudence and one of the fathers of AGM 
— was, not belief change, but legal change.) 
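
The coherence criterion can be tested mechanically on a finite set of histories. The following is an added example, not part of the original text: histories are constructed three-step strings over "c" (comply) and "v" (violate), sphere systems are generated from a ranking of complete histories, and the two norm functions and all names are assumptions.

```python
from itertools import product

# Constructed set H of complete histories and the pasts (proper prefixes) they admit.
H = {"".join(w) for w in product("cv", repeat=3)}
PASTS = {x[:k] for x in H for k in range(len(x))}


def cont(h):
    """cont(h): complete continuations g of h, i.e. hg in H."""
    return {x[len(h):] for x in H if x.startswith(h)}


def cont_incomplete(h):
    """Nonempty incomplete continuations g of h: hg is still a proper prefix."""
    return {p[len(h):] for p in PASTS if p.startswith(h) and p != h}


def restrict(X, h, g):
    """X^g = {f : f in cont(hg) and gf in X}."""
    return frozenset(f for f in cont(h + g) if g + f in X)


def restrict_system(S, h, g):
    """S^g = {X^g : X in S and X^g is nonempty}."""
    return frozenset(Y for Y in (restrict(X, h, g) for X in S) if Y)


def spheres(h, rank):
    """Sphere system in cont(h): nested sets of continuations of rank <= k."""
    levels = sorted({rank(h + g) for g in cont(h)})
    return frozenset(frozenset(g for g in cont(h) if rank(h + g) <= k)
                     for k in levels)


def N_count(h):
    """Normative position that ranks a history by its total number of violations."""
    return spheres(h, lambda x: x.count("v"))


def N_amended(h):
    """Like N_count, but once two steps have passed the ranking of the last
    step is reversed, as if the norm had been amended in between."""
    if len(h) < 2:
        return N_count(h)
    return spheres(h, lambda x: x[:2].count("v") + x[2:].count("c"))


def incoherence_witnesses(N):
    """All pairs (h, g) with N(hg) != (N(h))^g."""
    return [(h, g) for h in sorted(PASTS) for g in sorted(cont_incomplete(h))
            if N(h + g) != restrict_system(N(h), h, g)]


def is_coherent(N):
    return not incoherence_witnesses(N)


if __name__ == "__main__":
    print(is_coherent(N_count), is_coherent(N_amended))
    print(incoherence_witnesses(N_amended))
```

The counting norm is coherent because restricting its spheres to the continuations of hg gives exactly the spheres it assigns after hg; the amended norm fails at every past of length two reached from a shorter past.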


3.2.6 Moral 


We have included the non-standard material found in the last few sections — no doubt 
trying the reader’s patience to the limit — in the hope of driving home four theses: 


• as first argued by von Wright, deontic logic depends on the logic of action, 

• as argued by Castañeda, for logical analysis propositions (formulæ) may not be 
enough — we also need something like actions (terms), 

• the logic of even common normative concepts is more complex than is usually 
thought, 

• modal logic is well equipped to deal with that particular kind of complexity. 
and tense extensions, 473-474 
and the existence of a basis, 509 
for uniform formulas, 449 
invariance under simulation, 522 
no ~ for K4 x K4, 902 
of basic modal logic K, 28, 268 
of (cofinal) subframe logics, 473, 475 
of fusions, 874 
of guarded fragment, 57, 287 
of logics containing S4.3, 455, 508 
of logics containing K5, 456 
of logics containing S5 x S5, 158, 
456, 890 
of logics of finite depth, 454 
of CTL and modal μ-calculus, 64, 
726, 741 
of PDL and CPDL, 61, 726, 830 
of temporal logics CL/Lin, 706-708 
of two-variable fragment, 279 


finite model property (cont.) 
of products of modal logics, 890 
of union-splittings, 436 
undecidability of ~, 440 
first-order 
hybrid logic, 572 
intensional logic, 564 
logic of proofs, 949 
modal logic, 66-68, 130, 549-620, 
1152-1175 
S4.3, see S4.3 
S5, see S5 
subframe logics, 588 
temporal logic, 668, 676, 691-695, 
704, 710-712 
Fitting models, 947, 948 
fixed point (in Gödel-Löb logic), 532, 935 
theorem, 532, 935 
fixpoint logic, see mu-calculus 
flow of time, 658 
cyclical ~, 661 
examples, 706, 708 
linear ~, 659 
dense ~, 659 
Dedekind complete ~, 54, 659 
continuous ~, 659 
separable ~, 660 
Floyd—Hoare logic, 723 
forcing, 930, 947, 952, 960 
forgetful projection, 945, 946, 951 
formal epistemology, 928, 933, 941, 947, 
950 
formula algebra, see algebra 
fragment 
of first-order logic 
bounded ~, 52, 577, 839, 863 
finite /bounded variable ~, 27, 54, 
58, 69, 145, 278-281 
guarded ~, 56-58, 285-288, 753 
guarded ~ with constants, 850 
packed ~, 57 
of first-order modal and temporal 
logic 
classical ~, 580 
monadic ~, 581 
monodic ~, 582-586, 710-712 
two-variable ~, 581 
frame 
definability, 35 
descriptive ~, 307, 309, 355 
general ~, 303, 305, 306, 355, 433 
full general ~, 303 
incompleteness, see incompleteness 
representation (for first-order modal 
logic), 587 

total ~, 664 

free algebra, see algebra 

functional dependency, 806 

functor, 596 
adjoint ~, 602 
cartesian ~, 596 
lex ~, 596 

fusion (of modal logics), 65, 872 


game 
2-player ~, 1078, 1084, 1130 
algebra, 1134 
bisimulation ~, 23 
competitive ~, 1078, 1081 
concurrent ~, 1139, 1141 
cooperation in ~, 1087-1090 
disjunctive ~, 1133 
dual ~, 1131 
extensive ~, 1078, 1080, 1082-1087, 

1090-1097, 1126-1130 
finite ~, 1125 
generic ~, 1084, 1092 
infinite ~, 1125 
iterated ~, 1131 
knowledge, 1099 
outcome of ~, 1080 
parity ~, 739 
strategic ~, 1080-1082, 1089-1091, 
1122-1126 

subgame of a ~, 1084, 1087 
synchronous ~, 1139 
turn-based synchronous ~, 1139, 1140 
von Neumann ~, 1109 
win-loss ~, 1084 
with simultaneous moves, 1085, 1086 
zero-sum ~, 1081 

game logic, 1078, 1130-1135, 1143 

game model, 1131 

game theory, 1078-1144 
GCI (general concept inclusion axiom), 
765 
Geach axiom, 459 
general frame, see frame 
generalized element, 594 
generated subframe/substructure (see also 
bisimulation), 36, 259 
generated submodel (see also bisimula- 
tion), 16, 19 
Gentzen system (see also sequent cal- 
culus), 113, 229, 639, 702, 946, 
1159 
geometric morphism, 602 
essential ~, 605 
GF (guarded fragment of first order logic), 
see fragment 
Gödel translation (of intuitionistic logic 
into S4), 477, 932, 941 
Gödel’s incompleteness theorem, 931, 933, 
936, 938, 942 
Gödel-Löb logic, see GL 
GL (Gödel-Löb logic), also called G and 
Löb logic, 929-939 
admissible rules for ~, 539 
canonical formula for ~, 462 
completeness of ~, 91 
expanding products of ~, 913-917 
fixed point theorem for ~, 532, 935 
interpolation of ~, 531 
logics containing ~, 452, 454 
non-elementarity of ~, 39, 311 
products of ~, 909 
provability interpretation of ~, 929- 
939 
topological interpretation of ~, 953- 
954 
tableau for ~, 106 
tense extension of ~, 474 
uniform interpolation of ~, 535 
GL (for game logic), see game logic 
global modality, see modality 
global satisfiability problem, 32 
Goldblatt-Thomason theorem, 41, 312, 
360, 840 
granularity, 665 
Grothendieck topology, 928, 958 
Grz, 459, 474, 480, 941 
Grzegorczyk axiom, see Grz 

guarantee properties, 52 

guarded bisimulation, see bisimulation 
guarded fragment, see fragment 


HA, see Heyting arithmetic 
Halldén-completeness, 528 
Henkin 
construction, 111, 832 
dimension, 690 
Hennessy—Milner 
logic, 723 
property, 271, 299 
theorem, 270 
hereditary structural completeness, 542 
Heyting arithmetic, 936, 949 
highly undecidable problems 
in first-order modal logic, 589 
in hybrid logic, 830, 850 
in product modal logic, 909 
in temporal logic, 701, 710 
Thomason’s consequence, 45, 431 
Hilbert’s classical decision problem, 429 
Hintikka set elimination, 151 
history (in branching time), see tree 
Hoare implication, 955 
Horn axiomatisable modal logic, 886 
hybrid control systems, 955 
hybrid logic, 49-52, 448, 522, 543, 674, 
821-864 
binder, 51, 573, 823, 831 
first-order ~, 572-577 
satisfaction operator, 49, 573, 823 
temporal reference and ~, 1044 
hypercube, 1102 
hyperdoctrine, 
classical ~, 602 
intuitionistic ~, 602 
modal ~, 596 
hyperintensionality, 632, 649 
hyperresolution, see resolution calculus 
hypersequents, see sequent calculus 


IFP, see mu-calculus 

IL, see interpretability logic 

IL, see intensional logic 

imperfect information, see information 
imperfect recall, 1086 


implication 
material, 1017 
strict, 1017-1018 
incompleteness 
Kripke/frame ~, 35, 434, 450, 453, 
464, 468, 474, 909, 953 
degree of Kripke ~, 434 
in first-order modal logic, 586-588 
for atomic algebras, 362-365 
increasing domain model, 68, 556, 912, 
1171 
indexicality, 859 
indiscernibility, 642
inductive formula, 315 
inference rule 
admissible ~, 496, 536-542, 795 
Gabbay-Burgess-style ~, 829 
irreflexivity rule, 543, 701
modus ponens, 10, 88 
necessitation rule (also called modal 
generalisation), 10, 88 
of margins, 543 
regularity rule, 88 
infinitary 
modal equivalence, 271-273 
modal logic, 20, 69-70, 271-273, 294, 
416, 930, 960 
infinite combinatorics, 960 
inflationary fixpoint logic, see mu-calculus 
information 
almost perfect ~, 1085, 1135, 1138 
complete ~, 1097, 1098 
imperfect ~, 1085-1087, 1099, 1107-1110, 1129-1130, 1142
perfect ~, 1078, 1082-1085, 1097 
information set, 1085, 1087, 1107 
information systems, 860 
instance checking, 770 
Int, see intuitionistic propositional logic 
intension, 564, 568, 635, 1036-1037, 1153, 
1176 
intensional function, 629 
intensional model, 566, 635 
intensional logic (IL), 627, 1178 
interior algebra, see algebra 
intermediate logic (see also superintuitionistic logic), 588
internalization rule (in logic of proofs), 944
internalization (of TBoxes), 769
interpolation, 21, 276, 369, 498, 525, 695, 
750, 844 
uniform ~, 534, 750, 845 
interpretability logic (IL), 939, 940 
interpreted system, 1123, 1129-1130 
full system, 1102 
perfect recall in ~, 1105 
synchronous ~, 1104 
intersection of programs, 828 
interval temporal logic, see temporal logics
introspection, 122, 995, 1109 
intuitionistic propositional logic, 476, 928- 
932, 941, 949 
intuitionistic logic of proofs, 949 
inverse method, 229, 230 
inverse modality, see modality 
IPC, see intuitionistic propositional logic 
irreflexivity rule, see inference rule 
isomorphism 
finite ~, 271 
partial ~, 271 
potential ~, 840 
intensional ~, 1178 


joint action, 1139
Jónsson’s lemma, 346
Jónsson-Tarski representation theorem, 352
justification logic, 948-951


K, 10 
automated reasoning 
tableau-based, 209-217 
translation-based, 186-200 
completeness of ~, 87-91 
filtration for ~, 28, 150 
finite model property of ~, 28, 150
global satisfiability problem for ~, 
32, 151, 200 
interpolation for ~, 528-529 
natural deduction for ~, 95-99
satisfiability problem for ~, 27, 186, 
209 
sequent calculus for ~, 116 
tableau for ~, 101-105 
uniform interpolation for ~, 535 
K4, 33, 87 
admissible rules for ~, 536-540 
automated reasoning 
tableau-based, 217-219
translation-based, 200-202 
axiomatization problem for ~, 439 
completeness of ~, 91 
finite model property of ~, 473 
logics containing ~, 452, 458-463 
natural deduction for ~, 98 
interpolation of ~, 531 
products of ~, 901 
tableau for ~, 101-105 
resolution for ~, 228 
sequent calculus for ~, 116, 
subframe logics containing ~, 473 
K4.1 (see also McKinsey axiom), 41, 462 
K4.2, 462 
K4.3, 455, 462 
K5 (and logics containing K5), 455, 912 
K.Alt_n, 33, 456, 475
KB (also called B), 87, 89, 184 
KT (also called T), 87, 89 
KD (also called D, see also SDL), 87, 89 
k-variable property, 690 
Kamp frame, 664 
Kamp’s theorem, 54, 685 
KARO, 1005, 1006, 1008, 1009 
multi-agent, 1010, 1015 
Karp’s theorem, 272 
KM postulates (Katsuno-Mendelzon postulates), 1186
Knaster-Tarski theorem, 62 
knowledge (see also epistemic logic) 
common ~, 123, 951, 992, 1011, 1012, 
1079, 1100, 1101, 1109, 1113- 
1116, 1121, 1123, 1124 
distributed ~, 1102 
everybody’s ~, 1102 
action, see epistemic program 
programs, 1108 
set, 1110 
Kripke completion of a system, 588 
Kripke incompleteness, see incompleteness
Kripke model, 4
Kruskal’s tree theorem, 456, 468, 915, 957


λ-conversion, 641
labeled deduction, 638, 862 
language 
context free ~, 1055 
regular ~, 1058 
regular tree ~, 1062 
largest bisimulation, see bisimulation 
lattice of normal modal logics, see NExt(L) 
lazy unfolding, 201, 221 
lcs (least common subsumer), 791
learning, 1116 
least 
common subsumer, 791 
fixed point logic, see LFP 
fixpoint logic, see LFP 
Leibniz operator, 511 
LFP (see also mu-calculus), 42, 316, 321, 
751 
limit assumption, see conditional logic 
limit closure, 700 
Lindenbaum construction, 90 
Lindenbaum-Tarski algebra, see algebra 
linear temporal logic (LTL), see temporal logics
linguistics, 1031-1073 
mathematical ~, 1054 
liveness, 731 
local proposition, 1102, 1103 
locale, 504 
coherent ~, 508 
continuous ~, 504 
spatial ~, 504 
Löb axiom/principle/formula (see also GL), 
34, 39, 933 
Löwenheim-Skolem 
for modal type theory, 649 
property, 11, 311, 431 
application of ~, 880 
logic of 
action, 997-999, 1005-1010, 1197-1203
proofs, 929, 932, 933, 942-946, 950 
strings, 1055 
trees, 1061
logical necessity, see necessity
logical omniscience, 622, 630, 950, 996, 1038, 1098
lossy channel system, 917, 957
LP, see logic of proofs
LPP, 948, 949
LTL, see temporal logics


μ-calculus, see mu-calculus
MacNeille completion, 383 
Magari algebra, 940 
Makinson’s theorem, 34, 435, 507 
many-dimensional 
connective, 674, 690 
evaluation, 666 
map (between Boolean algebras) 
additive ~, 340 
completely, 349 
multiplicative ~, 340 
normal ~, 340 
smooth ~, 375 
master modality, see modality 
matching, 795 
Matching Pennies, 1081 
matrix (logical), 495 
maximality principle, 960 
McKinsey axiom/formula, 39, 43, 311, 
446 
McKinsey-Tarski theorem, 956 
meaning postulate, 1155 
Medvedev logic, 483 
mereotopological relations, 954 
metaframe, 599 
metaphysical necessity, see necessity 
metric 
modality, see modality 
space, 930, 952-955, 957, 958 
temporal logics, see temporal logics 
Minkowski’s spacetime, 661, 958 
Minsky machine, 440 
modal 
μ-calculus, see mu-calculus
companion of superintuitionistic logics, 479
description logic, 883 
predicate logic, see first-order modal 
logic 
reduction principle, 451 
theory, 254 
type theory, 631 
modality 
causal future ~, 958 
chronological future ~, 958 
converse ~, 126, 185, 202, 281 
difference, 48, 128 
graded ~, 186, 207, 225, 237, 762 
in set theory, 959 
inverse ~, see converse ~ 
master ~, 358, 508, 834 
metric ~, 954, 955 
polyadic ~, 45, 256, 523 
transitive ~, see K4 
universal/global ~, 46, 128, 185, 128, 
386, 387, 954, 958 
model, 
bundle, 606 
counterpart ~ (see also counterpart theory/semantics), 610
existence theorem, 644, 647 
functional ~, 587 
hyperdoctrinal ~, 597 
Kripke ~, 4 
named ~, 829, 836, 837 
pointed ~, 12 
presheaf ~, 604 
topological ~, 604 
topos-theoretic ~, 604 
model checking (see also computational 
complexity), 24-27, 143-145, 982- 
984 
ATL and ATL*, 1141
basic modal logic, 24-26 
game logic, 1134 
hybrid logics, 862-863 
LTL and CTL, 982-984 
modal μ-calculus, 735, 739
temporal epistemic logics, 1106 
modus ponens, see inference rule 
mono, 595 
monadic fragment, see fragment 
monadic fragment of second-order logic,
432, 669-670, 679, 705-706, 712, 
749, 899 
its universal fragment, 39, 232, 310, 
686, 705-706 
monodic 
formula, 582, 710 
fragment, see fragment 
Montagna’s principle, 940 
Montague’s intensional logic, see intensional logic
Morning Star Paradox, 568, 1157 
mosaic method, 160, 708 
most specific concept, 793 
Mostowski operator, 938 
msc, see most specific subsumer 
MSOL, see monadic second-order logic 
mu-calculus (see also LFP) 
alternating ~, 1142 
modal ~, 61-64, 293, 721-756, 936, 
1097 
with past, 294, 751 
with nominals, 850 
guarded ~, 294, 753 
inflationary ~ (IFP), 753 
Muddy Children, 124, 1100 
multi-dimensional modal logic, 875, 1046 


n-provability, 938-939 
named model, see model 
natural deduction, 95, 702, 854 
necessitation rule, see inference rule 
necessity
logical ~, 1181
metaphysical ~, 1181
neighbourhood
frame, 335, 952-953
semantics, 75-76, 952-953
model, 75, 335, 1088, 1131
NExt(L), 434, 501 
no forgetting, see perfect recall 
no learning, 1106, 1108, 1110, 1111, 1113 
nominal, 49, 186, 207, 224, 522, 572, 762, 822
non-deterministic computation, 146
non-logical axiom, 185
non-monotonic logic, 992, 1017, 1022, 1023
non-rigid (designator), see rigid designator
non-standard inferences, 788
nonemptiness problem, see automata
noniterative axiom (see also shallow formula), 451
normal form (formula) 
automaton ~ (also disjunctive ~), 
744 
conjunctive ~, 227 
disjunctive ~, 227 
negation ~ (NNF), 184 
of degree n, 449 
positive ~, 
in modal μ-calculus, 729
in CTL and LTL, 979 
normal modal logic, 34 
NP complete problem, 168 
number restriction, 762 


obligation
conditional ~, 997, 1016
contrary-to-duty ~ (CTD), 997
ontological argument, 622
open
map, see topology
neighbourhood, see topology
set, see topology
outcome function, 1080
OWL-DL, 761


P (conditional logic), 1019, 1023
Π^1_1-hard problems, see highly undecidable problems
p-morphism, see bounded morphism
p-morphic image, see bounded morphic image
PA, see Peano arithmetic
packed fragment, see fragment
partial isomorphism, see isomorphism
path formula, 1000, 1139
PDL, 58-61, 291, 725, 761, 1058, 1130
combinatory ~, 829
Peano arithmetic, 934, 936, 937, 939-942, 948, 949, 953
pebble game, 279
Peircean branching time logic, see temporal logics
perfect information, see information 
perfect recall, 1086, 1105, 1106, 1108- 
1109, 1111, 1118, 1119 
persistent modal formula, 306-307 
D-~ (see also canonical), 306-307 
polarity, 194 
poly-size model property (see also finite 
model property), 455 
polyadic modality, see modality 
polynomial functor, 392 
finitary Kripke ~, 392 
Kripke ~, 392 
polynomial reduction, 168 
possibilist quantification, 130, 134, 560 
Post correspondence problem, 957 
pre-model, 732 
predicate 
abstraction, 135, 564, 569 
modal logic, see first-order modal logic
temporal logic, see first-order temporal logic
preference relation, 1016, 1022, 1080, 1083 
prefixed tableau, see tableau 
prefix stability, 190 
presheaf, 601 
pretabular logic, 454 
Prior’s connectives F, P, G, H (see also
tense logic), 671, 696-698 
Prisoner’s Dilemma, 1081, 1091 
probabilistic belief, 1125 
product 
direct ~, 298 
finite model property, 889 
of frames, 875, 877 
of modal logics, 876, 877 
relativised ~, 910, 912 
expanding ~, 912-917 
subdirect ~, 345 
topologies, 953 
ultra~, 298, 306 
proof 
checking, 231 
polynomial, 943-947, 950 
predicate, 931, 942, 945 
propositional 
attitudes, 624, 630, 1038, 1176 
dynamic logic, see PDL 
quantifiers, 318, 535, 626, 677, 679, 
861 
protocol, 1103 
provability 
algebra, 940, 941 
interpretation, 932-938, 942, 950, 952 
logic (see also GL), 929, 933-938, 
940-942, 949, 950 
predicate, 929-938 
pseudo-model, 158 
public announcement, 1111-1115, 1124 
pullback, 402, 594 
weak ~, 402 
PTL, see temporal logics 


QTC-logic, 890 
quantified 
modal logic, see first-order modal logic
temporal logic, see first-order temporal logic
quasi-variety, see variety 
quasimodel, 584, 711, 892, 895, 899 


rational behaviour, see rationality 
rationality, 1091, 1121-1130 
RCC-8, 954 
reference point, 674 
referential multiplicity, 1163 
reflection, 942, 943, 948, 949 
region connection calculus, 954 
regular 
expressions, 677 
formula, 315 
regularity rule, see inference rule 
relation lifting, 400 
relational domain (in first-order modal 
logic), 609 
relativised product of modal logics, see 
product 
relativistic temporal logic, see temporal 
logics 
resolution calculus, 187 
blocking rule, 201 
closed branch, 193 
complete branch, 193 
completeness, 194 
derivation, 193 
expansion rules, 193 
for hybrid logics, 857 
for temporal logics, 704 
hyperresolution, 197 
implementation, 203 
incomplete branch, 193 
inference rules, 193 
modal ~, 227 
open branch, 193 
open derivation, 193 
ordered chaining, 201 
refutation, 193 
saturation up to redundancy, 193 
selection function, 192 
separation, 206 
splitting, 193, 206 
subsumption, 192 
rewriting (of concept descriptions), 799 
rigid designator, 135, 551, 555, 564, 668, 
1107, 1156, 1164, 1173, 1177, 
1183 
role 
inverse, 762 
transitive, 762 
hierarchy, 762 
name, 759 
value map, 808 
Robinson consistency, 276 
root modal, 1038 
rule (see inference rule) 
Russell-Myhill paradox, 1180 


S, 934, 935, 937 
Σ^1_1-hard problems, see highly undecidable problems
S4, 34, 87 
admissible rules for ~, 536-540 
axiomatization problem for ~, 439 
completeness of ~, 34, 91 
complexity of ~, 177 
dynamic topology and ~, 955-957 
finite model property of ~, 473 
Gödel’s translation of intuitionistic logic into S4, 476-481
interpolation for ~, 531 
logics containing ~, 453-455, 526 
natural deduction for ~, 98 
tableau for ~, 101-105 
provability interpretation of ~, 929- 
941, 946 
topological semantics of ~, 76-77, 
951-953 
sequent calculus for ~, 116-117 
S4C and S4F, see dynamic topological 
logic 
S4.1, 458 
S4.2, 458, 586 
S4.3
logics containing ~, 455, 508, 542 
first-order ~, 586 
S5, 87 
completeness of ~, 89 
hypersequents for ~, 117-121 
natural deduction for ~, 98 
tableau for ~, 112-113 
first-order ~, 554, 562, 1152, 1160, 
1169 
S5 x S5, 158, 456, 882 
SAFA axiom, 960 
safety, 731 
Sahlqvist 
theorem, 40, 315, 366, 382, 446 
formula, 314, 366, 446, 834 
SAT, 214, 796 
satisfaction operator, see hybrid logic 
saturation (in model theory), 270, 299 
SDL (see also KD), 996, 997 
second-order propositional modal logic, 
see propositional quantifiers 
second-order quantifier elimination, 232 
SCAN, 232 
SQEMA, 232 
Segerberg’s axiom, 61 
selection of points, 149 
self-reference, 928, 946, 947 
semantic tableau, see tableau 
separation property, 687-689 
sequent calculus, 113, 229 
analytic cut rule, see cut rule 
backward reasoning, 229
cut rule, see cut rule 
for hybrid logic, 852 
for temporal logic, 702 
forward reasoning, 229 
hypersequents, 117 
logical rules, 229 
proof, 229 
structural rules, 229 
set theory, 959 
non-well-founded ~, 69, 959 
shallow formula (see also noniterative axiom), 316
sheaf theory, 601-606, 958 
SHIQ, 761 
SHOIQ, 761
signed formula, 99 
simple algebra, see algebra 
simulation (between modal logics), 517 
social choice theory, 1080, 1087, 1144 
solution concept, 1078, 1081, 1092-1094, 
1121-1130 
Solovay’s Theorem, 934 
spatial reasoning, 76, 860, 951 
special theory of relativity, 958 
sphere system, 1189 
splitting, 435, 505 
companion, 505 
representation, 508 
subframe ~, 475 
theorem, 506 
standard deontic logic, see SDL and KD 
standard translation, see translation 
state formula, 682, 999, 1139 
Stavi connectives, 673, 686, 694 
stit-theory, 1198 
Stone duality, 355 
Stone space, see topology 
strategy, 1080, 1103, 1139 
best response ~, 1093, 1096, 1123 
dominant ~, 1082 
dominated ~, 1082, 1122, 1124, 1127 
joint ~, 1138 
mixed ~, 1082 
profile, 1080, 1092 
pure ~, 1082 
uniform ~, 1085, 1107 
winning ~, 1084 
strong provability, 941 
structural theory of sets, see STS 
structural 
transformation, 194 
pre-completeness, 542 
subsumption, 778 
STS, 930, 960 
sub-Boolean description logics, 773 
subdirect product, see product 
subdirectly irreducible, see algebra 
subframe logics, 463, 469-475, 531, 911 
first-order ~, 588 
subobject, 595 
subordinate proof, 95 
subreduction, 459 
subsumption (between concepts), 767 
succinctness, 686 
superamalgamation property, 370, 525 
superintuitionistic logics, 476-483, 527
synonymy, 568 
syntax 
model theoretic, 1070 
natural language, 1054-1072 


tableau calculus, 99-113, 208, 528 
analytic ~, 107 
and automated reasoning, 207-226
and interpolation, 528, 535 
complete ~, 210 
destructive ~, 101 
tableau expansion rule, 208 
for hybrid logic, 855 
for modal type theory, 638 
for temporal logics, 702-704 
labelled ~, 208 
open ~, 210
prefixed ~, 108 
semantic ~, 99 
tabular logic, 453 
TBox, 31, 185, 763 
acyclic, 763 
with descriptive semantics, 763 
with fixpoint semantics, 764 
temporal epistemic logic, 667, 882, 1103- 
1106 
temporal logics
branching time 
CTL, 682, 700, 704, 723, 735, 831, 
980-985, 1079, 1139 
CTL*, 292, 681, 689, 700, 725, 
831, 1139 
first-order CTL and CTL*, 712
PCTL* (CTL* with past), 681, 700 
Peircean branching time logics, 681 
interval temporal logics, 675-676
linear time 
ETL(T), 678 
first-order LTL, 712 
LTL (also called PTL and PLTL), 
673, 699, 979-980, 983, 985, 1057, 
1105 
logics containing Lin/CL, 464-469, 
706-707 
TLA, 677 
UYF and USF, 678-679 
metric temporal logics, 674 
relativistic temporal logic, 661, 958 
temporal 
structure, 659 
reasoning, 696-711, 971-985 
tense 
algebra, see algebra 
logic, 6, 384, 463, 696 
logic of ~, 1041, 1044 
natural language, 1040 
reference time, 1043 
terminal object, 594 
Terminological Box, see TBox 
terminology, see TBox 
theory 
resolution, 203 
unification, 203 
thrashing, 212 
three variable fragment, see fragment 
tiling problem 
corridor ~, 170 
games, 171 
recurrent ~, 432, 590, 710 
square ~, 168 
ω × ω ~, 44, 147, 581, 905, 910
topo-Boolean algebra, see algebra 
topological
duality, 354
model/semantics, 76-79, 951-958
space, 77, 951, 1189 
topology, 
Alexandrov space, 956, 957 
Cantor’s discontinuum, 953 
closed set, 1189 
clopen set, 354, 1189 
connected space, 79 
continuous map, 78, 955 
derived set, 930, 953-954 
discrete ~, 77 
homeomorphism, 956-957 
open 
map, 78 
neighbourhood, 77 
set, 77, 1189 
scattered ~, 953, 954 
Stone space, 355, 1190 
trivial ~, 77 
topos theory, 601-606, 958 
transaction time, 666, 
transition system, 665, 730, 972 
translation 
axiomatic ~, 201 
from many modal operators to one, 
516 
from polyadic modal operators to 
unary, 522 
functional ~, 236 
optimised functional ~, 188, 194, 
199 
polyadic optimised functional ~, 190 
relational ~, 186, 199 
semi-functional ~, 236 
standard ~ 
of first-order modal logic, 563 
of first-order temporal logic, 691
of hybrid logics, 832, 838
of modal logic, 10-11, 254
of modal logic into second-order logic, 38, 318, 432
of temporal logic, 683 
tree-based relational ~, 199 
tree (in branching time), 660 
branch of ~, 660 
history, 662 
path, 662 
tree automata, see automata 
tree model property, 261, 295 
finite ~ of basic modal logic (K), 30, 
150, 269 
of modal μ-calculus, 736
generalized ~ of guarded fragment, 
287 
tree unraveling, see unraveling 
truth value, 495 
designated, 495 
two variable fragment, see fragment 


ultrafilter, 37, 351
principal ~, 38
extension, 37, 297, 841
frame, 304, 352
morphic image, 841
ultraproduct, see product 
unfolding/unraveling, 15, 260 
unification, 537, 794 
uniform formula, 449 
unique name assumption, 766 
universal
modality, see modality
monadic second-order logic, see monadic second-order logic
unraveling, see unfolding/unraveling
until and since, see temporal logics 
update, 1111, 1114-1121, 1186 
urelement, 959 
utility, 1080
expected ~, 1128
function, 1080, 1083, 1126
maximal expected ~, 1126


valid time, 666 
value restriction, 760 
van Benthem formula, 313 
van Benthem theorem, 21, 282 
van Benthem-Rosen theorem, 284
variety (of algebras), 420 
complete ~, 363 
discriminator ~, see discriminator 
quasi-~, 511 
semisimple ~, 514 
varying domain model, 67, 134, 557, 1171 
Vietoris construction, 392


w-transitive, see weak transitivity 
weak transitivity, 358, 508 
Worm Principle, 942 


XPath, 689 
yesterday connective, 672 


ZF, 930, 940, 959 
ZFC, 523, 960 